NextGen / FP+ / Magic Band. The official truth starts to appear

[RandomPrincess]

lazyboy97o is right.

Yes, a bad guy COULD use a reader to grab ID numbers off of wristbands. Then they would have to also embed that code onto another wristband, since you will need a wristband or KttW card to charge anything at stores, restaurants or snack carts. Even the worst CM would notice if you were tapping something that wasn't recognizable.

Assuming they DO go that far and start charging things, it's only being applied to your Disney account, which is then reconciled and charged to your card at the end of your trip, or when you hit the charging limit you set. When you get the statement on your door, you'll notice if there are a bunch of charges that you didn't make. That's when you head to Guest Relations to dispute them, and then to your Credit Card company as a last resort.

So, while the chance of someone pulling off the fraud exists, the chance of it coming out of your pocket is almost zero.

And they won't be able to break into your room, because they won't know where your room is. They can't use the ID to do any sort of reverse lookup, because only devices ON Disney's private LAN (network) would be authenticated to query the database. To pull off a feat like hacking that far into the system would mean the hacker is quite elite....and would just go straight for the pot of gold, bypassing the hassle of stealing individual IDs.

Long story short - you put yourself more at risk by carrying your actual Credit Card into the park than you will having RFID identification on your person.

They would also have to know your pin number to make any purchases.

 

[Tom]

They would also have to know your pin number to make any purchases.

Right! Forgot that.

 

[Gabe1]

The band itself does not carry the data. The hacker would have to be able to take the band's ID and properly correlate it with Disney's system. It'd be easier to skip getting individual IDs and just go after Disney's system where you can get data on a mass of people all at once.

So it is impossible to clone the data off my wrist after seeing me exit my room and use that stolen info to enter my room?

I have so much to learn.....

They would also have to know your pin number to make any purchases.

It did amaze me that Disney didn't initially require a pin for purchases under $50. Glad they fixed that.

 

[lego606]

So it is impossible to clone the data off my wrist after seeing me exit my room and use that stolen info to enter my room?

For someone to go to a specific room, follow you throughout the park, hack the band, encode it in the way Disney specifically encodes it to open the door, and get back seems a bit... extraordinary in my opinion.

 

[Tom]

For someone to go to a specific room, follow you throughout the park, hack the band, encode it in the way Disney specifically encodes it to open the door, and get back seems a bit... extraordinary in my opinion.

Quite extraordinary.

And I would hope you would notice if someone was creeping around your body, trying to lift the ID. If people were aware of their surroundings, many fewer crimes would be pulled.

 

[Gabe1]

For someone to go to a specific room, follow you throughout the park, hack the band, encode it in the way Disney specifically encodes it to open the door, and get back seems a bit... extraordinary in my opinion.

I am genuinely trying to understand. If some Disney Readers can read from a distance, it could happen very close to your room, no need for a thief to travel to a park and back again, right? The beauty for the evil, that wristband will always be on.

 

[lazyboy97o]

I am genuinely trying to understand. If some Disney Readers can read from a distance, it could happen very close to your room, no need for a thief to travel to a park and back again, right? The beauty for the evil, that wristband will always be on.

Again, spoofing an individual's specific ID and targeting them is a lot of extra work that is not going to happen quickly. It would again probably be easier to just go straight to hacking the door.

And just a note, hacking doors is not a new possibility. It is also possible to hack the standard key swipe doors used all over the country.

 

[pjammer]

The long range passive ID will only transmit you first name an celebration so the ID would be useless to hackers. They would need to get almost next to you to steal the active ID that transmits the important data. Also it would be easier to just steal the housekeeping lady's room key entrance than try to follow an individual around to get in there one room.

 

[bigAWL]

I'm pretty sure Disney is working on a drone program, too. No telling what they'll do with that. Surely, they'll find out who's skipping out to go to Universal and start working on a kill list.... or at least coordinate with the surrounding authorities to ensure that you hit every red light on the way over.

 

[Rasvar]

There are ways to capture and spoof the room key/room charge portion of the band from a distance. However, it would take an amazing amount of work to do it without someone seeing you as the equipment to do it is not easily contained. It requires a significant directional antenna and a transceiver. The antenna would be very to hard to conceal in most places. I suppose someone could camp in a parking lot and do it but the payback to risk ratio makes no sense. So, technically it is possible but the reality is that it is not likely at all.

