June 24, 2017

Privacy, Price Discrimination, and Identification

Recently it was reported that Disney World is fingerprinting its customers. This raised obvious privacy concerns. People wondered why Disney would need that information, and what they were going to do with it.

As Eric Rescorla noted, the answer is almost surely price discrimination. Disney sells multi-day tickets at a discount. They don’t want people to buy (say) a ten-day ticket, use it for two days, and then resell the ticket to somebody else. Disney makes about $200 more by selling five separate two-day tickets than by selling a single ten-day ticket. To stop this, they fingerprint the users of such tickets and verify that the fingerprint associated with a ticket doesn’t change from day to day.

Price discrimination often leads to privacy worries, because some price discrimination strategies rely on the ability to identify individual customers so the seller knows what price to charge them. Such privacy worries seem to be intensifying as technology advances, since it is becoming easier to keep records about individual customers, easier to get information about customers from outside sources, and easier to design and manage complex price discrimination strategies.

On the other hand, some forms of price discrimination don’t depend on identifying customers. For example, early-bird discounts at restaurants cause customers to self-select into categories based on willingness to pay (those willing to come at an inconvenient time to get a lower price vs. those not willing) without needing to identify individuals.

Disney’s type of price discrimination falls into a middle ground. They don’t need to know who you are; all they need to know is that you are the same person who used the ticket yesterday. I think it’s possible to build a fingerprint-based system that stores just enough information to verify that a newly-presented fingerprint is the same one seen before, but without storing the fingerprint itself or even information useful in reconstructing or forging it. That would let Disney get what it needs to prevent ticket resale, without compromising customers’ fingerprints.

If this is possible, why isn’t Disney doing it? I can only guess, but I can think of two reasons. First, in designing identity-based systems, people seem to gravitate to designs that try to extract a “true identity”, despite the fact that this is more privacy-compromising and is often unnecessary. Second, if Disney sees customer privacy mainly as a public-relations issue, then they don’t have much incentive to design a more privacy-protective system, when ordinary customers can’t easily tell the difference.

Researchers have been saying for years that identification technologies can be designed cleverly to minimize unneeded information flows; but this suggestion hasn’t had much effect. Perhaps bad publicity over information leaks will cause companies to be more careful.

Comments

  1. I think that you should note that when this was discussed on /. that the general consensus was that they are not taking fingerprints but something more like hand/finger geometry measurements. Also, some seemed to be under the impression that they were only storing some one-way hash information about the scans not the whole scan. Finally, others pointed out that you could have the multi-day and season passes personalized with a photo and your name, but that the finger scanning was available to speed up the process.

    Now I know one shouldn’t believe everything that you read on the Internet (especially /.), but this discussion seemed to have some knowledgable folks participating, so I thought I’d throw it out there.

  2. The article does talk about extracting features from the presented fingers. Some people read that as meaning that they only measure finger geometry. But I’m not so sure about that. Most fingerprint matching algorithms extract distinctive features (“minutiae”) from the images and compare based on the nature and location of the minutiae. (Human fingerprint experts do this too.) So the description in the article seems to match full-on fingerprint scanning as well.

    Regarding the use of a hash, a simple hash won’t work (failing to account for minor variations from measurement to measurement), but there are sophisticated hash-like algorithms one could use. That’s what I had in mind when I wrote about more privacy-protective design alternatives. If Disney is actually using one of these, good for them!

  3. From a Jul 18 posting[1] to Dave Farber’s IP List from EFF attorney Lee Tien:

    http://www.interesting-people.org/archives/interesting-people/200507/msg00159.html

    Is it clear that Disney World is actually taking fingerprints? It’s
    my understanding that Disney World has been using finger geometry
    scanners for 6 or 7 years. If I recall correctly, finger geometry is
    much less distinctive than fingerprints (my recollection is that
    something like 1 in 1000 people have the same hand geometry; I don’t
    know the ratio for finger geometry). So it would seem less dangerous
    to privacy than fingerprinting.

