John Paczkowski

No Worries, Just Add All 33,000 to the Do-Not-Fly List …

“I think of Clear as a $100 service that tells terrorists if the FBI is on to them or not. Why in the world would we provide terrorists with this ability?”

— Security technologist Bruce Schneier

Verified Identity Pass’s Clear registered traveler program requires members to submit to in-depth background checks, provide the company with their drivers’ licenses and passport numbers and get hand and/or retina scans. Those who do are given speedier passage through airport security lines.

Given such robust security precautions, it’s ironic, isn’t it, that a laptop containing the personal information of 33,000 Clear customers went missing for a week? How is it that it simply disappeared?

How is it that the information it contained was unencrypted? And, beyond that, what the hell was that information doing on a laptop in the first place? Surely it’s not Verified Identity Pass’s practice to dump entire customer databases on machines without access logging.

Is it?

No, of course not. And, to be fair, the laptop was protected by two levels of passwords. Two! Plus, according to Allison Beer, senior vice president for corporate development of Clear, the data on the laptop weren’t even all that good. “Yes, it was sensitive privacy information, but not the stuff that was most sensitive,” she told The San Francisco Chronicle.

Sensitive, but not that sensitive. Yeah, no big deal, just addresses, birth dates and driver’s license, passport or green card information. Just the sort of information that might be, you know, used to verify people’s identity when they travel around the country.

As Bruce Schneier presciently noted in his review of Clear in January, 2007, “If you think having a criminal impersonating you to your bank is bad, wait until they start impersonating you to the Transportation Security Administration.”