I was a happy Clear customer up until the service went away, quickly earlier this week.
I'm not a super paranoid personal data protector but I have been interested in how Clear, or rather Verified Identity Pass, was intending to handle the personal data they kept on Clear travelers. Today I got an email that covered several questions including the "What about the personal data" question.
Will personally identifiable information be sold?
The personally identifiable information that customers provided to Clear may not be used for any purpose other than a Registered Traveler program operated by a Transportation Security Administration authorized service provider. Any new service provider would need to maintain personally identifiable information in accordance with the Transportation Security Administration's privacy and security requirements for Registered Traveler programs. If the information is not used for a Registered Traveler program, it will be deleted.
I think they just said "Yes". Not sure I like the look of that. What exactly is the definition of a "Registered Traveler Program?". Seems like a fairly broad statement that can include uses that I am not in favor of. This does not make me feel better.
How is Clear securing any information at the airports?
Each hard disk at the airport, including the enrollment and verification kiosks, has now been wiped clean of all data and software. The triple wipe process we used automatically and completely overwrites the contents of the entire disk, including the operating system, the data and the file structure. This process also prevents or thoroughly hinders all known techniques of hard disk forensic analysis.
When I read this question I thought to myself, "This shouldn't be a big deal". The reason I thought that is in today's connected world it would seem to me that they would not keep personal information on Kiosks. After all they are a security based value proposition. If one of their members was on a no-fly-list wasn't it their value proposition that they would stop that? I would think they would need constant communication with "something" to keep that from happening. Why would they need anything stored on the kiosk hard disk that is personally identifiable? This again, does not make me feel better.
Who is monitoring this process?
Clear is communicating with TSA, airport and airline sponsors, and subcontractors, to ensure that the security of the information and systems is maintained throughout the closure process. Clear thanks these partners for their continuing cooperation and diligence.
Ok, so Clear is "communicating" with them. What does that mean. This does not seem to be a "monitoring process" so much as a reporting process to people who have little control over the issue at hand. This does not make me feel better.
How can I contact Clear?
Please visit our website, www.flyclear.com, for the latest updates. Clear's call center and customer support email service are no longer available.
I think that means you can't. Again, probably nothing comes of any of this and everyone's data is protected. I think this is an interesting case for working with startups that maintain a high degree of personal data. If not handled right Clear could become a text example of how not to do this kind of thing.