As regular readers know, I wrote a blog post a week or so ago about applying for a CLEAR card [see Biometrics and my application for the CLEAR card] and in that writeup I had one big question: with all the biometric data collected, how does the company ensure that it’s safe and secure?
I just got an update from CLEAR Vice President Mark Neirick addressing my security concerns. Here’s what he says:
CLEAR recognizes that with the information provided by its members comes the expectation and trust that CLEAR will appropriately protect it. A key difference between the current system and that of the previous Verified Identity Pass system is that personal data is not distributed to remote systems such as kiosks or mobile systems.
CLEAR encrypts all data in transmission to ensure security in transit. CLEAR uses a variety of security protocols and procedures to secure the data collected including: AES 256, virtual private networks, SFTP, SSL, and TLS. In many cases these protocols and procedures are combined for even higher levels of protection.
Our secure data center uses extensive physical and logical security protections including access control, personnel screening, video surveillance, intrusion detection, and others. The data stored on the CLEARcard is encrypted with 2 separate security keys. The fingerprints and iris images collected are converted to templates prior to being stored on the CLEARcard. These templates can be used for positive matching against the original biometric but cannot be used to reverse engineer the source biometric.
Other than our technical security standards, tools, and procedures, the CLEAR privacy and security policies help ensure the integrity of the information we collect and protect. These policies include screening requirements for key employees and contractors, data management policies, and mandatory training, all focused on ensuring the highest levels of protection for our members’ data.
Is it sufficient? I will say that it’s something that the company needs to address head on. Responses to my previous article about CLEAR demonstrate clearly that people are leery of trading their personal data – particularly biometric data – against the convenience of passing through airport security more rapidly.
What do you think? Is this response from Mark sufficient to alleviate your anxieties in this regard?