Blogger: Kevin Kampman
The Clear registered traveler program is responding to subscriber questions and concerns, and providing us some very relevant considerations for identity services. In correspondence that came out Friday afternoon, Clear indicated that:
• The service provided are no longer available at airports
• Privacy information has been secured in accordance with “Transportation Security Administration's Security, Privacy and Compliance Standards” (which don’t by the way, identify what happens in the case of a company failure)
• Clear, TSA, and Lockheed Martin (identified as the lead systems integrator for Verified Identity Pass, Inc, the company behind Clear) are working on an orderly program shutdown
• Clear computers and disks assigned to airport kiosks and to Clear employees are being “triple wiped” to destroy all data and software
• The identity information collected by Clear could be transferred to another service provider in accordance with TSA’s Registered Traveler Program polices, but no such transfer was identified. It is more likely that the information will be destroyed.
• Clear is working with TSA, airports, partners and subcontractors to keep subscriber information secure.
• There will be no refunds, support, or other consideration for subscribers.
The bottom line is that the service that subscribers bought into and the data collected is history. I for one am happy that I didn’t respond to their recent special offers, for example, for Father’s Day (“Reminder: There's still time - Dad deserves 5 star service (and a new tie)”). Here’s a sad joke: What do a Clear smartcard and a necktie have in common? Answer: They’re both useless.
Watching Clear’s demise, I see some disturbing parallels. One example is electronic patient records. I would be very careful, based on this experience, to ask:
• What regulations protect the information
• Who owns the information
• Who holds the information, and how can it be archived or transferred
• How is it secured, and how can it be corrected, modified, and deleted
• Who can see the information, and under what circumstances
• How are breaches detected, how will they be remediated,
• Who is liable for lapses, omissions, or damages?
In the case of Clear, it is likely that the only lasting damages will be to registered travelers’ wallets. However, the questions that emerged from Clear’s failure should be a bellwether for future identity-related private-public initiatives.
Comments