TSA asked to ensure safety of customer data after Clear closing
Transportation security agency given July 8 deadline to explain how private information will be safeguarded
Computerworld - The chairman of the House Committee on Homeland Security has given the Transportation Security Administration until July 8 to explain how the agency plans to ensure the security of private data collected by a recently shuttered company that offered a registered traveler program.
In a letter to the TSA's acting assistant secretary, committee Chairman Bennie Thompson (D-Miss.) expressed his concern over the abrupt closure of Verified Identity Pass Inc.
For a $199 annual fee, New York-based VIP offered a service called Clear that was designed to help air travelers get through airport security checks faster by vetting their identities and backgrounds in advance.
VIP was the largest of seven private companies approved by the TSA to operate a registered traveler program. VIP announced it was ceasing operations on June 21 because of financial reasons. The announcement prompted immediate concerns about the privacy and security of the detailed personal identity information, including fingerprints, iris scans and digital images, the company had collected on its approximately 260,000 customers.
In his letter last Friday, Thompson expressed similar concerns over the "handling" of personal identity data in the aftermath of the Clear shutdown. Though the registered traveler program is run by private companies, it is authorized by the TSA, which set specific requirements for the operators to follow, Thompson said. The requirements included the need for every operator of the service to collect details such as full legal names, home address, date and place of birth, gender, height, driver's license number, passport details and other information.
At the same time, the agency appears to have been silent on what steps should be taken if a company that collects the data were to go out of business, merge or be acquired by another company, Thompson noted.
"We are concerned about the security and safety of the information currently held by Clear," Thompson wrote. He asked the TSA to explain what role it will play in ensuring that "adequate privacy protections are in place prior to any disposition of the personally identifiable information." He also asked whether VIP had informed the TSA about its plans to shut down Clear, and whether the agency had asked the company about its plans for securing the personal data.
A TSA spokesman said the agency is in the process of drafting a response to Thompson's letter. The spokesman also pointed to an FAQ that the TSA posted on its Web site on Monday that directed questions about the Clear program back to the vendor.
"CLEAR has assured TSA that it is appropriately safeguarding the data," the FAQ noted. It also said that registered traveler service providers are required to use any collected data solely for the purpose for which it was intended unless customers had "expressly opted-in to other uses."
VIP, after initially offering no details on its plans for the collected data, has been more forthcoming over the past few days. In a note posted on the company's Web site, VIP assured customers that their information is being secured in conformance with the TSA's security and privacy requirements. The note also said that the company is using a "triple wipe" process to completely erase hard disks containing customer data at airports.
In addition, Lockheed Martin, the lead systems integrator for the Clear program, "remains committed" to protecting the privacy of information stored on VIP's central databases, the note said.
Despite such assurances, the company left open the possibility that the data could end up being acquired or sold to a third party, but only if it was going to be used for a registered traveler program.
"If the information is not used for a Registered Traveler program, it will be deleted," VIP said.
Read more about Security in Computerworld's Security Topic Center.
This pilot fish is a contractor at a military base, working on some very cool fire-control systems for tanks. But when he spots something obviously wrong during a live-fire test, he can't get the firing-range commander's attention.
- IT Certification Study Tips
- Register for this Computerworld Insider Study Tip guide and gain access to hundreds of premium content articles, cheat sheets, product reviews and more.
- Reduce federal infrastructure risk with compliance management and situational awareness
- IBM continuous monitoring and management solutions deliver real-time situational awareness to help federal agencies understand vulnerabilities, and protect the infrastructure.
- SANS: Next-Generation Datacenters = Next-Generation Security
- This whitepaper takes a look at some new technology that may allow security teams to implement more flexible and capable protection models in...
- SANS: Protecting Virtual Endpoints with McAfee Server Security Suite Essentials
- SANS review of McAfees Server Security Suite Essentials that address some of the emerging challenges of securing virtual platforms and cloud environments.
- Safeguarding the Next-Generation Data Center
- Use of virtual and cloud servers has exploded. Unfortunately, security often lags behind. McAfee recommends looking at innovative solutions in order to erect...
- Aberdeen: Securing the Evolving Datacenter
- This report highlights ways security technologies and services are evolving to provide the visibility and control needed to deploy workloads flexibly in the... All Government IT White Papers
- Is SQL Server AlwaysOn really as powerful? Tips and Tricks from the field With the introduction of AlwaysOn, Windows Clustering Services is now more critical than ever.
- What Does it Take to Deliver a Superior Customer Experience? The Two Top-Rated Online Retailers, B&H Photo and Crutchfield Electronics, Share Their Secrets Discuss practical CX tools and service methods such as contact center agents and the use of realtime speech analytics to help contact center...
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily...
- On Demand: Mastering the Art of Mobile Content Management Mobile device usage in the enterprise has skyrocketed, and it continues to escalate. IT must answer to users who demand access to their...
- DevOps with PureApplication System: Reduce cost and speed delivery with an integrated IBM Cloud solution Join this webcast to hear what ING Netherlands has been able to achieve while deploying DevOps tools from IBM Rational. An ING executive...
- All Government IT Webcasts