Forgot your password?
typodupeerror
Privacy Security Transportation

"Clear" Air-Travel Pass Data Stolen From SFO 379

Posted by timothy
from the is-kip-hawley-thetan-clear? dept.
Kozar_The_Malignant writes "A laptop containing the unencrypted security data for 33,000 travelers using the Clear system was stolen at San Francisco International Airport on July 26, according to CBS5 Television. The Clear system allows travelers who register and pay a $100.00 annual fee to speed through airport security by using a smart card at special kiosks in some airports. TSA has suspended new registrations in the system, which is run by a private contractor, Verified Identity Pass, Inc., a subsidiary of GE. The laptop was apparently stolen from a locked office at SFO. The company has now decided that it might be a good idea to encrypt the data in their systems. They are in the process of notifying customers that all of their personal data, including name, address, SSi number, passport number, date of birth, etc. has been compromised."
This discussion has been archived. No new comments can be posted.

"Clear" Air-Travel Pass Data Stolen From SFO

Comments Filter:
  • Security theatre (Score:5, Interesting)

    by BWJones (18351) * on Tuesday August 05, 2008 @12:14PM (#24481331) Homepage Journal

    To have a company intimately involved with *security* not apparently able to manage their own security in a manner that protects the country and their customers is a joke. Fine... having a laptop stolen is common enough and I don't fault them, but having unencrypted data of 33,000 of your customers on that laptop is a crime.

      I never liked the idea of handing over private information in the security theatre that our nation has become, but events like this where private companies motivated by the lowest common denominator really get under ones skin. Why the data was stored in unencrypted formats is inexcusable. I don't know what the penalty should be for something like this, but it should be commensurate with the potential damage it could cause.

    The whole point of outsourcing information and jobs like this to the private sector is to get the job done better and more efficiently. When the government then has to police these private companies like the TSA is apparently having to now do, the concept is made moot. So.... our options are to continue to live the security theatre with private companies like this or turn the job back over to the government (who's job it to ensure safety of travel and should not have been in the business of verifying identity for air travel anyway).

    Or... we could go back to the way things were when I could carry pocket knives on planes. (I also remember when you could carry long guns on planes back in the late 80's/early 90's.)

    • by boaworm (180781) <boaworm@gmail.com> on Tuesday August 05, 2008 @12:20PM (#24481465) Homepage Journal

      Yea, and this also brings some interesting light to the issue with "If you have nothing to hide, why don't you want to provide us with your [biometrics|passport|id|*]" argument.

      Refusing to give away address, email, phones, SSID along with fingerprints is almost considered a crime in itself right now, since if you are not planning on terrorist activities, you don't have anything to hide, have you!?

      But here, perfectly innocent people suddenly have all their personal information spread to criminal groups or whoever end up being the buyer of this information.

      Scary stuff...

      • by BWJones (18351) * on Tuesday August 05, 2008 @12:26PM (#24481611) Homepage Journal

        Yeah.... You have nothing to fear except fear itself..... and incompetence. So, just hand your data over to us and we'll verify that you are who you are which really does nothing for national security anyway because there is nothing that prevents someone from getting "cleared", then carrying out a crime later.

      • Re:Security theatre (Score:5, Interesting)

        by greedyturtle (968401) on Tuesday August 05, 2008 @12:40PM (#24481899)
        This is a brilliant paper that sums it all up. It was posted on ./ a few years back, couldn't find the ./ story but I did find the paper:

        I've Got Nothing to Hide and Other Misunderstandings of Privacy [ssrn.com]
        • Re:Security theatre (Score:4, Informative)

          by Dekortage (697532) on Tuesday August 05, 2008 @01:24PM (#24482695) Homepage

          I haven't made it far through the article, but it's good so far...

          "...in a more compelling form than is often expressed in popular discourse, the nothing to hide argument proceeds as follows: The NSA surveillance, data mining, or other government information-gathering programs will result in the disclosure of particular pieces of information to a few government officials, or perhaps only to government computers. This very limited disclosure of the particular information involved is not likely to be threatening to the privacy of law-abiding citizens. Only those who are engaged in illegal activities have a reason to hide this information. Although there may be some cases in which the information might be sensitive or embarrassing to law-abiding citizens, the limited disclosure lessens the threat to privacy. Moreover, the security interest in detecting, investigating, and preventing terrorist attacks is very high and outweighs whatever minimal or moderate privacy interests law-abiding citizens may have in these particular pieces of information.

          "Cast in this manner, the nothing to hide argument is a formidable one. It balances the degree to which an individuals privacy is compromised by the limited disclosure of certain information against potent national security interests. Under such a balancing scheme, it is quite difficult for privacy to prevail.

          ...

