Web: www.thetravelstrategist.com — E-Mail: firstname.lastname@example.org
24/06/2009 – Verified Identity Pass & Clear Vanish : Why & What Happens Now?
The departure of the Registered Traveler “Clear Program” isn’t all that clear. What is clear is that on the morning of Monday, June 22nd, Clear sent out an easy-to-overlook, rather unclear e-mail to its users informing them that Clear would cease to exist at 11:00pm PST.
While many airline industry observers are focusing on what caused Verified Identity Pass’ “Clear” to abruptly close, the root causes of Clear’s demise are quite clear to me.
Clear, formerly the largest Registered Traveler program provider, failed to meet the majority of its objectives as originally promised to its members and misjudged its value to frequent flyers.
Below are four simple reasons Clear failed and has jeopardized the Registered Traveler program:
1) Clear was only available at 22 of the roughly 600 airports in the U.S. certified to operate commercial airline flights. Of the 10 busiest airports in the U.S. by passenger traffic, Clear was only available at 3.5 of them (3.5 of them because Clear was only available in limited terminals at JFK Airport). Of the top five busiest airports in the U.S., Clear was only available at two of them, one of which has high transfer traffic rather than origin traffic, and origin passengers would be the primary beneficiaries of Clear.
2) Those who used the Clear program were required to remove their shoes, remove their jackets, remove their laptops and proceed through standard TSA checkpoints, and were subject to “SSSS” on boarding passes and to secondary screening. The Registered Traveler program was supposed to simplify this process.
3) Clear was never embraced by the Transportation Security Administration (TSA) or many airlines. The TSA largely felt as if Clear was forced upon them and was potentially a competitor. Many airlines viewed Clear’s ‘cut the line’ perk as a competitor to their established ‘elite access lines.’
Aside from the four simple reasons Clear failed, Verified Identity Pass (VIP) was also unable to prove its ability to secure the sensitive data its members entrusted it with. While VIP operated under the authority of the Department of Homeland Security (DHS), its practice of not encrypting data is quite shocking.
In May of 2008 a laptop containing the complete personal information of 33,000 Clear users and applicants was found to be missing from an unsecured Clear office at San Francisco International Airport. It was mysteriously found 10 days later exactly in the spot it went missing from. The missing laptop with names, dates of birth, passport numbers, credit card information and biometric data for 33,000 Clear users and applicants was not encrypted. The laptop did require two passwords; however, two passwords can be fairly easy for a hacker to bypass. Once the laptop was found it was determined that it was ‘intact’ with no investigation of whether or not the hard drive had been cloned before the laptop was returned.
You can read what I had written regarding this incident in detail here:
5/08/2008 – ‘Clear’ Registered Traveler User Information Stolen
9/08/2008 – Stolen ‘Registered Traveler’ Laptop Found, But Is The Data Safe?
Given VIP’s lack of security surrounding the sensitive data provided by Clear users, what happens to this data now? The company is bankrupt, its phones are off and it’s out of money.
VIP claims that they will comply with the TSA and delete all the files. Formatting all the hard drives is time-intensive and expensive; who will cover the costs of a supervised and secure removal of all the sensitive data? With VIP having secure data stored on non-encrypted hardware, what security measures are in place to ensure that the data will not be pirated?
Currently VIP is in possession of the personal data for more than 260,000 individuals (it is probably closer to 300,000 individuals). This data includes not only full names, dates of birth, addresses, passport numbers and credit card numbers, but also individual biometric information including retinal scans and fingerprints. Access to this range of information creates countless security risks.
While some are downplaying the security risks posed by the access to VIP’s user data, I see a risk far beyond bank fraud and credit theft.
While it is widely accepted that the majority of Clear’s users included a range of business travellers and some leisure travellers, there are quite a few ‘higher profile’ users that create a significant security risk. Some of the ‘high profile’ users of Clear include government officials, high level scientists, politicians, security and defense experts, financial executives and others who would be of ‘significant interest.’ Who are these users of ‘significant interest’ to? Probably not terrorists, but more likely for identity theft, corporate espionage, national security breaches, information theft, extortion and other not so nice things.
From here the company assets will be sold off, but what happens to the data if it is not cleared off all the hardware? What if another company wants to purchase the assets including all the customer data? Possibly a competitor or an upstart Registered Traveler provider?
VIP has failed to maintain security standards throughout its short history. It is not often I suggest that the Department of Homeland Security (DHS) get involved in anything; however, potentially the best outcome is that the DHS steps in, seizes the hardware and directly oversees the destruction of all of VIP’s Clear files prior to the liquidation and sale of Verified Identity Pass and Clear’s assets.