Posted by Andrew Jaquith on June 30, 2009
- Clear collects enough personal information to make it a gold mine for identity thieves. Verified Identity Pass collects immense amounts of personally identifiable information so that it can determine applicant eligibility, as required by the TSA. The data collected includes scans of the applicant’s irises and fingerprints. Clear also collects the applicant’s social security number and credit card number, which is used for payment, and biographic information for vetting. It makes digital copies of identifying documents like passports or driver licenses. It is allowed by the TSA to retain all of these things in its data centers.
- Verified Identity Pass could sell its customer information to another Registered Travel operator. Verified Identity Pass states, in a letter to customers, that the personal information it has collected could potentially be sold to third-parties. In answer to the question, “will personally identifiable information be sold?” VIP answers, “The personally identifiable information that customers provided to Clear may not be used for any purpose other than a Registered Traveler program operated by a Transportation Security Administration authorized service provider. Any new service provider would need to maintain personally identifiable information in accordance with the Transportation Security Administration’s privacy and security requirements for Registered Traveler programs. If the information is not used for a Registered Traveler program, it will be deleted.”
- TSA deflected concerns about what might happen to Clear's customer information. In its own statement about Clear, TSA answers concerns about disposition of personal information this way: “Questions about how the data is managed should be directed to the vendor. Clear has assured TSA that it is appropriately safeguarding the data. RT service providers were required to use customer data for purposes of the RT program unless customers expressly opted-in to other uses.”
Based on the facts, I’ve concluded that:
- The Bush administration’s disregard for citizen privacy will take years to undo. The TSA’s feeble response to the issue of Clear’s customer data laughable. How can the TSA simply “direct questions to the vendor?” The TSA Undersecretary must be high — and not 35,000 feet high, either. Despite all of the fine words in the recent cybersecurity plan (which I blogged about recently) noting the importance of citizen privacy, these are not a substitute for action. Inaction, in this case, speaks louder than words.
- Some things shouldn’t be left to the private sector. When the Aviation and Transportation Security Act was passed, it established the TSA’s authority to take over passenger screening operations at airports. Why? Because the private sector was seen as doing a lousy job, and the function was thought to be so vital to the national interest that it should be run by the government. Why should the Registered Traveler program be any different? The Clear program hasn’t exactly kept its nose clean: nearly a year ago, staff lost an unencrypted laptop containing personal information on 33,000 passengers.
Search Forrester's Blogs
Free Mobile Mind Shift Webinar Series
Learn how to win your customers' mobile moments in this three-part series »
Free On-Demand and Live Events
Latest events from Forrester analysts, online and in person. »