          "Many commentators had been using the metaphor of George Orwells 1984 to describe the problems created by the collection and use of personal data.51 I contended that the Orwell metaphor, which focuses on the harms of surveillance (such as inhibition and social control) might be apt to describe law enforcements monitoring of citizens. But much of the data gathered in computer databases is not particularly sensitive, such as ones race, birth date, gender, address, or marital status. Many people do not care about concealing the hotels they stay at, the cars they own or rent, or the kind of beverages they drink. People often do not take many steps to keep such information secret. Frequently, though not always, peoples activities would not be inhibited if others knew this information.

          "I suggested a different metaphor to capture the problems: Franz Kafkas The Trial, which depicts a bureaucracy with inscrutable purposes that uses peoples information to make important decisions about them, yet denies the people the ability to participate in how their information is used.52 The problems captured by the Kafka metaphor are of a different sort than the problems caused by surveillance. They often do not result in inhibition or chilling. Instead, they are problems of information processingthe storage, use, or analysis of datarather than information collection. They affect the power relationships between people and the institutions of the modern state. They not only frustrate the individual by creating a sense of helplessness and powerlessness, but they also affect social structure by altering the kind of relationships people have with the institutions that make important decisions about their lives."

          It's a great analysis of the issues, laying out what the heck privacy really is, anyway.

      • by Devil's BSD (562630) on Tuesday August 05, 2008 @12:55PM (#24482223) Homepage

        Refusing to give away address, email, phones, SSID along with fingerprints is almost considered a crime in itself right now

        I have no problem giving you my SSID, it's the WPA2 key that I have a problem giving out ;)

    • by Cruciform (42896) on Tuesday August 05, 2008 @12:25PM (#24481579) Homepage

      The whole point of outsourcing information and jobs like this to the private sector is to get the job done better and more efficiently.

      That might be the point for you, but for the government officials there are other points to consider:

      1) Who bid the lowest.
      2) Will the company chosen contribute enough money to my/our campaign in the future.
      3) Is there a way I can profit from my choice of contractor.

      The idea that someone would believe a company is chosen for its actual merits is ludicrous.

      • by Anonymous Coward on Tuesday August 05, 2008 @12:33PM (#24481761)

        The idea that someone would believe a company is chosen for its actual merits is ludicrous.

        Well, choosing a company based on something abstract like merits is illegal because it's often used to hide #2 and #3. Price is the only consideration you are allowed. Yes, it's stupid, but it's the way the taxpayer demands it be done.

        Honestly, do you think larger corporations are any different? Deals are always given to good old boy friends who will give you something later. It's not even illegal, like it is in government.

        • Re:Security theatre (Score:5, Interesting)

          by samkass (174571) on Tuesday August 05, 2008 @12:56PM (#24482229) Homepage Journal

          That's only true in the very last stage of bidding on government contracts. The key is to have the requirements written "properly". I put the last word in quotes because every contractor wants their special value-add to be made a requirement of all bid requests-- that way they're always cheapest and win the final bid. By the time the final wording is written into any request for proposals, the winner is usually no surprise.

          • by XenoPhage (242134) on Tuesday August 05, 2008 @01:34PM (#24482867) Homepage

            The key is to have the requirements written "properly".

            And that's part of the problem. The government, in many cases, outsources because it does not have the expertise to do the job. Not having the expertise also manifests itself in the lack of details in the requirements document. Just requiring a security company that can secure stuff isn't good enough, you need to elaborate. In many cases, you may need to elaborate into details like what encryption algorithms are usable, what are not, etc. Stuff your average government lackey would know nothing about.

        • by demachina (71715) on Tuesday August 05, 2008 @01:15PM (#24482571)

          "Price is the only consideration you are allowed. Yes, it's stupid, but it's the way the taxpayer demands it be done."

          That USED to be the only consideration before the Bush administration came to town, that and if you had a token minority or woman in your executive suite you could win by exploiting affirmative action.

          But, the Bush administration has been constantly sole sourcing and otherwise steering contracts to friends and contributors for 7 and a half years. There is a well oiled machine of Republican connected lobbyists who hooked companies up with a fast path to contracts. Karl Rove apparently tried to turn the entire executive branch in to a political tool where government contracts were being steered to "good Republican" companies and as tools to get Republicans elected for bringin home the bacon to companies in their districts. Many of the contracts in Iraq, both in supporting the military and rebuilding Iraq(rebuilding it very badly it turns out), were done that way.

          Maybe its illegal but if no one enforces the law what does the law matter. The Bush administration had complete contempt for the law in little things like torture, spying on Americans, hiring and politically motivated prosection in the DOJ etc, what makes you think they care about it in government contracting. If they dominated the executive branch, including the DOJ, and the Congress, which they did from 2000-2006 they knew no one would investigate anything, or enforce any law. Some private citizen or public interest group would've had to blow the whistle. When they've tried the Federal government has been very effective at smacking them down. I recall a number of instances where Federal contract monitors and auditors have questioned the performance and billing of politically well connected contractors, and if they didn't shut up and rubber stamp the payments the Bush administration just fired them and put someone in the job who would stop asking questions. There was an instance of this reported a couple weeks ago.

