Privacy at Disney World Waning? RFID and Tracking Updates

Written by Kevin Yee. Posted in Walt Disney World

Tagged: , , , , , ,

frontpagepic_KY

Published on December 03, 2013 at 3:00 am with 73 Comments

All of a sudden last week, based on some first-hand reports, there was reason to suspect that the Disney MagicBands do, after all, contain the capability to be read at a distance. The assumption until now was that Disney would only be able to track its visitors when they took the step of placing their MagicBands (MB) within millimeters of the readers to pay for purchases or join the FASTPASS+ line, and that customers were therefore in charge of deciding when Disney would know where they were. But if Disney can read MagicBands from a distance, they will be able to track users much more closely, and without their knowledge or minute-by-minute consent. Visitors may feel their privacy is at its lowest ebb when on a Disney World vacation.

fastpass+ 2013-11-23-2179

There are several online reports in the past week or so of people returning from a Disney World vacation and discovering that in their online MyDisneyExperience account (the front end of the MyMagic+ system), there are not only those PhotoPass pictures they took when they scanned their bands, but also photos of them while on the rides — Space Mountain, Splash Mountain, Expedition Everest, and so on. This was at first perplexing for them, since they never “swiped” their MBs at the rides. Given the belief that Disney needed to swipe a band to know you were there, it didn’t seem possible for Disney to connect the right pictures to the right people. And yet there they were.

The implication is that the bands CAN be read at a distance, without needing the customer to hold it less than an inch from the reader. That seems counter-intuitive. If the bands are capable of that all along, why bother having them need to touch the scanners directly for FASTPASS+ and for room charges? One answer: it seems more prudent to require actual contact (touching) to pay for things, to avoid fraud and accidental payments.

When the news broke a few years ago that Disney World was moving to a system involving RFID chips, there was a lot of speculation about privacy. Many of those who fretted the most about being tracked were pooh-poohed as the “tinfoil hat” types, sensing conspiracies when none were present. RFID-capable keycards and annual pass cards – sized and shaped just like credit cards – did not seem to present any opportunity for Disney to track users unless they actively swiped their cards. The RFID chip was just too passive; it couldn’t transmit. The debate about privacy then seemed to just die out many months ago, as if the matter were decided: Disney could only track you if you swiped.

Guess what? The MagicBands (which I reviewed positively last week) *do* have batteries in them. Disney has recently said the MBs should last 1-2 years and mentioned the battery as one reason for the shelf life. Johnathen Hopkins, one of the podcasters from WDWFanBoys, cut open his MB to find out what was inside, and the battery was easy to find.

IMG_2108

There are many different types of RFID setups and the “read range” varies due to several factors (how large are the antennas, what frequency they are using, how much power is in the reader, is there a battery with the RFID chip, etc). It looks like current hotel keycards and annual pass cards use a more passive RFID chip with no battery, but MagicBands include a battery and thus could be read from further distances.

Confusingly, the plot thickens still more. Let’s dig a little deeper, as Mama Odie might say. Disney’s 2012 letter to the FCC (and other related documents here) specifies that the device, though it contains a battery, uses *PASSIVE* RFID, not active, and that at first glance might seem to limit the distance at which it can be read. But the science isn’t as linear as that (where passive=short distance, active=long). There are innovations in chip design and reader-power architecture that can still read from far distances of even a couple hundred feet. Based on similar devices, it looks like the MagicBand might be readable from 10 meters away, despite being passive. We know Disney is using a battery-assisted 2.4Gz RFID tag, and there exists a similar one on the market that can be read from 30 feet away.

There is even a technical explanation for the fact that MagicBands seem to work in two ways: up close for purchases and FASTPASS+, but long distances for ride photos and to-be-unveiled interactivity on attractions. Namely, the MagicBand FCC specs point out that it has two antennae–presumably, HF (short range) RFID for the restaurant, stores, and FP+ scanners; and UHF (longer range) RFID for the MyMagic enhancements on the rides.

