"Clear" Air-Travel Pass Data Stolen From SFO
Posted by
timothy
on Tue Aug 05, 2008 11:12 AM
from the is-kip-hawley-thetan-clear? dept.
Kozar_The_Malignant writes "A laptop containing the unencrypted security data for 33,000 travelers using the Clear system was stolen at San Francisco International Airport on July 26, according to CBS5 Television. The Clear system allows travelers who register and pay a $100.00 annual fee to speed through airport security by using a smart card at special kiosks in some airports. TSA has suspended new registrations in the system, which is run by a private contractor, Verified Identity Pass, Inc., a subsidiary of GE. The laptop was apparently stolen from a locked office at SFO. The company has now decided that it might be a good idea to encrypt the data in their systems. They are in the process of notifying customers that all of their personal data, including name, address, Social Security number, passport number, date of birth, etc. has been compromised."
Related Stories
"Clear" Laptop Found, In the Same Locked Office 264 comments
jafo alerts us to an SFGate story reporting that the lost "Clear" Program laptop has turned up in the same office from which it was reported missing, but not in its previous location. "A preliminary investigation shows that the information was not compromised... The computer held names, addresses and birthdates for people applying to the program, as well as driver's license, passport and green card information. But, she said, the computer contained no Social Security numbers, credit card numbers, fingerprints, facial images or other biometric information... The information was encrypted on the server, but not on the laptop, although it should have been... However, it was protected by two levels of passwords." Reader jafo adds, "Pardon me if I have little confidence that an organization that loses a sensitive laptop for 9 days is able to tell if it was compromised."
News: TSA Asked to Ensure Safety Of Customer Data After Clear Closing 75 comments
CWmike writes "The chairman of the House Committee on Homeland Security, Bennie Thompson (D-Miss.), has given the Transportation Security Administration (TSA) until July 8 to explain how the agency plans to ensure the security of private data collected by a recently shuttered company that offered a registered traveler program. In a letter to the TSA's acting assistant secretary, Thompson expressed his concern over the abrupt closure of Verified Identity Pass (VIP), which offered a service called Clear for a $199 annual fee that helped air travelers get through airport security checks faster by vetting their identities and backgrounds in advance. VIP has left open the possibility that the data could end up being acquired or sold to a third-party, but only if it was going to be used for a registered traveler program."
Security theatre (Score:5, Interesting)
To have a company intimately involved with *security* not apparently able to manage their own security in a manner that protects the country and their customers is a joke. Fine... having a laptop stolen is common enough and I don't fault them, but having unencrypted data of 33,000 of your customers on that laptop is a crime.
I never liked the idea of handing over private information in the security theatre that our nation has become, but events like this where private companies motivated by the lowest common denominator really get under one's skin. Why the data was stored in unencrypted formats is inexcusable. I don't know what the penalty should be for something like this, but it should be commensurate with the potential damage it could cause.
The whole point of outsourcing information and jobs like this to the private sector is to get the job done better and more efficiently. When the government then has to police these private companies like the TSA is apparently having to now do, the concept is made moot. So.... our options are to continue to live the security theatre with private companies like this or turn the job back over to the government (whose job it is to ensure safety of travel and should not have been in the business of verifying identity for air travel anyway).
Or... we could go back to the way things were when I could carry pocket knives on planes. (I also remember when you could carry long guns on planes back in the late 80's/early 90's.)
Re:Security theatre (Score:5, Insightful)
Yea, and this also brings some interesting light to the issue with "If you have nothing to hide, why don't you want to provide us with your [biometrics|passport|id|*]" argument.
Refusing to give away address, email, phones, SSID along with fingerprints is almost considered a crime in itself right now, since if you are not planning on terrorist activities, you don't have anything to hide, have you!?
But here, perfectly innocent people suddenly have all their personal information spread to criminal groups or whoever end up being the buyer of this information.
Scary stuff...
Re:Security theatre (Score:4, Insightful)
Yeah.... You have nothing to fear except fear itself..... and incompetence. So, just hand your data over to us and we'll verify that you are who you are which really does nothing for national security anyway because there is nothing that prevents someone from getting "cleared", then carrying out a crime later.
Re:Security theatre (Score:5, Interesting)
I've Got Nothing to Hide and Other Misunderstandings of Privacy [ssrn.com]
Re:Security theatre (Score:4, Informative)
I haven't made it far through the article, but it's good so far...
It's a great analysis of the issues, laying out what the heck privacy really is, anyway.
Re:Security theatre (Score:5, Funny)
I have no problem giving you my SSID, it's the WPA2 key that I have a problem giving out ;)
Re:Security theatre (Score:5, Insightful)
Don't get me wrong. I'm all about security where it's needed and where it's appropriate. I'd prefer not to be killed by a terrorist just as much as the next guy... but we've got to maintain some perspective here. You can't stop someone willing to commit suicide from killing people. Look at that guy in Japan that ran over people in a mall with a truck and then started stabbing people. He was armed with a KNIFE.
Throwing away our rights for the illusion of security depresses me.
Re:Security theatre (Score:5, Insightful)
Nice to see the almost automated partisan knee-jerk moderating system is still working.
Bury my posts as trolling as fast as you can. It's not /. it's digg!
I was going to mod you troll, but you genuinely seem to not understand the moderation, so I thought this might be more educational.
Your posts are moderated as "troll" because your argument is poorly reasoned, poorly expressed, and wholly inflammatory. You fail to address the claims of "security theater" (ie, why identity verification increases safety of travel), and instead provide a fallacious and derogatory argument.
Your blaming this on partisanship only demonstrates a total lack of cognizance of your churlish use of logical fallacies to further a point, and moderation as "troll" is well deserved.
This is slashdot, not digg, and I hope that we have the capability to hold discourse to a higher standard.
Re:Security theatre (Score:5, Insightful)
Asking someone to show ID to get on a plane seems reasonable to me.
How does knowing a passenger's identity increase your safety aboard an airplane? I'd rather allow anonymous travel and require mandatory pat-downs than believe I'm any safer because some government hack knows the name of the guy that's willing to die so he can kill a few others.
So much for not needing 'papers' to travel inside the US.
Re:Security theatre (Score:5, Insightful)
None of the Sept. 11th hijackers were in the U.S. illegally. All had legitimate forms of identification, and none used false identification. I doubt any were even suspected of terrorist ties.... We ask people to show ID as they get on airplanes for one reason and one reason only: to make people who can't see through the new sham measures feel safer.
Want to make people actually safer?
Re:Security theatre (Score:4, Insightful)
As a total dollar amount, sure, the U.S. seems to give a lot. I used to think that was pretty good until I saw the cold, hard math. Total dollars is just not a very interesting metric when you consider how wealthy the U.S. is as a nation. Per capita, the U.S. provides much less disaster relief money than any of the other major world powers, and as a percentage of our GNP, it's even more laughable.
Remember the parable of the widow who gave her two coins in the synagogue. People perceive that we as a nation give of our excess while so many others give in spite of their need. It's like a billionaire giving $500 at a charity auction. Even if it is more than all the other people combined, if that was his only donation to any charity, people will still call him stingy. The poor woman who gives the two pennies that would have helped feed her family... she is the one we should aspire to imitate as a nation.
Re:Security theatre (Score:5, Insightful)
The whole point of outsourcing information and jobs like this to the private sector is to get the job done better and more efficiently.
That might be the point for you, but for the government officials there are other points to consider:
1) Who bid the lowest.
2) Will the company chosen contribute enough money to my/our campaign in the future.
3) Is there a way I can profit from my choice of contractor.
The idea that someone would believe a company is chosen for its actual merits is ludicrous.
Re:Security theatre (Score:5, Insightful)
Well, choosing a company based on something abstract like merits is illegal because it's often used to hide #2 and #3. Price is the only consideration you are allowed. Yes, it's stupid, but it's the way the taxpayer demands it be done.
Honestly, do you think larger corporations are any different? Deals are always given to good old boy friends who will give you something later. It's not even illegal, like it is in government.
Re:Security theatre (Score:5, Interesting)
That's only true in the very last stage of bidding on government contracts. The key is to have the requirements written "properly". I put the last word in quotes because every contractor wants their special value-add to be made a requirement of all bid requests-- that way they're always cheapest and win the final bid. By the time the final wording is written into any request for proposals, the winner is usually no surprise.
Re:Security theatre (Score:4, Insightful)
The key is to have the requirements written "properly".
And that's part of the problem. The government, in many cases, outsources because it does not have the expertise to do the job. Not having the expertise also manifests itself in the lack of details in the requirements document. Just requiring a security company that can secure stuff isn't good enough, you need to elaborate. In many cases, you may need to elaborate into details like what encryption algorithms are usable, what are not, etc. Stuff your average government lackey would know nothing about.
Re:Security theatre (Score:5, Insightful)
"Price is the only consideration you are allowed. Yes, it's stupid, but it's the way the taxpayer demands it be done."
That USED to be the only consideration before the Bush administration came to town, that and if you had a token minority or woman in your executive suite you could win by exploiting affirmative action.
But, the Bush administration has been constantly sole sourcing and otherwise steering contracts to friends and contributors for 7 and a half years. There is a well oiled machine of Republican connected lobbyists who hooked companies up with a fast path to contracts. Karl Rove apparently tried to turn the entire executive branch into a political tool where government contracts were being steered to "good Republican" companies and as tools to get Republicans elected for bringing home the bacon to companies in their districts. Many of the contracts in Iraq, both in supporting the military and rebuilding Iraq (rebuilding it very badly it turns out), were done that way.
Maybe it's illegal but if no one enforces the law what does the law matter. The Bush administration had complete contempt for the law in little things like torture, spying on Americans, hiring and politically motivated prosecution in the DOJ etc, what makes you think they care about it in government contracting. If they dominated the executive branch, including the DOJ, and the Congress, which they did from 2000-2006 they knew no one would investigate anything, or enforce any law. Some private citizen or public interest group would've had to blow the whistle. When they've tried the Federal government has been very effective at smacking them down. I recall a number of instances where Federal contract monitors and auditors have questioned the performance and billing of politically well connected contractors, and if they didn't shut up and rubber stamp the payments the Bush administration just fired them and put someone in the job who would stop asking questions. There was an instance of this reported a couple weeks ago.
Even since the Democrats regained control of Congress the Bush administration has been very good at frustrating every attempt to investigate all their law breaking.
If the Republicans had managed to stack the courts a little better, and hadn't been so incompetent and corrupt that they started losing elections again in 2006 the law would have been pretty much history in the U.S.
Current Consumer Reports Magazine (Score:4, Informative)
See page 32.
Re:Current Consumer Reports Magazine (Score:5, Interesting)
I wonder how that number is affected when one considers that the government is more likely to be required to report these types of crimes whereas a private company is not (for the most part).
Re:Security theatre (Score:4, Informative)
The company in question was founded by Steven Brill who founded CourtTV and American Lawyer magazine.
He is from NY state and is a solid Democrat from what I can tell (according to his campaign contributions).
Re:Security theatre (Score:5, Insightful)
The whole point of outsourcing information and jobs like this to the private sector is to get the job done better and more efficiently.
That's the ostensible reason, the one they use to sell it to those who distrust government spending like libertarians, fiscal conservatives and some old-school Republicans.
The real reason is usually to privatize the profit centers, while continuing to keep the cost centers public, so the old boy network can continue to get slopped at the public trough.
Oh Please (Score:5, Informative)
Having worked the contractor side of Identity projects, I promise you the story as provided in the summary is the working norm.
Unsecured computers in the field with live identity information? Check.
Multiple copies of identity information floating around? Check.
Many **totally** unaware employees in the field with private data? Check.
Many **totally** unaware employees at the contractor's office passing private data? Check.
It boggles my mind anyone would believe it's better than that. The contractor suffers no consequences and the burden falls on the individual.
Which is why the rules, regs, and standards for handling private information are ***perfectly*** designed in the U.S. Not that any of you would get off your collective asses and do anything to change it.
CLARIFICATION, breach was limited. (Score:5, Informative)
This is from Clear customer support: consider the source and apply the appropriate amount of salt.
The only personal information that was compromised was for people who were in the midst of the application process. If you are already enrolled and have received your card, your personal info was not in the laptop that was stolen.
At this point, Clear is not planning to notify existing members that their personal info was not stolen. However, I strongly suggested that they rethink that policy, and notify all members of the extent of the breach. The news story quoted in this article doesn't make the distinction between pending applications and enrolled members.
Re:That's okay... (Score:5, Informative)
a security audit does not require you to give up your logins / passwords, if it does you're likely being social engineered.
How many times does this need to happen (Score:4, Insightful)
One word of this: Incompetent.
Re:How many times does this need to happen (Score:4, Interesting)
Exactly. Why is my Social Security number needed to purchase a cell phone and contract? Does my insurance company need it? Why do credit checks have to be run for everything nowadays? I would honestly prefer giving something like my fingerprint at the store, as long as the employee also had to give theirs, as a way of certifying "yes, they pressed their thumb, I watched them, and they were not coerced".
I think that the best thing that can happen is that more IDs are stolen, as in millions, as in IRS or some states database. If they can no longer be trusted, they will no longer be used..
Directed to the Systems Administrator of VIP, inc. (Score:5, Insightful)
Seriously?
$128, not $100 (Score:3, Funny)
From the "Clear" link: "Clear's first year price is $128."
I'd say that's a bargain to have your identity stolen!
Re:$128, not $100 (Score:5, Funny)
The extra $28 was added to include a year of credit monitoring I think.
Step 1: Encryption (Score:4, Insightful)
A laptop containing the unencrypted -
NEXT!!!
How does this system improve security, anyway? (Score:5, Interesting)
Assuming this system allows them to reliably identify a person, so what? Do they do extensive background checks and continuous monitoring to ensure that the people aren't involved in terrorism? Or if I have no obvious problems in my background and enough money to pay for it, can I get treated differently too?
Does it basically come down to people paying to not have to stand in line with the rest of humanity at the airport?
Re:How does this system improve security, anyway? (Score:4, Funny)
Does it basically come down to people paying to not have to stand in line with the rest of humanity at the airport?
Ding ding ding!
Lack of proper management (Score:5, Insightful)
Re:Lack of proper management (Score:5, Insightful)
CORPORATION, n. An ingenious device for obtaining individual profit without individual responsibility.
- The Devil's Dictionary
Skeptical (Score:5, Interesting)
I'm becoming quite skeptical about this whole 'stolen laptop' B.S. After the first few big news stories, I'd expect most corporations to have strict guidelines in place to prevent this sort of thing. And a policy of coming down hard, very hard, on violators.
I wonder how much one can get per personal record for selling this sort of data to organized crime. And cover your ass by reporting a stolen laptop.
Good write up (Score:4, Insightful)
This might be the best summary I have seen in some time. It has far more useful information than the linked news story. I want to personally thank the poster for that and suggest we could use a 'goodsummary' tag to balance the 'badsummary' tag that we so often see.
It shouldn't matter, but it does (Score:5, Funny)
Names, Social Security number, date of birth .. we need to stop using all of these as ID right now.
My suggestion is this. At some appropriate age, say 16-18 where most countries seem to issue ID, we each choose and commit to memory a graph G, such that the chance of a collision in all earth population is close to zero. Then whenever we need to prove our ID for air-travel or whatever we just need to go through several rounds of identity proof where we generate an isomorphic graph H, and show EITHER isomorphism between H and G, or a Hamiltonian cycle in H. After a sufficient number of rounds your identity would be certain to the required probability and you could be on your way.
The technique to do this mentally could be taught in schools. It's THAT SIMPLE!
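Stripped of the joke, the protocol sketched in the comment above is Blum's zero-knowledge proof of knowing a Hamiltonian cycle in a public graph: commit to a relabelled copy H of G, then on the verifier's coin open either the relabelling (showing H is isomorphic to G) or the cycle inside H. The Python below is an added example written for this page, not code from the original post or from Clear; every function and class name is its own. It supplies the one piece the comment leaves out, a commitment to each entry of H's adjacency matrix (SHA-256 over a random 16-byte nonce and the entry), since without it the prover could pick H after seeing the challenge. It also includes a cheating prover that holds no cycle and has to guess the challenge in advance, which is why a round only halves its chance of being accepted.

```python
import hashlib
import os
import random
from itertools import combinations

def edge(u, v):
    return (u, v) if u < v else (v, u)  # undirected edge as one canonical pair

def permute_graph(edges, pi):
    return frozenset(edge(pi[u], pi[v]) for u, v in edges)  # relabel vertices by pi

def cycle_edges(order):
    return frozenset(edge(order[i], order[(i + 1) % len(order)]) for i in range(len(order)))

def build_graph_with_cycle(n, extra_edges, rng):
    # Public graph G that hides one Hamiltonian cycle; the cycle is the prover's secret.
    order = list(range(n))
    rng.shuffle(order)
    edges, pairs = set(cycle_edges(order)), list(combinations(range(n), 2))
    while len(edges) < n + extra_edges:
        edges.add(rng.choice(pairs))
    return frozenset(edges), order

def commit(bit, nonce):
    return hashlib.sha256(nonce + bytes([bit])).digest()  # hash commitment to one matrix entry

def is_hamiltonian_cycle(n, edges):
    # One cycle through all n vertices: n edges, every degree 2, walk from 0 returns after n steps.
    if len(edges) != n:
        return False
    adj = {v: [] for v in range(n)}
    for u, v in edges:
        adj[u].append(v)
        adj[v].append(u)
    if any(len(nb) != 2 for nb in adj.values()):
        return False
    prev, cur, steps = None, 0, 0
    while cur != 0 or steps == 0:
        nxt = adj[cur][0] if adj[cur][0] != prev else adj[cur][1]
        prev, cur, steps = cur, nxt, steps + 1
    return steps == n

class Prover:
    # cycle_order is the secret; a prover built without it can only guess the challenge (the cheater).
    def __init__(self, n, edges, cycle_order=None):
        self.n, self.edges, self.cycle_order = n, edges, cycle_order

    def commit_round(self, rng=None, guess=None):
        # Step 1: random relabelling pi, H = pi(G), commitment to every entry of H's matrix.
        # A cheater guessing challenge 1 commits to a bare n-cycle instead, since it could
        # not open a Hamiltonian cycle inside pi(G).
        rng = rng or random.SystemRandom()
        if guess is None and self.cycle_order is None:
            guess = rng.randrange(2)
        self.pi = list(range(self.n))
        rng.shuffle(self.pi)
        self.H = cycle_edges(self.pi) if guess == 1 else permute_graph(self.edges, self.pi)
        self.nonces = {p: os.urandom(16) for p in combinations(range(self.n), 2)}
        return {p: commit(1 if p in self.H else 0, nc) for p, nc in self.nonces.items()}

    def respond(self, challenge):
        # Step 3: open all of H plus pi (challenge 0), or only the secret cycle's image in H (challenge 1).
        if challenge == 0:
            pairs = self.nonces
        elif self.cycle_order is not None:
            pairs = cycle_edges([self.pi[v] for v in self.cycle_order])
        else:
            pairs = self.H  # cheater: open every committed edge and hope they form a cycle
        return ("iso" if challenge == 0 else "cycle", self.pi if challenge == 0 else None,
                {p: (1 if p in self.H else 0, self.nonces[p]) for p in pairs})

def verify_round(n, edges, commitments, challenge, response):
    # Verifier: every opened entry must match its commitment and answer the challenge asked.
    kind, pi, openings = response
    if set(commitments) != set(combinations(range(n), 2)):
        return False
    for pair, (bit, nonce) in openings.items():
        if pair not in commitments or commit(bit, nonce) != commitments[pair]:
            return False
    if challenge == 0:
        if kind != "iso" or sorted(pi) != list(range(n)) or set(openings) != set(commitments):
            return False
        return frozenset(p for p, (bit, _) in openings.items() if bit) == permute_graph(edges, pi)
    if kind != "cycle" or any(bit != 1 for bit, _ in openings.values()):
        return False
    return is_hamiltonian_cycle(n, frozenset(openings))

def run_protocol(prover, n, edges, rounds=40, rng=None):
    # Full interaction; the verifier draws each challenge only after the commitments are fixed.
    rng = rng or random.SystemRandom()
    for _ in range(rounds):
        commitments = prover.commit_round(rng)
        challenge = rng.randrange(2)
        if not verify_round(n, edges, commitments, challenge, prover.respond(challenge)):
            return False
    return True
```

`run_protocol(Prover(n, G, secret), n, G, 40)` is the honest case and always succeeds; `run_protocol(Prover(n, G), n, G, 40)` is the cheater, accepted with probability 2^-40. The impractical part of the comment is not the proof but its premise: the secret is an entire graph the traveller has to memorise and permute in their head, which is the job a smart card or token normally does, and that token then becomes the thing that has to be protected.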
The system's name says it all (Score:4, Funny)
What was that info doing on a laptop? (Score:5, Informative)
What was that info doing on a laptop? That in itself is very suspicious. Nobody should have a full list of the "approved people" outside of an database where each access is logged. That's info a terrorist group would want. It gives them a list of people who won't be searched. Those are the ones to exploit to get something past security.
The laptop disappeared from a locked room at an airport. This wasn't an ordinary laptop theft. TSA has to assume that the database is now in hostile hands. So now everyone with a "Clear" card should be subjected to extra searches.
Let's check out the "Clear" privacy policy [flyclear.com]. "Clear and its subcontractors, pursuant to legal agreements, have a comprehensive information security program to ensure the privacy of Clear applicants and members as well as the integrity of our systems. We apply ID's and passwords to insure that access to systems and data is only on a need-to-know basis. We use encryption (a strong data coding process) for all program sensitive data communications." ... "In the highly unlikely event that a member is the victim of identity theft (defined as the taking of a member's personal information so that fraudulent transactions are made in the member's name) that is the result of any unauthorized dissemination by Clear or its subcontractors, or theft from Clear or its subcontractors, of the member's personal data collected by Clear, we will reimburse the member for any otherwise unreimbursable monetary costs directly resulting from such Identity Theft. In addition, Clear will, at its own expense, offer any such member assistance in restoring the integrity of the member's financial or other accounts." ... "Clear has appointed an independent, outside Privacy Ombudsman, Law Professor Paul Schwartz [paulschwartz.net], noted privacy expert and advocate. He will be identified to members as the person to contact if a member has a privacy complaint or privacy problem with administration of the Clear system or fidelity to our published Privacy Policies. The Independent Privacy Ombudsman is empowered to investigate all privacy complaints, gather the facts, and respond to members, as well as to post responses publicly and prominently on our website."
Yet there's no announcement of the security breach on the Clear web site.
next time... (Score:4, Insightful)
It will be interesting to see the fallout from this episode of "Security Theatre".
Make it a punishable offense. (Score:5, Insightful)
I don't understand why there aren't penalties for this sort of thing. The way I see it this qualifies as criminal negligence because the ramifications for an individual of having their identity stolen can be severe.
If loss of personal data is somehow attributable to negligence on the part of the company, in this case the lack of encryption and maybe not securing the laptop properly, the company should be penalized. The most obvious would be a fine; let's say $10,000 for each account.
My bank, or companies they do business with have managed to lose a significant amount of customer information, not once, but twice in the past year. They mailed out notices and provided customers with some bullshit free access to credit monitoring for 12 months, later extending it to 18 or 24 months. And that's that, it's out of their hands.
But then what the hell do politicians care? With financial institutions like Countrywide giving out extra-low interest rate VIP loans to congressmen they have no incentive whatsoever to look out for our best interest.
Private information stolen from CLEAR (Score:5, Funny)
Simple solution (Score:5, Funny)
Just add all those names to the no-fly list.
Re: (Score:3, Funny)
But they were the ones who bought enough congressmen and senators to get the job...surely you're not suggesting there's a better way to choose government contractors?
Re:Does nobody use disk encryption? (Score:5, Insightful)
WTF was data like this doing on something nice and portable like a laptop anyway? I bet it was in an Excel spreadsheet (the database of choice for PHBs everywhere) too.
(And yes, it should have been encrypted.)