Thursday, 2 July 2009
"Clear" shuts down its registered-traveller system
Verified Identity Pass, Inc. ("VIP") shut down its Clear traveller registration and airport fast-lane scheme last week. Under the Clear scheme, and two much smaller competing ones run by other companies, air travellers could get access to dedicated lanes leading up to TSA checkpoints in airports, in exchange for payment of about $200 per person per year and submission of detailed information (which is passed on to the TSA) including fingerprints, iris scans, residence histories, permission for police and other record checks, etc.
I was interviewed about this by KGO (Channel 7) television, but of course only brief sound bites were used on the air. For more background, see my previous articles about Clear and other "trusted traveller" and "registered traveller" schemes:
VIP has ceased Clear operations and has no other lines of business or source of income, but hasn't (yet) filed for bankruptcy. That means they are still in control of their archives of data about Clear cardholders (once VIP filed for bankruptcy, those decisions would be up to the bankruptcy court ), but also that there may still be time for customers who move quickly to get small claims court judgements against VIP for refunds before they go bankrupt. Class-action lawsuits for Clear fee refunds have also been filed, but will take longer -- probably too long for judgments to be issued before VIP is forced into bankruptcy.
It appears that VIP hopes to stay out of bankruptcy long enough to negotiate a sale of its assets -- including its archives of data about Clear cardholders -- to a competitor or other successor. In practice, such a sale seems unlikely. Clear dominated the industry, with deeper pockets, many more registered travellers, and operations at more and larger airports than its two competitors. If Clear couldn't make a go of this business model, who else could?
One of the competing traveller-registration companies , which operates only in Jacksonville (FL) and Louisville, has already been reported to be behind on its debts for airport rent and other services. The other company operates only at Reno, NV. Neither offers much of a value proposition (not that Clear ever did, really) without the ability mandated under TSA interoperability standards to use their cards at the major airports with Clear lanes, as long as Clear was operating. Their only hope of staying in business now is for one of them, or someone else richer and stupider than Clear's original investors, to come up with the money to take over Clear's operations at a critical mass of major airports.
It's unclear what will happen to Clear's data archives, especially if no one wants to buy its traveller registration business. Clear hopes to reassure customers by telling them that it operates in accordance with TSA regulations. But those regulations are at best ambiguous, particularly as to whether requirements for the "destruction" and "use" of data refer only to the copies of that data held by the TSA, or also apply to the copies held by Clear and other traveller registration companies.
Clear has relatively few customers: a total of only 250,000 Clear cardholders, compared to more than 2 million travellers per day who pass through TSA checkpoints at airports in the USA. The bigger question is not what happens with Clear data, but whether travellers, legislators, and government regulators will learn any lessons from this episode.
In most other situations, a travel company that goes bankrupt (as numerous hotels have done recently) would have no way to keep its archives of records about travellers from being sold -- even if it wanted to stop such a sale. In particular, the APIS and Secure Flight regulations contain no restrictions whatsoever on how airlines and other travel companies retain, use, or sell the data that travellers are required to provide to those private companies in order to be allowed to fly.
Clear going out of business should be a wake-up call about the need to :
- Insist that privacy policies include explicit terms limiting data retention, including requiring the destruction of all copies of our data, including those held by third parties to whom it has been passed on, once it has served its purpose.
- Insist that privacy policies contain explicit terms requiring the destruction of personal data, unless data subjects explictly "opt-in" to its retention or transfer, in the event of a sale or liquidation of the company holding the data or its assets. One of several ways to accomplish this would be through contract terms making explicit that the company does not acquire ownership of the data but merely a nontransferable time-limited license to use it for a specific purpose.
- Change the law in the USA to create a default presumption that, in the absence of explicit contractual terms to the contrary, personal data is provided solely for the purpose of the commercial transaction for which it is provided, and is not intended (unless explicitly so stated in the contract) to be an unrestricted grant of "ownership" of the data, as the law throughout the USA currently but counter-factually presumes. This is essentially the difference between the laws in the USA and those in Canada and the European Union. This would do nothing to restrict the provision of data on different terms, as long as they are explicit. This could be done either through a specific privacy law for travel data, or better through a general Federal privacy law for commercial data and a change in the Uniform Commerical Code.
- Amend the federal Privacy Act to make explicit that all data collected under government mandate, including data provided to or held by third parties (such as data that the DHS requires to be provided to airlines, as a condition of receiving government permisison to travel), is protected by that Act.
- Withdraw the regulations that currently purport to require travellers, as a condition of exercising their right to travel, to provide information to travel companies or other commercial third parties, without restricting what those companies can do with this data.
If none of this is done, it's only a matter of time before a bankruptcy court is compelled by law to supervise the auction of a much larger archive of travel records from a travel company to the highest-bidding direct marketing, data mining, profiling, or data aggregation company.Link | Posted by Edward on Thursday, 2 July 2009, 08:55 ( 8:55 AM) | TrackBack (0)