Disney’s MyMagic+ Good or Evil?

Written by Kevin Yee. Posted in Disney Parks, Walt Disney World

Tagged: , , , ,


Published on March 05, 2013 at 4:04 am with 64 Comments

Online reception to Disney’s NextGen initiative, called MyMagic+, has been far short of what one could charitably call lukewarm. In fact, the more appropriate term is, probably, outright hatred. I’ve done my share of moaning about the wretched possibilities with this new system, particularly when it comes to the one-two punch of privacy concerns and shafting the annual passholders. But vitriol seldom tells the whole story, and on this topic, like so many others, I think there are two sides.

Disney has been quick to point out the main advantage to MyMagic+: it enables advanced planning for people who prefer that level of preparation, and removes a whole lot of uncertainty from the typical vacation formula. Think about it this way: imagine planning a trip to an amusement park that you do not often visit — Universal in Singapore, for example — would you be so completely opposed to advance reservation system that would guarantee you access to the top five rides in prearranged reservations? I would probably find that comforting. Admittedly, it’s only a small section of the population that can truly be called ultra planners, but it is also absolutely true that a vacation with the big question marks removed can mean more relaxation for a wide slice of the population. I’m not the biggest fan of all-inclusive vacation packages, because I think they usually save no money at best, and might make you spend more money at worst. But it’s also true that I absolutely enjoy myself on the Disney Cruise Line, which is an all inclusive vacation. I have noticed, and remarked upon, the relaxation factor that can kick in once you realize that all the bills are taken care of. It’s very likely that advanced ride reservations will have a similar effect on the overall vacation. It may calm and soothe those parts of the trip that were previously fraught with tension and anxiety. I’m not saying that the system will be perfect or nirvana for everyone, but I *am* saying that the opposite extreme reaction — thinking that absolutely everyone hates to plan minute details of the vacation or that a planned out vacation is not any fun — should not be taken as gospel either. This is one of those topics where both sides have validity because the spectrum of travelers is actually that wide.

At one point, Disney was not going to require a PIN code for purchases under $50 made with a MagicBand. Possibly in reaction to the online uproar, wiser heads prevailed at Team Disney Orlando and now a PIN code will be required for every purchase. With that fix in place, I don’t really have any complaints about using RFID for purchases. My 10-year-old assures me that he will absolutely hate it if he has to wear the band full-time while in the park. Disney has not explained the policy either way yet, but my plan is to stuff the bands into a pocket once inside the park. Otherwise, the resulting tan lines would be irritating indeed for us frequent visitors.

It’s apparently relatively easy for bad guys to scan and read RFID chips, even at a slight distance. Because a PIN is required for all purchases and the bad guy would only get an ID number, I wasn’t that worried at first. This ID number can be disabled server-side as soon as the guest notices it’s been compromised (and again, the thief can’t make purchases with it). But then I realized the number *can* be transferred onto a fake MagicBand and used for park admission. I shrugged at that one.  Only Disney would lose in such a transaction, not the guest. But then I realized a PIN is not required for entry into hotel rooms, either. That has me worried. Your stuff will be a LOT less safe in your Disney hotel than was true even last year. Couldn’t a bad guy watch you leave your room, scan your RFID from a distance, wait until you leave the area, and then enter your room?

Privacy is a hot topic with lots of questions. I’m not going to go so far as to say that I am completely convinced Disney will be responsible with its data, nor do I think it is inconceivable that the system can be hacked. I’m guessing it’s less likely that an outsider would breach the defenses and be able to crosswalk the data with identifying information about the visitors. But it may be more likely that data misuse could come from within Disney’s own ranks. Are they making it absolutely impossible for a cast member in the right department to track a guest for dishonorable purposes? We know that a small percentage of people will give into cyber stalking if given the opportunity — the regular Internet is proof enough of that. So what will happen when you marry big data and personally identifiable information in an environment where the stalking victim can be seen and observed?

