Not long ago I stood in the once spacious center of the Denver airport (which is now filled with endless rope lines and the pointless gov’t employees who sniff everybody’s shoes for some weird reason) getting my retinas scanned and my fingerprints electronically taken so I could get a Clear card.
I had already filled out the forms online, and this was ‘step 2’ where you get physically ID’d in such a way that the TSA is willing to take one huge dose of humiliation and privacy degradation in return for avoiding the long wait for dozens or hundreds of later ones.
It seemed like a good idea when I filled out the forms.
Standing there with my eyes staring into little red lights like those in 2001: A Space Odyssey, it seemed like a bad trade. I really thought about leaving and just living with the enforced insanity that is standard-grade airport security circa 2008.
The attendant was quick to play back her script, telling me how secure and encrypted and safely stored away my complete data set would be in the computers of GE or Lockheed Martin or whoever it was she claimed was going to hold it. They’re not even released to the TSA, she claimed. (Huh?)
Only a few weeks later we learn that a good hunk of this secure data set can be downloaded and stored without encryption on laptops used by folks who run Clear sign-up kiosks in the malls around San Francisco. And these unsecure laptops can go missing for weeks at a time.
I know: None of that has anything to do with online marketing.
But when a company based on the concepts of security and privacy suffers a failure like this, and it’s in the news media and blogosphere for nearly 24 hours, and the corporate website and homepage still have no mention, let alone any clear communication or public response, choosing instead to live back in ‘nothing ever happened land’, we’ve got ourselves a new case study for how not to handle PR and corporate communications in the 21st Century.
There’s also been no email sent to members yet (at least not this one).
Makes me wonder how long it would take them to tell me if my fingerprints and social security number were for sale on ‘terrorist ebay’?
From the details in the ‘laptop found’ story, the incident was bad but perhaps not catastrophic in technical terms. If the company doesn’t fix their PR/communications stance in the next 12 hours I’m not so sure the same thing will be true, or should be true, for the business itself.
Which will be too bad, because I really don’t like to wait in line at the airport just to do a little Kabuki Theater for the benefit of no one.
UPDATE: On Thursday, 48 hours after the event, Clear CEO Stephen Brill sent an email to members both informing and explaining the situation. In that email (which is apparently not posted on the flyclear.com website, which is silent on this whole issue), he says the following:
Before we could send out that notice, the laptop was recovered. And, we have determined from a preliminary investigation that no one logged into the computer from the time it went missing in the office until the time it was found. Therefore, no unauthorized person has obtained any personal information.
No one logged in. What if they mirror-imaged the hard drive and put the laptop back?
I have no illusion of privacy for most of this data, and agree that it’s most likely this event won’t cause anyone any problems. But to compound a slow reaction with this sloppy assurance isn’t a good ending to the story.