Schneier on Security
A blog covering security and security technology.
« Exploding Baby Carriages in Subways |
| $5M Bank Con »
October 11, 2005
Theme Parks and Privacy
EPIC has information here, mostly on Walt Disney World.
EDITED TO ADD: Disneyworld scans hand geometry, not fingerprints.
Posted on October 11, 2005 at 12:14 PM
• 44 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
If they want fingerprints for daily or few-days passes, then that helps explain why they overcharge on their admission fees. But the article was unclear on this--are they going to require fingerprints no matter what kind of ticket you buy?
I am glad I saw this so if my family and I end up going to see one of the big Rat's playground, we can make alternative plans in case they refuse entry because we would give them our fingerprints. I am sure another place will be happy to take our money and not any biometrics.
It would be nice to see a lot of protests on what the Mouse is doing.
And for that DesitNY place--buyer beware.
Note that they don't scan fingerprints. The devices are hand geometry scanners, or two-finger geometry scanners in this case. The scanning is of the top of the hand or fingers. Not quite as bad as storing fingerprints, though still somewhat intrusive.
"Fingerprint" sounds like the wrong biometric. The "peace sign" described in the article, inserting the two fingers into the scanner, sounds like a two-finger geometry scanner, rather than a fingerprint scanner. These measure the geometry of the two fingers in 3-D, not the ridges of the fingerprint. There are similar looking systems that measure capacitance of the fingers. Did EPIC actually check whether the devices actually record fingerprints, versus another biometric? The image on the page looks like a Recognition Systems 4-finger geometry scanner (also not a fingerprint scanner), which doesn't match what they describe for Disney. An example of a two-finger geometry reader is an Accu-time 2102.
It doesn't matter if it's a fingerprint, finger geometry, or dna sample scanner (stick your fingers in here, it won't hurt much...)
If people are having this information kept about them they should be informed, they should be given the option to use an alternate form (they have the option at Disney according to the article, they're just not informed) and they shouldn't have the information kept beyond the necessary time. Preferably, the pass whould carry a secure version of the information that is checked at various points but not recorded... i.e. Pass #57263 was used, authentication successful. It doesn't need to know that it got Finger/fingerprint/whaterver hash 294762839 and that matched the biometrics presented.
I need to get a fake rubber hand and use that to authenticate.
Seriously, if this scanner measures finger lengths, how does it adjust for fingernails? If I go in with fingernails that extend over the ends of my fingers, and one breaks while in the part... what happens?
If we all vote with our feet and stop visiting, I think they will get the message loud and clear.
Money talks the loudest with these guys.
Zwack, the machine doesn't image past the tips. Nails that grow or egt colored don't cause a false reading. Gaining weight can though.
I support those scanners at work.
Here's a local (Florida) news item with a better picture and some more info. The description matches hand geometry as several have noted already. I suspect they are trying to avoid fraud in park hopping (A uses pass at 1 park in morning. B uses same pass somewhere else in the afternoon.)
What's the process for false negatives?
the reading is compared against the original scan, and a number is generated showing how close the original is to the just-snapped pic. Lower = closer. There's an adjustable threshold, if the number is higher than it, the scan is considered to be false.
Jon... I hate to be picky, but how do they know where the tips are. Is it a mechanical test, or an optical one...
If it is optical then how can they guarantee that the nails are not included? Nail polish could interfere with the opacity of the nail. One of my finger nails (ripped off when I was a kid) is about three or four times the thickness of my normal nails, which could also interfere.
If it is mechanical then the same question applies...
One of my fingers is scarred (badly) and so it wouldn't make contact in the middle, and the pad is significantly smaller than normal (I'm guessing about 1/2 size). I wonder how these scanners work with such "abnormal" fingers...
No matter what is recorded if it is anywhere other than the card I still don't like it.
they could put your picture on your ticket ^_^
or ask you for your photo id each time you enter the park...
wouldn't that be fun?
here's some more detail about how the scan works... it's not a unique identifier
I like the idea of a proportionality test, which EPIC uses to say Disney's method is too invasive, but I wonder how it compares/contrasts to the reasonability test now being used to regulate protection of consumer identity information?
My hunch is consumers will go along with this one. While a few us will boycott, more of us will cave soon as our kids nag... Businesses may not be trustworthy, but most Americans trust them anyhow.
They will take photo ID instead, and resort to that if you 1st use the finger ID and have later attempts fail. Gloves and rings will mess the scan up.