So I am at least a little concerned about privacy. But I promised this article would look at the flip side of everything, and there is a flip side here as well. Namely, there could very well be advantages to the individual guests in the privacy compromised world. It’s not just Disney that benefits, there are some for us little guys too. Let’s assume that Disney knows how often we ride certain attractions in the future. Let’s say you typically ride Space Mountain three times on every visit to the Magic Kingdom. Disney may not have known that before, especially if you sometimes used standby instead of FASTPASS. But they will know it in the future. It’s true that Disney could use this information to take actions that are unfriendly to guests, like closing attractions early or manipulating staff levels so that people really only get on eight rides per day and not more.

But it’s not hard to imagine ways that Disney could use the information for good as well. Now that they know you are a Space Mountain junkie, might it be possible that they will use CRM software to invite you and visitors similar to you to purchase a ticket for a special Space Mountain event? Before you dismiss that it is something you would never pay for, remember the target audience here. If you’re a frequent visitor, you might not pay for it, but the very infrequent visitor might. I go to Disneyland Paris only every few years. But when I go, I ride the Phantom Manor an awful lot, probably more than most visitors. If Disney knew that, they could send me an invitation to an upcharge party involving the Phantom Manor. And I’d probably pay it.

Think about merchandising opportunities. If your favorite ride is Splash Mountain, there has always been merchandise available for you to purchase. That’s less true if your favorite ride is the PeopleMover. Disney is likely to be able to suss out new nuggets of information from all this data, such as who exactly is riding each attraction. Disney presently knows that 1800 people may ride PeopleMover from 3 PM to 4 PM, but they have no idea who those people are. I suspect they will discover some patterns that will be useful in identifying new product lines. Many of the locals that I know, for example, love the PeopleMover. I’m guessing Disney will discover that repeat visitors really enjoy the ride. If they compare that data set with the data set of people who spend on merchandise — something else they will know due to the MagicBands — they can create a Venn diagram of people who like the PeopleMover and typically by theme park merchandise. Then they can send e-mails or physical mail to just that sub-population. I’m sure that sounds like Big Brother to some of you, but it’s not necessarily negative. It’s possible that this will create a win-win situation. You get to buy merchandise that you’ve always wanted and Disney has never yet created, and Disney gets to make the sale.

Will the Seven Dwarfs coaster inspire such loyalty?

It’s important to keep in mind that we may be dealing with a paradigm shift here, perhaps big enough to call it an epoch. Just as there was an Age of Computers, followed by an Age of the Internet, Western society may be moving toward an Age of Big Data. Futurists and prognosticators are already claiming that many of the jobs in the coming decades will involve analyzing big data and evolving appropriate marketing strategies. In other words, Disney may be merely leading the pack, though certainly there are other companies already doing with Disney is proposing on a smaller scale. What I find most intriguing about the possibility of an Age of Big Data is that these epochs tends to evolve organically without much rhyme or reason, lurching from side to side and latching upon new concepts so quickly that no one could have predicted the direction eventually followed. Computers were just a toy at first, until they weren’t. The Internet was of limited value initially for most users, but that of course didn’t last. No one can predict at the start of one of these eras just what will prove useful and what we will find indispensable in the future. It may be a great big beautiful tomorrow after all.

What do you think folks? Will Disney use all of this data for good? Evil? Or some purpose in between?


More information and updates

Kevin Yee is the author of numerous independent Disney books, including the popular Walt Disney World Earbook series and Walt Disney World Hidden History. Readers are invited to connect with him online and face to face at the following locations:

About Kevin Yee

Kevin Yee is an author and blogger writing about travel, tourism, and theme parks in Central Florida. He is a founding member of MiceAge and has written numerous books about Disney parks (see http://bit.ly/kevinyee).

Browse Archived Articles by

  • pumpkinmickey

    Guests will have the option of using the card that is in use now if they don’t want the band.

  • wdwprince

    “But then I realized a PIN is not required for entry into hotel rooms, either. That has me worried. Your stuff will be a LOT less safe in your Disney hotel than was true even last year”.

