Thursday, 2 July 2009

"Clear" shuts down its registered-traveller system

Verified Identity Pass, Inc. ("VIP") shut down its Clear traveller registration and airport fast-lane scheme last week. Under the Clear scheme, and two much smaller competing ones run by other companies, air travellers could get access to dedicated lanes leading up to TSA checkpoints in airports, in exchange for payment of about $200 per person per year and submission of detailed information (which is passed on to the TSA) including fingerprints, iris scans, residence histories, permission for police and other record checks, etc.

I was interviewed about this by KGO (Channel 7) television, but of course only brief sound bites were used on the air. For more background, see my previous articles about Clear and other "trusted traveller" and "registered traveller" schemes:

VIP has ceased Clear operations and has no other lines of business or source of income, but hasn't (yet) filed for bankruptcy. That means they are still in control of their archives of data about Clear cardholders (once VIP filed for bankruptcy, those decisions would be up to the bankruptcy court ), but also that there may still be time for customers who move quickly to get small claims court judgements against VIP for refunds before they go bankrupt. Class-action lawsuits for Clear fee refunds have also been filed, but will take longer -- probably too long for judgments to be issued before VIP is forced into bankruptcy.

What's next?

It appears that VIP hopes to stay out of bankruptcy long enough to negotiate a sale of its assets -- including its archives of data about Clear cardholders -- to a competitor or other successor. In practice, such a sale seems unlikely. Clear dominated the industry, with deeper pockets, many more registered travellers, and operations at more and larger airports than its two competitors. If Clear couldn't make a go of this business model, who else could?

One of the competing traveller-registration companies , which operates only in Jacksonville (FL) and Louisville, has already been reported to be behind on its debts for airport rent and other services. The other company operates only at Reno, NV. Neither offers much of a value proposition (not that Clear ever did, really) without the ability mandated under TSA interoperability standards to use their cards at the major airports with Clear lanes, as long as Clear was operating. Their only hope of staying in business now is for one of them, or someone else richer and stupider than Clear's original investors, to come up with the money to take over Clear's operations at a critical mass of major airports.

It's unclear what will happen to Clear's data archives, especially if no one wants to buy its traveller registration business. Clear hopes to reassure customers by telling them that it operates in accordance with TSA regulations. But those regulations are at best ambiguous, particularly as to whether requirements for the "destruction" and "use" of data refer only to the copies of that data held by the TSA, or also apply to the copies held by Clear and other traveller registration companies.

As long as the company remains solvent, it can (if it wishes, which it may not) destroy its copies unless enjoined from doing so by a court in response to a consumer or shareholder lawsuit. Shareholders might sue, however, to prevent corporate management from destroying the company's valueable informational property. Once it's under the supervision of the bankruptcy court, it would have to show that it is legally precluded (either by contract or government regulaiton) from selling its data, or the court will be required to sell the data to the highest bidder, to recover as much of its value as possible for the company's creditors. Since the Clear privacy policy -- like almost all travel and other corporate privacy policies -- isn't part of its contract with cardholders/customers, it isn't clear (pun intended) if that privacy policy would give even a consumer-friendly bankruptcy judge sufficuent basis to be allowed to keep cardholders' fingerprints, etc. off the auction block.

Clear has relatively few customers: a total of only 250,000 Clear cardholders, compared to more than 2 million travellers per day who pass through TSA checkpoints at airports in the USA. The bigger question is not what happens with Clear data, but whether travellers, legislators, and government regulators will learn any lessons from this episode.

Several feaures of the Clear case are unusual. Clear's privacy policy is stronger than most, and contains rare terms requiring (if the policy is enforceable) destruction of records in at least some cases, although not necessarily in the case of a sale of the company or its assets. I've never seen any provision for mandatory data destruction in the privacy policy of any other USA-based travel company. The TSA's regulations for the "registered traveller" program are also unusual, and include terms not preesent in the rules for other TSA programs and which, at least arguably, give the TSA some control over how the companies that collect data about registered travellers use their copies of that data.

In most other situations, a travel company that goes bankrupt (as numerous hotels have done recently) would have no way to keep its archives of records about travellers from being sold -- even if it wanted to stop such a sale. In particular, the APIS and Secure Flight regulations contain no restrictions whatsoever on how airlines and other travel companies retain, use, or sell the data that travellers are required to provide to those private companies in order to be allowed to fly.

