What is Clear?
If you have traveled in the past year, you probably have noticed Clear kiosks that are located in the airport security line before identity verification and security screening. Clear is an identity verification company that provides expedited security checking programs for customers in exchange for a hefty annual subscription fee. Normally, people would have to wait in lines at security checkpoints to have airport staff manually verify their identities. Clear speeds up this process as it allows subscribers get through security more quickly by verifying their identities without a TSA agent, and instead using their biometric data such as face, iris, and fingerprint at Clear’s kiosks.
Clear is currently operating in 35 airports in the U.S. and has acquired more than 5 million customers.[1] In addition to airports, the company partners with sports stadiums to provide priority access to its members. Clear has also expanded to the field of biometric payments, allowing users to verify they are over 21 and pay for alcoholic beverages at concession stands with just their fingerprints.[2]
Clear’s ambition does not stop at making things move faster at airports and stadiums; it wants biometric verification to become a way of life and be used anywhere that a card is involved.[3] During an on-stage interview in 2019, Clear’s CEO positioned the company as a “platform” rather than merely an airport streamline service.[4] With the pandemic halting travel and Clear’s previously steady revenue growth, the company expedited its search of other opportunities.
A few months after Covid-19 started, Clear introduced a new initiative called Health Pass, which is similar to immunity passports; it connects biometric data to information that determines risk for Covid-19.[5] People confirm their identities using facial recognition, take quizzes about their health conditions and upload test results, and receive QR codes in order to gain access to certain premises such as office buildings and grocery stores.[6] This way, Clear is essentially given the power to decide the criteria sufficient to verify that a person is not Covid contagious. Scholars are concerned that the implementation of similar technology will place the power of shaping public health policies in hands of private actors.[7] Small decisions such as the type of test result to produce in order to gain access (whether it is a negative result by a rapid test, which is more likely to produce false negatives, or by a PCR test, which is more accurate but could remain positive long after a person is no longer contagious) could have an enormous impact on people’s daily lives and the spread of the virus.
Data Privacy Concerns
Clear’s biometric verification technology certainly provided convenience to its members: 10 to 20 minutes saved per each travel can quickly add up for a frequent traveler, and business entities won’t have to check temperature or vaccination status of every person that goes into the vicinities. However, members of Clear are effectively signing away their privacy for convenience. Clear has collected enormous personal data on its customers, encompassing intimate parts of people’s lives. Besides subscribers’ biometric information, Clear knows users’ mobility and location, personal preferences for travel and shopping, financial capabilities, and health conditions. Since the company sees opportunities at any place where one’s identity has to be proven or a card needs to be presented, the amount and types of data it holds will only increase in the future – this will make Clear an attractive data hub for hackers as well as third-party advertisers.
Clear’s predecessor, Verified Identity Pass (VIP), had a serious data breach less than a year before it filed for bankruptcy. An unencrypted company laptop that contained information about its 33,000 applicants disappeared for a week before it was found. TSA treated this incident as theft and suspended new enrollment to VIP’s program for two weeks.[8] VIP did not operate the same way as Clear does now: it did not collect any biometric information from users; only a special card was issued to provide members priority access. If a hack happens to Clear now, the consequence will be a lot more serious because, unlike passwords or credit card information, a person is not able to change her biometric traits.[9] Once such data is compromised, it will remain compromised forever.
Clear’s terms of service state that the company never sells or rents personal information to other entities without the user’s consent.[10] Nevertheless, the company commodifies customers’ data by using a business model that is similar to Facebook’s — partnerships with third-party companies to allow them to reach audiences via targeted ads and promotional emails. With the new Health Pass being rolled out and the inherent sensitivity of health data, regulatory agencies also need to make sure any use of those data for marketing purposes is compliant with HIPAA.
Officials have voiced concern about how health data will be safeguarded by Clear and its biometric verification program as a whole. Senator Jeff Merkley and Senator Cory Booker identified in a letter to Clear CEO that facial recognition technology can be used widely and passively in ways that elude consumers’ awareness, permission, or the ability to opt-out. Over or misuse of such technology can risk a state of undetectable and constant government surveillance.[11] In the letter, the senators invited Clear to answer a series of questions, including steps Clear is taking to ensure the privacy and security of its customers, whether or not Clear makes inferences based on collected data, the duration of retention and the availability of deletion of data, as well as the reasons why biometric identification is necessary to determine if an individual has or displays symptoms consistent with Covid-19.[12] It is reassuring to see that some government officials recognize the potential consequences on people’s privacy if Clear’s technologies are widely adopted, but it still remains unclear how this company will be monitored going forward as it continuously expands to new fields.
Conclusion
Biometric identification technologies are developing at an unprecedented speed, and they will continue to pose a clear and increased danger to people’s data privacy. A company that has such a complete picture of a person has to find a promising way to guarantee the safety of its customer’s data. With customers being unaware of the entailed risks of giving away their biometric information or choosing to ignore them for the sake of convenience, some regulatory actions might be necessary to ensure data privacy protections for customers using service providers like Clear.
[1] https://clear-website.cdn.prismic.io/clear-website/cbf7e0a1-1736-4e9c-b77f-009c48f7770a_CLEAR+Company+Overview+12.15.pdf
[2] https://onezero.medium.com/clear-conquered-u-s-airports-now-it-wants-to-own-your-entire-digital-identity-15d61076e44d (“In a 2018 partnership with concession stands at the Seattle Mariners’ T-Mobile stadium, Clear users could verify they’re over 21 and pay for a beer with their fingerprint, as long as the card and fingerprint had been previously registered with Clear.”)
[3] https://www.cnbc.com/2019/05/15/san-francisco-facial-recognition-ban-may-give-you-wrong-impression.html
[4] https://www.youtube.com/watch?v=G3lLfe8-DbE&ab_channel=U.S.ChamberofCommerceFoundation
[5] Rosenbaum, supra note 3.
[6] https://onezero.medium.com/facial-recognition-company-clear-is-going-from-airports-to-your-office-99e9a33fde2e
[7] Id.
[8] https://www.mercurynews.com/2008/08/12/sheriff-clear-program-laptop-at-sfo-was-stolen-then-returned-2/
[9] https://www.forbes.com/sites/zakdoffman/2019/08/14/new-data-breach-has-exposed-millions-of-fingerprint-and-facial-recognition-records-report/?sh=dd733e846c60
[10] https://www.clearme.com/privacy_policy
[11] https://www.merkley.senate.gov/news/press-releases/merkley-booker-press-biometric-identification-company-to-ensure-americans-privacy-is-protected-amid-coronavirus-2020
[12] Id.