    As a guest, I don’t understand this concern or fear. Your room number will not be listed on the band, it wasn’t even on the room key card.

    If someone is roaming the resort waving their band at every door hoping to get lucky for a break in, surely it will go wrong. That behavior would be suspicious. And noticed.

    I would not worry about this at all.

    • RosevilleDisfan

      The theives would know who they stole the data from and simply follow them back to their hotel and see which room they are in.

      • Gregg Condon

        Probably just like any card, etc, once you report the band stolen it would be deactivated at any hotel or park guest services area. It wouldn’t be very hard to do and I’m sure Disney has considered this.

    • The real concern is wether a MagicBand can be cloned from the data it transmits. If so, crooks are going to obtain a lot of info and access.

      • ericg

        Opportunistic thieves are a lot smarter than the fools that fear of RFID technology and spread false information about it.

        It’s a fact that it’s a lot easier to just kick in the door on a hotel room than it is to steal the RFID code and then clone it in some device to gain access.

        The fact is most RFID readers (practical, portable ones) read from a distance of 5 inches or less. Furthermore, the data that is obtained is really just an anonymous serial number, so without access to the database that links that serial number to the rest of the data then you’ve really got nothing.

        I’m willing to bet that 99.9% of future hotel break-ins at the WDW resort will not occur because of stolen RFID info.

  • MrTour

    Life is all about chance. When we try and control an experience and remove the element of chance, it becomes sterile. Is that how we want to spend a day in the park?

  • mkcoastie

    I understand the concern about a baddie using MM+ to gain access to your hotel room, but that fear is mostly unfounded. My phone reads RFID info and I noticed when I stayed at the BCV at the end of last year, that I could get the number from my room key. I thought this was pretty neat and was trying to think of ways that I could use my phone to unlock my room. This is something I theoretically could have done…..because I knew which room I was in. Fortunately, a person in the parks who passively scans my card has no way of knowing what room, or even what resort, I’m staying in. To gain this info they would need to have access to the resorts computer and cross reference the random number to a room. If someone had access to this info, they wouldn’t need to scan my card in the first place. Anyone who had access to the front desk computer system would have been able to make a key card for my room, even under the old system. I suppose they could scan your card, follow you back to your resort and up to your room and then come back the next day and wait for you to leave in the morning……but this starts to get a lot more difficult and frankly more noticeable. Add to this the fact that RFID room entry keys are not unique to Disney. Great Wolf Lodge (a chain of indoor water park resorts), for example, has been using a system where an RFID bracelet is used as both a room key and a way to pay for things throughout the resort. I know from experience that this system has been in place for at least 5 years. Starwood Resorts (Sheraton, Westin) has also been changing many of their hotels over to RFID room keys. I would imagine that Disney has payed close attention to these situations before moving ahead with their own version. I have my own qualms with MM+, belive me. These are mostly related, however, to what else could have been done with the billions spent on this system.

  • RosevilleDisfan

    Get the card, not the wrist band and keep it in a foil lined pouch of some sort. The foil will prevent the tracking (and possible data theft) while inside the pouch. Only take the card out when you need it and put it away promptly.

    • Westsider

      Sears sells a line of RFID-blocker wallets and pocketbooks. The leather has a metallic lining that blocks any RFID reader from scanning the contents.

  • eicarr

    This is fine to use in parks in china and Florida, but this will not fly in California. Lawyers from LA to San Francisco will work with Silicon Valley cyber activists to gut it.

    The kids spending aspect sound like a disaster. Imagine giving your kid a credit card to make all the bad decisions near the check out counter at any store(all the candy bars and overpriced items they’ll never use). 70% of stuff sold there is junk or junk food and needs parental approval to buy.

    There needs to be a card with a chip AND a magnetic strip for purchases and room entry for California. Kids can wear wristbands only.

    Preplanning does not fit Californian visitors who visit Disneyland on a whim from throughout the most populous state. The inevitable hacking that will show I rode the embarrassingly bad Winnie the Pooh ride 2X on my last visit could ruin me. Sadly, this will allow Disney to increase park capacity without having to build more attractions. But the idea of being tracked all day for the benifit of a company and the government is beyond disturbing. There is no real “+” for guests themselves.