If enough people refuse to use the scan, or use it and then cause failures (thin gloves for original scan), the photo ID lines could get too long. Imagine going as a group of 50 or 60 people, all of whom refused the scan. Might cause Disney to rethink.
Could be problems if people hold some sticky food in that hand before scanning. The next person isn't going to be too happy, and may avoid the scanners in the future. Disney may need to add hand washing stations before the scanners.
What's wrong with photo ID? I have to show it if I write a check at the market. Finger scans, on the other hand...
Disney could really play this situation up to their advantage.
Imagine a new ad campaign "If you love what we're doing to you with the MPAA, just give us the finger".
"I wonder how these scanners work with such "abnormal" fingers..."
You mean like Mickey's? I used to think it strange that a mouse would wear white gloves, but it's starting to make a lot more sense.
I mean, in case you didn't catch the latest quiet and sneaky attempt by Disney and the MPAA to pass a law against sharing information (due Oct 26th) here's an update from the EFF:
Geometry readers don't infringe on very much privacy. And their data is not as good as a fingerprint in a court of law sense.
Even twins have different prints, and that's important.
A contractor installing a geometry reader at my facility asked me if we had any twins at the company. He asked because they installed some at company X and there were identical twins working there. it took them months to get the thing to distinguish between the twins.
Don't worry about geometry readers. Well, yet ;)
Thanks for the post and the EPIC link.
Twice this summer, I've been dragged to Disney in the company of my kids or my niece and nephews (all under 10.)
Both times were after the implementation of the fingerscan requirement for all ticketholders. On both occasions, I declined to provide my fingers for their geometry scan.
The multiple lines for the fingerscan crowd were relatively small, and moved quickly.
The single line for those of us who wanted to show our picture IDs was a bit longer. One occasion I had to wait 20 mins, the second time 15 mins. At times, this line can be much longer because all customer service requests go through this line.
If you're going to avoid the fingerscan, plan to budget for this time. Your kids will almost certainly be annoyed if they have to wait a long while with you. So if they're under 10, plan to have a trusted friend or relative take your younger kids thru for you.
From the numbers that I saw while in line, the fingerscan is much more popular than showing picture ID. You won't get far in arguing with Disney that the fingerscan is annoying to customers and they should get rid of it. (Which is what mark commented on above.)
Better to go with the EPIC argument. And hope to convince them from a privacy point of view.
On a related point to Tim's above, the individual ticket price for the Disney parks is now very high (> $120). I don't think this is directly related to the cost fingerscan technology. These prices have been rising year-on-year for most of the past decade.
These high prices do, in my opinion, creates a perverse feedback loop.
Disney claims that customers are genuinely glad to be able to spend time in the park, rather than waiting in line for tickets, so that justifies putting in place intrusive technology like fingerscans. Customers who've spend several hundred dollars to get their families into the park definitely agree that the time saved is a big advantage and will not go back to the non-fingerscan lines. (Never mind that the lines inside the park for the rides are as long as ever.)
So my recommendation? A pox on the house of Disney. Don't go to any of their parks. (They now have six or seven worldwide.)
so on the one hand (heh) you say fingerprints are reliable and on the other geometry is not. fingerprint "science" becomes less reliable by the day not more, and the technology just adds another bunch of failure points. the problem is not the theory, it is the practice.
Okay, so if YOU were the security manager for Disney how would YOU do it?
They are an obvious target.
What no suggestions of your own for preventing the Disney park visitor impersonator problem plaguing America? Are you sure there is actually a problem to solve?
Alas, if we're talking Disney here, then me'thinks rectal-scan would be most appropriate since it has far more geometry than scanning that fairy peace sign stuff. Why not check for cancer while they're filching $120 per person, adding a regular health-care component to the list of family attractions? As long as they become HIPPA-aware, Disney might just have a shot at replacing the common doctor.
This is nothing to worry about. This scanner will store a proprietary metric from the subject's hand. It is storing your fingerprint. There is no way to correlate this metric to anything else without using an identical scanner that is similarily calibrated. If this prevents you from showing ID when entering the park I would say that your privacy just increased.
The newly added article (http://www.biometricsinfo.org/handgeometry.htm) is self-contradictory on the point of the uniqueness of hand geometry. The second sentence says, "Because human hands are not unique...." Later on, the first sentence of the "How it works" section says, "Every hand is unique."
Ok, I have read through the articles and comments and I am not clear what security problem Disney is solving by capturing biometrics or personal data (picture ID?) of people that visit their park.