The clues seem to be stacking up. Disney has a battery-operated RFID tag that matches those on the market which CAN be read from long distances, we’ve got first-hand reports by some travelers that on-ride photos are being added to their accounts, and we know of many spots in rides where videoscreens await their first power-up to offer customized greetings to tourists wearing MagicBands. It looks like long-distance RFID scanners are in the cards from these arguments alone.

fastpass+ 2013-09-08-9225

To make absolutely certain, we could turn to Disney’s own privacy policy on Magic Bands, which states (in part):

The MagicBands can also be read by long-range readers placed in select locations throughout the Resort used to deliver personalized experiences and photos, as well as provide information that helps us improve the overall experience in our parks. Guests can participate in MyMagic+ and visit the Resort without using the MagicBand by choosing a card, which cannot be detected by the long-range readers; however, certain features of MyMagic+ are dependent upon long-range readers, including automatic delivery of certain attraction photos and some personalized offerings are only available to guests using a MagicBand.

Well, there’s no doubt left now. I wonder if that explanation of long-range readers was there months ago, when this topic was more hotly debated online. I’m guessing it’s a more recent addition. In any event, we’ve got our answer: Disney is installing long-range readers, at least on the rides.

I’ve got no information about Disney’s intent with these readers. Maybe they are just there to enable convenient connections to your account, like the example of Space Mountain pictures appearing in your online account after your vacation even though you didn’t seek them out. Or maybe Disney wants to install more readers throughout the park. From a technology point of view, there is no reason Disney couldn’t build a sophisticated “war room” with a giant digital map of the Magic Kingdom, and show people by name moving through the park in real-time. Think of it as the Marauder’s Map from Harry Potter… except this would be real, not fiction.

Now, Disney might not want to engage in that much tracking, especially if coupled to individuals and their names. It would probably be bad for business if the public knew. But the salient point is that the technology exists to do that, and the MagicBands make it possible. So the customer is essentially trusting Disney NOT to do it.

What Disney probably wants is to harness the power of Big Data. If they track people by patterns and amalgamation (rather than bothering with what individuals are up to), they can spot ways to save money (shift workers to and fro) or to make money (open additional shops and restaurants). There’s nothing inherently evil in this, but the national conversation about privacy and Big Data is just beginning. One public school’s use of similar RFID chips faced legal challenges (specifically, against unreasonable search and seizure), but ultimately the school won out in court (and ironically discontinued the RFID program later anyway). Let’s also remember Disney is a private corporation, not the government.

fastpass 2013-11-03-1296

Disney *does* know who each RFID chip belongs to. What’s stored on the chip is just an account number that makes sense only to Disney. But Disney can decipher it and crosswalk that number to its own databases, and thus easily figure out who is doing what in the parks. If they wanted to, they could “drill down” to specific individuals, at least from a technology/data point of view (policy aside).

Some portion of the population won’t be bothered by this. Even if the parks installed enough sensors to know how long it took between your purchase of a burrito to your visit to the bathroom (and how long you stayed there), some folks won’t mind. Reading with the grain, such intrusions into privacy can give Disney valuable information to make the parks a better place. They’d know which bathrooms are the most visited, for instance–maybe this could cause them to take action and build relief facilities nearby? Besides, as they argue in similar discussions around the Web, privacy is already an illusion in today’s society. And they point out (correctly) that we are being tracked already to some extent. Those EZ Pass/Sunpass toll road devices use RFID, and their data is used (in aggregate) to give real-time traffic information.

But I suspect there will also be a portion of the population that will be less charitable if Disney does install sensors everywhere, and these customers discover that Disney knows who they are, where they are, how long they stayed there, and who they were with. One hesitates to invoke Big Brother, as the phrase is so hackneyed by now as to be emptied of almost all meaning, but RFID really and truly might be able to function as a way to track with that much granularity.

Earlier in 2013, Disney was in the headlines when a Congressman (Rep. Markey, D-Mass) asked in a letter if Disney’s new technology could be used to exploit children. Disney CEO Iger responded vigorously, but this was not the kind of national press the company usually seeks out. Will we see a repeat of that scrutiny now?

fastpass+ 2013-11-23-2130

Disney is often a leader not just in theme park rides, but in using technologies in general. I wonder if Disney is risking national exposure–and not in a good way–but being out in front with this level of power to track. Even if Disney elects not to *do* the tracking, it looks like the *potential* is there, and I suspect that alone might be enough to convince some people not to come at all. If that scenario happens, a big chunk of MyMagic+ will have collapsed in on itself. It’s supposed to be a money-maker (and I still think it can be!), not a money loser.

