Fate of Registered Traveler data up in air after vendor quits program

The Transportation Security Administration appears to be taking a hands-off stance toward the treatment of personal data for 165,000 enrollees in a Registered Traveler program.

That data is in the hands of Verified Identity Pass, which was the largest operator under Registered Traveler in a program known as Clear. Under the program, enrolled travelers provided personal information and went through a background check so that they could receive expedited treatment at security lanes at airports.

But Verified Identity Pass shut down the Clear program abruptly on June 22. Although TSA sets requirements for Registered Traveler, the individual programs, such as Clear, are run by private operators, who collect data and manage enrollment.

Now lawmakers are questioning the disposition of the personal data for Clear enrollees, which includes digital fingerprints. Rep. Bennie Thompson (D-Miss.), who chairs the House Homeland Security Committee, and two other lawmakers wrote to TSA on June 25 asking about the safety and security of the personal data. TSA said June 30 that it was drafting a response to Thompson.

However, in an official TSA Blog entry, the agency said it is directing all inquiries about the personal customer data collected through Clear to the vendor.

“Clear was not a TSA program, but many are looking to TSA for answers,” states the TSA Blog entry. “Questions about how the data is managed should be directed to Clear.”

The TSA Blog further describes Clear as a “market-driven, private-sector venture” and notes that Clear bears the responsibility for use of the personal data.

“After TSA’s pilot [program] ended in July 2008, all Registered Traveler service providers were obligated to follow data security standards to continue offering service,” the TSA Blog states. “Service providers’ use of data, however, is regulated under its [sic] own privacy policy and by its relationship with its customers and sponsoring airport or airline. The information provided to TSA during the pilot will be destroyed as shown in the schedule on our Web page.”

But at least one privacy advocate believes that both Clear and TSA have responsibility for the data. “There are problems on both sides,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center. “There are questions about what happens with Clear’s data, and also about the adequacy of TSA’s oversight of the Registered Program.”

On its Web site, Verified Identity Pass said it is protecting the information and assured customers that the data cannot be used for any other purpose. “If the information is not used for a Registered Traveler program, it will be deleted,” the company said.