Privacy Digest

Registered Traveler Company Frozen After Losing Flier Data - Via Threat Level:

The Transportation Security Administration suspended Verified Identity Pass from enrolling any new passengers in its get-through-security-faster program on Tuesday, after the company lost (and then oddly found) a unencrypted laptop containing personal information of 33,000 people who had applied for the so-called Registered Traveler program.

The company learned of the loss of an unencrypted laptop from the San Francisco airport on July 26 that included enrollees' names, addresses, dates of birth and some drivers' license numbers. TSA suspended new enrollments in the company's Clear Pass program until the company complies with rules requiring that such data notifies all of the affected enrollees.

Current lanes and participants are not affected.

But just hours after that TSA announcement, a VIP spokeswoman Allison Beer said the company had just found the laptop in the very room it had reported it stolen from. Beer declined to speak on the record about whether the laptop had been returned or had been overlooked originally.

Beer says that the laptop contained only a portion of the online enrollment records, which are stored on a separate server. Instead, it contained a subset that was used to verify people's identity when they came to the airport to have their iris or fingerprint scanned.

Beer could not explain why a subset of the data was kept outside the server, instead of just querying the server when a person came in to have an iris scan. Beer says the laptop was connected to the iris scanner and that the iris scanner writes its images directly to the encrypted database.

Registered Traveler is a set of negotiated standards that lets private companies contract with airports to set up screening lanes and issue biometric cards to participants. All the companies must recognize cards from the other companies, but VIP's Clear program, run by former journalist Steven Brill, is by far the largest program with lanes in airports in Orlando, New York, Denver and Los Angeles, among others.

The loss, or potential loss, of the data is ironic, since the collection of the data is purely security theater, meant to make a convenience program for frequent fliers look like a security solution.

Under the program, travelers willing to undergo a background check by the government and pay $100 a year get to go to the front of the security line. But enrollees still have to go through all the same screening procedures as any other traveler and could still be singled out by computers for extra screening.

Photo: Hyku

See Also:

• Why Registered Traveler Can't Solve Watchlist Problems
• Registered Traveler Program Is Fake Security
• $500K Prize for Better Hijacker Trap

(Read Original Article - Via Threat Level.)