Good riddance to the Clear 'frequent flyer' program

Those who subscribed to the Clear (formerly Verified Identity Pass) program, paying $199 to allegedly speed up the TSA checkpoint process, are dismayed that they're out that money now that Verified Identity Pass has abruptly folded. Amazing that they're not as concerned about all that personal data they provided the system, but were they ever?

After a considerable amount of nudging, Verified Identity Pass has confirmed that yes, they're securing the data as required by the TSA's privacy standards for Registered Traveler programs, which a security pal of mine sums up with a snort as, "We decide who gets to buy it." That's a little mean, though as you may remember it took TSA from 2005, when the Registered Traveler pilot program was launched, until July 2008 to notice that Verified Identity Pass was keeping data on thousands of passengers on unencrypted laptops. It's that laser-like focus on detail, you know, that makes TSA what it is today.

As you may have discerned, I'm enjoying the spectacle. It cracks me up that since the TSA didn't actually exempt Clear members from undergoing checkpoint screening, the members were paying hundreds of dollars, submitting themselves to background checks, and providing biometric data to unsecured systems essentially for the right to cut in line. That's a business model? What do those travelers do when they find themselves in lands where the idea of "a line" is a mystery? I have visions of Ugly Americans impatiently waving their little Clear cards on train platforms in northern India and bleating, "But I'm registered! I'm registered!"

I bashed on TSA a little up there, but to its credit, TSA has made real progress on improving the problem of long checkpoint lines without compromising anyone's privacy or security -- and they did so by using the basic self-organizing tendency of individual travelers, not by throwing money at the problem.

I speak of course of the Black Diamond system, which asks each passenger, "Really, how confused are you?" and lets everyone self-sort -- black diamond for the experienced flyer who has her shoes off and her laptop out of its case by the time she reaches the conveyor belt, blue square for more casual travelers, and green circle for the people who wear lace-up thigh-high boots to the airport and don't know why anyone would mind that they have a boa constrictor and three throwing stars in their carry-on bag. Airports that have diamond-lane sorting are by definition better than airports that do not. Even Omaha, and I do not say a thing like that lightly.

Self-sorting makes the lanes go faster and more smoothly; fast, smoothly moving lanes make the frequent flyers happy. (Though I'd like to know why I always end up sitting next to thigh-high-boa-constrictor-throwing-star dude -- I mentioned it's a guy, right? -- on the plane, but TSA probably can't help me there.)

The diamond-lane solution essentially does a pigeonhole sort on the problem of "get lots of people through this bottleneck." That's a nice algorithmic model, as opposed to... would it be too vicious to call Clear a stooge-sort solution?... an insertion sort, evaluating individual flyers and, if she or he meets certain criteria, putting her or him at the front of the line. That approach doesn't work very well if you've got a big batch of objects needing sorting -- especially if some of those "objects" are already confused by and impatient with the whole process.

Best of all, the diamond-lane speed improvements pose no fresh attack surface, no unencrypted laptop that can be stolen or opportunity for a social engineer to claim special treatment and thus sneak something by. No data is offered, let alone retained. In contrast, Clear's inefficient sorting system caused a whole lot of personally identifiable information -- PII on people who have a couple hundred bucks to throw at the "problem," no less -- to leave the control of the individuals contributing it. That information's now at the mercy of a dead company's sense of responsibility about securing and deleting it. Under those circumstances, those lost membership fees for Clear look a whole lot like a tax on security stupidity.

And now for something almost completely different: Need to bring someone -- a parent, a kid, a co-worker -- up to speed on how not to be a menace to herself or others? OnGuardOnline.gov has a set of cute online security quizzes that will do your lecturing for you. I've got beef with "P2P Threeplay," which makes some shaky claims (is it possible the federal government is unfamiliar with Windows' infernal ad hoc computer-to-computer networks?), but overall these are a nice way to get your civilians thinking more clearly.