By Melissa Ngo, ACLU Technology & Liberty Project
The Transportation Security Administration announced Monday that it has suspended “Verified Identity Pass, Inc. (VIP) -- the company that operates Registered Traveler (RT) programs under the brand name Clear® -- from enrolling new applicants in RT due to vulnerabilities discovered in the company's storage of Clear® applicants' sensitive personal information.” TSA suspended the company after learning the company had lost an unencrypted laptop with “pre-enrollment records of approximately 33,000 customers” on July 26. The laptop reappeared yesterday in the same San Francisco International Airport office that it was taken from, but not in the same location, according to the San Francisco Chronicle.
Clear says the computer held names, addresses, birth dates, and driver's license, passport and green card data for program applicants, but no biometric data or Social Security numbers. However, this data is still valuable to thieves, and the unencrypted laptop could be seen as containing 33,000 identity theft kits.
Clear records can contain even more sensitive data: an applicant’s credit card information; “a digital photo and digital images of all of the applicant's fingerprints and his or her irises”; previous home addresses for the past five years; and digital images of passports and driver's licenses.
Not only is Verified Identity Pass violating TSA security requirements by leaving sensitive data unencrypted on a laptop, but the company is also breaking its own promises to customers. Check out the company’s statement on data security: “We use encryption (a strong data coding process) for all program sensitive data communications.”
Verified Identity Pass is notifying customers of the breach and says they “will now include the finding that the laptop has been found and that no one attempted to access that information, let alone obtained it.” However, this is based on the company’s own “preliminary investigation.” Law enforcement officials are separately analyzing the unencrypted computer and have not announced whether the data was accessed or copied.
The Registered Traveler/Clear program was created under the mistaken assumption that if one can identify an individual, then one can learn that person’s intent. But that is just wrong. Criminals will choose applicants without previous links to terrorism, who can pass the background checks, to commit their crimes. For example, Timothy McVeigh and the Unabomber could have passed the background checks – they had no previous links to terrorism.
In an excellent analysis of the problems in Registered Traveler, security expert Bruce Schneier explains, “The truth is that whenever you create two paths through security -- a high-security path and a low-security path -- you have to assume that the bad guys will find a way to exploit the low-security path. It may be counterintuitive, but we are all safer if the people chosen for more thorough screening are truly random and not based on an error-filled database or a cursory background check.”

ACLU Guest Post: “Trusted Traveler” Program Suspended After 33,000 Customers’ Records Went Missing