Fate of private data vague as firm closes
By SAMANTHA BOMKAMP
Associated Press
NEW YORK — More than a quarter million people are wondering what will happen to their fingerprints, Social Security numbers, home addresses and other personal information now that a company that sped them through airport security is out of business.
Government officials are wondering, too.
The sudden shutdown of the Clear program, run by Verified Identity Pass Inc., last week has raised more concerns about who keeps our personal information, how well it's protected from theft and whether it could be sold to the highest bidder.
If Verified files for bankruptcy protection or is taken over by another company, security experts say it's unlikely customers' private data would be handed over to creditors or new owners. But they — as well as some members of Congress — are starting to trace the data trail.
Worries about protecting personal information and the danger of identity theft cover many areas of life in the 21st century beyond travel — from drawing cash out of an ATM to handing a credit card over to a store or restaurant.
On Tuesday, the parent company of retailers T.J. Maxx and Marshall's said it will pay $9.75 million in a settlement with a number of states related to massive data theft that exposed tens of millions of payment card numbers.
Clear said it will secure the personal information it gathered, which it says it handled according to Transportation Security Administration standards, and will "take appropriate steps to delete the information."
In a statement on its Web site Friday, Verified Identity Pass said that all of its Clear airport kiosks have been wiped clean of data. Employees' laptops are in the process of being cleared.
Although it was a private company, Clear had to follow TSA guidelines and report personal information to the TSA to get its members through special fast-lane security lines at about 20 airports.
The TSA, however, has stopped short of promising that it will delete the information it has stored from Clear, and won't say why. Spokesman Greg Soule said, though, that the agency didn't keep any data for passengers after July 2008, when Clear began operations as a fully private company.
Some experts say the Transportation Security Administration should manage passenger data better and not store so much of it for so long.
"This question about whether or not (the TSA is holding on to information from Clear customers) is actually part of a bigger debate," said Marc Rotenberg, executive director of the Electronic Privacy Information Center. "This is just one of the long-running battles; they simply keep too much data on too many people for too long."
The intimate information shared with the TSA by Clear could leave some people especially vulnerable if there were a security breach, he said.
In addition to information such as Social Security numbers and home addresses, Clear took eye scans, fingerprints and digital photos of every one of its approximately 260,000 members.
"I think the customers of Clear should be concerned about this," Rotenberg said. "Fingerprints are one of the most effective ways to (steal someone's) identity."
Clear grew out of the government agency's Registered Traveler program, which requires "biometric identifiers." Two similar companies — FLO and Vigilant, still operate similar databases, but are far smaller.
Rotenberg said he doesn't believe that all the data the TSA collected from Clear members is going to be deleted. And the longer the data is held, the more potential there is for leaks.
TSA's own record raises doubts about the security of personal information it holds. In 2007, it lost an external hard drive containing the personal and financial information of 100,000 current and former agency workers. In 2006, the TSA inadvertently exposed thousands of Americans' personal information on the Internet when it launched an unsecured Web site to help travelers whose names were incorrectly on airline watch lists.
Clear had breaches as well. Last year, the TSA suspended the program temporarily after a laptop containing pre-enrollment records of about 33,000 customers was lost at San Francisco International Airport.
On Thursday, the House Committee on Homeland Security sent a letter to TSA Assistant Secretary Gale Rossides expressing concern about the handling of Clear members personal data.
"While we recognize that Clear is not a government program managed by TSA, we are concerned about the protocols Verified Identity Pass will implement in the next few days as Clear winds down," the letter read. "... It appears the TSA allowed the private sector to determine a method of storage and disposal of extremely sensitive personal information. It is our understanding that TSA's directives are silent on the disposal of data in the event of a company's merger, buyout, or bankruptcy."
The letter went on to say that the committee is "concerned about the safety and security of the information currently held by Clear."
Rotenberg said he doesn't think the TSA is properly prepared to deal with removing the large amount of private information from Clear customers.
"It's not clear to me that they're really going to destroy it," he said. "The TSA policy does not appear to adequately consider the consumers of Registered Traveler programs if the company ceases operations. I don't think they anticipated this."