          Even since the Democrats regained control of Congress the Bush administration has been very good at frustrating every attempt to investigate all their law breaking.

          If the Republicans had managed to stack the courts a little better, and hadn't been so incompetent and corrupt that they started losing elections again in 2006 the law would have been pretty much history in the U.S.

      • by BitterOldGUy (1330491) on Tuesday August 05, 2008 @12:38PM (#24481863)
        disagrees with you (Sept 2008) Government is by far the worst offender for IS leaks.

        See page 32.

      • Re:Security theatre (Score:4, Informative)

        by krbvroc1 (725200) on Tuesday August 05, 2008 @01:33PM (#24482847)

        The company in question was founded by Steven Brill who founded CourtTV and American Lawyer magazine.

        He is from NY state and is a solid Democrat from what I can tell (according to his campaign contributions).

    • by nasor (690345)
      That was my first thought as well. When some random company that sells carpet or bulldozers or hamburgers makes stupid decisions about data security and customer information is stolen, yeah, it's idiotic. But these guys are supposed to be a security company.
    • by Anonymous Coward

      Our company was being audited for security, and the auditors lost their papers with information on logins, etc. As a result, we had to change all of our passwords.

    • by rk (6314) * on Tuesday August 05, 2008 @12:36PM (#24481825) Journal

      The whole point of outsourcing information and jobs like this to the private sector is to get the job done better and more efficiently.

      That's the ostensible reason, the one they use to sell it to those who distrust government spending like libertarians, fiscal conservatives and some old-school Republicans.

      The real reason is usually to privatize the profit centers, while continuing to keep the cost centers public, so the old boy network can continue to get slopped at the public trough.

    • Re: (Score:3, Interesting)

      Corporate Death Penalty! It's an option that is seldom used, but should be used more and more.

      When corporations break the law and are found guilty, their existence as corporations should be ENDED.

    • Oh Please (Score:5, Informative)

      by mpapet (761907) on Tuesday August 05, 2008 @12:48PM (#24482069) Homepage

      Having worked the contractor side of Identity projects, I promise you the story as provided in the summary is the working norm.

      Unsecured computers in the field with live identity information? Check.

      Multiple copies of identity information floating around? Check.

      Many **totally** unaware employees in the field with private data? Check.

      Many **totally** unaware employees at the contractor's office passing private data? Check.

      It boggles my mind anyone would believe it's better than that. The contractor suffers no consequences and the burden falls on the individual.

      Which, is why the rules, regs, and standards for handling private information is ***perfectly*** designed in the U.S. Not that any of you would get off your collective asses and do anything to change it.

    • Re: (Score:3, Interesting)

      by bob_herrick (784633)
      This is a local story to me. On the TV news last night one of the security company's staff was interviewed. He asserted:

      o Only publicly available information - name, address, etc. was on the laptop.
      o No private data such as SSID and credit card information were on the laptop

      This does not excuse the lack of security, but it might make those that had their data on the laptop feel better, if true.
    • by ptbarnett (159784) on Tuesday August 05, 2008 @01:03PM (#24482355)
      I'm replying close to the top, so that this will show up as early as possible.

      This is from Clear customer support: consider the source and apply the appropriate amount of salt.

      The only personal information that was compromised was for people who were in the midst of the application process. If you are already enrolled and have received your card, your personal info was not in the laptop that was stolen.

      At this point, Clear is not planning to notify existing members that their personal info was not stolen. However, I strongly suggested that they rethink that policy, and notify all members of the extent of the breach. The news story quoted in this article doesn't make the distinction between pending applications and enrolled members.

    • Re: (Score:3, Interesting)

      by fishbowl (7759)

      >having unencrypted data of 33,000 of your customers on that laptop is a crime.

      It is a crime, and the person responsible, and anyone that knew or should have known that person had this data on a laptop, should be treated *precisely*, literally, as an enemy of the state, an enemy combatant during wartime, and the incident should be approached with strong suspicion that the loss was no accident. The people responsible will protest their innocence, as do all traitors, and we should be deaf to that.

      This may

  • The company has now decided that it might be a good idea to encrypt the data in their systems.

    Then they've clearly hired the wrong people for the job. But since when is news like this anything new?

    • Re: (Score:3, Funny)

      by omeomi (675045)
      Then they've clearly hired the wrong people for the job. But since when is news like this anything new?

      But they were the ones who bought enough congressmen and senators to get the job...surely you're not suggesting there's a better way to choose government contractors?
  • If you have customer (or business!) data on a laptop, there is really no reason at all to not have full disk encryption on it. Laptops are stolen all of the time and this is the sort of publicity your company does not need.
    • by AJWM (19027) on Tuesday August 05, 2008 @12:21PM (#24481483) Homepage

      WTF was data like this doing on something nice and portable like a laptop anyway? I bet it was in an Excel spreadsheet (the database of choice for PHBs everywhere) too.

      (And yes, it should have been encrypted.)