Your opinion on all this is welcome in the comments. Are you OK with being tracked on the rides even when you don’t swipe? Would it make you hesitate to visit Disney World if you knew your movements would be tracked, charted, and recorded for Big Data posterity?

WDW Clicks #6

This week we bring the telephoto lens to Seven Dwarfs Mine Coaster, explore the Norsk Kultur stave church gallery in Norway, tour the new bus loop at the Magic Kingdom entrance, see the Christmas tree in Be Our Guest, look at the new Joffrey’s coffee carts in DHS, see the altered AFI store and Sid Cahuenga’s, gawk at new Disney posters in Magic of Disney Animation, sample some new holiday food items at World Showcase, and glance quickly at Spice Road Table.

Direct link: http://youtu.be/ysX9WxZ31dc

Creepy Cherubs?

I’m a big fan of insider tributes and homages at the theme parks (seeing as I am the author of WDW Hidden History, this is no surprise!), so of course I have long been fascinated with the cherubs in the ceiling of Be Our Guest. These cherubs are representations of the children of the Imagineers who worked on this part of Fantasyland.

Front line Cast Members were told when the restaurant opened that there were also images of the Imagineers themselves mixed in. Looking at the final results, this makes sense. Some of the cherubs appear to have pretty mature features and hairstyles!

!cherub

Does the old-young combination look creepy to you? Have a look at all forty cherubs and let me know what you think!

About Kevin Yee

Kevin Yee is an author and blogger writing about travel, tourism, and theme parks in Central Florida.

Browse Archived Articles by

  • parker4fm

    I’m trying to figure out why this is a surprise? Disney had stated in the past that this would allow for interactivity while on rides. Therefore this would mean that there has to be a certain level of distance for say, Scuttle on Mermaid to say something directly to a passenger on the ride. I personally have no problem with this. Our cell phones provide a way of tracking us, so do our GPS systems in our vehicles. If Disney is able to make a better guest experience, it does not matter to me.

  • Kevin Yee

    I too have always felt long-distance scanning would be their solution. But the MagicBands require SUCH precise positioning and almost touching to work that a long-distance solution seemed not in the cards at first (maybe they were planning to have you manually scan a reader when you stood in front of Scuttle?)

    I’m not surprised either, particularly, but I wanted to point out that any debates people had about privacy were previously squashed since the consensus was that the Bands were short-distance only, and now that we know it’s not true, I wondered if people had any different perception about privacy.

    • danlb_2000

      It’s pretty clear from last years’s FCC application that the bands have a long range active component. The cover letter says “arm band that transmits a 2.4 GHz
      signal” and “The band has no on off switch and is powered with a non-replaceable coin cell”. The frequency and battery tell you that it’s an long range active transmitter. The cover letter then goes on to say that the bands will ALSO have two passive RFID radios.

    • TheBig2na

      This shouldn’t really be a surprise to anyone. Perhaps the answer is more in the types of scanners they are using. Some work at very close range others can be up to 30 feet. I was surprised so many are surprised.

    • HanoverFist

      We were there 2 weeks ago. It’s definitely transmitting. Long range? dunno what you want to consider “long range” but our ride photos showed up on our PhotoPass account without me doing a thing. The only way this could have worked is if the camera scanned our MB’s when we by and tagged the photo. This happened on several rides. However you are correct in that the payment terminals or FP terminals require you to touch your band with precision and can be a little frustrating. Presumably this is to prevent the scanner from picking the bands from everyone around you.

  • ti2gr

    Disney has been able to track people at the parks since the day Disneyland opened. Just by selling a ticket, they can track how many people were in the park, how many people went on a specific ride and so forth. When the magnetic swipe came to the tickets they could tell when the ticket holder entered the park, right down to the time they entered the park. If that ticket got a fast pass they could tell which ride and time it was for. Key to the World Cards with your tickets on them could do the same in addition would say which resort you were at and if needed a lock interrogation a the resort could tell when that key was used to open the door.

