Security Management : IAM Trends, biometricshttp://community.ca.com/blogs/iam/archive/tags/IAM+Trends/biometrics/default.aspxTags: IAM Trends, biometricsenCommunityServer 2007 SP1 (Build: 20510.895)Verified Identity Pass Goes Kaput - Where is the Data Now?http://community.ca.com/blogs/iam/archive/2009/06/24/verified-identity-pass-goes-kaput-where-is-the-data-now.aspxWed, 24 Jun 2009 16:15:00 GMT8d07cc69-a460-48f1-844d-25b05ba87317:2587Merritt Maxim0http://community.ca.com/blogs/iam/archive/2009/06/24/verified-identity-pass-goes-kaput-where-is-the-data-now.aspx#comments<p>On Monday, Verified Identity Pass <a class="" href="http://news.cnet.com/8301-13505_3-10270837-16.html" target="_blank">announced</a> that it will cease operation of its Clear program at 18 airports throughout the U.S.&nbsp; To the estimated 250,000 frequent fliers who had signed up for Clear Pass program and shelled out $200 annually for the privilege, this news was sudden and unexpected.&nbsp;&nbsp; </p> <p>The Clear program was one of three registered traveler programs that enabled travelers to obtain priority at airport security.&nbsp; In light of the extra waits often encountered at airport security following the new post-9/11 rules, these registered programs seemed attractive.&nbsp; With Verified Identity Pass&#39; announcement, the viability of such services is now in doubt.</p> <p>The initial <a class="" href="http://www.usatoday.com/travel/news/2009-06-23-registered-flights-travel_N.htm?obref=obinsite" target="_blank">news</a> on getting refunds back is not promising.&nbsp; Disregarding the financial impact of not getting a refund, there is a much more important identity question to ask, &quot;What happens to the biometric data of the registered travelers?&quot;</p> <p>Biometrics are the one credential that cannot be revoked.&nbsp; Passwords can be changed, users can be removed from directories, smart cards can be locked, and certificates can expire, but your fingers, eyes and face are with you.&nbsp; And while most biometric systems only store a digital interpretation of this data, the point is that Clear possesses some unique data about 250,000 people and the future of that data is in some doubt.&nbsp; The FlyClear <a class="" href="http://www.flyclear.com/" target="_blank">website</a> has this short statement </p> <p>&quot;Applicant and Member data is currently secured in accordance with the Transportation Security Administration&#39;s Security, Privacy and Compliance Standards. Verified Identity Pass, Inc.&nbsp; will continue to secure such information and will take appropriate steps to delete the information.&quot;</p> <p>On the surface, this sounds good, but given that the company is having financial difficulties, what assurances do we have that their systems are safe from attack and that personal data will not be compromised now? If the data is going to be deleted, what assurances are there that the data will be destroyed completely?</p> <p>I don&#39;t mean to be an alarmist and all data may be handled correctly, but this business failure raises some important policy questions about ownership and protection of personal biometric data by third parties.&nbsp; </p> <p>This will be an interesting case to monitor going forward.</p><img src="http://community.ca.com/aggbug.aspx?PostID=2587" width="1" height="1">biometricsdata loss preventionDLPFlyClearIAM TrendsIdentity ManagementPrivacySecurityTSA