July 27, 2009

Lessons to Learn from Clear program

Article on the closing of the Clear program and what may have gone wrong with it, including the need for better integration with TSA so that travelers really did get to skip the lines.

by Caroline Cooper • 24 Jul 2009

"Clear lanes are no longer available."

That's the message that confronts former members of the Clear registered traveler program upon their visits to its Web site, following the sudden news last month that the company was ceasing operations.

Clear began at the Orlando International Airport in 2005 and served 250,000 people in 18 U.S. airports at the time it shut down. The outfit claims on its Web site that its parent company, Verified Identity Pass, was "unable to negotiate an agreement with its senior creditor to continue operations."

A business losing funding certainly isn't unheard of in this challenging economy, but many former Clear customers and air travel industry experts are troubled by the manner in which the company handled its demise, as well as the factors that may have led, at least in part, to the closure.

Since Clear and Verified Identity Pass have shut down their Web sites and office — phone calls to a listed number were met by a voicemail and not returned — few people know for certain what went wrong. But there are still some important lessons self-service deployers can take from the Clear situation.

A self-service program must deliver on the promises it makes.

The Clear program was supposed to make life easier for frequent travelers. Members would simply swipe their Clear card at the program's airport kiosk, which would then read their biometric data (fingerprint and iris scans) and submit approval for the attending Clear agent to take them through a special, expedited security line. But the company never was able to properly implement that model.

"The death of Clear has little to do with its kiosks and everything to do with everything else," said airline industry speaker and strategist Steven Frischling.

According to Frischling, the kiosk component of the process worked fine. But Clear's original model was such that registered members would not have to go through many of the usual airport security hassles, such as removing computers from carry-ons and taking off their shoes.

"The technology that they chose did not meet any of the TSA requirements, meaning that Clear travelers that got to the security checkpoint still needed to take their laptop out, still needed to remove their shoes, because you couldn't integrate Clear into a TSA line," he said. "So if you had a Clear traveler who purchased Clear to save time, fine, they're skipping the line, but they're still going through the same hassles as every other traveler."

Frischling says participating airports would have needed a separate, TSA-compliant security line just for Clear passengers, and the organization and airports simply didn't have the manpower to accommodate that requirement.

"They kept saying you could walk up there and leave your shoes on and leave your laptop in and not be hassled because you've already been pre-cleared — well, the TSA never signed up for that," he said. "They did not meet the vast majority of the promises that were made to Clear members."

Proceed with caution in uncharted territory.

Though Clear may have been a pioneer in the registered traveler arena, it seems to have been ill-prepared for some of the challenges of operating in the airport security business.

In July 2008, a laptop belonging to a Clear employee was stolen from what was thought to be a secured room at the San Francisco International Airport. The computer was unencrypted, which contravenes TSA regulations for registered traveler programs, and stored on it were credit card numbers, passport numbers and biometric data belonging to more than 30,000 Clear members.

The company claimed the laptop was protected by dual passwords and that the data wasn't compromised, but the incident still worried many in the industry and prompted a TSA order for Clear to suspend the enrollment of new customers until an independent audit of its systems could be completed.

"They kept saying it wasn't compromised, but nobody knew that," Frischling said. "Dual passwords, from what I understand from a number of security experts, are fairly easy to get past. If you're an experienced hacker looking for credit card and passport information, chances are you know how to do that."

Because registered traveler programs are not mainstream yet, all the issues that go along with storing the biometric data of frequent fliers have not been explored thoroughly. And since the TSA and the U.S. Department of Homeland Security are not affiliated with private registered traveler programs, ensuring the security of that data is up to the companies themselves.

"They say they are going to wipe the hard drives and meet all the TSA requirements and the DHS requirements," he said. "But if you contact the TSA and the DHS, there are no requirements for how this stuff is supposed to be dealt with."

Read rest of article on selfserviceworld

Posted by staff at July 27, 2009 07:42 AM