« Deploying a New Hash Algorithm | Main | More on Disney »
July 16, 2005
Welcome to Disney World, please let us scan your fingers
Blake Ramsdell writes in to point out that Disneyland has started fingerprinting visitors:Tourists visiting Disney theme parks in Central Florida must now provide their index and middle fingers to be scanned before entering the front gates.The scans were formerly for season pass holders but now everyone must provide their fingers, Local 6 News reported. They have reportedly been phased in for all ticket holders during the past six months, according to a report.
Disney officials said the scans help keep track of who is using legitimate tickets, Local 6 News reported.
This coverage is pretty vague (legitimate tickets? That seems easy to deal with with non-biometric anti-counterfeiting measures) but based on the fact that it used to be just season ticket holders and now it's everyone, it seems pretty clear what's going on. The following table shows Disney World's price structure:
| Days | Price Per Day | |
| Ages 10+ | Ages 3-9 | |
| 1 Day Ticket | $59.75 | $48.00 |
| 2 Day Ticket | $59.50 | $48.00 |
| 3 Day Ticket | $57.00 | $45.67 |
| 4 Day Ticket | $46.25 | $37.00 |
| 5 Day Ticket | $38.60 | $31.00 |
| 6 Day Ticket | $32.67 | $26.17 |
| 7 Day Ticket | $28.43 | $22.86 |
| 8 Day Ticket | $25.25 | $20.25 |
| 9 Day Ticket | $22.78 | $18.22 |
| 10 Day Ticket | $20.80 | $16.70 |
As you can see the price per day drops pretty sharply the more days you buy. This is an obvious price discrimination move: the marginal value to you of staying your 9th day at Disney World is surely less than the value of staying your first day. However, as with all price discrimination, it only works if the seller can stop arbitrage between people they're trying to sell cheaply to and people they want to charge full price. I expect that the concern here is that people will buy 10-day tickets and then share them, thus bringing Disney's price per guest down to the 10 day price.
This is where the fingerprints come in: they stop people from sharing their tickets, thus letting Disney continue to collect their monopoly rents. This is a fairly standard solution, of course; back when I used to go to Great America, they would put your photo on your season ticket pass and the guards would ostensibly check it when you went by. In practice, of course, they didn't check it very carefully and the low-resolution bitmap photos they used make everyone look the same anyway. I imagine that the problem is even worse when most of the customers are kids, who, at least to my eyes, look more similar than adults.
All that said, I wouldn't be that excited about giving Disney my fingerprints, though I can't necessarily put my finger (hah hah) on why. If nothing else, wide use of fingerprints for casual authentication represents a serious threat to their use in high-value authentication contexts. It's well known that given someone's fingerprints its possible to make fake fingers that will fool sensors. Disney says they're not collecting fingerprints but just a representation of the unique features, but it's known to be possible to reverse these representations in some cases, so this isn't as comforting as it should be. Imagine the effects of a compromise of Disney's database should fingerprint authentication ever become widespread.
Certainly, there are ways to make this more private. For instance, you could encode the user's fingerprints on a smart card (digitally signed?) or even a 2-d bar code like with passports and never store them in a back-end database. That way, at least you wouldn't have some database that could be compromised. You'd still need to trust Disney, but not as far.
This leaves us with the question of whether there's a way to salvage Disney's business model without recording people's fingerprints. The other common technique that people use is to have tamper-resistant wristbands. In practice, however, these just aren't that hard to bypass, and when sums of money on the order of $20-50 are at stake you can bet people will, so I think this is a non-starter.
Another option would be to sell a one-day, no in-and-out ticket that doesn't require any kind of authentication. This would let people who wish to maintain their privacy do so, but let you offer a discount to people who don't care. This seems like it would be hard to explain to customers. You could fingerprint people only on the way out, in the same way as clubs hand-stamp you on the way out. That would make the value proposition a little clearer.
The final option, of course, is to stop price discriminating. It's hard to believe that any sane monopolist would do that. Come to think of it, given the ease of forging fingerprints, I guess we should be glad they're not asking for a DNA sample.
Posted by ekr at July 16, 2005 7:47 PM | Filed under:
Comments
I'm wondering. How hard would it be to retrieve a DNA sample while taking someone's fingerprint?
Posted by: Ralph Meijer at July 17, 2005 12:37 PM
Asking them to run the same credit card each day should stop most of the fraud. Failure to have the credit card could require check of IDs. There are flaws in this scheme but I would have suggested this before the fingerprint readers.
Posted by: Steve Purpura at July 19, 2005 10:05 AM