Failure raises Clear privacy concerns

For the London Free Press - July 20, 2009 Read this on Canoe

No one enjoys long lines at the airport, so when Verified Identity Pass Inc, introduced a service called Clear that promised to shorten delays for frequent business flyers, it seemed like a good idea.

But now that the service has ended -- leaving the fate of all that personal information up in the air -- many are not so sure.

Basically, Clear subscribers paid $199 US a year to use express security lanes at 20 American airports.

Subscribers had to give the company a great deal of highly sensitive personal information. Iris patterns, fingerprints, social insurance numbers, and other data to receive a Clear pass. The company had 260,000 registered users.

For various reasons -- including at one point losing a laptop containing unencrypted information on thousands of customers -- Clear had a difficult time becoming profitable. On June 22, the company closed shop for financial reasons.

Initial customer outrage related to whether or not subscriber fees would be refunded, especially considering that Clear was recently being advertised as a great Father's Day gift idea.

But once Clear stated that due to its financial situation it would not be offering refunds, the focus quickly shifted.

What was to be done with all the sensitive information which Clear no longer had any use for?

On the open market, sensitive personal information is very valuable. For this reason, it is very tempting for a business in Clear's position, or its creditors, to sell the information to recoup their losses.

This is less than attractive to those who now have their sensitive data hanging in limbo.

Many privacy advocates would simply suggest all sensitive data be destroyed in these cases.

However, this has to be weighed against the rights of creditors.

In a letter to members, Clear stated it was wiping all customer information from records contained at individual airports.

It also assured members it would delete all of the data from their main database if they were unable to provide it to a new entity providing a similar service.

That philosophy fits with general privacy principles that say personal information should only be used for the purpose it was collected, absent specific individual consent.

While there are difficulties with the Canadian PIPEDA legislation in this regard, privacy principles generally say that a business can transfer the personal information of its customers to a buyer of its assets, so long as the privacy obligations go with it. They can't transfer it to others for different purposes.

It was fortunate that the company holding the information didn't simply walk away from its equipment, leaving the personal information unprotected.

Because it is so valuable, the temptation is for creditors to make other uses of personal information, or to sell it to others.