Author Topic: Disney fingerprint scan raises privacy concerns
PrincessLeia
I'll Be Home for After Christmas Sales


So we aren't being violated... What about those people who haven't heard ahead of time and feel violated when they get to the park and are asked to get their fingers scanned? Even those who would research the issue aren't going to have time to see what Disney's intentions are.

If we are talking only about multiple visits in a single day and not about sharing or mixing up passes with others, can't Disney continue to do what they used to do? When I went to Disneyland 10 years ago, we had our hands stamped when we left the park so that we could come back in later in the day. I realise that this won't stop someone else from using the pass on a different day. But say if two people wanted to use only one pass between them, one could not use it in the morning, leave the park and let the other use it in the afternoon. The second person wouldn't have his hand stamped, so he would have to use up another day on the pass.

Posts: 185 | From: British Columbia, Canada | Registered: Jul 2005
diddy
Markdown, the Herald Angels Sing

quote:
Originally posted by PrincessLeia:
The second person wouldn't have his hand stamped, so he would have to use up another day on the pass.

Unless somebody knows somebody that knows what the stamp looks like and duplicated it. Disney probably abandoned that idea long ago. It may work for a small club, but not for a multi-park area for a company as large as Disney.

--------------------
W.W.F.S.M.D?
But this image of Bush as some sort of Snidely Whiplash tying the fair maiden to the railroad tracks is beyond the pale. - Joe Bentley

Posts: 2311 | From: Minnnesota | Registered: Mar 2004
B Hamilton
Xboxing Day

I have an opportunity to visit the themeparks several times a week and have never witnessed anyone complaining about being violated by the biometrics. The only complaint I have heard is it takes longer to enter the parks. Disney isn't worried about someone sharing a one day pass. If that were the case, then a handstamp would suffice. It is the illegal selling of used tickets at the many stands around the Orlando area and the selling of used tickets on eBay.

--------------------
"This is my family. I found it all on my own. It's little & broken but still good."

Posts: 1338 | From: Orlando | Registered: Feb 2000
Ganzfeld
Let There Be PCs on Earth

I rarely hear anyone complaining about being violated. That's why it gets to the point where people think it's a-okay to take fingerprints for the purpose of entering an amusement park. People think it's just something on the ticket that isn't stored in a database. People think it's just a meaningless mark. There are other solutions besides biometrics, I'm sure. Most of them are probably cheaper, too.

People don't complain now but they will when the news stories start surfacing of biometrics abuse (not necessarily at the parks). Just wait a few years. Then it will be damage control time for Disney. (That is, if they don't catch on before then.)

I'm not going to go to any park where they want to take my fingerprint to go in, that's for sure. So that will be one more person you won't witness complaining, Hamilton.

Posts: 4922 | From: Kyoto, Japan | Registered: Sep 2005
B Hamilton
Xboxing Day

quote:
Originally posted by Ganzfeld:
I'm not going to go to any park where they want to take my fingerprint to go in, that's for sure.

It is not a fingerprint. They do not take a picture or inkblot of your fingerprint. It simply measures the distance of 5 points and stores that measurement. Let's just assume for a minute that all the records of those measurements are subpoenaed by the FBI. What will they have? They will know that someone with ticket number 587256992723314972 has these 5 points on his fingerprint. They will not have a picture of the fingerprint nor will they have the name of who used that ticket. If you're that worried, purchase your ticket with cash at the local Walmart or better yet have a friend purchase them with cash. Just like a movie ticket, your name is not attached to the ticket in a movie theater database nor is your name attached to Disney's or Universal or Seaworld ticket database of the fingerscan.

I'd be more worried about getting a driver's license. For my last driver's license renewal, they got some pretty "private" information such as my full name, social security number, my home address, a photograph, and yes, even my thumb print. And that is from a government office. I am certainly not worried about a themepark having 5 measurements of points on my finger with no name or address attached to it.

--------------------
"This is my family. I found it all on my own. It's little & broken but still good."

Posts: 1338 | From: Orlando | Registered: Feb 2000
Rehcsif
We Three Blings

If you don't like it -- it's simple. Don't go to Disney.

Privacy freaks can bitch, whine, and moan, but this isn't the government we're talking about. You don't HAVE to go there.

-Tim

Posts: 1039 | From: Minneapolis | Registered: Jan 2005
chillas
Coventry Mall Carol

Because privacy is something only a freak would want.

[Roll Eyes]

--------------------
Come on, come on - spin a little tighter
Come on, come on - and the world's a little brighter


Posts: 5595 | From: Columbus, OH : The Soccer Capital of America | Registered: Sep 2002
Mad Jay
Let There Be PCs on Earth

quote:
Originally posted by B Hamilton:
I have an opportunity to visit the themeparks several times a week and have never witnessed anyone complaining about being violated by the biometrics. The only complaint I have heard is it takes longer to enter the parks.

Maybe the people who do feel violated do not go to the Disney park.

quote:
Disney isn't worried about someone sharing a one day pass. If that were the case, then a handstamp would suffice. It is the illegal selling of used tickets at the many stands around the Orlando area and the selling of used tickets on eBay.

I think I missed something. How does this stop selling of used tickets?

--------------------
Nico Sasha
In between my father's fields;And the citadels of the rule; Lies a no-man's land which I must cross; To find my stolen jewel.

Posts: 4912 | From: VA | Registered: Jul 2003
AnglsWeHvHrdOnHiRdr
Happy Xmas (Warranty Is Over)

quote:
Originally posted by Rehcsif:
If you don't like it -- it's simple. Don't go to Disney.

Privacy freaks can bitch, whine, and moan, but this isn't the government we're talking about. You don't HAVE to go there.

-Tim

I wouldn't call myself a "privacy freak."

I do not, however, give up information to a retailer that they do not need in order to complete a transaction.

--------------------
"When a stupid man is doing something he is ashamed of, he always declares that it is his duty."--George Bernard Shaw

Posts: 19266 | From: Nashville, TN | Registered: Jun 2002
Rehcsif
We Three Blings

quote:
Originally posted by AnglRdr:
I wouldn't call myself a "privacy freak."

I do not, however, give up information to a retailer that they do not need in order to complete a transaction.

I used the term "privacy freak" to describe people who take the slippery slope of the following sort "company XYZ is collecting this information, which of course will be sold to the FBI and the GOV'MNT and USED AGAINST ME!", even when the given evidence suggests that a) nothing of the sort is being collected, and b) the government isn't even involved. The big stink about "Google is READING MY EMAIL" when gmail first came out is a good example. They used automated software to do the equivalent of a virus-scan on your email to generate relevant ad links, and all the privacy people freaked out. ("They must be LOGGING this info!" (despite the fact that Google is greatly protective of personal privacy) "They're READING my email!" (despite the fact the volume of email would be far too great for humans to read))

I agree that you shouldn't give a retailer info that isn't necessary to complete the transaction. Of course, the retailer has every right to determine what is 'necessary', and you have every right to walk away without completing said transaction.

Posts: 1039 | From: Minneapolis | Registered: Jan 2005
Rehcsif
We Three Blings

quote:
Originally posted by Mad Jay:
Maybe the people who do feel violated do not go to the Disney park.

Which of course, is exactly what I suggested above. Money talks -- and if enough people take their money elsewhere, Disney will respond. Much more so than the general "OMG my PRIVACY is being violated" whining, and then people going anyway...

-Tim

Posts: 1039 | From: Minneapolis | Registered: Jan 2005
AnglsWeHvHrdOnHiRdr
Happy Xmas (Warranty Is Over)

Rehcsif, there was, however, a subpoena-ing of Google search record. Not of emails, but of search results. That was just earlier this year.

And the retailer hardly has "every" right to determine what is necessary in order to complete an exchange.

--------------------
"When a stupid man is doing something he is ashamed of, he always declares that it is his duty."--George Bernard Shaw

Posts: 19266 | From: Nashville, TN | Registered: Jun 2002
Rehcsif
We Three Blings

quote:
Originally posted by AnglRdr:
Rehcsif, there was, however, a subpoena-ing of Google search record. Not of emails, but of search results. That was just earlier this year.

And the retailer hardly has "every" right to determine what is necessary in order to complete an exchange.

Yes there was -- and a) Google refused to turn over the info, and won their right to not do so, and b) Google has denied keeping stats on individuals in the first place, so it's not clear what info would have been gathered (assuming this is true) on individuals in the first place.

The retailer has every right to determine what is necessary, at least operating within the law, so long as they're not being discriminatory, etc. If I have a store, and I demand you give me your phone number and email address before I sell you anything, I should be able to have that right, just as you have the right to not shop there. (Now if this were being done as a way to discriminate against certain classes of people, e.g. if it were well established that certain minority groups generally didn't have telephones, this probably wouldn't fly).

-Tim

Posts: 1039 | From: Minneapolis | Registered: Jan 2005
Mad Jay
Let There Be PCs on Earth

I think a more elegant solution would be to encrypt the fingerprint information and store it on the pass itself. That way, if a park visitor doesn't want his/her fingerprint stored, they just shred the pass when they are done with it. I don't think that considering the price of Disney passes, it would be cost-prohibitive to install some card writers into their turnstiles.

Or they could use the age-old solution of making the visitors use their card when they leave the park. That's what my local metro does. It works for them, and DC metro handles a lot of volume every day.

The point is that Disney could have come up with different solutions with their customers' privacy in mind. They could have at least provided options to visitors who want to pay extra for their privacy. At least they are giving the option of using your photo ID.

--------------------
Nico Sasha
In between my father's fields;And the citadels of the rule; Lies a no-man's land which I must cross; To find my stolen jewel.

Posts: 4912 | From: VA | Registered: Jul 2003
Griffin at the Maul
Joyeux New Sale

But they ARE being discriminatory. They are discriminating against people with no fingers!

--------------------
Where are we going, and why are we in this handbasket?

Posts: 782 | From: Arlington, TX | Registered: Jul 2005
AnglsWeHvHrdOnHiRdr
Happy Xmas (Warranty Is Over)

quote:
Originally posted by Rehcsif:
quote:
Originally posted by AnglRdr:
Rehcsif, there was, however, a subpoena-ing of Google search record. Not of emails, but of search results. That was just earlier this year.

And the retailer hardly has "every" right to determine what is necessary in order to complete an exchange.

Yes there was -- and a) Google refused to turn over the info, and won their right to not do so, and b) Google has denied keeping stats on individuals in the first place, so it's not clear what info would have been gathered (assuming this is true) on individuals in the first place.

Not exactly. Your point stands about the usefulness of the information Google kept, but that is rather beside the point.

The point is: why does Disney need to keep records (remember, they are keeping it on file for 30 days) of these at all. And is there some other, less intrusive way Disney can protect their interests that does not keep information on file for 30 days?

quote:
The retailer has every right to determine what is necessary, at least operating within the law, so long as they're not being discriminatory, etc. If I have a store, and I demand you give me your phone number and email address before I sell you anything, I should be able to have that right, just as you have the right to not shop there.

Why, though? Why would a business need to have that information in order to exchange a product for money?

And I would, and do, absolutely refuse to give that information out. It is simply none of the business' business who I am.

--------------------
"When a stupid man is doing something he is ashamed of, he always declares that it is his duty."--George Bernard Shaw

Posts: 19266 | From: Nashville, TN | Registered: Jun 2002
Rehcsif
We Three Blings

quote:
Originally posted by Mad Jay:
I think a more elegant solution would be to encrypt the fingerprint information and store it on the pass itself. That way, if a park visitor doesn't want his/her fingerprint stored, they just shred the pass when they are done with it.

But the privacy "advocates" (to use a more polite word than I did before) would still claim that Disney could be storing the info, even if they claim it was only stored on the pass itself. It seems an awful lot of 'privacy advocates' are also 'conspiracy theorists' as well, at least in the sense that they always assume the worst case as to how your data is going to end up in the wrong hands...

I'm assuming Disney stores it for 30 days so that only one person can use the pass in that 30-day period? Isn't that the point of the whole scheme, to prevent multiple users from sharing a single (including multi-day) pass?

-Tim

Posts: 1039 | From: Minneapolis | Registered: Jan 2005
Mad Jay
Let There Be PCs on Earth

quote:
Originally posted by Rehcsif:
quote:
Originally posted by Mad Jay:
I think a more elegant solution would be to encrypt the fingerprint information and store it on the pass itself. That way, if a park visitor doesn't want his/her fingerprint stored, they just shred the pass when they are done with it.

But the privacy "advocates" (to use a more polite word than I did before) would still claim that Disney could be storing the info, even if they claim it was only stored on the pass itself. It seems an awful lot of 'privacy advocates' are also 'conspiracy theorists' as well, at least in the sense that they always assume the worst case as to how your data is going to end up in the wrong hands...

They could claim all they want. If Disney can prove that they do not store the information, then their claims would be baseless.

But, as it stands, Disney does store the information, and the news report in the OP is about storage of fingerprints, not reading of fingerprints.

quote:
I'm assuming Disney stores it for 30 days so that only one person can use the pass in that 30-day period? Isn't that the point of the whole scheme, to prevent multiple users from sharing a single (including multi-day) pass?

-Tim

My understanding is that multiple users can't share the pass on the same day. They want to stop multiple people from entering the park on the same pass together. Disney doesn't stop someone else from using the pass on a different day.

--------------------
Nico Sasha
In between my father's fields;And the citadels of the rule; Lies a no-man's land which I must cross; To find my stolen jewel.

Posts: 4912 | From: VA | Registered: Jul 2003
Rehcsif
We Three Blings

quote:
Originally posted by Mad Jay:
They could claim all they want. If Disney can prove that they do not store the information, then their claims would be baseless.

It's pretty hard to prove you're not doing something like that, short of an external audit of some sort (and even then, conspiracists would claim they changed it just for the audit). It's like the electronic signature things in checkout lanes -- they can claim that they don't store signatures, but how do you really know?

Remember, there are lots of people out there who think the moon landing was faked, and the WTC disaster was ordered by Bush... Doesn't matter how much someone explains how their "evidence" is wrong...

-Tim

Posts: 1039 | From: Minneapolis | Registered: Jan 2005
Mad Jay
Let There Be PCs on Earth

quote:
Originally posted by Rehcsif:
quote:
Originally posted by Mad Jay:
They could claim all they want. If Disney can prove that they do not store the information, then their claims would be baseless.

It's pretty hard to prove you're not doing something like that, short of an external audit of some sort (and even then, conspiracists would claim they changed it just for the audit). It's like the electronic signature things in checkout lanes -- they can claim that they don't store signatures, but how do you really know?

Remember, there are lots of people out there who think the moon landing was faked, and the WTC disaster was ordered by Bush... Doesn't matter how much someone explains how their "evidence" is wrong...

-Tim

But, you are talking about cuckoo tin-foil hatters here. Who cares what they say? Not all people who are concerned about privacy are tin-foil hatters.

--------------------
Nico Sasha
In between my father's fields;And the citadels of the rule; Lies a no-man's land which I must cross; To find my stolen jewel.

Posts: 4912 | From: VA | Registered: Jul 2003
Singing in the Drizzle
Jingle Bell Hock

quote:
Originally posted by Rehcsif:
I'm assuming Disney stores it for 30 days so that only one person can use the pass in that 30-day period? Isn't that the point of the whole scheme, to prevent multiple users from sharing a single (including multi-day) pass?
-Tim

Disney could just as easily encode the information on the ticket as well. Since I'm one of the few people in the US that has never been to a Disney park, I can not tell you anything about the tickets themselves. When issued, the dates and number of times to be used can be encoded onto the ticket. If it is 30 days from first use then that date is recorded the first time used with the finger print info. The number of times used can be tracked on the ticket just as easily.

The only information that I can think of that Disney would have any interest in tracking is the number of people entering the park each day and where the tickets were sold.

Posts: 597 | From: Bellingham, WA | Registered: Nov 2005
B Hamilton
Xboxing Day

The system does not store a picture or data of the fingerprint. It stores a number. The finger print is scanned and some junctions are pinpointed that the program uses to generate a number. This number only is stored. Each time you put your finger on the pad, the unit scans to see if the number generated matches the one on file. The system does not store a picture or an electronic copy of the fingerprint. To store a simple multiple digit number that corresponds to the ticket only uses very little computer memory. Disney does not need or want to have to store the much larger information that a recording of a full fingerprint would require.

I don't understand why all the hoopla has occurred recently. Seaworld, Universal, and Disneyworld have been using biometrics for over a year.

--------------------
"This is my family. I found it all on my own. It's little & broken but still good."

Posts: 1338 | From: Orlando | Registered: Feb 2000
TrishDaDish
Let There Be PCs on Earth

quote:
Originally posted by AnglRdr:
quote:
The retailer has every right to determine what is necessary, at least operating within the law, so long as they're not being discriminatory, etc. If I have a store, and I demand you give me your phone number and email address before I sell you anything, I should be able to have that right, just as you have the right to not shop there.

Why, though? Why would a business need to have that information in order to exchange a product for money?

And I would, and do, absolutely refuse to give that information out. It is simply none of the business' business who I am.

Radio Shack (at least, the ones in my state) ask for your address when you buy something. I know they use it so they can send you fliers in the mail, but come on - why is it needed so much, when I want to buy freakin' batteries? Which is why I don't get batteries there anymore, even if it is the closest place to get them at the time.

There's a few stores here that want my phone number or zip code when buying something (Marshalls and Yankee Candle, respectively). I can deal with just a zip code, I'm sure they use it to determine what their customer base is. But why my phone number? TMI for wanting to buy my supply of Walker's Shortbread.

--------------------
I would prefer not to.
My blog

Posts: 4789 | From: Rhode Island | Registered: Feb 2004
Sandman
Deck the Malls

I'm not entirely sure why the government would ever want to know if I went to Disneyworld on a specific day. What would be the point? Going to Disney isn't illegal, and a better way to tell if I was there would be to just look at the security camera footage from the front entrance.

What exactly are people afraid that Disney is going to do with this information? They aren't actually collecting fingerprints anyway, but even if they were, what would they do with it?

You can't spam e-mail at me using my fingerprint. You can't send me thick envelopes of coupons in the mail using my fingerprint. You can't call me with a one-time-not-to-be-missed offer with my fingerprint. You can't check my credit with it, you can't really do anything with my fingerprints, even if you do have a name attached to it.

Am I supposed to be worried that someday I will be suspected of a crime and the police will get my fingerprints from Disney to see if I'm guilty? If they want to check my fingerprints against a crime scene, they just get a warrant. Or they can just get them from my military service, my teaching license, or when I was a kid and my mom had them taken for safety.

The worst possible case scenario is that they are covertly gathering the fingerprints of every person in the US, so that when the police need to they can just scan them and find out who they belong to. Um...OK. I'm not too worried about that since I'm not a criminal, don't intend to ever be a criminal, and if I ever did commit a crime I would be smart enough to not leave my damn fingerprints behind.

--------------------
"I will tell you in another life, when we are both cats."

Posts: 308 | From: Cleveland | Registered: Aug 2005
AnglsWeHvHrdOnHiRdr
Happy Xmas (Warranty Is Over)

Trish, Radio Shack stopped asking for addresses a couple of years ago, as I recall. But it was always optional, even though some overzealous associates would insist it was mandatory.

And Sandman, you're certainly welcome to leave your fingerprints if you like. I don't know if I said it before, but, even if I did, it bears repeating: the "you only have to worry if you're doing something wrong" excuse reminds me of the poor job we do teaching about freedom in this country.

Why would you trust Disney to protect your personal information as well as you would?

--------------------
"When a stupid man is doing something he is ashamed of, he always declares that it is his duty."--George Bernard Shaw

Posts: 19266 | From: Nashville, TN | Registered: Jun 2002
Rehcsif
We Three Blings

quote:
Originally posted by AnglRdr:
Why would you trust Disney to protect your personal information as well as you would?

Even if this "personal information" consists of a hashed check digit that happens to be garnered from your fingerprint, but is mathematically impossible to reconnect back to said fingerprint, short of having your finger back to re-generate it and compare with the previous number?

-Tim

Posts: 1039 | From: Minneapolis | Registered: Jan 2005
AnglsWeHvHrdOnHiRdr
Happy Xmas (Warranty Is Over)

quote:
Originally posted by Rehcsif:
quote:
Originally posted by AnglRdr:
Why would you trust Disney to protect your personal information as well as you would?

Even if this "personal information" consists of a hashed check digit that happens to be garnered from your fingerprint, but is mathematically impossible to reconnect back to said fingerprint, short of having your finger back to re-generate it and compare with the previous number?

-Tim

Yup. Except that if they didn't keep it on file for 30 days, I'd probably not care so much.

They can come up with a better way to do this.

--------------------
"When a stupid man is doing something he is ashamed of, he always declares that it is his duty."--George Bernard Shaw

Posts: 19266 | From: Nashville, TN | Registered: Jun 2002
Rehcsif
We Three Blings

quote:
Originally posted by AnglRdr:
Yup. Except that if they didn't keep it on file for 30 days, I'd probably not care so much.

They can come up with a better way to do this.

I don't think you understand the 'risks'. For example:
1) Let's take your real name, actual address, and phone number, and SSN. This is personal information that you might want to protect.
2) Now, take every digit in each piece, character by character, take the ASCII value, and sum them all together.
3) Take the result in #2 and divide by 500.
4) Store result of #3 for 30 days.

This is roughly equivalent to what Disney is doing. Nobody can get your personal info from the number in step #3. But given your personal info again, the number can be recomputed, and recompared to the original number stored in #4.

The fact that it originated from a valid piece of personal info is irrelevant after processing...

-Tim

Posts: 1039 | From: Minneapolis | Registered: Jan 2005
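
The four-step scheme in the post above, written out as an added example; it is not part of the thread and does not model any park's real system. It assumes step 3 means integer division, and `TicketStore`, `toy_digest` and the sample people are hypothetical and constructed; it also counts how many constructed records end up with the same stored number.

```python
from collections import Counter
from datetime import date, timedelta

RETENTION_DAYS = 30  # retention period discussed in the thread
DIVISOR = 500        # step 3 of the post; integer division is an assumption


def toy_digest(*fields: str) -> int:
    """Steps 2-3: sum the character codes of every field, then divide by 500."""
    total = sum(ord(ch) for field in fields for ch in field)
    return total // DIVISOR


class TicketStore:
    """Hypothetical gate database: ticket id -> (digest, enrollment date)."""

    def __init__(self) -> None:
        self._records = {}

    def purge(self, today: date) -> None:
        """Drop every record older than the retention period."""
        limit = timedelta(days=RETENTION_DAYS)
        self._records = {
            ticket: (digest, enrolled)
            for ticket, (digest, enrolled) in self._records.items()
            if today - enrolled <= limit
        }

    def enroll(self, ticket: str, digest: int, today: date) -> None:
        """Step 4: keep only the digest, never the fields it came from."""
        self._records[ticket] = (digest, today)

    def verify(self, ticket: str, digest: int, today: date) -> str:
        """Recompute-and-compare at the gate, after expiring old records."""
        self.purge(today)
        if ticket not in self._records:
            return "no_record"
        return "match" if self._records[ticket][0] == digest else "mismatch"


def anonymity_sets(population) -> Counter:
    """Map each digest value to the number of people who produce it."""
    return Counter(toy_digest(*person) for person in population)


def false_accept_rate(owner, population) -> float:
    """Share of *other* people whose digest equals the owner's stored digest."""
    target = toy_digest(*owner)
    others = [p for p in population if p != owner]
    return sum(toy_digest(*p) == target for p in others) / len(others)


def constructed_population():
    """100 made-up records: (name, address, phone, SSN-shaped placeholder)."""
    firsts = ["Alex", "Blake", "Casey", "Devon", "Emery",
              "Finley", "Gray", "Harper", "Indigo", "Jules"]
    lasts = ["Able", "Baker", "Cruz", "Diaz", "Evans",
             "Ford", "Gupta", "Hale", "Ito", "Jones"]
    people = []
    for i, first in enumerate(firsts):
        for j, last in enumerate(lasts):
            n = i * 10 + j
            people.append((f"{first} {last}", f"{n} Main St",
                           f"555-01{n:02d}", f"000-00-{n:04d}"))
    return people


if __name__ == "__main__":
    people = constructed_population()
    owner = people[0]
    store = TicketStore()
    day0 = date(2006, 7, 1)
    store.enroll("TICKET-1", toy_digest(*owner), day0)

    print("owner, same day:  ", store.verify("TICKET-1", toy_digest(*owner), day0))
    print("owner, day 31:    ",
          store.verify("TICKET-1", toy_digest(*owner), day0 + timedelta(days=31)))
    print("digest -> people: ", dict(anonymity_sets(people)))
    print("false-accept rate:", round(false_accept_rate(owner, people), 2))
```

Because the sum ignores character order and the division throws away everything below 500, the stored number is repeatable but shared by many records, so it both hides the input and lets a different person pass the comparison.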
Singing in the Drizzle
Jingle Bell Hock


quote:
Originally posted by Rehcsif:
quote:
Originally posted by AnglRdr:
[QUOTE]Yup. Except that if they didn't keep it on file for 30 days, I'd probably not care so much.

They can come up with a better way to do this.

I don't think you understand the 'risks'. For example:
1) Lets take your real name, actual address, and phone number, and SSN. This is personal information that you might want to protect.
2) Now, take every digit in each piece, character by character, take the ASCII value, and sum them all together.
3) Take the result in #2 and divide by 500.
4) Store result of #3 for 30 days.

This is roughly equivalant to what Disney is doing. Nobody can get your personal info from the number in step #3. But given your personal info again, the number can be recomputed, and recompared to the original number stored in #4.

The fact that it originated from a valid piece of personal info is irrelavant after processing...

-Tim

Biometrics only takes a sample of the information, not all of it. So if they were to use my real name, actual address, and phone number, and SSN, the data may look like this "EE4AEA8647342". It's repeatable and chances are not too many are alike.

Go ahead, pass the information round or try to get something about me from it. I'm sure that if someone had all the information of everyone in the US and knew how the code was made up, they could track me down and possibly a couple of other wrong people.

Posts: 597 | From: Bellingham, WA | Registered: Nov 2005  |  IP: Logged | Report this post to a moderator
Ganzfeld
Let There Be PCs on Earth


That seems pretty naive to me. If I have all the information but your SSN (not too hard to get) and I know the function (all secure systems must be constructed with the assumption that the function is known) then it would take all of an afternoon to get your SSN. You don't need the information on all the people in the US because there are a limited number of SSNs.
Posts: 4922 | From: Kyoto, Japan | Registered: Sep 2005  |  IP: Logged | Report this post to a moderator
I saw Mommy kismet Santa Claus
Happy Xmas (Warranty Is Over)


Ganzfeld, how could you possibly reconstruct the entire SS#, or name, or address if the metric only recorded selected digits of each for its record? Even if you knew which digits it selected, the information would be useless. Even if you got the entire name, a piece of the SS# would mean nothing. OK, so Joseph Reynolds has x72-x9-3x21 as his SS#. So what?
Posts: 2115 | From: Texas | Registered: Sep 2003  |  IP: Logged | Report this post to a moderator
SoToasty
Flock to malls with boughs of cash


It's called a brute force attack. You use a computer, and if you know the function, you start with the SSN of 000-00-0000, compute the number, then compare it to the stored number. If it matches, you know what the SSN is. If not, increment by 1 (000-00-0001), compute, compare...

Is this useful? Maybe. On a good PC, you should be able to break several a day. If you get lucky (low number SSNs) you could probably do 50 a day. If you did it on a stripped OS Linux system with an optimal program, probably 500.

As for the OT, I don't have a problem with this. People use biometrics every day. Your DL photo or other picture ID is a form of biometrics. It is just that, at this point, the technology to computerize this particular biometric is not entirely feasible. And for those of you who say, but your face impression is not left behind wherever you go, I know that already. However, that is slowly changing as there are cameras everywhere, and their number is increasing. Someday soon, it is entirely possible, your "face print" will be in more places than your fingerprint.

--------------------
Wherever ya go, there ya are.

Posts: 816 | From: Florida | Registered: Jan 2003  |  IP: Logged | Report this post to a moderator
Ganzfeld
Let There Be PCs on Earth


What SoToasty said. It depends on how long the hash (algorithm to produce one encoded record) takes. Usually they are simple and short. They can be impossible to reverse, but the only way they can be impervious to brute force is when the number of possible records is too large to search. For fingerprints, I have no idea. For the SSN example, it would be a cinch.

ETA - I forgot to mention one other way that brute force attacks could fail, and this would be a serious challenge: if more than one record can have the same encoding. For example, more than one SSN would give the same result. That's the problem with trying the brute force attack to decode the fingerprint info. There may be thousands of possible fingerprints to match one encoding. That's no problem for the park because the chance that two randomly selected prints have the same encoding is still extremely small, so they have a good deterrent. (I still don't think it's a good idea.)

Posts: 4922 | From: Kyoto, Japan | Registered: Sep 2005  |  IP: Logged | Report this post to a moderator
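The two points raised in the posts above (the compute-and-compare loop, and encodings that many records share) can be seen side by side in the following added example, which is not code from any poster and not Disney's or any vendor's algorithm. It applies the sum-and-divide-by-500 steps and, for contrast, an unsalted SHA-256 to one constructed record; the record layout, the `|` separator, the sample name and address, and the 100,000-value search limit are all assumptions made for the illustration.

```python
import hashlib

# Constructed sample record. Area number 000 is never issued as a real SSN.
KNOWN = "Jane Example|1 Sample St|555-0100|"  # fields assumed to be known already
SECRET_SSN = "000-01-2345"                    # the one field being searched for


def toy_code(record: str) -> int:
    """Steps 2-3 of the analogy: sum the ASCII values, then divide by 500."""
    return sum(ord(c) for c in record) // 500


def sha_code(record: str) -> str:
    """A standard unsalted hash, used here only as a point of comparison."""
    return hashlib.sha256(record.encode()).hexdigest()


def fmt(n: int) -> str:
    """Format an integer as NNN-NN-NNNN."""
    s = f"{n:09d}"
    return f"{s[:3]}-{s[3:5]}-{s[5:]}"


def candidates(encode, stored, limit=100_000):
    """Start at 000-00-0000, compute, compare, increment; keep every match."""
    return [fmt(n) for n in range(limit) if encode(KNOWN + fmt(n)) == stored]


def demo():
    """Return (number of toy-code matches, list of SHA-256 matches)."""
    toy_hits = candidates(toy_code, toy_code(KNOWN + SECRET_SSN))
    sha_hits = candidates(sha_code, sha_code(KNOWN + SECRET_SSN))
    return len(toy_hits), sha_hits


if __name__ == "__main__":
    n_toy, sha_hits = demo()
    print("toy code: candidates matching the stored value:", n_toy)
    print("sha256:   candidates matching the stored value:", sha_hits)
```

With the toy checksum every candidate in the range produces the same stored value, so the number neither reveals the SSN nor distinguishes one person from another; the SHA-256 value matches exactly one candidate, which is why an encoding precise enough to identify a record offers no protection when the input space is small enough to enumerate.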
Rehcsif
We Three Blings


Let's not get hung up on picking apart my hypothetical analogy. It isn't a perfect parallel to the OT's scenario. It was supposed to illustrate how the stored numeric Disney is holding for 30 days does not contain any actual personal data.

Besides, it's not a given that the generating function is known. This might be true for common things like PGP encryption, etc., but a proprietary algorithm by Disney (or their vendors) probably isn't going to be published.

-Tim

Posts: 1039 | From: Minneapolis | Registered: Jan 2005  |  IP: Logged | Report this post to a moderator
Mad Jay
Let There Be PCs on Earth


Proprietary algorithms are a piss-poor way of ensuring your customer's privacy.

OTOH, not storing the customer's private information is an excellent way of ensuring your customer's privacy.

--------------------
Nico Sasha
In between my father's fields;And the citadels of the rule; Lies a no-man's land which I must cross; To find my stolen jewel.

Posts: 4912 | From: VA | Registered: Jul 2003  |  IP: Logged | Report this post to a moderator