    The Magic Band is no different. The Magic Bands do exactly the same thing that the KTTW cards did, with the addition of the My Disney Experience app you are able to now create those Fast Passes instead of walking up to a machine. In regards to PhotoPass, it’s taking the information that would normally be on a PhotoPass card and associating it with a Magic Band. On the inside of the Magic Band is a unique number, that number is associated with the owner of that band. If the reader can detect the Magic Band and associate that band with a rider on the ride, then why should that guest have to wait for their ride photos. If they purchased the PhotoPass package that includes the ride photos there is no reason for them to stand in line just for a photo.

    If you are worried about Big Brother watching you then get rid of your Smatphones and GPS deices, they tell a lot more than what a Magic Band will.

    Quit being such a fear monger

    • ParkerMonroe

      To paraphrase Ben Franklin, “Anyone that willingly gives up privacy to gain a little leisurely convenience deserves neither and will lose both.”

      • Aviator621

        That basically changes the entire context and meaning of the original quote, but ok….

      • johnnylately

        Gak! You can’t use quote marks if you are paraphrasing.

        And indeed you have changed the words, which completely changes the meaning, so it isn’t something Ben Franklin said or meant, it is now a quote of yours.

        Poor Ben is spinning in his grave…

    • danlb_2000

      The difference between the KTTW card and the band, is you know when the KTTW card is being read since you need to bring it close to the reader. The band on the other hand can be read at any time anywhere in the part. With the proper equipment they can also track your exact position in the park the entire time you are there.

      I am not trying to make a case for this being good or bad, just trying explain what is possible.

  • steve2wdw

    Having just returned from a trip to WDW two weeks ago, after reading this post, I decided to check out the PhotoPass section of MDE, and guess what? There were pictures of me riding Buzz Lightyear and Space Mountain, that I did not expect to be there. As Arsenio Hall used to say “things that make you go hmmmmm….”

    • parker4fm

      I have to say that I love the photo idea. I hardly ever check the photo after getting off the ride. I can imagine that a lot of people don’t check it, or for some reason decide not to buy. Once they get home they see this, like the picture, and boom…there’s an extra bit of money for Disney.

      Remember…if the company makes more money…then we will get new attractions.

      • DLFan1995

        Not necessarily.

      • billyjobobb

        but what happens when the company realizes that they don’t need new attractions to make more money. They need new restaurants and new gift shops?

  • jediblueman

    Didn’t they say very early on that there are two RFID devices in the band, one for short range for secure thing (opening doors, purchases, park entry etc.) and one for long range for less secure things and interactions (ride photos, other magical moments)?
    I feel like this has been known for a while.
    I also still don’t understand the privacy concern. Nobody complained about using a KTTW card for park entry, getting fastpasses, opening your door, and making purchases, all of which is traceable. The magic band only goes a little bit further than that, even counting the long range stuff.
    For example…if you’re concerned about privacy related to ride photos automatically showing up on your band. Isn’t the privacy already lost by the fact that they took your photo at all? What difference does it make if it automatically ended up on your My Disney Experience account using magic band technology? Either way, there is a photo of you. That’s about as un-private as it gets.

    • steve76

      The point about on-ride photos is a really good one. Disney takes your photo, and then sells it to the other people in your boat/car/train. I’ve often wondered if somewhere someone has got a Splash Mountain photo on their mantlepiece with my ugly mug on it! Of course we effectively sign away our rights when we enter the park or attraction, but to me that’s a greater breach of privacy (albeit one I’m willing to accept) than being tracked in the parks.

      • olegc

        to make it even more interesting, the supreme court just rules that one person’s personal photo post on social media is owned by them, and can’t be used for commercial purposes. So funnel that down to the example of your picture on someone else’s offer for a Splash mountain photo. Were you made aware that your image was placed for sale to someone else. I know – there is the idea that the park has rights to your image if you enter – but if that’s true then why do you sign a separate release when you come to an event that is in the general park population? its a muddy discussion when you get into details – and will be interesting to see down the road if anything comes of it.

