TSA Loses Laptops With 'Verified' Flyer Details
from the your-middle-name-is-what-now? dept
The concept of a "trusted" or "verified" traveler program at airports has been shown as not particularly secure for years -- but it didn't stop the TSA from aggressively rolling out the program. There's no doubt that, for frequent travelers to locations participating in the "Clear" program, it's wonderful. You pay $100/year and you get to bypass all the security lines, and head to a special faster security screening line, supposedly because your background is already "cleared." As Bruce Schneier writes in the above link, in terms of security, all this really does is give those looking to break security a better target. Get some "terrorists" on the list, and you've just made life a lot easier.Either that, or pretend to be someone on the list.
And what better way to do that then to get your hands on the details of everyone on the list. Well, it appears that the TSA has forgotten its middle name, and failed to protect its own laptop carrying the (unencrypted, of course) details of 33,000 people on the clear list (Update: to clarify, the laptop was actually lost by a TSA vendor, but considering these were applications made to the TSA, it's not clear that the difference here really matters). While it certainly may have just been lost or stolen by someone who wanted a free laptop, whoever has that laptop now has the names, addresses and driver's license or passport numbers of 33,000 applicants. It's unclear if it indicates which of those applicants were approved, but I would still imagine that info would be useful to someone looking to bypass airport security.
The company that runs the program, Verified Identity Pass, issued statement that isn't particularly comforting:
"We don't believe the security or privacy of these would-be members will be compromised in any way."First of all, that's not true. If you've exposed people's names, addresses and driver's license or passport numbers, their security has certainly already been compromised. But, more importantly, rather than those individuals' security and privacy, I would be worried about overall airport security, which has now been compromised. Update: So, this is weird. The laptop has been found. Where was it? Right where it was last seen. Not clear if it was actually lost or someone just got confused or what -- but still not particularly comforting.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: clear, laptops, lost data, security, tsa, verified identity
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
TSA didn't lose it....
Point is that if you wish to blast someone for not taking security seriously, in this case it's hard to see why TSA is getting blamed.
[ link to this | view in thread ]
Re: TSA didn't lose it....
Would you give the TSA as an organization a pass because one "employee" let a terrorist through the check point with a bomb..."hey man it's not the TSA's fault it was that one guy that let him in"...
[ link to this | view in thread ]
Background Doesn't Matter On My Flight
All that really matters is today, right now, are they carrying a bomb or a weapon?
All passengers need the same pre-flight screening. I don't care if Osama Bin Laden himself is sitting next to me on a plane, as long as he doesn't have a bomb or a box cutter in his briefcase.
[ link to this | view in thread ]
Re: Background Doesn't Matter On My Flight
OBL would be a real PITA to sit next to: constantly calling you an infidel dog, bitching about the violations of the Koran all around him, and I'll bet you $100 he snores...
[ link to this | view in thread ]
identity theft yes, security risk for flights....not so much
But to assume their identity to get on a plane will be a little more difficult as you will need to pass a retina scan (part of the Clear enrollment) before you get passed the gate.
[ link to this | view in thread ]
Re: Background Doesn't Matter On My Flight
It's nothing more than a social control device.
Here, let me say it so you'll understand:
"baa, baa baa, baa."
[ link to this | view in thread ]
Laptop Encryption Question
Do our gov't agencies or organizations as large as the TSA with private info not use security like this? And if they do, should we really be all that worried about the info on these computers?
[ link to this | view in thread ]
Re: Re: TSA didn't lose it....
Unless SOMEHOW that detail wasn't in the contract, then the contractor is fully responsible (both legally and morally) and the TSA is not.
Won't stop the bad press and TSA bashers (of which I'm one) however.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Background Doesn't Matter On My Flight
[ link to this | view in thread ]
Re: Laptop Encryption Question
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: Re: Background Doesn't Matter On My Flight
[ link to this | view in thread ]
Another one, or same one?
http://www.bizjournals.com/eastbay/stories/2008/08/04/daily32.html
[ link to this | view in thread ]
TSA is a JOKE!!
[ link to this | view in thread ]
the real question
Why is this data on a laptop to begin with?
I keep hearing of all these stories, and I find no reason why all these laptops have plain text files of all this data on them. It shouldn't be sitting around in plain text, and it shouldn't be on laptops.
This is what VPN is for people.
Is it time for a law against storing CC#, DLN, Passport, or SSN information on any portable device?
[ link to this | view in thread ]
Another chapter in the continuing saga of
Companies, government, your doctor ... they do not have a reason to care.
One of these days someone will take them to court.
[ link to this | view in thread ]
Re: Re: Re: Background Doesn't Matter On My Flight
[ link to this | view in thread ]
On the bright side, at least the TSA has a ready supply of potential replacement laptops to pick from.
[ link to this | view in thread ]
A farce from begining to end
1) Before Osama turned 'bad', before he was friends with the CIA, before all that, he was the son of a very well respected family (shake hands with the Bushes and all that good stuff) - who says that just because you aren't a threat today you won't be tomorrow?. Therefore the whole concept of a 'Clear' list is ridiculous
2) As noted by other posters the quality of staff enforcing the 'rules' isn't exactly sky high. I don't know what it's like in the US at the moment, but whenever I fly from the UK I take one look at the spotty reject nosing through my hand luggage and think "If you're the last line of defense between me, and a criminal mind so ingenious they can make a bomb out of 101ml of water then I am so DEAD!"
3) If you contract out work to the lowest bidder (or let's be honest your best mate), no matter how much legalese you get them to sign and whether or not you are legally liable its still YOUR FAULT when something goes wrong. You trusted someone who was not worthy of trust. The same people who are saying otherwise in this thread are probably the exact same people who would jump all over me if I were to double click on every attachment which came from someone I tusted
4) The laptop was 'found' - yeah right, translation: "We are getting shit loads more flak from this than we expected and since we still have copies of the data you can't prove anything". Whether it was found or not the best that can be said is that this sensitive information is revealed to be stored on an unencrypted portable device, which they do not keep good tabs on and have no idea where it is some of the time. Serious security that!
5) As for the statement "Yes, it was sensitive privacy information, but not the stuff that was most sensitive", translation: "We store that on a CD...". Once you have got to the point where you have stolen 33,000 ($3.3million TSA dollars worth incidentally) records containing enough information to potentially clone supposedly 'safe' IDs, does it really matter if you didn't managed to get their sexual preferences?
[ link to this | view in thread ]
get it straight
no it was NOT the TSA that lost the laptop: it was a PRIVATE firm whose office was broken into. Granted, the laptop was not encrypted (a cost saving measure -- private firms do that a lot nowadays). The office was at SFO, so the airport didn't provide strong doors(?).
the program is supported by user fees, so tax dollars are not as much an issue.
Try to keep it straight -- or at least share the stuff you're smoking
[ link to this | view in thread ]
Re: get it straight
[ link to this | view in thread ]
[ link to this | view in thread ]
Giving so much power to the uneducated...
[ link to this | view in thread ]
Laptops multiplied by airports...
[ link to this | view in thread ]
Q: if they cannot guard a laptop, how can they protect an airport?
the deal was, citizens would trade comfort for safety... and now we have neither...
if TSA keeps this or any other vendor capable of such a knucklehead play, there should be terminations of senior managers...
the C-levels at the vendor should be asked to step down -- today
[ link to this | view in thread ]