
"Clear" Air-Travel Pass Data Stolen From SFO

Posted by timothy
from the is-kip-hawley-thetan-clear? dept.
Kozar_The_Malignant writes "A laptop containing the unencrypted security data for 33,000 travelers using the Clear system was stolen at San Francisco International Airport on July 26, according to CBS5 Television. The Clear system allows travelers who register and pay a $100.00 annual fee to speed through airport security by using a smart card at special kiosks in some airports. TSA has suspended new registrations in the system, which is run by a private contractor, Verified Identity Pass, Inc., a subsidiary of GE. The laptop was apparently stolen from a locked office at SFO. The company has now decided that it might be a good idea to encrypt the data in their systems. They are in the process of notifying customers that all of their personal data, including name, address, SSN, passport number, date of birth, etc. has been compromised."
  • by Animats (122034) on Tuesday August 05, 2008 @12:32PM (#24481737) Homepage

    What was that info doing on a laptop? That in itself is very suspicious. Nobody should have a full list of the "approved people" outside of a database where each access is logged. That's info a terrorist group would want. It gives them a list of people who won't be searched. Those are the ones to exploit to get something past security.

    The laptop disappeared from a locked room at an airport. This wasn't an ordinary laptop theft. TSA has to assume that the database is now in hostile hands. So now everyone with a "Clear" card should be subjected to extra searches.

    Let's check out the "Clear" privacy policy [flyclear.com]. "Clear and its subcontractors, pursuant to legal agreements, have a comprehensive information security program to ensure the privacy of Clear applicants and members as well as the integrity of our systems. We apply ID's and passwords to insure that access to systems and data is only on a need-to-know basis. We use encryption (a strong data coding process) for all program sensitive data communications." ... "In the highly unlikely event that a member is the victim of identity theft (defined as the taking of a member's personal information so that fraudulent transactions are made in the member's name) that is the result of any unauthorized dissemination by Clear or its subcontractors, or theft from Clear or its subcontractors, of the member's personal data collected by Clear, we will reimburse the member for any otherwise unreimbursable monetary costs directly resulting from such Identity Theft. In addition, Clear will, at its own expense, offer any such member assistance in restoring the integrity of the member's financial or other accounts." ... "Clear has appointed an independent, outside Privacy Ombudsman, Law Professor Paul Schwartz [paulschwartz.net], noted privacy expert and advocate. He will be identified to members as the person to contact if a member has a privacy complaint or privacy problem with administration of the Clear system or fidelity to our published Privacy Policies. The Independent Privacy Ombudsman is empowered to investigate all privacy complaints, gather the facts, and respond to members, as well as to post responses publicly and prominently on our website."

    Yet there's no announcement of the security breach on the Clear web site.

  • by BitterOldGUy (1330491) on Tuesday August 05, 2008 @12:38PM (#24481863)
    disagrees with you (Sept 2008). Government is by far the worst offender for IS leaks.

    See page 32.

  • Re:That's okay... (Score:5, Informative)

    by jacquesm (154384) <j@ww.3.14159com minus pi> on Tuesday August 05, 2008 @12:40PM (#24481903) Homepage

    A security audit does not require you to give up your logins / passwords; if it does, you're likely being socially engineered.

  • Re:Good write up (Score:2, Informative)

    by jmcbain (1233044) on Tuesday August 05, 2008 @12:42PM (#24481949)
    How about we use the tags 'goodsummary' and 'badsummary' instead?
  • Oh Please (Score:5, Informative)

    by mpapet (761907) on Tuesday August 05, 2008 @12:48PM (#24482069) Homepage

    Having worked the contractor side of Identity projects, I promise you the story as provided in the summary is the working norm.

    Unsecured computers in the field with live identity information? Check.

    Multiple copies of identity information floating around? Check.

    Many **totally** unaware employees in the field with private data? Check.

    Many **totally** unaware employees at the contractor's office passing private data? Check.

    It boggles my mind anyone would believe it's better than that. The contractor suffers no consequences and the burden falls on the individual.

    Which is why the rules, regs, and standards for handling private information are ***perfectly*** designed in the U.S. Not that any of you would get off your collective asses and do anything to change it.

  • Re:Skeptical (Score:2, Informative)

    by amn108 (1231606) on Tuesday August 05, 2008 @01:02PM (#24482337)

    Wrong. Running around and being sloppy means nothing because no matter how "corporate" a laptop is, it does not store any copies of any sensitive information. The person carrying the laptop is no more allowed access to such records than any other.

    Please give me ANY reason why and how a corporate employee with a laptop, however sloppy he or she is, should be carrying a copy of 33k personal records with him, regardless of what company he works for, his position in the company and the type of computer.

