Fate of Registered Traveler data up in air after vendor quits program

Lawmakers have called on TSA to improve protection of data

The Transportation Security Administration appears to be taking a hands-off stance toward the treatment of personal data for 165,000 enrollees in a Registered Traveler program.

That data is in the hands of Verified Identity Pass, which was the largest operator under Registered Traveler in a program known as Clear. Under the program, enrolled travelers provided personal information and went through a background check so that they could receive expedited treatment at security lanes at airports.

But Verified Identity Pass shut down the Clear program abruptly on June 22. Although TSA sets requirements for Registered Traveler, the individual programs, such as Clear, are run by private operators, who collect data and manage enrollment.

Now lawmakers are questioning the disposition of the personal data for Clear enrollees, which includes digital fingerprints. Rep. Bennie Thompson (D-Miss.), who chairs the House Homeland Security Committee, and two other lawmakers wrote to TSA on June 25 asking about the safety and security of the personal data. TSA said June 30 that it was drafting a response to Thompson.

However, in an official TSA Blog entry, the agency said it is directing all inquiries about the personal customer data collected through Clear to the vendor.

“Clear was not a TSA program, but many are looking to TSA for answers,” states the TSA Blog entry. “Questions about how the data is managed should be directed to Clear.”

The TSA Blog further describes Clear as a “market-driven, private-sector venture” and notes that Clear bears the responsibility for use of the personal data.

“After TSA’s pilot [program] ended in July 2008, all Registered Traveler service providers were obligated to follow data security standards to continue offering service,” the TSA Blog states. “Service providers’ use of data, however, is regulated under its [sic] own privacy policy and by its relationship with its customers and sponsoring airport or airline. The information provided to TSA during the pilot will be destroyed as shown in the schedule on our Web page.”

But at least one privacy advocate believes that both Clear and TSA have responsibility for the data. “There are problems on both sides,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center. “There are questions about what happens with Clear’s data, and also about the adequacy of TSA’s oversight of the Registered Program.”

On its Web site, Verified Identity Pass said it is protecting the information and assured customers that the data cannot be used for any other purpose. “If the information is not used for a Registered Traveler program, it will be deleted,” the company said.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.


Reader comments

Tue, Jul 7, 2009

This is a clear example of what happens when the government encourages multiple approaches to solving a single problem. Identity management has been on the Presidential burner for several years (Bush's E-Authentication Initiative, HSPD-12) but the administration and Congress failed to establish and enforce common standards that would enable interoperability. As a result, the taxpayers have invested in far too many solutions at a financial cost and adoption timeline that far exceeds acceptable boundaries.

Tue, Jul 7, 2009 Wayne Thomson

How can TSA reasonably attest that “Clear was not a TSA program, but many are looking to TSA for answers”? The only reason for the existence of Clear was to address a problem of TSA's creation. TSA laid down the requirements, and should have been providing some oversight. The personal data would never have been collected, were it not to expedite a TSA process. The TSA statement is clearly a cop-out!

Tue, Jul 7, 2009

Why TSA would not use a Government Agency, like GPO, to produce and safeguard these types of credentials is beyond one's senses and any logic associated with the tax dollars paid for such programs. As an afterthought, I wonder how much money this company's failure cost, and if TSA will not be asking for more taxpayer dollars to select another vendor? What I'm referencing here is the internal TSA review and selection processes that failed, and ultimately cost the taxpayer!