    • chesirecat

      I doubt that California will enact any law to “gut it” as DLR is entirely private property, there is no right to enter Disneyland. You buy a ticket and play by Disney’s rules, i.e. you wait inline for attractions and such. I doubt that the MagicBand will be required by all guests any any point in time, (at least not within the next twenty to thirty years) hence anybody can pay cash and ride all of the same rides. No legal case there that I can see.

      Parents decide the purchasing power they give to the kids, doubtless the parents with responsible kids will love this gadget as their kids can easily go off into the park for a couple of hours without having to get them some cash.

      Disney already has tons of data with daily ride counts, Pooh is a lame ride, yes, but knowing that there are “repeat customers” in a given would just tell them that there are diehard Pooh fans, or folks ride again because the line is short, either way it means a fewer percentage of guests are enjoying the attraction due to repeats.

      Remember that it is the computer tracking tens of thousands of guests, nobody would care to look at a bunch of dots with actual names . . . why? Obviously nobody would be paid to do this as I don’t see any useful reason.

  • StevenW

    Modern hotel room keys are the plastic cards that you insert above the door knob. They don’t tell you the room number and they don’t require a PIN number. I think Disney’s approach is the same where the RFID is scanned at the door knob and it opens automatically. No PIN is needed since it is rare for anyone to follow anyone home from the park.

    However, why bother following someone home? It is easier to just stand by the hotel hallway and follow a departing guest. The thief will wait around the hotel elevators and automatically scan numerous RFID bands. Within a few minutes, he will make a counterfeit band and quickly scan the rooms. He will be gone from the site before housekeeping or the guest returns from the park or breakfast.

    On second thought, they should have a PIN or retain the room cards.

  • chesirecat

    The RFID bracelet interactions are all tracked by a computer. So, Disney knows when you are in the parks, buying something, or even riding something, so if somebody opens your room door while you’re in DHS . . . a red light goes off somewhere, and likely security will arrive at the hotel room.

    Besides the computer tracking the use of this tech, there will also be counterfeit measures associated with the wrist bands, which Disney obviously won’t be discussing with the general public, there is a ton of anti-cloning technology that can be used with RFID, making them actually safer than magnetic swipe cards such as credit cards and the old room entry cards.

    I don’t get the closing down Space Mountain because somebody is riding it alot. WDW/MK, of course, needs more attractions, and closing down one attraction means more guests at others and longer lines.

    You actually don’t have to data mine to sell a t-shirt in the park, just print up some PeopleMover t-shirts and put them out on a shelf and see if the public buys them.

    Disney may send folks e-mails advertising stuff, but if you don’t want this stuff then you can turn it off, though some APers might likely highly specialized announcements, in the end it is more work for Disney to do this, and just to get somebody to buy a PeopleMover t-shirt?

    Studies show that RFID wristbands increase spending by about 20%, due to convenience. Disney will make millions in the first years with this technology, not hard to see why it was adopted.

    • mkcoastie

      I actually have to agree with you. Reading this article caused me to do some research on RFID security and I have found that there are MANY ways that RFID cards can be protected against cloning. my reading also brought up an interesting article on the magnetic strip key cards. apperantly with about $50 in parts there is a way to open any room you want with a homemade device.

  • chesirecat

    That’s correct mkcoastie, the old magnetic strip hotel room system wasn’t very safe to begin with. Of course with any security system, crooks will try to find a way around the safeguards, but RFID offers a new layer of protection, and luxury hotels are using them for room entry and even in-room safe security as a security upgrade.

    MagicBands are kinda little computers, and they are tracked everywhere by the mother computer, so it will be immediately apparent if somebody actually cracked the encryption and was able to clone and RFID and then used it, the computer knows that two such items can not exist, will alert security and could even “reprogram” the MagicBand with an new encryption. AND the mother computer can easily be programed to figure out which MagicBand is legit, probably the one that was used to enter MK and is getting in for the Princess FairyTale Hall and was used first during the day is legit and the duplicate room entry is not, LOL, be funny to see a family stopped by security for duplicating their own RFIDs. Disney will make sure the system is secure, and it will be monitored on a daily basis as they are going to make tons of money.