    There is a chance such access is required on a human's part, but not in the security area. A person I know closely was working as a translator for refugees in a European country. The information refugees gave that made them eligible for asylum was to remain strictly confidential, but since she had to translate this information to the government authorities on behalf of the refugees, and since she did translate it, it all went through her head and thus was potentially leaked, as it was entirely up to her to occasionally recall and reveal all kinds of intimate details on these refugees to her friends and whatnot. Which she did, occasionally. That's sloppiness.

    I find it funny that when it comes to money, most respectful banks realized it long ago that true security should exclude human interaction altogether, and try to replace parts of the system where human hands are due with electronics.

    Time to value privacy and offer it the same kind of recognition.

  • by ptbarnett (159784) on Tuesday August 05, 2008 @01:03PM (#24482355)
    I'm replying close to the top, so that this will show up as early as possible.

    This is from Clear customer support: consider the source and apply the appropriate amount of salt.

    The only personal information that was compromised was for people who were in the midst of the application process. If you are already enrolled and have received your card, your personal info was not in the laptop that was stolen.

    At this point, Clear is not planning to notify existing members that their personal info was not stolen. However, I strongly suggested that they rethink that policy, and notify all members of the extent of the breach. The news story quoted in this article doesn't make the distinction between pending applications and enrolled members.

  • Re:Security theatre (Score:4, Informative)

    by Dekortage (697532) on Tuesday August 05, 2008 @01:24PM (#24482695) Homepage

    I haven't made it far through the article, but it's good so far...

    "...in a more compelling form than is often expressed in popular discourse, the nothing to hide argument proceeds as follows: The NSA surveillance, data mining, or other government information-gathering programs will result in the disclosure of particular pieces of information to a few government officials, or perhaps only to government computers. This very limited disclosure of the particular information involved is not likely to be threatening to the privacy of law-abiding citizens. Only those who are engaged in illegal activities have a reason to hide this information. Although there may be some cases in which the information might be sensitive or embarrassing to law-abiding citizens, the limited disclosure lessens the threat to privacy. Moreover, the security interest in detecting, investigating, and preventing terrorist attacks is very high and outweighs whatever minimal or moderate privacy interests law-abiding citizens may have in these particular pieces of information.

    "Cast in this manner, the nothing to hide argument is a formidable one. It balances the degree to which an individual's privacy is compromised by the limited disclosure of certain information against potent national security interests. Under such a balancing scheme, it is quite difficult for privacy to prevail.

    ...

    "Many commentators had been using the metaphor of George Orwell's 1984 to describe the problems created by the collection and use of personal data.[51] I contended that the Orwell metaphor, which focuses on the harms of surveillance (such as inhibition and social control) might be apt to describe law enforcement's monitoring of citizens. But much of the data gathered in computer databases is not particularly sensitive, such as one's race, birth date, gender, address, or marital status. Many people do not care about concealing the hotels they stay at, the cars they own or rent, or the kind of beverages they drink. People often do not take many steps to keep such information secret. Frequently, though not always, people's activities would not be inhibited if others knew this information.

    "I suggested a different metaphor to capture the problems: Franz Kafka's The Trial, which depicts a bureaucracy with inscrutable purposes that uses people's information to make important decisions about them, yet denies the people the ability to participate in how their information is used.[52] The problems captured by the Kafka metaphor are of a different sort than the problems caused by surveillance. They often do not result in inhibition or chilling. Instead, they are problems of information processing (the storage, use, or analysis of data) rather than information collection. They affect the power relationships between people and the institutions of the modern state. They not only frustrate the individual by creating a sense of helplessness and powerlessness, but they also affect social structure by altering the kind of relationships people have with the institutions that make important decisions about their lives."

    It's a great analysis of the issues, laying out what the heck privacy really is, anyway.

  • Re:Security theatre (Score:4, Informative)

    by krbvroc1 (725200) on Tuesday August 05, 2008 @01:33PM (#24482847)

    The company in question was founded by Steven Brill who founded CourtTV and American Lawyer magazine.

    He is from NY state and is a solid Democrat from what I can tell (according to his campaign contributions).

  • by tugboat0902 (1339165) on Tuesday August 05, 2008 @01:34PM (#24482873)
    As a medical professional in the midwest I have had my personal information stolen 3 times in the last 12 months. In order to sign up with insurance companies, Medicare, Medicaid, etc., I have to provide name, office address, home address, SSN, personal and professional history and in some cases even a photo. They provide a really, really nice privacy policy that says they won't share any of this information, but they accept no responsibility for its loss. Today, I have three really great credit monitoring services (for one year mind you) and that is the extent of the liability I can extract from an insurance company, or even the federal government, for the loss of my information. It seems really retarded to me, but who am I to complain? (hears jack-boots in hallway---)
  • Re:Security theatre (Score:2, Informative)

    by Profane MuthaFucka (574406) <busheatskok@gmail.com> on Tuesday August 05, 2008 @01:41PM (#24482999) Homepage Journal

    You must be one of those morons who talks up private enterprise, but then conveniently forgets that corporations are not the only kind of business.

