Should Verified Identity Pass destroy or store passenger information?
by Steve Ragan - Jul 1 2009, 16:15
By now the news is out: Verified Identity Pass, Inc. (VIP) was unable to secure a new deal with its senior creditor, and as such the company has folded like a player with a poor poker hand. However, the child company of VIP, Clear, held a good deal of information on customers who used the service to skip long security lines at the airport. Should VIP continue to secure and store the data or simply destroy it?
For a few hundred dollars a year, $200 USD to be exact, members would offer up all the normal personal information, including names, birthdates, addresses, and Social Security Numbers, as well as added information like employment history, photographs, and credit card numbers, to enroll in Clear. Members offered up biometric information too, such as fingerprints and iris images.
In return for this complete profile, a person could get a faster pass into the flight gates, bypassing the long lines at the airport security checkpoints. To some, the service was gold; to others, it was an expensive extravagance. Now that the company has officially gone under, the first question raised by privacy watchdogs and government officials was what will happen to all of this data?
VIP explained in a statement that all of the airport kiosks used by Clear were systematically being wiped clean. “The triple wipe process we used automatically and completely overwrites the contents of the entire disk, including the operating system, the data, and the file structure,” VIP said. It also “prevents and thoroughly hinders all known techniques of hard disk forensic analysis.”
This same data removal process is being used on the computers assigned to VIP employees. The entire protection and removal plan was developed and is currently being seen through to the very end by Lockheed Martin, remaining consistent with TSA policy. Once the information has been wiped, Clear members will get one final email informing them that the information is deleted.
While the process VIP has taken to protect data has been covered in the press, in countless pundit interviews and expert thoughts, the one aspect that has not seen nearly enough coverage is exactly what the members think of all of this. Do the members want the data wiped, as is the current plan, or do they want it totally removed?
Clear will wipe the data and secure it, according to the TSA, but let’s be honest, the TSA doesn’t have a spotless security record when it comes to data protection. Lockheed does, but they have to conform to the TSA standards in the end. There is the issue of information sales as well.
In the VIP FAQ on the company’s business troubles, under the heading asking if the information collected will be sold, the company had a cryptic answer.
“The personally identifiable information that customers provided to Clear may not be used for any purpose other than a Registered Traveler program operated by a Transportation Security Administration authorized service provider. Any new service provider would need to maintain personally identifiable information in accordance with the Transportation Security Administration’s privacy and security requirements for Registered Traveler programs. If the information is not used for a Registered Traveler program, it will be deleted.”
So will it be sold? Based on this answer, yes it will, as long as the company purchasing it is approved by the TSA as a registered traveler service provider. Clear is removing data on employee computers and kiosks; however, the central collection of member data is being kept intact and stored. How else would they justify its sale to a TSA-approved service provider?
If you are wondering, there are no refunds for those who renewed their Clear membership before the company collapsed. “At the present time, Verified Identity Pass, Inc. cannot issue refunds due to the company’s financial condition,” they explain, while pointing out they haven’t “commenced any proceedings under the United States Bankruptcy Code.”
Use the comments or email us at security@thetechherald.com and tell us what you think about Clear’s collapse and what you want VIP to do with your data. Do you care if it is sold to another registered traveler service? Are you happy they are taking the steps they’ve reported with regard to data removal? Would you rather they just destroyed all the data, leaving you with the choice to register it all again should you choose a similar service?
