Three days after ceasing operations, owners of the Clear airport security screening service acknowledged that their database of sensitive customer information may end up in someone else’s hands, but only if it goes to a similar provider, authorized by the U.S. Transportation Security Administration.
Until this week, the Clear service had given customers a way to skip long security lines in certain airports. For a $199 annual fee, air travelers could be pre-screened for flight and then use Clear’s security checkpoints instead of the TSA’s. Clear was run by New York’s Verified Identity Pass, which also shut down on Monday.
Customers had to provide personal information, including credit card numbers, fingerprints and iris scans in order to participate in the program. After Clear abruptly shut its doors—it has not yet declared bankruptcy—some worried that this data could fall into the wrong hands.
“They had your social security information, credit information, where you lived, employment history, fingerprint information,” said Clear customer David Maynor, who is chief technical officer with Errata Security in Atlanta. “They should be the only ones who have access to that information.”
Maynor wants Clear to delete his information, but that isn’t happening, the company said in a note posted to its Web site Thursday.
Clear’s IT partner, Lockheed Martin, is working with the company “to ensure an orderly shutdown as the program closes,” Clear said. But in a section of the note entitled, “Will personally identifiable information be sold?” Clear acknowledged that it could be used by someone else, presumably if Clear’s assets were sold. “If the information is not used for a Registered Traveler program, it will be deleted,” Clear said.
Boasting more than 260,000 customers, Clear was the largest private company authorized to provide airport security services, under a TSA program called Registered Traveler. Other providers, who may now be interested in purchasing Clear’s assets, include Flo and Preferred Traveler.
Until Clear’s demise, Registered Traveler companies operated in about 20 airports nationwide. Once a traveller has registered with any one of these companies, he is given a travel card that can be used for security screening by any company in the Registered Traveler program.
Last year the TSA temporarily yanked Clear’s Registered Traveler status after the company lost an unencrypted laptop containing data on 33,000 customers at San Francisco International Airport. A few days later, Clear was allowed back into the program after the laptop mysteriously reappeared and the TSA determined that Clear was properly encrypting data.
Although it appears to be retaining information on its central databases, Clear said it has erased PC hard drives at its airport screening kiosks, and it is wiping employee computers as well, using what it calls a “triple wipe process.” This technique, used by the U.S. Department of Defense, is considered to be a reliable way of erasing data.
“Clear is communicating with TSA, airport and airline sponsors, and subcontractors, to ensure that the security of the information and systems is maintained throughout the closure process,” the company said.
Customers will be notified via e-mail when their information is deleted.
That wasn’t good enough for Maynor. “How about the opposite? Where if they sell my information, they send me an e-mail,” he said.