Schneier on Security
A blog covering security and security technology.
June 25, 2009
Clear Shuts Down Operation
Clear, the company that sped people through airport security, has ceased operations. My first question: what happened to all that personal information it collected on its members? An answer appeared on its website:
Applicant and Member data is currently secured in accordance with the Transportation Security Administration's Security, Privacy and Compliance Standards. Verified Identity Pass, Inc. will continue to secure such information and will take appropriate steps to delete the information.
Some are not reassured:
The disturbing part is that everyone who joined the Clear program had to give this private company (and the TSA) fingerprint and iris scans. I never joined Clear. But if I had, I would be extremely concerned about what happens to this information now that the company has gone defunct.
I can hear it now -- they'll surely say all the biometric and fingerprint data is secure, you don't need to worry. But how much can you trust a company that shuts down with little notice while being hounded by creditors?
Details matter here. Nowhere do the articles say that Clear, or its parent company Verified Identity Pass, Inc., has declared bankruptcy. But if that does happen, does the company's biggest asset -- the personal information of a quarter of a million Clear members -- become the property of Clear's creditors?
I previously wrote about Clear here.
Posted on June 25, 2009 at 12:36 PM
Clear closed its doors (taking customers' annual subscriptions with it), because it wasn't profitable.
Who could ever have seen it coming?
Can a bankruptcy judge require the sale of the personal information database (it's a valuable asset) to a third party willing to pay for it in order to raise funds to satisfy some of their debt?
If the ownership of data comes to trial, this could be a landmark case that subsequent courts will cite to. Very curious how this one will play out.
The iris and fingerprint scans seem somewhat superfluous since you can make your own database Google Street style. I would think the list of relatively affluent people who travel extensively, i.e., aren't home very much, and whose backgrounds have been checked would make this database valuable for all kinds of criminals.
Not a lawyer but I'd say it depends on their contract with TSA. If they act as a private enterprise then like the credit agencies the data is property of the company and if sellable will be sold. If they are operating as agents of TSA then Federal Privacy Act should apply and the data cannot be sold.
A hundred hundred-dollar-an-hour billable lawyers just punched the air.
The 2005 amendments to the Bankruptcy Code added new provisions dealing with the transfer of personally identifiable information. That includes a definition (101(41A)) and some restrictions on the transfer of that information (in 332 (the consumer privacy ombudsman provision) and 363(b)(1)). It looks like there are only five reported cases looking at this at all and none at a level higher than a bankruptcy court.
I can't answer the question with regard to US law but, for those who are interested, I can tell you the position if a UK company were to do the same.
Some years ago a British company which had registered personal details declared bankruptcy and the administrators tried to sell the data they had collected. I asked the Information Commissioner's Office for a legal opinion. The ICO has formal responsibility for administering and enforcing the UK's Data Protection Act.
I received a letter explaining that, as I had thought, a transfer is only legal if the recipients were registered (i.e. anticipated) before the data was collected. The administrators cannot receive, let alone sell the data.
As the Data Protection Act implements the European Data Protection Directive, the same ought to apply if any company within the European Union were to go into administration.
I would have joined Clear if it really was any faster. From what I'd heard, it wasn't worth the money.
On the other hand, one day waiting on line, I saw a hunter walk in, carrying two long rifle cases, escorted by the local police. Police escorted him to the check in counter, where he got immediate attention. They then took him directly to the special security line and sent him through. Probably took him less than 5 minutes, while we stood in two lines for a total of probably 20.
The problem is, the (only) people whose interest it is to protect this data (the people who the data is about) aren't notified of and don't typically attend the bankruptcy proceedings. Nor are they represented in the proceedings. They as a class will need to hire a lawyer to represent their interests. This, however, will be a task. Since there is no money to be made from this venture, they'll either have to hand over money to a lawyer themselves or find one pro bono (maybe the EFF?).
So, what are the odds that at least one of the people who signed up with Clear is a lawyer? Pretty good, I'd say: many lawyers are well-paid and many travel regularly. (Not all, in both cases--but this doesn't need all, it needs one who either cares enough about their own data, or thinks this will be a good use of their time. There are a lot of recently unemployed corporate lawyers; it might be worth it for one of them to take the case on for the publicity and contacts.)
Then we get back to the problem that the people the data is about are probably not even notified of the bankruptcy proceedings. How will they know to get a lawyer?
The problem you're describing lies with the whole idea of "corporations" they are designed to protect people far too much from liability.
Perhaps if liability remained with the former CEO and management team even after bankruptcy those responsible would make damn sure things were handled properly.
Err it might be more complicated than it appears.
When a UK bank got into financial trouble (Northern Rock) I had a troubling thought.
UK banks have for some time outsourced call centers to countries outside of the UK/EEA.
Bruce has posted in the past about Asian call centers and identity theft, so it is well known as a practice that just about all customer data, including passport info, credit reference data, purchase/spending data etc., has been supplied to the call center and has ended up being sold to reporters for relatively minor sums.
What is not well known is what happens if a bank or other business breaks its contract with the call center.
Technically the data on the call center's computers belongs to the call center because the contract would have been breached. It therefore could be used as an asset to recover any outstanding monies owed unless the contract has very specific clauses or the jurisdiction in which the call center is in has appropriate legislation.
Even in this case of contractual clauses or legislation, what incentive does the call center have to securely destroy the data of people who are foreign nationals who have no contractual arrangement with the call center?
They could just chuck the backup tapes etc. in the refuse as that would involve minimal cost. And as we are aware in some countries in that part of the world children survive by picking through refuse for any items of value.
What are the chances that any such tapes like the US Army thumb drives in Iraq end up on a market traders stall?
I tried finding out answers but unfortunately there appear to be no answers that would give me any confidence about the outcome of such an event.
Well, here's a thought: just add all those Clear list names to the no-fly list. That data is probably already in the hands of the wrong people, and since Clear isn't around to vouch for the data anymore, just maybe none of those people should be allowed to fly as they could be impersonated. The data should have been owned and held by TSA (or DHS).
There is only one way to secure biometrics - never to let them get collected in the first place and stick to collect and match on-card.
The problem is that the ICAO standards are dangerous - creating certified biometrics is like a blank third-party witness that whoever fakes your biometrics is you. And collecting them at any checkpoints makes abuse certain and creates an open attack point for identity theft faking biometrics.
I'm sorry, I can't remember sufficient details to look it up.
Biometrics are coming. Rep. Schumer said yesterday he wants to scrap E-Verify and substitute biometric ID cards:
“Only by creating a biometric-based federal employment verification system will both employers and employees have the peace of mind that all employment relationships are both lawful and proper,”
My current employer validated my citizenship and I've lived here for 50 years. Okay so what will employers want? Two separate books one for citizens and another for immigrants or one card for everyone.
Follow up thought - in the Toysmart case, the FTC agreed that Toysmart's customer data could be sold to a similar supplier. If another company decides to go into the "skip the security line" business, the FTC might not object to Clear's data being sold to that company.
I was a Clear customer. I now know not to sign up for this kind of service without some kind of statement about what will happen to the data in the event of a financial disaster.
The problem is referenced and implied above, but is fairly simple. The people that the data represents are not considered owners of the data, therefore have no rights or notifications about its use and subsequent sale.
That is failure point. The law needs to be updated to allow for individuals to own, and be notified about the use of, experience data that is collected about them that can be used to materially represent them for the purposes of proof of identity. Of course it's harder to do than to say, but if we want to reach a place where privacy and accountability are the rule not the exception, then we have to give the person impacted by the use of the data, the ownership role and the right to sue for misuse.
Granted if it was me I'd do this and add a stipulation about frivolous lawsuits automatically being the responsibility of the frivolous party AND lawyer to prevent fraudulent misuse of this new legal stance.
The thought occurs to me that we know about this because of the high profile of the company.
What's below the sonar? There are record lookup firms on the internet that are buying and selling PII data. Their databases are sizable. Would we necessarily even know if one went titsup?
Out of business, Clear may sell customer data.
"Three days after ceasing operations, owners of the Clear airport security screening service acknowledged that their database of sensitive customer information may end up in someone else's hands, but only if it goes to a similar provider, authorized by the U.S. Transportation Security Administration."
Some years ago, I seem to recall that the "Church" of Scientology went after an anti-Scientology web site for copyright infringement (of internal Scientology documents) and, upon bankrupting the sponsoring organization, took as an asset the mailing lists and membership lists of those that were critical of the organization. Maybe a terrorist organization can purchase Clear's intellectual property from the court overseer.
@TS: Rifles! What a way to move to the front of the line.
"Hello, police? I'm flying to hunt white-nosed marmosets, and I need to check my rifles. Will you send a couple of officers to assist me at check-in?"
Two cheap rifles cost way less than a Clear membership, and there's no intrusive data gathering process.
It will be interesting to follow when the US data paradigm realises that this is NOT a question of "rights", but a question of real technical controls.
When a company like this goes down, any citizen should be able to revoke any credential or key related. WITHOUT ASKING THE COMPANY.
This means that the company
a) Cannot store any non-revocable key material such as biometrics or simple derivatives of biometrics (such as hashes)
b) Cannot store any identifying data as this would make data non-revokable.
Remember that one of the core problems here is biometrics-based identity theft, i.e. stealing your identity by faking your biometrics. Which is always possible as biometrics are merely physical constants.
The threat issue is NOT handled by combining several mechanisms in parallel as this today merely leads to each of these increasing security problems through these naive assumptions.
The real issue here is to make security and applications that ensure control is never transferred as that is the source of the security violation.
ICAO-style passport "security" is simply outdated and security destructive even before implementation as but somewhat completed.
US will learn eventually - question is only when. Historically failures of this magnitude required serious abuse before sense in the paradigm is restored.
What we see today is not about security - it is about interests overtaking rights and security. About Might ruling over Right.
And about the exact opposite of what US was built upon. The founding fathers would turn in their graves.
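The comment above argues that a company should never hold non-revocable key material, and that even a hash of a biometric is non-revocable. The following is an added illustration of that point, not code from the original post or from Clear; it contrasts an unkeyed hash of a biometric template with a per-enrollment keyed token that the member can kill by destroying the key. The templates, the class and function names, and the idea of keeping the key on the member's card or in a separately operated HSM are all assumptions made for the example. It also simplifies biometric matching to an exact comparison on a normalised template; real matching is fuzzy and would need a fuzzy extractor or on-card matching, but the revocability argument is the same.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample templates (standing in for an iris code or a fingerprint
# minutiae vector). Assumed already normalised so that exact comparison works.
ALICE_TEMPLATE = b"iris-code:" + bytes(range(32))
BOB_TEMPLATE = b"iris-code:" + bytes(range(32, 64))


def naive_biometric_id(template: bytes) -> str:
    """Unkeyed hash of the raw template.

    Deterministic and keyless: whoever later obtains the template (a creditor
    who buys the database, the next 'skip the line' vendor) derives the very
    same value, and the member cannot change their iris. There is nothing to
    revoke, which is why a plain hash is still non-revocable key material.
    """
    return hashlib.sha256(template).hexdigest()


class Enrollment:
    """One member's record at one company.

    stored token = HMAC-SHA256(enrollment_key, template)

    The key is generated per enrollment and (by assumption) lives outside the
    member database, e.g. on the member's card or in an HSM under a separate
    operator. Destroying the key turns the stored token into a random-looking
    32-byte string that cannot be matched against any future scan, without
    anyone having to ask the company to delete anything.
    """

    def __init__(self, template: bytes) -> None:
        self.key: Optional[bytes] = secrets.token_bytes(32)
        self.token = hmac.new(self.key, template, hashlib.sha256).digest()

    def verify(self, template: bytes) -> bool:
        """Match a fresh reading; impossible once the key is gone."""
        if self.key is None:
            return False
        candidate = hmac.new(self.key, template, hashlib.sha256).digest()
        return hmac.compare_digest(candidate, self.token)

    def revoke(self) -> None:
        """Member-side revocation: discard the key, leave the database alone."""
        self.key = None

    def linkable_to(self, other: "Enrollment") -> bool:
        """Could two leaked databases be joined on this field? With independent
        keys, tokens for the same person share nothing."""
        return self.token == other.token


def demo() -> Dict[str, bool]:
    """Run the comparison and return the observations for checking."""
    clear_alice = Enrollment(ALICE_TEMPLATE)   # enrolled at the defunct vendor
    other_alice = Enrollment(ALICE_TEMPLATE)   # same person, unrelated vendor
    results = {
        "naive_id_is_stable": naive_biometric_id(ALICE_TEMPLATE)
        == naive_biometric_id(ALICE_TEMPLATE),
        "keyed_verify_ok": clear_alice.verify(ALICE_TEMPLATE),
        "keyed_rejects_bob": clear_alice.verify(BOB_TEMPLATE),
        "keyed_not_linkable": not clear_alice.linkable_to(other_alice),
    }
    clear_alice.revoke()  # vendor folds; the member destroys the card-held key
    results["verify_after_revoke"] = clear_alice.verify(ALICE_TEMPLATE)
    results["other_company_unaffected"] = other_alice.verify(ALICE_TEMPLATE)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The naive identifier stays constant across every company and every year, so whoever ends up holding Clear's database holds a permanent identifier for each member. The keyed token is worthless to a buyer the moment the member's key is gone, and two vendors' databases cannot even be joined on it. Note that this only helps if the company never stores the raw template alongside the token; the scheme protects what is derived, not what was scanned.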
Speaking with Nelson: ha ha
From the wired article on the data breach:
"The company is now installing full disk encryption on the mobile kiosk computers and hopes to re-open enrollment soon once the TSA approves."
From the Flyclear.com website:
"How is Clear securing any information at the airports?
Each hard disk at the airport, including the enrollment and verification kiosks, has now been wiped clean of all data and software. The triple wipe process we used automatically and completely overwrites the contents of the entire disk, including the operating system, the data and the file structure. This process also prevents or thoroughly hinders all known techniques of hard disk forensic analysis."
I guess they never got around to the disk encryption thing.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.