Liquidmatrix Security Digest

FlyClear Sends Out “Dear John” Letters

From the Associated Press:

More than a quarter million people are wondering what will happen to their fingerprints, Social Security numbers, home addresses and other personal information now that a company that sped them through airport security is out of business.

Government officials are wondering too.

Well, wonder no more…for the moment at least. Today one of our readers was good enough to share a copy of the Dear John letters that Clear members around the US are receiving on the heels of the program’s demise (Thx rybolov).

Flyclear.com have taken down the website and replaced the main page with the following email text.

From: “Clear Customer Service”
Date: [REDACTED]
To: [REDACTED]
Subject: Clear Member Update

Clear Member Update

Dear [REDACTED],

In response to questions raised by our members, Clear would like to offer the following information:

Clear Lanes Are No Longer Available.

At 11:00 p.m. PST on June 22, 2009, Clear ceased operations. Clear’s parent company, Verified Identity Pass, Inc., was unable to negotiate an agreement with its senior creditor to continue operations. Verified Identity Pass regrets that Clear will not be able to continue operations.

How is Clear securing personal information?

Clear stands by our commitment to protect our customer’s personally identifiable information – including fingerprints, iris images, photos, names, addresses, credit card numbers and other personal information provided to us – and to keep the privacy promises that we have made. Information is secured in accordance with the Transportation Security Administration’s Security, Privacy and Compliance Standards.

How is Clear securing any information at the airports?

Each hard disk at the airport, including the enrollment and verification kiosks, has now been wiped clean of all data and software. The triple wipe process we used automatically and completely overwrites the contents of the entire disk, including the operating system, the data and the file structure. This process also prevents or thoroughly hinders all known techniques of hard disk forensic analysis.

How is Clear securing any information in central databases and corporate systems?

Lockheed Martin is the lead systems integrator for Clear, and is currently working with Verified Identity Pass, Inc. to ensure an orderly shutdown as the program closes. As Verified Identity Pass, Inc. and the Transportation Security Administration work through this process, Lockheed Martin remains committed to protecting the privacy of individuals’ personal information provided for the Clear Registered Traveler program. Lockheed’s work will also remain consistent with the Transportation Security Administration’s federal requirements and the enhanced security and privacy requirements of Verified Identity Pass, Inc.

The computers that Verified Identity Pass, Inc. assigned to its former corporate employees are being wiped using the same process described for computers at the airports.

Will personally identifiable information be sold?

The personally identifiable information that customers provided to Clear may not be used for any purpose other than a Registered Traveler program operated by a Transportation Security Administration authorized service provider. Any new service provider would need to maintain personally identifiable information in accordance with the Transportation Security Administration’s privacy and security requirements for Registered Traveler programs. If the information is not used for a Registered Traveler program, it will be deleted.

How will members be notified when information is deleted?

Clear intends to notify members in a final email message when the information is deleted.

Who is monitoring this process?

Clear is communicating with TSA, airport and airline sponsors, and subcontractors, to ensure that the security of the information and systems is maintained throughout the closure process. Clear thanks these partners for their continuing cooperation and diligence.

How can I contact Clear?

Please visit our website, www.flyclear.com, for the latest updates. Clear’s call center and customer support email service are no longer available.

Will I receive a refund for membership in Clear?

At the present time, Verified Identity Pass, Inc. cannot issue refunds due to the company’s financial condition.

Has Verified Identity Pass, Inc. filed for bankruptcy?

At the present time, Verified Identity Pass has not commenced any proceedings under the United States Bankruptcy Code.

Clear Customer Service

Clear, 600 Third Avenue 10th Floor, New York, NY 10016
www.flyclear.com

A three-times overwrite to destroy the hard drive data. OK, but by what method? NIST 800-88 (.pdf) lays out some criteria, but it’s unclear if they followed that guidance or something similar. The Canadian Communications Security Establishment offers this guidance for clearing and declassifying data storage devices.

Myrcurial had this to add,

It depends on the technology and the over-write method — i.e., all ones, random, and whether or not the controller (assuming it’s magnetic disk and not tape/optical/etc.) is giving you a true 1:1 representation of all sectors. 3x with the wrong method on a modern IDE disk doesn’t mean the same as one time with the right method on an MFM/RLL disk.

Why not just pitch the drives in a grinder? Also, I have little doubt that there were laptops floating about. Have they all been accounted for? Thumb drives?
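The question of method raised above, as an added example (not from the original post or from Clear): a three-pass overwrite that names the pattern used in each pass and verifies the final pass by read-back. A regular file stands in for the disk; the file name, sample record and pattern order are assumptions for illustration.

```python
import os, secrets, tempfile

BLOCK = 4096  # write/read granularity chosen for this sketch
FIXED = {"zeros": b"\x00", "ones": b"\xff"}

def _block(kind, n):
    """Return n bytes of the named pattern ('zeros', 'ones' or 'random')."""
    return secrets.token_bytes(n) if kind == "random" else FIXED[kind] * n

def overwrite_pass(path, kind):
    """Overwrite every addressable byte of the target once and flush it to the medium."""
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)  # also works for a raw block device
        f.seek(0)
        for off in range(0, size, BLOCK):
            f.write(_block(kind, min(BLOCK, size - off)))
        f.flush()
        os.fsync(f.fileno())
    return size

def verify(path, kind):
    """Read the target back; return offsets of blocks that do not hold the fixed pattern."""
    bad, off = [], 0
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK):
            if chunk != _block(kind, len(chunk)):
                bad.append(off)
            off += len(chunk)
    return bad

def wipe(path, passes=("random", "ones", "zeros")):
    """Run the passes in order, then verify the last one by read-back."""
    if passes[-1] not in FIXED:
        raise ValueError("last pass must be a fixed pattern so it can be verified")
    sizes = [overwrite_pass(path, kind) for kind in passes]
    # Read-back only covers sectors the controller exposes; remapped or hidden
    # areas are not reachable this way, which is the 1:1 concern quoted above.
    return {"bytes_per_pass": sizes, "bad_blocks": verify(path, passes[-1])}

def demo():
    """Wipe a constructed 10,000-byte 'disk image' holding a fake record."""
    record = b"NAME=Jane Example;SSN=000-00-0000;"  # constructed sample data
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "kiosk.img")  # hypothetical image name
        with open(img, "wb") as f:
            f.write((record * 300)[:10000])
        result = wipe(img)
        with open(img, "rb") as f:
            result["record_survives"] = record in f.read()
    return result
```

A wipe report that lists the pattern per pass and an empty `bad_blocks` result is the kind of evidence the letter's "triple wipe" claim leaves out.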

Oh, and they’re not filing for bankruptcy. But, they’re keeping your money. WTF?

For more on this story check out the following article.

Article Link