    E.g., the National Academies study “Who Goes There” noted:

    * Disney World also uses a system that is designed to prevent a
    single-entry pass from being used by multiple users. Disney World
    issues each passholder a card at the time the pass is purchased. The
    name of the passholder is not recorded on the card, and, in fact, the
    card can be transferred freely from user to user until the first time
    it is used. At the time of first use, information about the
    passholder’s finger geometry (not related to the passholder’s
    fingerprint) is linked to the card. Any time after the first use of
    the pass, the person presenting the pass must authenticate ownership
    of the pass using a finger geometry verification check (by holding
    his or her hand up to a measuring device). If the check fails, the
    person presenting the pass is denied access to the park.

    Finger geometry is not distinctive enough to identify the passholder
    uniquely; therefore, verifying finger geometry does not provide
    sufficient certainty for accountability (see below). However, finger
    geometry varies sufficiently from person to person so that a randomly
    selected individual who is not the passholder is not likely to match
    the finger geometry linked to the card. Therefore, this system works
    well enough to prevent multiple users from using the same pass in
    most cases-an acceptable level of risk, given what the system is
    protecting. This system uses a loose form of biometric authentication
    to protect against fraud (here defined as multiple users) without
    collecting information that identifies the legitimate owner of the
    pass.

    “One unique application is at Walt Disney World® in Florida, where
    200,000 annual pass holders are enrolled in a finger geometry
    recognition system.”
    http://financialservices.house.gov/banking/52098jd.htm (Statement of
    Jeffrey Dunn, Chairman, Biometric Consortium) [both as of May 1998]

  4. Ed’s use of a 2-day pass reminded me of an interesting economic ploy by Disney World (but not Disney Land). There are no 2-day or 3-day passes — they only offer 1, 4, and 5 days passes.

    I surmise that this is Disney’s method of trying to maximize the amount of time a visitor spends at Disney World instead of the various other central Florida attractions. I no longer recall the exact details, but I remember Disney Land does offer shorter passes (probably because there somewhat is less to do, both within the parks and by the competition nearby).

    The one sop Disney World throws the customer is that the passes don’t expire. So if you expect to go there multiple times it may be worth getting a longer pass. Note that Disney World and Disney Land passes are not interchangeable.

    At the very least, this establishes that Disney has a fairly sophisticated effort to maximize revenue per customer. That thought reminds me of one other Disney tweak — Disney Land had no short “park hopper” passes. For some reason they did not want people to go back and forth between Disney Land and the California adventure unless they committed to a multi-day pass.

  5. Avi Flamholz says:

    I had a discussion with Professor Kernighan about a similar topic, when I was taking his class this past semester. The basic idea was this: I was making a web-system for my final project, and access required Princeton LDAP authentication. Brian wanted us to consider md5 hashing the password in Javascript on the user’s computer so that I would never get a string of your password on the server side.

    While I agree with him that the complete system should do that, this scenario highlights the same sort of dilemma as we see here with Disney. If I had done some client-side hashing, the vast majority of the sites users (Princeton students) would have had little way to verify that I was doing so. For them, it wouldn’t matter that I had the javascript source freely available, since they couldn’t read/understand it to verify that it works. So they are gambling in trusting me whether or not I implement the client-side hashing.

    With this Disney scenario, even if Disney only stored mapping of ticket number->finger print, how would clients be absolutely guaranteed that they were really doing so? Ultimately, no matter what Disney is doing on the back-end, it comes down to whether or not you trust them as a company.

  6. Alexander Wehr. says:

    It may be your opinion that ticket resale should be preventable, but personally I think it’s an invasion of consumer property rights.

    We bought the ticket.. to deny us the right to resell it is a direct spit in the face to the concept of private property. Tickets do not fall under the extraordinary constitutional provision for IP rights, and the bill of rights says we own what we buy.

    Of course.. I don’t give disney ANY money for reasons you should find obvious, but it should be a person’s right if they were intelligent enough to realize it to buy a ticket for longer then they were staying and make up some of that expense by passing it on to some willing purchaser.

    I think if disney doesn’t like this, they should cease selling multiday passes rather than continuing in justice souter’s misguided path.

  7. Michael Zimmer says:

    “We bought the ticket.. to deny us the right to resell it is a direct spit in the face to the concept of private property”

    Not if the transaction included a condition of “not for resale,” which I assume is printed on the back of each Disney ticket.