      • Re: (Score:3, Insightful)

        by xgr3gx (1068984)
        I know really. It's always laptops with critical data.
        A laptop should be nothing more than a client to the critical data. (Obviously with proper login and security to connect to whatever hosts the critical data)
        Bah! So dumb!
      • by jandrese (485)
        In my experiance, that works great until you have to go somewhere with crappy connectivity. Sometimes real life will make a mockery of your best laid plans.
    • Re: (Score:3, Insightful)

      by cream wobbly (1102689)

      Screw disk encryption. The data should not have been on the laptop in the first place. It should have been in a secure location, reached by secure connections.

      Then if the laptop is stolen, the most the thief will get is the method by which the data is reached, and possibly the IP of the server. Because nobody saves usernames and passwords, right?

      Right?

  • by Gat0r30y (957941) on Tuesday August 05, 2008 @12:15PM (#24481369) Homepage Journal
    Before they require hardware based encryption for drives containing this sort of data? It seems completely ridiculous to me that they would keep sensitive data like this on an unencrypted drive.
    One word of this: Incompetent.
    • I think the only thing saving the IRS is that operates with COBOL software and nine-track tape and not many hackers can do those these days.

      I forgot the exact country, but one of the major western European countries had a significant chunk of taxpayer ids stolen last year.
    • by nasor (690345) on Tuesday August 05, 2008 @12:43PM (#24481959)
      The ridiculous thing, in my option, isn't that people aren't careful with "personal information" - it's that banks, credit card companies, etc. all like to pretend that knowing a social security number magically proves that you are who you claim to be. I shouldn't have to keep my information secret just because it makes things convenient for some company that wants to give credit cards/loans/whatever worth thousands of dollars to people that they have never met, via the mail. That's an idiotic business plan, and it shouldn't be my problem that people try to scam them.
      • by QuantumRiff (120817) on Tuesday August 05, 2008 @01:20PM (#24482635)

        Exactly. Why is my Social Security number needed to purchase a cell phone and contract? Does my insurance company need it? Why do credit checks have to be run for everything nowadays? I would honestly prefer giving something like my fingerprint at the store, as long as the employee also had to give theirs, as a way of certifing "yes, they pressed their thumb, I watched them, and they were not coerced".

        I think that the best thing that can happen is that more ID's are stolen, as in millions, as in IRS or some states database. If they can no longer be trusted, they will no longer be used..

    • I KNOW! I won't even store my own SSN / Passwords, etc. on my personal computer on my desk at home, much less on a laptop or cellphone. And yet these people are in possession of what amounts to an "identity brief" for tens of thousands of their paying customers, and leave it all conveniently accessible in a single unencrypted file on an unencrypted drive in an unsecured laptop?

      Here's hoping it's just a disgruntled employee trying to call attention to the insecurity, rather than actual criminals who will u

    • Re: (Score:3, Interesting)

      by zappepcs (820751)

      Well, not only that, but shouldn't that laptop have a tracing program on it? One of those services that helps you find the stolen laptop?

      A new security industry created by the government's drive to snoop in all our lives has proven exactly why no one is to be trusted with your ID info. period. Makes you wonder who the real terrorists are? Bin Laden must be laughing his last lung out.

      The weakest link in your security is always a human and since humans work for the NSA, DHS et al, there is NO reason to trust

  • "The company has now decided that it might be a good idea to encrypt the data in their systems"

    because apparently before locked doors was good enough

  • by gcnaddict (841664) on Tuesday August 05, 2008 @12:17PM (#24481403)
    You've got social security numbers of thousands of people on company laptops and you didn't make it a policy to encrypt everything?

    Seriously?
  • by langelgjm (860756) on Tuesday August 05, 2008 @12:17PM (#24481407) Journal

    From the "Clear" link: "Clear's first year price is $128."

    I'd say that's a bargain to have your identity stolen!

  • by Anonymous Coward

    Who am I kidding. No, it won't.

  • ... especially since at my workplace, they are starting to think about encryption laptop hard drives, that contain personal information about government related investigations related to people working without permits and that kind of deal.

    The thing is, though, they're only encrypting the new tablet PCs we just bought, not the older Thinkpads we used - And the database is imported from the web, which means the unencrypted laptops contain the same data the encrypted ones do...

    I have a feeling we'll see ev
  • All aboard the FailPlane!

    With Pic! [flickr.com]

  • Step 1: Encryption (Score:4, Insightful)

    by Spy der Mann (805235) <spydermann.slash ... Hl.com minus cat> on Tuesday August 05, 2008 @12:22PM (#24481505) Homepage Journal

    A laptop containing the unencrypted -

    NEXT!!!

  • by Reality Master 201 (578873) on Tuesday August 05, 2008 @12:22PM (#24481509) Journal

    Assuming this system allows them to reliably identify a person, so what? Do they do extensive background checks and continuous monitoring to ensure that the people aren't involved in terrorism? Or if I have no obvious problems in my background and enough money to pay for it, can I get treated differently too?

