This issue of biometric scanning at the Walt Disney World parks has been frothing, as Greenspan would say, in the news for months now. The current change from scanning two fingers to one has increased interest in the subject again. So I think it’s important to clarify what Disney is actually doing, at least as I’ve been told by those who claim to know.
First, Disney is only scanning the fingerprints, not storing the images of them. As part of this process, they measure the distance between certain unique points in the fingerprint and then, via a mathematical formula, come up with a ‘score’ that represents the fingerprint. If you try to use the card again, your score has to equal the score previously recorded on the card. It’s my understanding that this system is much simpler than would be required to prove identity in a court of law, but that might have changed with the new one-finger method.
You can choose to opt out of this system by showing an ID card at the gates, but Disney does not advertise this as it might slow the queue down. It’s slow enough with either system. Child-ticket holders also don’t have to scan their fingers.
My problem with this is that no one is allowed to verify that Disney is actually doing as they say and not keeping the data for more than 30 days after the ticket expires (and what does that mean if you buy a non-expiring ticket and never use the last day?). And can the ‘score’ be used to link your WDW data to other fingerprinting data that the FBI or NSA might have on you? If it can, then there is a privacy concern, as that data can be subpoenaed by the government or trial lawyers. If it has no use other than verification at Disney’s gates, I don’t see the reason for any hubbub. It’s the not knowing one way or the other that is the concern.
By the way, don’t even get me started about the system Disneyland is introducing for Annual Passholders. Not only will your photo be on your Annual Pass, but it will now show up on a little monitor that the ticket taker can see to verify that you are the person whose photo is on the card. Let’s hope that information is never stolen by hackers.
From what I’ve been told about the fingerprint system, it doesn’t take enough info about the fingerprint to be able to match it to a government database.
As far as the AP photos go, the photos that pop up on the new touch screens are from an existing database that has been used for a couple years. I was a ticket taker lead and when we had someone using an AP that didn’t appear to be theirs and they didn’t have another form of ID, we would take the pass and look it up. This produced a much larger photo to compare it to and give the birth date and other information so we could determine if it was actually the AP holder. You would not believe how many people try to use APs that aren’t theirs. On busy days I would revoke sometimes 4 APs in one hour. Once the first test touch screen turnstile was installed, the ticket takers using it started noticing many more people trying to use APs that weren’t theirs since the pictures are much more clear than the ones on the AP. As far as fear of hacking goes, the existing database has never been hacked to my knowledge. It’s on Disney’s ethernet, not the internet and would take some major work to be accessed from the outside. Not sure if it is even at all possible.
Brendoman, you’re missing the point on why citizens should be concerned. Keep in mind that most privacy violations/leaks are caused by those with internal access. Just look at the recent missing laptop with all the VA’s personal information. A Disney employee could easily have this data on their portable PC and lose it by accident. Are you willing to take that risk given the escalated identity theft cases? Not me.
BTW, ethernet is a standard, not a segmented network behind the firewall; I think you meant intranet.
I objected, but was not given the opportunity to show photo ID. Employees on the spot told me the info is only stored for 24 hours, so they lied to me too.
A friend recently went through and complained. They just turned the fingerprint feature off on that turnstile for a little while.
Even if it doesn’t hold the entire print, it generates what could be considered a “one way hash”. This is used in cryptography. Say I have a password or credit card number etc, I can munge it in a way that I can’t reverse it, but if I get the original information again, I can munge it in the same way and compare the results. So this can still be used to match some other party who turns up with a fingerprint and wants to see which ones match (or provide a short list). So, even if you can say “it’s not that bad” these things create an uncomfortable precedent. And as they impose more onto your rights, it can be justified because they are just extending “standard practice”.
I work in the security and banking industry and the claims of “we only store it for blah time” and “it’s secure” can be taken with a grain of salt for many reasons, including operational reasons, backups, theft and more commonly, incompetence.
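The matching concern raised in the one-way-hash comment above, as an added example that is not part of the original post or its comments and does not describe Disney's actual system: it contrasts an unkeyed digest of a fingerprint 'score', which any outside party holding the same print can recompute, with a digest keyed by a per-site secret. The quantization step, function names, keys and sample measurements are all assumptions constructed for illustration.

```python
import hashlib
import hmac

def quantize(distances_mm, step=0.5):
    """Reduce measured point-to-point distances to coarse integer buckets (assumed scheme)."""
    return tuple(round(d / step) for d in distances_mm)

def plain_score(distances_mm):
    """Unkeyed one-way digest: anyone holding the same print derives the same value."""
    data = ",".join(map(str, quantize(distances_mm))).encode()
    return hashlib.sha256(data).hexdigest()

def keyed_score(distances_mm, site_key):
    """Keyed digest (HMAC): cannot be recomputed without the site's secret key."""
    data = ",".join(map(str, quantize(distances_mm))).encode()
    return hmac.new(site_key, data, hashlib.sha256).hexdigest()

def shortlist(stored, probe_score):
    """Return the ticket ids whose stored score equals the probe's score."""
    return sorted(t for t, s in stored.items() if hmac.compare_digest(s, probe_score))

# Constructed sample data: three tickets and their measured distances in mm.
GUESTS = {
    "ticket-001": [4.1, 7.3, 2.9],
    "ticket-002": [5.6, 3.2, 8.0],
    "ticket-003": [4.6, 7.3, 2.9],
}
SITE_KEY = b"constructed-site-secret"   # hypothetical per-site secret
OUTSIDE_PRINT = [4.2, 7.4, 3.0]         # same finger as ticket-001, measured elsewhere

def demo():
    plain_db = {t: plain_score(d) for t, d in GUESTS.items()}
    keyed_db = {t: keyed_score(d, SITE_KEY) for t, d in GUESTS.items()}
    return {
        # An outside party with the print and the public formula links the record.
        "outsider_vs_plain": shortlist(plain_db, plain_score(OUTSIDE_PRINT)),
        # Without the site key, the same party cannot produce a matching value.
        "outsider_vs_keyed": shortlist(keyed_db, plain_score(OUTSIDE_PRINT)),
        # The gate, which holds the key, still verifies the returning guest.
        "gate_vs_keyed": shortlist(keyed_db, keyed_score(OUTSIDE_PRINT, SITE_KEY)),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The keyed form only prevents linkage while the key stays secret; a database copied, lost or subpoenaed together with its key links exactly as the unkeyed one does.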