Wednesday, August 06, 2008

Now Where Are My Keys, Dammit?

In the week's best "Never mind" moment, Verified Identity Pass Inc., operator of the Clear registered traveler program, found the laptop it had reported stolen from its offices. A company employee found the laptop ... in the office. "It was not in an obvious location," a spokeswoman said.

The laptop burglary was reported on July 28. The laptop contained basic information on 33,000 new applicants for Clear membership -- names, dates of birth, and in some cases drivers license and passport numbers, but no credit card, Social Security or other more-sensitive information like biometric data that is encoded on ID cards. Nevertheless, the Transportation Security Administration on Monday suspended membership enrollment in Clear until the company can demonstrate in an audit that is encrypting all data. The initial applicant data was not encrypted.

Here are two reports on the reappearance of the laptop, one a news report and the other a press release from the company.

By the way, I am puzzled by one thing. The TSA said two weeks ago that it was relinquishing its role in conducting background checks on registered traveler members -- thereby removing the agency from its security role in the registered traveler program. In effect, it seemed to me, TSA -- whose only role had been conducting those cursory background checks -- had removed itself entirely from supervising of the program.

We'll sort it out. Just as soon as I find my cell phone.

[Note: Ellen Howe, the TSA assistant administrator for public affairs, explains it all in the comment posted below.]


1 comment:

Ellen Howe said...


Let me explain TSA's regulatory role in the case of the missing laptop:

Every commercial airport is required to have an approved airport security plan. So Register Traveler is part of that comprehensive plan at the airports where it operates. Under the airport security plan, the sponsoring entity, SFO in this case, is required to assure its vendors has approved information security program. Because the computer at SFO was not encrypted it is in violation of the security plan. We also have the ability to go directly to vendors when the plan is not being adhered to. (Another example of that would be the vendor in Chicago who had a SIDA badge infraction in 2007)

Clear® needs to meet the information security requirements that they agreed to as part of the Register Traveler program before their enrollment privileges will be reinstated. Encryption is the wider issue as opposed to one incident with one laptop.

Ellen Howe, TSA Office of Strategic Communications and Public Affairs