    Does it basically come down to people paying to not have to stand in line with the rest of humanity at the airport?

    • by oldspewey (1303305) on Tuesday August 05, 2008 @12:27PM (#24481619)

      Does it basically come down to people paying to not have to stand in line with the rest of humanity at the airport?

      Ding ding ding!

    • by metlin (258108)

      Does it basically come down to people paying to not have to stand in line with the rest of humanity at the airport?

      Pretty much.

      And that's a big bonus for business travelers. I fly at least twice a week, and on some weeks, it could be way more than that. So, I spend a lot of time standing in lines at the airport and spending time with idiot passengers who do not know how to pack. Before I get in line, I have my wallet, phone and everything else in my bag, I usually carry no liquids (buy 'em where I go or le

    • Re: (Score:3, Insightful)

      by nasor (690345)
      That was my first thought as well. How do they know that a terrorist wouldn't just add himself to the list? Or, if that's not possible, simply impersonate someone who is on the list? Since apparently the list of all 33k people is now floating around, they would have plenty of choices of people to impersonate.
      • Re: (Score:3, Insightful)

        by smellsofbikes (890263)

        You've hit upon the actual problem with this whole scheme: if you build a two-tier security system (whether you call it Clear or racial profiling or whatever) you annoy the people in the lower tier because they're being 'profiled' for extra checking -- they're false positives and they resent it and tell you that you're a racist or something.
        But the reason it's a Very Bad Idea isn't because of them, it's because of the false negatives, the people who figure out how to get into the less-checked, higher tier.

  • by seanonymous (964897) on Tuesday August 05, 2008 @12:22PM (#24481525)
    So it's the same price as mobileMe, and it provides users with the same level of frustration. Who says government contractors can't compete?
  • by ds_job (896062) on Tuesday August 05, 2008 @12:23PM (#24481531)
    Please tell me that there is going to either be prison time or a huge *personal* fine for the CEO of the tinpot company who thought that a lock and key was enough security. I'n not talking about firing the person who left it there or proped the door open to do the vacuuming, but the person at the top who says "Yes, this is cost effective and proper." We need to have people at board level think twice about storing our data so shockingly badly.
    • by oyenstikker (536040) <slashdot.sbyrne@org> on Tuesday August 05, 2008 @12:58PM (#24482265) Homepage Journal

      CORPORATION, n. An ingenious device for obtaining individual profit without individual responsibility.
      - The Devil's Dictionary

  • Skeptical (Score:5, Interesting)

    by PPH (736903) on Tuesday August 05, 2008 @12:23PM (#24481539)

    I'm becoming quite skeptical about this whole 'stolen laptop' B.S. After the first few big news stories, I'd expect most corporations to have strict guidelines in place to prevent this sort of thing. And a policy of coming down hard, very hard, on violators.

    I wonder how much one can get per personnal record for selling this sort of data to organized crime. And cover your ass by reporting a stolen laptop.

    • Strict guidelines are all well and fine, but when you have hundreds or thousands of employees running around with corporate laptops there is simply no way to guarantee that everyone will comply.

      When people are running around at the airport, hopping in and out of cabs, running from meeting to meeting, and generally trying to keep ahead of their workload, they get sloppy.

    • Re: (Score:2, Funny)

      by lathama (639499)

      Sad to say but I think that you are on to something. I get several emails offering to buy and sell contact lists on email all the time. I wonder exactly what the product line looks like for these groups that buy and sell lists? "For an extra $500 you get matching SSN"!!! "Need us to sort the data, we will stop by and pick up your laptop with cash payment and completed police report."

    • It's because everyone else is of the "Well, it won't happen to me, it only happens to the other guys" mentality.

      What those execs fail to realize is they ARE the 'other guys' to everyone else.

      If I proposed something like this to the companies I help support, I guarentee the first question I'd get would be "How much would it cost to impliment?"

  • Good write up (Score:4, Insightful)

    by Faux_Pseudo (141152) <Faux.Pseudo @ g mail.com> on Tuesday August 05, 2008 @12:25PM (#24481573) Homepage

    This might be the best summery I have seen in some time. It has far more usefull informtaion than the linked news story. I want to personally thank the poster for that and suggest we could use a 'goodsummery' tag to balance the 'badsummery' tag that we so often see.

  • by oodaloop (1229816) on Tuesday August 05, 2008 @12:26PM (#24481601)
    I was just thinking earlier today of signing up for that. I do a lot of travel and thought the cost might be worth it to cut down on wait time. Guess not.
  • by sakdoctor (1087155) on Tuesday August 05, 2008 @12:28PM (#24481641) Homepage

    Names, SSi number, date of birth .. we need to stop using all of these as ID right now.

    My suggestion is this. At some appropriate age, say 16-18 where most countries seem to issue ID, we each choose and commit to memory a graph G, such that the chance of a collision in all earth population is close to zero. Then whenever we need to prove our ID for air-travel or whatever we just need to go though several rounds of identify proof where we generate an isomorphic graph H, and show EITHER isomorphism between H and G, or a Hamiltonian cycle in H. After a sufficient number of rounds your identity would be certain to the required probability and you could be on your way.

