Laptop with data about 33,000 Clear card applicants lost at SFO

The TSA says a laptop with the personal information of 33,000 Clear card applicants was lost at San Francisco Airport on July 26.
The TSA has suspended new enrollments in the program, known as Clear, which allows passengers to pay to use special "fast lanes" at airport security checkpoints.

The laptop belonged to a privately run company known as Verified Identity Pass Inc., which operates the program at 17 airports nationwide.

Security Breached At SFO Due To Stolen Laptop (CBS5)

Previously on Boing Boing:
ETech phone snapshot: Anil Dash's trusted traveler card


  1. Well there goes the “security” of that program…

    Who gets the blame (ie. promotion) at the TSA now?

  2. From Verified Identity Pass’s site:

    Verified Identity Pass was started in 2003 with a simple idea: In the post 9-11 era we had to take new measures to protect ourselves yet not destroy our way of life by strangling the free flow of people and commerce.

    Read ‘We saw an opportunity to make a giant bundle of cash after 9/11’

  3. A security company, helping the TSA, lost security cards that help bypass security?

    I feel much safer, now!

    Maybe if the cards were liquid, they could have kept track of them… (-:

  4. The article really should highlight the fact that the laptop wasn’t encrypted in any way. To which I say, WTF? What idiot hired a “security” company that lets their employees have unencrypted laptops?

  5. Great idea in the first place: “The terrorists” wouldn’t even think about the possibility of using a “fast lane” for entry, now would they? Oh, I see, it’s not available to Arabs? That should fix it. We know “the terrorists” can’t possibly come from other ethnicities… (/sarcasm.)

    Such a policy belies the true agenda of total incompetence, theft, and prolonged misery that is the TSA today: to impose another tax just to leave you alone. It doesn’t make me feel any better that a bribe has been formalized into policy. Kudos to whoever took the missing laptop! This “program” needs exposure in a way that highlights this “security” agency’s ineptitude.

  6. No help for it, we must assume that the IDs on the laptop have been sold, possibly to terrorists. Sorry, every name on that list must now go on the No Fly. It is the only safe thing to do.

  7. According to Bruce Schneier, the stupidity of this program is: For $99 (the application fee for the clear card security check), any terrorist out there can check whether the government is on to them.

  8. That pretty much sums up the problem with any kind of surveillance, Database State, blah blah blah. Not so much the unpleasant uses that gathered data can be put to, but sheer incompetence on the part of government.

    Any government.

  9. When you collect the private details of people all in one place, it’s stupid to think that you can secure that against people who want it. The best way to ‘protect’ details, is to not collect it in one place like that. If someone really wants to know the specifics of a person that’s easy but getting thousands of names takes a great deal of time and effort and money. Well it USED to take a great deal of time and effort, now you just need to find the weak point of an aggregate system like Clear card.

  10. The clear card system is wrong on so many deep levels. May it go down in flames. Those folks need to wait in the same lines as the rest of us, period. No “special” security classes of travellers, please.

  11. As a terrorist and long time No-Fly Lister, I was never even eligible for a Clear Card so I never applied.

    Which means that the government has some information about someone with a name tangentially like mine (I’ve never found my *actual* name on any of their lists), but whoever stole the Clear Card laptop has nothing about me.

    See how we terrorists defeat your puny attempts at security, while protecting ourselves? Bwahaha!

  12. Someone lost a laptop full of employee data where I work. Why is this happening so much? I know, statistically speaking, it probably isn’t happening “so much”, but why are executives or contractors flying around with laptops full of personnel or credit or other private information? At all?

  13. The war on terrorism’s first casualty was its own credibility. But they do seem determined to escalate the self-embarrassment until everyone realizes just how dumb the whole concept has been.

    Unfortunately there are a lot of folks out there who still haven’t gotten the joke…

    Seriously, the question after 9/11 should not have been “what did we do wrong to let this happen”, but “what did we do right for all the preceding years to prevent it?” I submit that what changed was a move toward isolationist, arrogant international policies. I won’t quite say we were asking for it, but we decided we were tired of being everyone’s friend and some folks returned the compliment.

    Which is one reason I think this administration’s responses to the attack were completely inappropriate. We were provoked into making ourselves an even more attractive target, as well as into imposing a continuing state of terror upon ourselves. DUMB reaction.

    I know, I sound like a broken record on this topic, but… ye gods and demons, for a party which portrays itself as strong on international issues the Republicans blew this one in every way they possibly could. Even if we believe their claims that the mistakes were honest ones. Which I’m still trying to do, mostly because I really don’t want to contemplate the alternative.