  • LoveStallion

    Just visiting the whole Florida property now sounds like a hellish experience. I hope this never makes its way to local-heavy Anaheim.

    • FerretAfros

      While the experience is different now, I don’t see how this element of it is even remotely “hellish”. Everything indicates that the NextGen project will come to Anaheim in some form in the next few years; personally, I think it’s kind of fun to watch all the Californians squirm at the thought of it! :)

      • LoveStallion

        We don’t want your soulless absurdity in SoCal! Ironic statement, no? :)

        I do question how much value NextGen has in Anaheim. Much of the money to be made from it is from meal plans, pictures, purchases, etc., and while Anaheim surely has those out-of-towners, the overall mindset of the place is just totally different from that of Florida.

    • KISSman

      I did the MM+ thing in August and could not fathom how this could ever fly in DL. The FP+ aspect of MM+ is nothing short of ‘hellish’. I disliked it enough to see it as a reason to not go back to WDW.

  • steve76

    I have to admit that I am one of the people you mention that doesn’t really have a problem with being tracked in the parks. Whilst I am on Disney’s property, then I think that they have a reasonable right to know where I am on property, which services I use and when, and what transactions I have with them. If they want to know that I went on Pirates and then went to the other side of the park for lunch, and went shopping whilst I waited for my Space Mountain FastPass, then fine – I don’t consider that to be particularly sensitive information. Someone in Mickey Control could probably follow me on CCTV the same way if they were so inclined (was there an outcry when CCTV and undercover security was brought into the parks?). I’m not sure what people are doing in the Magic Kingdom that is so private and secret that they don’t want its owners to know.

    Now, if they were to use a system that monitored your movements after you’ve left property or going around Universal, then that would be another thing entirely. But whilst I’m on Disney property, and with the exception of inside my hotel room, I don’t think it’s an issue. The Magic Band system is very clearly “bounded” to Disney property, which is why I think it’s OK.

    • TodAZ1

      “I’m not sure what people are doing in the Magic Kingdom that is so private and secret that they don’t want its owners to know.”

      That’s not really the point of privacy. What you’re saying is, basically, “As long as you’re not doing anything wrong, you have nothing to hide.” There’s a reason that search and seizure laws exist. And, I think, what Kevin is saying with this column is how close Disney is getting to that. Orwell’s ’1984′ could be very right. But it may turn out the corporations are the “Party.” And we let them do it. Comcast has cameras you can put in your house to monitor when you’re away from home. Disney has RIFD monitors. Cell phones are already being monitored.

      I’m not a huge fan of things like this, or even interactivity. I like to watch shows and be entertained. If I wanted to be part of the show, I’d take acting classes.

  • ParkerMonroe

    I can see the advertisements already: Goofy lugging a cart load of cameras, video equipment, cards, coins, lanyards, and other miscellany around the park while Mickey and Minnie stroll through the park (hand in hand) carrying only their MagicBands; taking comfort in knowing all their picture and video needs were being taken care of by hundereds of hidden cameras.

  • jcruise86

    The stalking capabilities will not really be utilized extensively until Disney implements “Magicbands 2.0″ in 2016. (I read about Magicbands 2.0 on the internet! Google it for yourselves.)

    And Magicbands 3.0 will involve tracking you with drones more advanced than these–coming soon from Amazon.
    http://www.usatoday.com/story/tech/2013/12/01/amazon-bezos-drone-delivery/3799021/

    When you wish upon a drone
    Under Mickey you’ll be prone.
    Anything your heart desires
    will come to be known by the Disney Corporation.

    It begins!
    I for one welcome our mouse overlord and. . .

  • OprylandUSA

    I guess I missed the news that Sid’s closed. That was the one of the few unique (only?) places left to shop in any of the Disney parks. It will be truly missed.

  • chesirecat

    I believe this feature has been known for a while, and I think it is already used on the cruise ships. It can actually be a great safety feature for parents who lose their child in the parks, now they can find them more quickly before a pedophile guest takes advantage of them. I don’t find it creepy because the guest is on Disney property, and 99.9999% of guests aren’t up to anything bad, and your position in the park, like where you are on the cruise ship, doesn’t reveal anything . . . scandalous/embarassing about you, yes?