We routinely go to our local Six Flags theme park and you buy a ticket, you go through a metal detector, they do a quick search of your bags, and you are in the park. I have never been asked to present a picture ID or to provide any other form of personal/private information. What would they do with it anyway?
I don't understand why Disney feels they need to capture biometrics. Are they correlating your personal data/biometrics against some national (FBI, TSA, etc.) watch list?
Why else would they need your personal info and/or biometrics? If you don't have a ticket, you don't get in the park. Seems simple to me!
I have never been to Disney, but my family is pressuring for a trip next year. Reading this, I am now uneasy about why Disney needs this personal/private data and what they are doing with the data they capture.
Well, the EPIC article is wrong in the technology used on Disney.
They are using Hand Geometry readers, no fingerprint readers.
Hand Geometry can't be used to identify you in a court case, for example, because is a technology to be used on small universe of users, and only in a 1 to 1 identification matching, thats the reason for the use of a codebar.
The handkey code consists of a vector o 9 bytes, with hand geometry features.
The False Matching Rate on this devices is high, for that reason is not used to identification process (search 1 to N).
In fact, the twins effect is true, even there is people with "simmetric" hands, so they can put the right hand, or the left hand on reversed position and will pass.
Handkey in this scenarios are like a token, or a id card. Don't see the problem on privacy here. BTW in USA the fingerprints are collected only to delincuents.
Consider other countries, where all people has his fingerprints stored on a central database, and we leave with no problem with this.
Relax, your handkey can not be used for many things.
Privacy is just a cultural convention, and for u.s. citizens appears to be important because I think they are turning more paranoids than the rest of the world.
I use it every day to mark my time attendance on my job.
The Handkey reader has the property of adjust the identity vector in the long time, because of changes on morphology of the hand, like becoming more fat, or wearing rings, even nails growth. But, for this to work, you have to update the handkey vector after every read.
This means that is you are storing this data in a card you must rewrite it after every hand scan.
I think that is not the case on Disney's parks, so the measure turn pointless, specially for children that have the bad habit get their hand bigger in every season :)
Hold on a sec. I personally worked on the software side of the Busch Gardens and Sea World biometric scanners, it's a hand geometry scanner, not a fingerprint scanner. We are implementing a 2 finger scanner soon and looking at a 1 finger scanner for the future.
your statement that in the usa, fingerprints are only collected for delinquents is incorrect. my old state california requires one as a condition of receiving a driver's license. my old state bar, also california, required a full set to backgroundcheck me before i was admitted. some places now require notaries public to collect one from people signing grant deeds and other documents prone to forgery. i'm afraid that the sanitized, disneyesque atmosphere has escaped the theme parks and is now encroaching on our streets and public squares.
When I visited Disney World in August, they scanned both my index finger and my middle finger *prints*. I was told the prints are only kept as long as my tickets are valid (can I get that in writing?). I was also told if I didn't want to give up my prints I could show a photo ID to gain entrance.
"the prints are only kept as long as my tickets are valid"
With that logic one would think they could just issue strong tokens instead of tickets and recycle the tokens when they expire, or let people keep them as souveniers.
"My hunch is consumers will go along with this one."
Agreed. Grocery stores don't seem to have suffered from the consumer loyalty card boycott.
I used to have to use one of these to clock in/out of work. So naturally I deceided to experiment a bit. The scanners seem to take into account hand geometry by measuring different pressure on the scanner area (there were a few little spikes between your fingers for this). With the scanner I used it was not possible to scan in under a different person's name - even if our hands were similar in size. Also wearing of rings did not seem to make much of a difference. I am not sure as to how exactly this scanner work but it looks exactly like the one shown in the picture in the second article.
My main concern with this system is how it copes with growing children. Presuming a child's hand will grow/change shape within a year even, would the scanner recognise it then??
Oh my god!! The government / CIA / FBI / secret Aliens / New World Order have the geometry of my fingers!!!
Clearly my life is no longer my own & I am merely the pawn of a sinister world plot!!!!
Dear me... Get a life folks...
@ Also Anonymous
You might have a good point save for the fact that you provide no facts other than one: you are afraid to reveal your true name on a blog.
So I hardly think you are in a position to say people shouldn't let Disney "mickey-mouse" with their biometric data.
Ooops, fat-fingered that one. It should have read "I hardly think you are in a position to say people *should* let Disney"...