  14. Why, why, why is data like this, encrypted or not, kept on *laptops*? If it’s that important to access it from anywhere, put it on a heavily-secured central server.

    I don’t understand things like this, I really, truly don’t. Why would that data ever need to be moved in such a wholesale manner that it requires being on a laptop?

  15. Technogeek – “what did we do right for all the preceding years to prevent it?”

    Yes. I think it’s that ‘we’ relied on a private contractor to do a job for the government. The job was ‘finding a way for people of means and reputation to get past the peons at the airport’. I can think of two good reasons to do it well, and I admit that one of the possible reasons is deeply cynical, the other is more likely, as it’s just about greed.

    You’re asking the same question as “why did FEMA under-react to Katrina?” and “Why did the FHA under-regulate mortgage loans?”, and “WTF is Blackwater still doing in Iraq!?!?”.

    Ultimately it’s a rhetorical question, at least insofar as I don’t want to hijack a thread with presidential politics – though it must be said the TSA is within the executive branch.

  16. While the loss of sensitive data is always distressing, even more distressing is that something like the Clear Card can exist. Isn’t the whole point of the security regimen because our driver’s licenses aren’t good enough to determine nefarious intent anymore? All this does is to further class distinctions. This is no different in theory from the Civil War policy of the rich buying their way out of the draft. If it’s our “patriotic duty” to undergo scrutiny at the airport, everyone should be treated equally.

    Someone should tell Verified Identity Pass, Inc and the TSA (and other governmental organizations both in the US and abroad), that Douglas Adams was joking about the Ident-i-Eeze. Clearly They missed the point.

    It’s the same story with “real ID” and other national ID card schemes. When proving one’s identity becomes too burdensome, people are going to invent and legislate ways to make it easier, thus circumventing the very reason for checking ID.

    Rather than focus on finding out if we really are who we say we are, why don’t they focus on finding out if we have the means to take down an airplane? After all, I know the name of my neighbor’s dog, but that doesn’t tell me if he’s the one leaving poo on my lawn.

    But then, maybe our safety is just the cover story and tracking the population is the real goal. That’s the only thing that makes sense anymore. I never considered myself a conspiracy theorist, but things like this have no reasonable explanation.

  17. If you read the article, the laptop was found shortly later in the same room it was “stolen” from. That’s a pretty important detail. The numerous points about encryption and the silliness of this program are well founded and valid regardless of whether the laptop was stolen or not, but it appears there was no actual theft in this case.

  18. The Clear Cards are a joke. But the thing that burns me, is the shorter security lines for First Class customers. Why do they get a priority over the great unwashed? The TSA is a government agency and theoretically, ideally, should treat passengers equally. What makes someone a First Class passenger is a contract (ticket) with the Airline, not the TSA. Why are the business/economy class passengers being treated differently? I know, I know, this is the United States and we have given up even pretending the government isn’t owned by corporations. My bad.

  19. Oh, /yay/. Many people that I work with have Clear cards due to needing to travel for business quite often.

    The TSA isn’t going to compensate me for having to put up with spoiled executives who are suddenly denied business travel. The TSA isn’t going to compensate me for my company not being able to pay raises or bonuses because business travel was denied to these people who are suddenly denied the privilege of flying.

    Not to mention that they’re all going to have to close bank accounts, phone subscriptions, and possibly even /move/.



  20. Ok, just so we’re clear: DHS/ICE can copy and share your laptop data with any federal agency any time you cross the border. Your data is safe, however, because “when a review is completed and no probable cause exists to keep the information, any copies of the data must be destroyed. Copies sent to non-federal entities must be returned to DHS.”

    So non-federal entities (like, oh, say, Verified Identity Pass, Inc./Clear Card) are going to keep my laptop data safe and return it to DHS for destruction when they’re done storing it, unencrypted, on laptops. Right….

  21. MATTYMATT@27: Maybe Garfield is a sponsor of Clear? “Whenever my cartoon cat has to travel…”

  22. Do the folks bearing these Clear cards travel on different flights to the rest of us?

    If not, they’d surely be cheesed off as they die in the fiery conflagration caused by some plebeian terrorist who had to wait longer than they to board the same aircraft. Not only will they not make their destination, but all they managed was to be seated faster on what would still become a plummeting comet of death.

    Spending money on this snake-oil will not make these people flame-proof, more resistant to impact or explosion damage or even more buoyant. I’ll stick with my St. Christopher pendant – the giant armoured one that I can sit inside in the cargo hold.

