NEW YORK (AP) — More than a quarter million people are wondering what will happen to their fingerprints, social security numbers, home addresses and other personal information now that a company that sped them through airport security is out of business.
Government officials are wondering too.
The sudden shutdown of the Clear program, run by Verified Identity Pass Inc., this week has raised more concerns about who keeps our personal information, how well it’s protected from theft and whether it could be sold to the highest bidder.
If Verified files for bankruptcy protection or is taken over by another company, security experts say it’s unlikely customers’ private data would be handed over to creditors or new owners. But they — as well as some members of Congress — are starting to trace the data trail.
Worries about protecting personal information and the danger of identity theft cover many areas of life in the 21st century beyond travel — from drawing cash out of an ATM to handing a credit card over to a store or restaurant.
On Tuesday, the parent company of retailers T.J. Maxx and Marshall’s said it will pay $9.75 million in a settlement with a number of states related to massive data theft that exposed tens of millions of payment card numbers.
Clear said it will secure the personal information it gathered, which it says it handled according to Transportation Security Administration standards, and will “take appropriate steps to delete the information.” Clear only provided information to TSA when it was part of the agency’s pilot program, Registered Traveler, which ended in July 2008.
In a statement on its Web site Friday, Verified Identity Pass said that all of its Clear airport kiosks have been wiped clean of data. Employees’ laptops are in the process of being cleared.
Although it was a private company, Clear had to follow TSA guidelines and report personal information to the TSA to get its members through special fast-lane security lines at about 20 airports.
Spokesman Greg Soule said Friday that the agency didn’t keep any data for passengers after July 2008, when Clear began operations as a fully private company. Soule said that the TSA is obligated to delete all information it collected during the pilot program by July 31.
Soule emphasized that Clear was a private company responsible for destroying its own data.
But security experts are still questioning the TSA’s methods. Some say the Transportation Security Administration should manage passenger data better and not store so much of it for so long.
“This question about whether or not (the TSA is holding on to information from Clear customers) is actually part of a bigger debate,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center. “This is just one of the long-running battles; they simply keep too much data on too many people for too long,”
The intimate information shared with the TSA by Clear could leave some people especially vulnerable if there were a security breach, he said.
In addition to information such as social security numbers and home addresses, Clear took eye scans, fingerprints and digital photos of every one of its approximately 260,000 members.
“I think the customers of Clear should be concerned about this,” Rotenberg said. “Fingerprints are one of the most effective ways to (steal someone’s) identity.”
Clear grew out of the government agency’s Registered Traveler program, which requires “biometric identifiers.” Two similar companies — FLO and Vigilant, still operate similar databases, but are far smaller.
Rotenberg said he doesn’t believe that all the data the TSA collected from Clear members is going to be deleted. And the longer the data is held, the more potential there is for leaks.
TSA’s own record raises doubts about the security of personal information it holds. In 2007, it lost an external hard drive containing the personal and financial information of 100,000 current and former agency workers. In 2006, the TSA inadvertently exposed thousands of Americans’ personal information on the Internet when they launched an unsecured Web site to help travelers whose names were incorrectly on airline watch lists.
Clear had breaches as well. Last year, the TSA suspended the program temporarily after a laptop containing pre-enrollment records of about 33,000 customers was lost at San Francisco International Airport.
On Thursday, the House Committee on Homeland Security sent a letter to TSA Assistant Secretary Gale Rossides expressing concern about the handling of Clear members personal data.
“While we recognize that Clear is not a government program managed by TSA, we are concerned about the protocols Verified Identity Pass will implement in the next few days as Clear winds down,” the letter read. “…It appears the TSA allowed the private sector to determine a method of storage and disposal of extremely sensitive personal information. It is our understanding that TSA’s directives are silent on the disposal of data in the event of a company’s merger, buy out, or bankruptcy.”
The letter went on to say that the committee is “concerned about the safety and security of the information currently held by Clear.”
Rotenberg said he doesn’t think the TSA is properly prepared to deal with removing the large amount of private information from Clear customers.
“It’s not clear to me that they’re really going to destroy it,” he said. “The TSA policy does not appear to adequately consider the consumers of Registered Traveler programs if the company ceases operations. I don’t think they anticipated this.”

A look at what TSA and the airlines know about you

Here’s a look at what the Transportation Security Administration and the airlines know about the traveling public:

Under a new TSA program called Secure Flight, four unnamed airlines are
now providing names of passengers to the TSA. The others check watch
lists individually.

— The agency is also asking passengers to provide date of birth and gender.

How long does TSA hold onto your information?

— Data related to names that don’t match a watch list is held for 7 days.

— Data for names that are a potential match for the watch list are held for 7 years.

— Information for names matching a watch or “No Fly” list will be held for 99 years.

Starting in August, the TSA will ask all airlines to provide names, birth dates and genders.

Source: TSA

Only subscribers are eligible to post comments. Please subscribe or login first for digital access. Here’s why.

Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.