One operational note on the system; the hand-geometry scans are keyed to a particular ticket, so groups need to keep the tickets straight. I saw one family having problems with this when dad held the tickets for all the kids, and hadn't marked which card went with which fingers...
(To Disney's credit, the helper for that line was very patient, helped him get it straightened out, and explained why he had a problem.)
The system is obvuously intended for fraud control, preventing use by multiple people, and to reduce customer complaints, as many of these "tickets" can double as both resort room keys and credit cards (up to $1000 per day in the parks, charging back to the room). I wonder how many of these "multi-passes" were getting lifted...
I think this might be an overreaction - my understanding is that the scan is linked to the ticket - but there is no way of linking the ticket to you. What it's trying to do is stop people buying the 10 day passes and sharing/selling them on - hence the need to link a ticket to a scan. I'd have thought showing photoID was more worrying - then they really do have a way of linking your ticket use to you personally. Unless Disney have access to the police/FBI fingerprint databases (and that would be a whole different question) then the scan doesn't identify you as anything other than the person who was scanned with the ticket the first time it was used.
Perhaps there is a silver lining somewhere in the belly of the beast, and your post almost tempted me to go buy a ticket just to find out how much data they collect. But you have to admit that there must be some kind of payment info taken when the ticket is purchased, and perhaps even personal information to send you event updates/notices, etc.
You might think that biometrics and identitities should never be mingled, but that goes against the very nature of the control. Moreover it goes against the trend of coporations over the past ten years who have operated under the assumption that amassing payment/identity information about consumers is the first step to help increase revenues.
A disclaimer from Disney would be great, and an independent verification that they are not warehousing biometric data would be even better.
Then again, Disney is a huge proponent of tracing and tracking consumer use of their products in order to crack down on any "unauthorized" sharing of any kind. Their need to not only authorize someone with a ticket but also authenticate them necessarily raises the question of how identity information will be handled.
You make a good point about photo IDs, but the current theory is that while it is easy to alter your overall appearance, and very hard for scanners (usually the untrained eye) to do an accurate match, it is nearly impossible to alter the geometry of your prints and very easy to match (by expensive technology or the trained eye). I believe we will soon (if we haven't already) lose faith in the accuracy of fingerprints and be forced to again treat them as just one of several controls rather than some sort of infalliable identifier.
I have moved my job has security at a high school and moving to a new job has security a new theme park to be built and looking for ideas on writing new policies, where can I go? Be nice. LOL
let them do there job
i wish you all would stop being bitches
Just returned from the not so magical kingdom. Bought 4 three day tickets 2 kids two adults. Took a cleansing for almost 900 samolians. My mother-in-law took a day off from the festivities...she is 69 and was a little pooped from traveling. So I used the ticket for the first day. The ticket bounced on the next two days when she used it, but they let her in anyway. God forbid if the customer acts like a reasonable economic engine seeking to maximize the value of his expenditure on entertainment. Disney wants to make sure you lose at this game too. Denying the bulk purchaser the value of the volume discount is just downright greedy. And if it takes a bite out of your privacy and personal space, tough luck buddy, get in line for your Horrible French toast and a snapshot with ol' Mickey.
The policy has absolutely nothing to do with security and everything to do with $$$$. Prevent ticket sharing and destroy the value of any multi-day discount. They already charge for extended validity rather than 14 day validity. Multi-user fee is just around the corner.
There is no length that is too far for this company in order to vacuum your wallet.
Kind of hard to enjoy the place when at every instance of park experience you are treated first like a criminal and then like a wallet with legs. Meanwhile, you can spend 50 minutes in line for the insipid Winnie the Pooh ride. Ski areas responded to long waits with more lifts and new trails. The experience is thereby preserved for the most part. Disney's response is to invest in queue line innovations (add a couple of more S curves into to the ropeway line controls).
The suckers role in day after blessed day and stick their fingers into the geometry machine.The ticket has your name on it and was purchased with a Credit Card.
The next story will be the breach of Disney security and the misappropriation customer identities and personal/credit information.
I see a business opportunity in fake slipon fingers. There is no sign saying that the fingers you submit must be nude!
I don't plan to return anytime soon. I recommend the lovely Storyland Theme Park in New Hampshire. The don't take fingerprints and actually treat their patrons like guests. What a concept!!!!!!
what are the chances of someone actually getting away with using someone else's ticket
In our country the technology is more advanced i think they should implement the new strategy now not that fingerprint one we are not old folks!!!!!!!!
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.