    The technique to do this mentally could be taught in schools. It's THAT SIMPLE!

    • Re: (Score:3, Funny)

      by vjmurphy (190266)

      I am not an isomorphic graph, I am a free man!

  • by copperconductor (1325789) on Tuesday August 05, 2008 @12:28PM (#24481653)
    Dude, it's called "Clear" for a reason.
  • by Animats (122034) on Tuesday August 05, 2008 @12:32PM (#24481737) Homepage

    What was that info doing on a laptop? That in itself is very suspicious. Nobody should have a full list of the "approved people" outside of an database where each access is logged. That's info a terrorist group would want. It gives them a list of people who won't be searched. Those are the ones to exploit to get something past security.

    The laptop disappeared from a locked room at an airport. This wasn't an ordinary laptop theft. TSA has to assume that the database is now in hostile hands. So now everyone with a "Clear" card should be subjected to extra searches.

    Let's check out the "Clear" privacy policy [flyclear.com]. "Clear and its subcontractors, pursuant to legal agreements, have a comprehensive information security program to ensure the privacy of Clear applicants and members as well as the integrity of our systems. We apply ID's and passwords to insure that access to systems and data is only on a need-to-know basis. We use encryption (a strong data coding process) for all program sensitive data communications." ... "In the highly unlikely event that a member is the victim of identity theft (defined as the taking of a member's personal information so that fraudulent transactions are made in the member's name) that is the result of any unauthorized dissemination by Clear or its subcontractors, or theft from Clear or its subcontractors, of the member's personal data collected by Clear, we will reimburse the member for any otherwise unreimbursable monetary costs directly resulting from such Identity Theft. In addition, Clear will, at its own expense, offer any such member assistance in restoring the integrity of the member's financial or other accounts." ... "Clear has appointed an independent, outside Privacy Ombudsman, Law Professor Paul Schwartz [paulschwartz.net], noted privacy expert and advocate. He will be identified to members as the person to contact if a member has a privacy complaint or privacy problem with administration of the Clear system or fidelity to our published Privacy Policies. The Independent Privacy Ombudsman is empowered to investigate all privacy complaints, gather the facts, and respond to members, as well as to post responses publicly and prominently on our website."

    Yet there's no announcement of the security breach on the Clear web site.

  • Why do these fucktards always seem to decide that it's a good idea to encrypt their data after a laptop, computer, hard disk or tape backup containing the personal information of hundreds of thousands of people gets lost? There need to be more legal penalties for these companies' shoddy IT practices! Perhaps a CEO/CTO should do some jail time to drive the point home...
  • NOW?... (Score:3, Interesting)

    by whisper_jeff (680366) on Tuesday August 05, 2008 @12:35PM (#24481823)
    The company has now decided that it might be a good idea to encrypt the data in their systems.

    NOW? They're NOW deciding that it might be a good idea to encrypt the data? Ok, I don't work in the industry and all but even I, as an uneducated outsider, knows that it's a good idea to encrypt that sort of data. Jebus... That should have been one of the first priorities in developing their systems and procedures...
  • I don't get it (Score:3, Insightful)

    by jjohnson (62583) on Tuesday August 05, 2008 @12:39PM (#24481881) Homepage

    I don't understand why data like this was on a laptop in the first place. Encrypted or not, it seems problematic to have copies of databases floating around, flying with executives, packaged up neatly in a form that makes it easy to steal (i.e., a freakin' laptop).

    What am I missing that I don't get why this database was allowed off the core server that hosts it? Simply from a data integrity standpoint it seems like a bad idea to let multiple copies move around.

    • Re: PHB (Score:3, Insightful)

      by Phrogman (80473)

      I expect the required rules for security of the data were likely in place and applicable to most employees. It would take a special kind of stupid to not have some security rules.

      But those rules seldom are applied to upper echelon management who can simply say they want data X in a readable format (probably an Excel spreadsheet) put on that laptop for their trip etc. The higher you are in an organization it seems the less likely you are to think the rules apply to *you*.

      Either that or this "theft" is a conv

  • Irony (Score:3, Insightful)

    by FrankSchwab (675585) on Tuesday August 05, 2008 @12:41PM (#24481929) Journal

    I guess my question is....

    Could a terrorist organization exploit this information to be able to get someone on a plane who wouldn't have been able to before? A fake passport/drivers license in the name of a trusted passenger who knows all the personal information he should. In any kind of rational security process, each and every one of the CLEAR passengers would now be on the TSA Watchlist, subject to extra scrutiny.

    Talk about blowback! Talk about (Alanis Morissette be damned) irony! An intrusive system designed to help trusted passengers bypass an intrusive search for terrorists, allows those same terrorists to bypass the search.

  • Blame capitalism!