  23. re: Found the Laptop After All…

    My wife just said, “TSA probably misplaced the laptop when it got hidden under their huge NO FLY notebook.”

    My wife is pretty damn smart.

  24. Oh, so the laptop only disappeared for a few hours then?

    Nobody could possibly have read unencrypted files off your hard drive in mere hours, … of course not. Nothing to see here, moving along….

  25. It was found in the same office it was determined missing from (a week ago, FYI).

    That is one messy office.

    “It was not in an obvious place.”


  26. I’ve never really liked the idea of the Clear Card program. It sounds so…bourgeoisie.

    Only 15 years ago, a program like this would have been classified as elitist, indicative of a separation between the upper and lower ranks of society and the beginning of the end of the middle class.

    Would you like a Weyland-Yutani along with your police state? I personally feel like NOT super-sizing the government.

  27. @ #34 colinb

    I love it, your wife and my girlfriend thought the same thing! She went on to quote an Onion-like headline that went something like: Laptop detained by TSA for having sensitive TSA info found to be TSA laptop for managing sensitive info. Sounds like something they would do.

  28. Of course maybe someone stole it, copied the data and then put it back…

    nothing to see here, move along….

  29. The other comments were all tl;dr

    Doesn’t CLEAR require biometric information to be submitted, i.e. fingerprints and DNA and/or retinal scan? Doesn’t that mean someone now has identities COMPLETE with biometrics to fake?

  30. Wynneth, no. No biometric data was on the laptop. Also, if you had read the comments, you’d note the laptop was recovered.

  31. Sensitive data should NEVER be stored on laptops — especially by government agencies or contractors.

    Leave it on a server, and connect to it via encrypted VPN.

    A security contractor who does something this stupid should be fired. Really, anybody who does should be fired.

  32. When the physical security of airline passengers is at stake, wouldn’t it be a good idea to have a Plan B that gives an agency the option to destroy data if a breach is suspected? If that laptop hadn’t turned up, or in the case that the laptop was stolen, breached and returned, the data contained within could make it easier for dangerous people to travel undetected. This puts anyone who travels by plane at risk.

    Even full-disk encryption isn’t a failsafe. The option to remotely destroy data seems like a reasonable one when it comes to people’s lives.

  33. The Transportation Security Administration (TSA) continues to investigate the circumstances surrounding the loss of a Clear®-owned laptop computer on July 26 that contained unencrypted data of approximately 33,000 customers. TSA has verified that a laptop was discovered by Clear® officials yesterday at San Francisco International Airport (SFO). It was voluntarily surrendered to TSA officials for forensic examination.

    TSA’s regulatory role in this matter is as follows: Every commercial airport is required to have an approved airport security plan. So Registered Traveler is part of that comprehensive plan at the airports where it operates. Under the airport security plan, the sponsoring entity (SFO in this case) is required to assure its vendors have an approved information security program. Because the computer at SFO was not encrypted it is in violation of the airport’s security plan.

    TSA also has the ability to go directly to vendors when the plan is not being adhered to so TSA is conducting a broad review of all Registered Traveler providers’ information systems and data security processes to ensure compliance with security regulations.

    Clear® needs to meet the information security requirements that they agreed to as part of the Registered Traveler program before their enrollment privileges will be reinstated. Encryption is the wider issue as opposed to one incident with one laptop. So for now, Clear® enrollments remain curtailed.

    Current customers will not experience any disruption when using Registered Traveler.


    TSA EoS Blog Team

  34. @MarkHB

    Government screwup? This was the private sector that lost the laptop, you know, the guys we are told know how to do it better than some fat, overpaid government bureaucrat.

    “The laptop belonged to a privately run company known as Verified Identity Pass Inc., which operates the program at 17 airports nationwide.”

  35. Oh – what terrorists are these? Are they always skulking about? FBI says there were no Al-Qaeda cells in the US after 9-11. But, like the pinkos and commie fellow travellers, the meme is the gift to power that keeps on giving. The Enemy is Ever Vigilant. Even if they don’t exist.

  36. Current customers will not experience any more annoyance, suffering, loss of property and dignity, physical humiliation and disruption than what is now forced upon them in the name of a laughable security theatre when using Registered Traveler.

    there. Fixed.

  37. I’ll bet that some TSA screener didn’t know what they were looking at and just decided to confiscate it. It’s probably been incinerated by now.

  38. Sigh. What is not intuitive about keeping records in secure, unnetworked workstations? Why is this so constantly a problem?

    Oh well. The Clear card is clearly facing the wrath of FSM.