    Let me spell it out for you, as I would to a child:

    Corporation fucks up, you kill the corporation. IBM Corporation becomes IBM the private business. The investors get their money (whatever they can) and cash out, or they are private owners of the company. Tough to be them, they should have demanded responsible business practices. Now they're going to be held accountable as owners.

    The company then loses all corporate status. It's a private company. If you're going to break the law, then you cannot get the blessing of the government as a corporation.

    Remember, corporations exist only because the government says they exist. Suck on that.

  • Re:Security theatre (Score:1, Informative)

    by Anonymous Coward on Tuesday August 05, 2008 @02:53PM (#24484163)

    Just a point of clarity: the Democrats are not "in control" of Congress. They have a slight majority in the House. To be in control, you need a 2/3rds majority in the House and Senate so you have enough votes to halt parliamentary procedures, force votes, and override vetoes.

  • by joedoc (441972) on Tuesday August 05, 2008 @03:11PM (#24484497) Homepage
    I enrolled in the Clear program back in March. My reasons were very specific: I got tired of fighting long security lines at the airport, and since I work away from home and travel back and forth a lot, the convenience of this system is more than worth the $100.

    I work in DC, and live in Jacksonville, FL, and I normally travel back to the District on Monday mornings. I was stunned to see how long the security lines were at Jax International, even at 6:15 in the morning, and with a full slate of TSA scanners and personnel on the job.

    There is nothing like being able to walk past a line of three or four hundred flyers, skip right to the head of the line and be at the gate with enough time to hit the head and grab a coffee. I have zero stress when flying now.

    That being said, I'm certainly upset about the laptop theft, and the "inside job" theories might have some truth to them, considering this was supposed to be in a locked office. I don't necessarily buy the "stolen to order" conspiracies, but it is worrisome. I'll continue to do what I always have - monitor all my accounts, credit reports, etc. and hope this gets solved in a quick and reasonable fashion.

    As for the necessity to hand over a lot of private information, let me explain what the procedure is:

    When you apply for a Clear card online, you provide the same information, initially, that you would when ordering a product: name, address, phone, and a credit card for the screening fee only ($28, which goes to the TSA). Part of the on-line application process is providing your SSN. In this case, it's a necessary evil, since Clear has to access information only you would know. I would assume they're getting this off credit reports or public records. You answer three or four questions, and if the answers are satisfactory, you move on to the next step. You print out a document with a registration number.

    That step requires an appearance, in person, at the local airport with the Clear service counters. They check your registration, and you have to provide two forms of identification. One can be any government-issued picture ID. The other, however, must be a government-issued birth certificate or a valid passport. I tried to use a birth certificate issued by the hospital where I was born in 1955, but they refused to accept it. This required me to order a new BC from the state where I lived, and finish the process another day.

    Once that's finished, you stand at a kiosk and have all your fingerprints and one iris scanned. They save two or three of the fingerprints and the iris, and the data from both are eventually encoded into the chip on the smart card they issue you.

    The wait for the card can be nearly a month.

    As protective as I am of my privacy, I really didn't have a lot of issues with what I had to do to get this. I am an IT contractor and former federal employee, and I have a high security clearance. I had to give up a lot more during that investigation, including having family, friends and neighbors interviewed about my character. Since this is a requirement of the job, I have nothing in my past to hide, and it means a much higher salary, I'm not going to raise too much of a stink.

    Clear, on the other hand, didn't get anything from me that isn't easily available (or steal-able) to anyone with a few dollars and a couple of private detectives on the Rolodex. Go to one of these "free credit report" sites and request to see what's on that thing. You have to answer some of those questions I mentioned before, and what they have is pretty interesting, and deep.

    I'd be lying if I said this laptop theft doesn't worry me. I have the feeling that the idiot who stole it probably won't even look on the damn thing, and it will turn up, drive slicked, in some pawn shop.

    In the meantime, I'll keep a close eye on everything sensitive (I get lots of practice at work).

    And I'll still be jumping the line at the airport.
  • by origamy (807009) on Tuesday August 05, 2008 @03:23PM (#24484757) Homepage
    So reports the SF Chronicle [sfgate.com] in an article from the AP:

    (08-05) 11:59 PDT San Francisco, CA (AP) --

    The company that runs an airport security prescreening program says they've found a laptop containing the personal information of 33,000 people more than a week after it apparently went missing.
    ...