    That shit never worked, man.

  • by rickb928 (945187) on Tuesday August 05, 2008 @12:49PM (#24482101) Homepage Journal

    You can NOT make this shit up.

    I wouldn't be fired if this happened to my laptop. I would be charged, sued, and ostracized, and find a new line of work. Probably with the phrase 'biggie-size' involved.

    Almost as ludicrous as electonic voting...

  • next time... (Score:4, Insightful)

    by harvey the nerd (582806) on Tuesday August 05, 2008 @12:57PM (#24482243)
    One can hear it already, "we encrypted it, it'll never happen again". Next time, "its okay, we encrypted all the records with 1024 bits" and then have to admit the key was on a sticky note over the screen of the stolen laptop or in an attached thumb drive. Clear's name is now Mudd but the whole "airport security" business is a dangerous hoax (constitutionally and economically, too).

    It will be interesting to see the fallout from this episode of "Security Theatre".

  • by sribe (304414) on Tuesday August 05, 2008 @01:02PM (#24482347)

    OMG! The only, ONLY appropriate response is to temporarily shut down the program, fire the contractor, ban them from future work on this, put it out for bid again and start over.

  • by EEBaum (520514) on Tuesday August 05, 2008 @01:03PM (#24482365) Homepage
    $50 says that they'll keep the key to the encrypted data on a post-it attached to the computer, or use "password" as the password, or have a file on the desktop called "key to encrypted data".
  • by MaWeiTao (908546) on Tuesday August 05, 2008 @01:05PM (#24482401)

    I don't understand why there aren't penalties for this sort of thing. The way I see it this qualifies as criminal negligence because the ramifications for an individual of having their identity stolen can be severe.

    If lose of personal data is somehow attributable to negligence on the part of the company, in this case the lack of encryption and maybe not securing the laptop properly, the company should be penalized. The most obvious would be a fine; lets say $10,000 for each account.

    My bank, or companies they do business with have managed to lose a significant amount of customer information, not once, but twice in the past year. They mailed out notices and provided customers with some bullshit free access to credit monitoring for 12 months, later extending it to 18 or 24 months. And that's that, it's out of their hands.

    But then what the hell do politicians care? With financial institutions like Countrywide giving out extra-low interest rate VIP loans to congressmen they have no incentive whatsoever to look out for our best interest.

    • Unfortunately there's not a mouthpiece for a giant multibillion dollar industry available to sue people who "make available" personal information.

      Nor are their investigators roaming the internet making warrantless searches for offenders.

      Nor are there lobbyists sending Congressmen on junkets to ensure that maximally favorable and punitive laws are passed.

      And when the government serves up your personal information, even through a contractor, you usually can't sue anyone, and if you do, it takes most of a deca

  • Nelson (Score:3, Funny)

    by LoudMusic (199347) on Tuesday August 05, 2008 @01:13PM (#24482545)

    Nelson Muntz, "Hah hah."

  • by Anonymous Coward on Tuesday August 05, 2008 @01:19PM (#24482621)
    See, this is exactly why I gave them a fake name, address, and SSN when I enrolled in CLEAR.
  • by John Hasler (414242) on Tuesday August 05, 2008 @01:29PM (#24482781) Homepage

    Just add all those names to the no-fly list.

  • by ErichTheRed (39327) on Tuesday August 05, 2008 @01:48PM (#24483133)

    I'm not surprised this happened...well, maybe I'm surprised that a security company would leave that kind of data on a laptop.

    Fact is, this happens everywhere and it's going to get harder to manage. Unless you start taking people's laptops and even their desktop PCs away from them, you'll never stop it. Add to that the fact that you can get 16 GB flash drives and 80 GB iPods. The only ways to stop this are to (a) encrypt data, or (b) take users' toys away. Neither happens without a huge fight.

    Encrypting laptops is a really big challenge. If you let users do it themselves (using vendor software, Windows EFS or others,) then they hold all the encryption keys and could make it impossible for you to get the data back in the event they get fired or quit. Implementing enterprise encryption is another road, but has its own set of problems. You have to have a full-time admin to keep the public key infrastructure up, revoke and reissue certs, etc. You also need to spend a large sum of money -- RSA and others make huge bucks every year selling enterprise-level disk encryption software. This is a very hard fight to win until something bad like this happens. And even if you get the software purchased, convincing the execs that you also need someone to look after it is tough.

    Plus, you cannot stop a developer from taking the customer database home on a 1 TB disk drive to write/test software against. Unless you're disciplined enough to scrub any dev data of any customer information, it will be used. Even if you tell them they're fired if they take home data, being fired isn't the permanent black mark it used to be. Not everyone's a professional.

    So, either completely limit access to data, or take toys away. Everything else is just a band-aid. I odn't mean to sound defeatist, but unless you give employees some incentive to protect customer privacy, they won't do it. Security is a major pain in the butt...even I think so. The key is to make security "not a pain."