    This whole the MagicBands are not safe and will be cloned is just a malicious rumor started by some disgruntled APers.

  • WesternMouse

    How about this–I fill out a survey where I decide what parks I want to go to, what rides I want to go on and how many times, and where I want to eat and when, and where I want to sleep. I pay Disney a ton of money and they send me the schedule options and I go. No tracking needed because everything is done for me and up front.

  • Johnny

    Certainly there are security concerns. It really seems that this new system benefits Disney more than guests. Isn’t a good touring plan combined with the existing FastPass system adequate? Aren’t key cards adequate for accessing hotel rooms? Do people really want to be tracked that closely?

  • chesirecat

    Oh, and if Disney uses Wi-Fi to track the location of the RFIDs, then obviously they could program the door to be locked to all but maids and security when you leave the hotel. This would not be hard to do with the technology they are installing, as far as I can tell. As Kevin pointed out, they could use pseudonyms, and changing identification numbers so somebody “reading” your bracelet would get a ton of gibberish, be confused, etc. Encryption on both ends will probably also be put in place, and it could change on a daily/hourly basis.

    Of course, Disney will *not* be telling us what security will be installed, and there will likely be several layers, but the most effective is tracking the legit MagicBand geographically.

  • chesirecat

    If a parent loses a child, then MagicBand can be used to locate that child, seems like a plus there. Otherwise, the information would probably by analyzed as anonymized bits of data for security purposes, same thing as Disney having security cameras everywhere . . . they would be watching “everybody” yet no one person specifically, and since they have hundreds of thousands of guests each day, the computer would be doing this and only flagging security issues for a human being to look at.

    As interesting as guests think they are, nobody wants to see at a computer and watch Mr. Smith ride Space Mountain for a third time while plotting how to see him a Space Mountain t-shirt.

    • BrianFuchs

      “They” would be watching no person specifically, but a bad person who hacks into the system could track specific people – like a child. They would know when a child was separated from an adult and what the distance between them was.

      That make you feel better about Disney putting RFID trackers on kids?

    • pumpkinmickey

      Chesirecat,There is no GPS in the RFID There would be no way to track guests exact location or lost children through that system

  • Cjedwards44

    I haven’t done too much research on this but I have some questions. Does the band/card only apply to Disney hotels? I have always stayed across the street and even up to a mile away. How do you make purchases with it? Is it optional or mandatory? I’m a guy that uses cash, everywhere. I have no bank accounts or credit cards. Would I have to make purchases with the band or can I just use cash? I understand they want to KNOW their guests to the point of maximizing the parks profitability but I am not a planner. Now that fastpasses are having to be used during their time I’ll probably hardly get one. What’s wrong with strolling the park and going with the flow? A good vacation is one that unfolds naturally.

    • There is a great deal of flexibility with the system. You do not have to tie a credit card for purchasing. And you can choose which Magicbands on your reservation have charging privileges.

  • sandiegomousefan

    I just have my doubts. Some of the MM+ sounds great, I am sure, in a powerpoint but its opportunity to be actually USED seems pretty problematic because of:

    A) the sheer number of guests we are talking about at WDW at any one time
    B) the challenges of actually tailoring meaningful personalized offer in respect to labor and time.

    Yes, you COULD get an email about the brand new commerative people movers pin over at Startraders. But what is the value of actually crafting such an email, personalizing it to any great degree and then delivering it? More likely it will be like a lot of Disney marketing emails – bland, unpersonalized and sorta “ho hum”.

    Disney is in the business of MASS entertainment. Far better, I would think, to pay CM a wage comparable to Starbucks and get very high customer service with a smile than spends billions so that an robotic character can mispronounce a child’s name for the 100th time on a dark ride.