  8. Well, it boils down to, is “not for resale” a concept that ought to exist? I don’t think so. It’s really not much different from DVD region codes or overpriced domestic textbooks, or for that matter the right of first sale with copyrighted works. Allowing such restrictions to be placed on a sale doesn’t benefit society.

  9. I’m sure the music industry would love to print “Not for resale” on CDs and sue any passing second hand shop.

  10. The restriction of consumers reselling goods caused a recent stir with Counter Strike Source. When you install it it gets tied to a unique account, and without passing on the account details (which may be linked to other products you have bought) it requires the payment of a $10 fee to get your copy disassociated with your account. It wasn’t a popular move — the second hand computer games market is very lucrative, and (if I recall correctly) restricting the resale of goods is illegal in parts of Europe, regardless of whether or not your print “not for resale” on it.

    With the Disney tickets, I’m guessing you don’t get told about not being able to resell the ticket until after you’ve purchased it, and I would have thought that not being given the full details of a contract before you enter into it would render the “surprise” terms null and void. IANAL, of course, but it all sounds as though its on shaky ground to me.

    One solution, of course, is for someone to work out exactly what method they’re using and use that to set up a central repository for reselling tickets. Stick your hand on the doofer, and a “compatible” ticket can be located… Complicated logistically, and would require a high volume of resellers and co-operation between those little ticket places dotted around Orlando, but possibly doable. Like they say, it’s a million to one shot, but it might just work! 🙂

  11. Does Disney World allow you to opt out of the finger-scan?

    What do they do with visitors who are missing a hand or two?

  12. Paul Mattal says:

    Ironically, I haven’t had time to read this blog lately, at least in part because I was at Disney World, encountering and wondering about this technology.

    A few brief points:

    1) I purchased and used a 3-day pass. There is definitely such a thing.

    2) Some comments on the scanners: they were annoying. Specifically, they usually had a person manning each one, and you would often have to fiddle and try a few times before it would work properly. The trick seemed to be to make sure your fingers were pushed all the way inside and squeezed together around a piece of plastic in the middle.

    3) For whatever reason, these metrics failed on my dad every time. As a fallback, they just made him show his ID.

    4) It occurred to me that the crux of the problem is that Disney no longer takes something from you or attaches something to you when you enter and leave a park. Years ago, you got a physical ticket that was taken from you at the entrance. If you exited and wanted to re-enter, you got your hand stamped with a special ink that glowed under UV light. Obviously both the paper ticket and hand stamp were much easier to understand (and probably also to forge) than the biometrics, so I see what they were going after.

  13. “Disney Land had no short “park hopper” passes.”

    They do, but it’s for SoCal residents only.

    “If you exited and wanted to re-enter, you got your hand stamped with a special ink that glowed under UV light. ”

    They do still do this – but that only works for that day – it doesn’t keep people from sharing multi-day passes.

    Although, is re-selling multi-day passes really that much of a problem? Multi-day passes needed to be used within a certain time – or at least they do at Disneyland, so the turn around needs to be pretty quick. It’s certainly possible, it just doesn’t seem like it could get out of control that easily.

  14. “With the Disney tickets, I’m guessing you don’t get told about not being able to resell the ticket until after you’ve purchased it, and I would have thought that not being given the full details of a contract before you enter into it would render the “surprise” terms null and void.”

    In Disney’s defense – if you buy the ticket that day, possibly. But I’d imagine a lot of people who are vacationing in Florida buy their multi-day passes before they leave as part of a package, and I know they are very up front about their nontransference policy on their website. It’s “fine print” but the print isn’t all that fine, and they state it as you are still “shopping” for tickets, they don’t wait until you are about to pay, much less after you have done so.

  15. JEFFREY BJUR says:

    Disney is quite capable of putting strategy and creativity together, its what the company was founded upon. What we have here is neither a marketing nor PR problem, but a larger corporate communication issue within the confines of Disney, where separate business units are capitalizing on their strategic efforts to implement new technologies.