  • Targeted theft? (Score:3, Interesting)

    by ardle (523599) on Tuesday August 05, 2008 @01:50PM (#24483157)
    It's possible that is an "inside job", rather than an opportunistic theft. I mean, the laptop could have been "stolen to order". Identity criminals are getting more organised. Who knows what other data was on that laptop, given that it was being used by a security professional.
    • Re: (Score:3, Insightful)

      by bugs2squash (1132591)
      What's less damaging ?

      oops - we fucked up and gave away your data, sorry, won't happen again...

      or

      oops - the whole basis for us being here at all is undermined because the process of background checking as a way to pinpoint troublemakers is fundamentally flawed. The background checks we make on our own staff are clearly as worthless as the ones we run on you.

      I wonder what checks they do run anyway - I bet most of them are focused on ensuring that the check for $128 doesn't bounce.

      Firefox is probably more pic
  • by fcarolo (101096) on Tuesday August 05, 2008 @01:51PM (#24483179)
    Looks like someone used the same trick [theregister.co.uk] as the PFY, just three years later.
  • Real-ID resistance (Score:3, Insightful)

    by Plugh (27537) on Tuesday August 05, 2008 @02:26PM (#24483721) Homepage
    Now perhaps a few more people will understand why we fought so hard to ensure that New Hampshire will not participate in the Real-ID system, or any de facto national ID card that may follow. [freestateproject.org]
  • by joedoc (441972) on Tuesday August 05, 2008 @03:11PM (#24484497) Homepage
    I enrolled in the Clear program back in March. My reasons were very specific: I got tired of fighting long security lines at the airport, and since I work away from home and travel back and forth a lot, the convenience of this system is more than worth the $100.

    I work in DC, and live in Jacksonville, FL, and I normally travel back to the District on Monday mornings. i was stunned to see how long the security lines were at Jax International, even at 6:15 in the morning, and with a full slate of TSA scanners and personnel on the job.

    There is nothing like being able to walk past a line of three or four hundred flyers, skip right to the head of the line and be at the gate with enough time to hit the head and grab a coffee. I have zero stress when flying now.

    That being said, I'm certainly upset about the laptop theft, and the "inside job" theories might have some truth to them, considering this was supposed to be in a locked office. I don't necessarily buy the "stolen to order' conspiracies, but it is worrisome. I'll continue to do what I always have - monitor all my accounts, credit reports, etc. and hope this gets solved in a quick and reasonable fashion.

    As for the necessity to hand over a lot of private information, let me explain what the procedure is:

    When you apply for a Clear card on line, you provide the same information, initially, that would would ordering a product: name, address, phone, and a credit card for the screening fee only ($28 which goes to the TSA). Part of the on-line application process is providing your SSN. In this care, it's a necessary evil, since Clear has to access information only you would know. I would assume they're getting this off credit reports or public records. You answer three or four questions, and if the answers are satisfactory, you move on to the next step. You print out a document with a registration number.

    That step requires an appearance, in person, at the local airport with the Clear service counters. They check your registration, and you have to provide two forms of identification. One can be any government-issued picture ID. The other, however, must be a government-issued birth certificate or a valid passport. I tried to use a birth certificate issued by the hospital where I was born in 1955, but they refused to accept it. This required me to order a new BC from the state where I lived, and finsish the process another day.

    Once that's finished, you stand at a kiosk and have all your fingerprints and one iris scanned. They save two or three of the fingerprints and the iris, and the data from both are eventually encoded into the chip on the smart card they issue you.

    The wait for the card can be nearly a month.

    As protective as I am of my privacy, I really didn't have a lot of issues with what I had to do to get this. I am an IT contractor and former federal employee, and I have a high security clearance. I had to give up a lot more during that investigation, including having family, friends and neighbors interviewed about my character. Since this is a requirement of the job, I have nothing in my past to hide, and it means a much higher salary, I'm not going to raise too much of a stink.

    Clear, on the other hand, didn't get anything from me that isn't easily available (or steal-able) to anyone with a few dollars and a couple of private detectives on the Rolodex. Go to one of these "free credit report" sites and request to see what's on that thing. You have to answer some of those questions I mentioned before, and what they have is pretty interesting, and deep.

    I'd be lying if I said this laptop theft doesn't worry me. I have the feeling that the idiot who stole it probably won't even look on the damn thing, and it will turn up, drive slicked, in some pawn shop.

    In the meantime, I'll keep a close eye on everything sensitive (I get lots of practice at work).

    And I'll still be jumping the line at the airport.
  • by origamy (807009) on Tuesday August 05, 2008 @03:23PM (#24484757) Homepage
    So reports the SF Chronicle [sfgate.com] in an article from the AP:

    (08-05) 11:59 PDT San Francisco, CA (AP) --

    The company that runs an airport security prescreening program says they've found a laptop containing the personal information of 33,000 people more than a week after it apparently went missing.
    ...

"It is better to have tried and failed than to have failed to try, but the result's the same." - Mike Dennison

Working...