Carriers in the US have had numerous incidents of data breaches and fraud. T-Mobile is no exception, having had multiple breaches and SIM swap fraud problems for years now.
Security is important for both individual customers and companies security customer data. It can become difficult, however, when security measures begin to cross the line into potential privacy violations. That seems to be an issue T-Mobile employees are now dealing with.
According to internal documents, along with a few employees, T-Mobile has now begun requiring all employees to register their identity with CLEAR, a third-party company that calls themselves “an identity company”.
What is CLEAR?
You may have heard of CLEAR before. They’re one of the companies working with the TSA for their PreCheck program. T-Mobile appears to now be working with CLEAR to verify employees are who they say they are.
The company requires employees to submit a valid ID along with a face scan to verify their identity. The biometrics are handled externally, by CLEAR, and not T-Mobile, which has some employees a bit concerned.
Below is a document shared with us here at The Mobile Report detailing the CLEAR requirements, as well as a deadline of March 1st to complete the requirements, though we believe the deadline has moved to April 1st.
Some employees are not happy
Over on Reddit, a few employees are voicing their displeasure in the new CLEAR requirements.
One employee late last month simply asked “do we just get fired?” if they don’t complete their CLEAR verification. As of yet, that question is still unanswered.
Apparently, employees that did not complete the CLEAR requirements were essentially locked out of their tools necessary to do their job. We’re not sure if any employees have been let go due to non-compliance (we have yet to see any claims of this so far), but if the company is requiring it, it’s likely the firings may come soon.
Another alleged employee says that’s exactly what is being threatened, saying “I like my job but don’t agree with biometrics” and that their coworkers and superiors are saying they “won’t have a job soon”.
A third employee says that they have no choice in the matter, and that during sign up it’s clear that they are forced to waive their rights in the event their data is compromised. Yikes.
Some commenters even suggest that T-Mobile could be benefiting from the use of CLEAR, such as some sort of quid pro quo or financial agreement between the two companies. Of course, there’s no evidence of that, but it’s definitely in the minds of the affected employees as a possibility.
There’s reason to be concerned
Employees aren’t just being difficult here, either. There are some concerning issues with CLEAR.
First, the company’s privacy policy implies they collect far more than what is necessary to verify an identity. The list of collected details is long.
Along with the expected personal details like name and address, the company apparently also collects details such as your financial information, your biometrics (like the aforementioned face scans), health records, GPS location data, and more.
In addition, the service apparently requires a personal email address from the employee, and terms indicate the company will retain the employee’s data even after the employee leaves T-Mobile.
It therefore makes sense that employees are hesitant to hand over their personal identities to this third-party company.
There is something employees can do
There may not be any way to opt-out of the new CLEAR requirements yet, but one source says the company has delayed any actual enforcement until April 1st, and that the company is looking into alternatives for verification. If so, that would be a good move by T-Mobile.
In addition, for those that do go through with CLEAR verification, you do have a potential option when it comes to the company retaining that data.
Over on the CLEAR website, the company says data will be deleted by request, either via email or an online form.
Theoretically, an employee could complete the requirements at T-Mobile for identity verification, then immediately request that CLEAR delete their data. T-Mobile appears to only need a one-time identity verification via CLEAR, so deleting the data right after shouldn’t matter.
Other security enhancements being enacted
In addition to the questionable CLEAR requirements, T-Mobile is also doing something that makes a lot more sense: requiring security keys as the only login authentication option.
The company provided employees with YubiKeys, a common brand of hardware security key that works as a safer alternative to passwords. Employees can simply plug the device in and the device works as a physical key to gain access to internal systems.
There’s not much pushback to be had on this particular move. In fact, it’s a good thing all around, and will prevent unauthorized access by bad actors. Now, even if someone runs in and steals an employee tablet (which has happened!) and has stolen login credentials, they still won’t be able to gain access.
The new hardware security key requirements went into effect on March 5th.
What comes next?
Security is, of course, important, and the methods to keep things secure is always changing. There are legitimate concerns with the new CLEAR requirements, however, and hopefully T-Mobile is indeed working on an alternative for employees that aren’t too keen about it.
Regardless, aside from the employee issues, the changes are technically an overall positive for the average customer.
We’ve reached out to T-Mobile about the CLEAR requirements and we’ll update if we learn more.