    Solution: simply take their photo on the first day of use. This eliminates resale. Fingerprinting is unnecessary as is signing the ticket, although fingerprinting could easily be paired with other information to further profile a guest. But for what purpose? This is not needed. What is needed, I will explain as voluntary. Surely there must be less-intrusive and more cost-effective steps to get the same information. Solution: Voluntary information. For some time, Disney has collected information from guests online, in the parks, at the resorts, Disney Store, etc. Increasing interaction on the guest level builds the brand equity of the parks, resorts, whatever. Believe me, Walt would want to keep things simple for the guests. Don’t get me wrong, technologies such as biometrics, fingerprinting, or other technologies are very powerful tools for creating a stronger overall guest experience

    By the way, the solution to multi-day passholders without changing to ticketless entry is as simple as having multi-day passholders utilize a separate entrance. An alternative solution is to have guests sign in without a ticket. But how to be done?? Lines are always a problem for the guests and the park operations teams. Lines are also opportunities to inform and even market to guests. So if a ticketless entrance adds to the line, then its as simple as finding a creative way to benefit the guest, which benefits Disney, etc.

    It’s uncanny really. Increased traffic brings dollars and it brings infrastructure changes. The need for a FASTPASS system is the result of not being able to have a way to manage the flow of people throughout the park. Yes the parade, fireworks, shows and related events scattered throughout the park do help, but they can also be headaches to the guests when they want to get in or out of the entertainment. Disney has to be able to manage the interest of the guests so that they can flow through the park in a more educated and efficient way, this way lines are minimized as much as possible and any slowdown is supplemented with opportunities for entertainment. Can a line be fun? Absolutely!

    On the issue of ticketless travel: Can ticketless vacationing be error free? Well, think about fandango and ticketless travel at airports. Perhaps you are familiar with NTT DOCOMO in Japan. Ticketless solutions exist among every major entertainment industry in the United States. Surely the can work for Disney.

  16. It is written on the ticket not for resale and I believe somewhere its also written that the ticket remains property of Disney World, meaning it isnt yours to sell/give to someone else.

    But the whole idea is you pay for it you use it, not use it for a day and pass it on. You dont pay to get a passport use it for a holiday and sell it somone else do you? (may not be the best example but it is an example non the less).

    Also I have seen some DVDs/VHS tapes with not for resale on them, so there are many different places where it can apply/appear.

    But the moral is buy what you need, i.e. buy a ticket for the length of time you wish to visit, e.g. want to visit for 1 day dont buy a 2+ day ticket as you dont need it.

    Its the same story for many shows/sports events, and its within the law for them to do so. So reselling your ticket is illegal!

  17. how many people enter disnyworld a day? How much crime occurs on the parks. One obvious benefit for them is reducing on park crime by having police ready to catch wanted people by comparing the taken fingerprints to police wanted records. (there are currently over 100,000 murder cases in the US where the fingerprints of the suspect are known but there is no corresponding information about who those fingerprints belong to since not all US citizens are required to have their fingerprints taken)

  18. Disney is probably working hand in glove with the the US government. Bush wants oil and nothing but oil. Here Disney is helping Bush to keep tabs on all the world. Nothing to do with terrorism because terrorism is US created anyway. Why can’t we all jusy live in peace?
    How can “terrorists” kill innocent people? How can Bush kill innocent civilians? Why do people kill other people? Useless and mindless deaths.
    God should bring on Doomsday because the human race does NOT deserve this world. People have become sick and don’t care about each other.
    When I was a kid ordinary people actually cared about each other even strangers but the way the world is going now, humans will become extinct soon.

  19. They are not taking fingerprints – it is only measuring certian points on your fingers to make sure only you use the ticket.

    FACT: A real fingerprint scanner has to be cleaned between each print it scans. Remember that you will leave your prints on anything you touch. If they were scaning fingerprints then when you go through the gate your prints would be left on the scanner. Now I go in after you, and it will have both prints and not get a read.

    I have been finger printed by the FBI for employment purposes and you should see how cranky their scanner got because even with a good windex cleaning between finger scans there was still a small trace of my last fingerprint on the glass.

  20. the crow says:

    what is the solutions to overcome the unethical issue in pricing such as price discrimination? please give me some methods..tq

  21. the crow says:

    what is the solutions to overcome the unethical issue in pricing such as price discrimination? please give me some methods..tq

    please email me at ()