Fate of Registered Traveler data up in air after vendor quits program

Lawmakers have called on TSA to improve protection of data

The Transportation Security Administration appears to be taking a hands-off stance toward the treatment of personal data for 165,000 enrollees in a Registered Traveler program.

That data is in the hands of Verified Identity Pass, which was the largest operator under Registered Traveler in a program known as Clear. Under the program, enrolled travelers provided personal information and went through a background check so that they could receive expedited treatment at security lanes at airports.

But Verified Identity Pass shut down the Clear program abruptly on June 22. Although TSA sets requirements for Registered Traveler, the individual programs, such as Clear, are run by private operators, who collect data and manage enrollment.

Now lawmakers are questioning the disposition of the personal data for Clear enrollees, which includes digital fingerprints. Rep. Bennie Thompson (D-Miss.), who chairs the House Homeland Security Committee, and two other lawmakers wrote to TSA on June 25 asking about the safety and security of the personal data. TSA said June 30 that it was drafting a response to Thompson.

However, in an official TSA Blog entry, the agency said it is directing all inquiries about the personal customer data collected through Clear to the vendor.

“Clear was not a TSA program, but many are looking to TSA for answers,” states the TSA Blog entry. “Questions about how the data is managed should be directed to Clear.”

The TSA Blog further describes Clear as a “market-driven, private-sector venture” and notes that Clear bears the responsibility for use of the personal data.

“After TSA’s pilot [program] ended in July 2008, all Registered Traveler service providers were obligated to follow data security standards to continue offering service,” the TSA Blog states. “Service providers’ use of data, however, is regulated under its [sic] own privacy policy and by its relationship with its customers and sponsoring airport or airline. The information provided to TSA during the pilot will be destroyed as shown in the schedule on our Web page.”

But at least one privacy advocate believes that both Clear and TSA have responsibility for the data. “There are problems on both sides,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center. “There are questions about what happens with Clear’s data, and also about the adequacy of TSA’s oversight of the Registered Program.”

On its Web site, Verified Identity Pass said it is protecting the information and assured customers that the data cannot be used for any other purpose. “If the information is not used for a Registered Traveler program, it will be deleted,” the company said.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.