Clear going out of business should be a wake-up call about the need to :

  1. Insist that privacy policies be incorporated explicitly in contractual terms and condiitons. I've argued for years that there is absolutely no legitimate excuse for any reputable company not to include its privacy policy in its contractual terms. In the case of an airline or other common carrier, those terms are the conditions of carriage filed with the government as part of its tariff. Consumers and consumer watchdog organizations should dismiss out of hand as unenforceable -- most critically in a bankruptcy court -- any privacy policy not explcitly made a part of a contract. Consumers should ignore any "privacy seal" that tolerates such unenforceable "policies". In the case of airlines and other common carriers, government agencies could require the inclusion of privacy policies in tariffs, and could treat the promotion of a privacy "policy" that isn't contractually enforceable as false advertising and a fraudulent business practice. "If you mean it, put it in writing in the contract," should be your initial nonnegotiable demand.

  2. Insist that privacy policies include explicit terms limiting data retention, including requiring the destruction of all copies of our data, including those held by third parties to whom it has been passed on, once it has served its purpose.

  3. Insist that privacy policies contain explicit terms requiring the destruction of personal data, unless data subjects explictly "opt-in" to its retention or transfer, in the event of a sale or liquidation of the company holding the data or its assets. One of several ways to accomplish this would be through contract terms making explicit that the company does not acquire ownership of the data but merely a nontransferable time-limited license to use it for a specific purpose.

  4. Change the law in the USA to create a default presumption that, in the absence of explicit contractual terms to the contrary, personal data is provided solely for the purpose of the commercial transaction for which it is provided, and is not intended (unless explicitly so stated in the contract) to be an unrestricted grant of "ownership" of the data, as the law throughout the USA currently but counter-factually presumes. This is essentially the difference between the laws in the USA and those in Canada and the European Union. This would do nothing to restrict the provision of data on different terms, as long as they are explicit. This could be done either through a specific privacy law for travel data, or better through a general Federal privacy law for commercial data and a change in the Uniform Commerical Code.

  5. Amend the federal Privacy Act to make explicit that all data collected under government mandate, including data provided to or held by third parties (such as data that the DHS requires to be provided to airlines, as a condition of receiving government permisison to travel), is protected by that Act.

  6. Withdraw the regulations that currently purport to require travellers, as a condition of exercising their right to travel, to provide information to travel companies or other commercial third parties, without restricting what those companies can do with this data.

If none of this is done, it's only a matter of time before a bankruptcy court is compelled by law to supervise the auction of a much larger archive of travel records from a travel company to the highest-bidding direct marketing, data mining, profiling, or data aggregation company.

Link | Posted by Edward on Thursday, 2 July 2009, 08:55 ( 8:55 AM) | TrackBack (0)
Comments

This service began in Orlando. I can say that Orlando travellers will really miss having Clear. Some of the lines that develop are excruciating.

Posted by: Orlando Villas, 5 July 2009, 06:24 ( 6:24 AM)

Well, not just CLEAR PASS has gone away. This past week Preferred Traveler also ceased operations. (http://www.jax-vip.com) They had issued us an email about 11 days ago at the time that ClearPass went out of biz. Preferred Traveler stated (on their website):

"As many of you are aware, Clear put out a statement stating "At 11:00 p.m. PST on June 22, 2009, Clear will cease operations. Clear's parent company, Verified Identity Pass, Inc. has been unable to negotiate an agreement with its senior creditor to continue operations."

Be assured, that while we are interoperable with all Clear lanes, we are not Clear and will continue to operate on a limited basis. We are working on gathering information and are having discussions with other industry members and will provide you information as we receive it."

I am no longer covered at any airport. My personal info is at risk. No one answers the phone at Preferred Traveler.

This is deeply disturbing.

Posted by: Mark, 7 July 2009, 08:59 ( 8:59 AM)

The post is very informative, I mostly visit your blog & have information about travel. Its really helps me.

Posted by: Samuel Peterson, 9 July 2009, 14:20 ( 2:20 PM)
Post a comment









Save personal info as cookie?