    • Rebekkap

      Given the blanket CCTV coverage of Disney parks, it’s ludicrous to suggest a paedophile would be lurking around to take advantage of kids. They’d be caught in a second, and it can’t remember any news stories about paedophile a being caught at Disneyworld, can you? Not to mention the whole stranger danger thing drives me a bit nuts, as kids are far more likely to be abused by someone they know.

  • StevenW

    Long Distance tracking doesn’t bother me as much as potential for fraud. There is no reason to doubt that long distance tracking will make it easily for a hacker to identify a user, duplicate the RFID, and utilize the benefits without knowledge of the user. If Disney is able to buy the equipment, a hacker will be able to do the same with off-the-shelf devices.

    I do find it interesting that the tracking of ride photos is viewed as a negative in some cases. I think it is a plus, a clear advantage, but somehow Disney has made it seem like a negative with their strange privacy policy. Why write it like that? It is a strange why to advertise a benefit. It is also strange that the user can’t opt out.

    This does vindicate Congressman Rep. Markey, D-Mass. Iger’s response was very rude.

    • Wedbliss
      Long Distance tracking doesn’t bother me as much as potential for fraud. There is no reason to doubt that long distance tracking will make it easily for a hacker to identify a user, duplicate the RFID, and utilize the benefits without knowledge of the user. If Disney is able to buy the equipment, a hacker will be able to do the same with off-the-shelf devices.

      This is exactly what bothers me about this. You know that criminals are working hard to come up with ways to “pick your pocket” in the parks. I am not schooled in this technology, but seeing as how every measure has a countermeasure, how is Disney going to protect people by being spied on by those intent on fraud?

    • Hastin Zylstra

      Have you tried to duplicate RFID? Not nearly as easy as taking any simple magstripe card (such as a credit card) and running it through a scanner. A mag stripe card simply stores a number, the CID, and the expiration. Lots of potential for fraud there.

      There’s at least a level of encryption, and a key pair, that doesn’t expose the direct account number. Even then (compared to a credit card) – you are looking at at least 3 layers of security. The PIN code, the obscured credit card number, and the encryption on the RFID number.

      Much more secure than handing a credit card to your server, or the printed barcodes on the Disneyland tickets.

      • Wedbliss

        Well, that’s good news. Thank you.

  • Dan Heaton

    I don’t have a problem with Disney tracking me in the parks. Do they really want to know that I rode Pirates 10 times? Okay. I also don’t suspect nefarious goals from the company about what to do with the data.

    However, this brings up the question that’s been on a lot of people’s minds about how Disney plans to really turn a profit with MyMagic+. Decorating the bands and upcharging for certain experiences doesn’t seem to be enough. The way for them truly to make money is to use the data and sell it (following legal guidelines) to vendors. Combining this with the potential to “personalize” the experience, and there’s a route for MyMagic+ to do well.

    Still, I suspect this is going to collapse onto itself like you mention. The guest benefits just aren’t there, and the lack of new attractions puts more focus on what those Magic Bands really do.

    • lionheartkc

      It’s all about targeted marketing. They learn about you, they learn what you like and don’t like, and then they direct all of their marketing efforts to your touch points. It’s an extremely effective way to make A LOT more money while making the customer feel like they are actually getting better service instead of being fleeced.

  • solarnole

    In 2013 no company should be this wasteful. You can tell by the way the battery is fused to the band that it cannot be recycled. Plus they do not even have a recycling program set up for the bands. I will not be going to Disney as long as they support such wasteful practices. Wall-e taught then nothing I guess.

    Green is Universal

  • lionheartkc

    While I can’t say I’m a fan of a lot of what they are doing with Magic Bands, the one thing I am a fan of is that they are going to fix the transportation problems that have developed at Disney World. Disney is finally going to know how many people are at what bus stop and where they are waiting to go and then be able to route buses appropriately. A cast member who worked for My Disney Experience told me that the new bus stop at Magic Kingdom already has this tech installed.