 

[ParentsOf4]

Here's where I'm not making the connection. What constitutionally protected civil liberties have corporations eroded from us? I could get behind the argument of GOVERNMENT taking civil liberties from us. The only way a corporation, such as Disney, can "violate" your civil liberties is if you voluntary agree to their terms of entrance/use/agreement and thus consent to having those liberties "violated." But even still, no liberties would have been violated anyway, because a corporation is not a government.

When can a corporation go too far for me? Simple answer: never. I am not entitled to consume a product a company offers. If I do not like the conditions set forth to consume their product, I will simply stop doing so, or migrate to their competition, provided they have more amenable terms. The only way the company will have an incentive to change is by you ceasing to give them your dollars.

Of course private companies can violate our civil liberties. Just consider the Civil Rights Movement for numerous examples. Prior to the passage of several pieces of legislation, most notably the Civil Rights Act of 1964, it was legal for private businesses to discriminate as part of its “terms of business”. The events that led to the passage of the Civil Rights were decades in the making.

Please note that I am not comparing the use of tracking devices to the Civil Rights Movement; only using the Civil Rights Movement as a well-known example of how the government stepped in to protect violations of people’s civil liberties by private businesses, even though those private businesses were engaged in (at the time) “legal” and well-established practices.

The ability for private companies to track individuals’ movements is new. There may very well be reasonable uses of such devices but today it’s effectively the Wild West era for tracking devices. The technology is new and laws have not kept pace with their use. GPS (for example) has been available for civilian use for less than 20 years. Compared to the timeline of other civil liberty disputes, 20 years is a drop in the proverbial bucket.

As long as corporations with vested interests in the technology and deep financial pockets lobby Congress, no laws are going to be passed protecting us against unfettered use of such devices to affect our lives.

What happens, for example, when insurance companies, as part of their terms of business, decide that we need to wear tracking devices so they can monitor whether we are engaging in “risky” activities? What happens when banks requires us to wear monitoring devices in order to take out loans? Or grocery stores require us to wear tracking devices to purchase food? Today, what laws are in place that would prevent these scenarios from happening?

Once we conceptually accept that Disney has the “right” to have us wear devices that allow our physical movements to be tracked for whatever reason, where does it end?

Quoting Justice Samuel Alito in United States v. Jones:

In the pre-computer age, the greatest protections of privacy were neither constitutional nor statutory, but practical. Traditional surveillance for any extended period of time was difficult and costly and therefore rarely undertaken. The surveillance at issue in this case — constant monitoring of the location of a vehicle for four weeks — would have required a large team of agents, multiple vehicles, and perhaps aerial assistance. Only an investigation of unusual importance could have justified such an expenditure of law enforcement resources. Devices like the one used in the present case, however, make long-term monitoring relatively easy and cheap. In circumstances involving dramatic technological change, the best solution to privacy concerns may be legislative.

Even a conservative justice such as Alito recognizes that a legislative solution might be in order.

In the past, our privacy was protected as a matter of practicality. It was impractical for government agencies or private corporations to follow us unless there was a reason for it. However, technology has reached the point where it has become cost-effective to "stalk" all of us all the time. I don’t want to be stalked. I want Disney to stop stalking us.

If a complete stranger followed us and our families for a week, 24 hours-per-day, we’d have a reasonable case of bringing up stalking charges against that person. Disney is a complete stranger and has the technology to track our movements throughout an entire week-long vacation. Although Disney certainly would fail to meet the “credible threat” criteria necessary for aggravated stalking, a (weak) case could be made that Disney is engaged in simple stalking, usually a misdemeanor. The fact that Disney arm-twists us into accepting their “stalking terms” with the threat of being denied nearly all services we paid for suggests we are not truly volunteering to be tracked by Disney. Legally, I am certain the case would be thrown out but, hopefully, this makes it a bit more apparent Disney intends to engage in a behavior that might end up landing an individual in jail. There will be legal ways individuals can be tracked but, as suggested in Alito’s opinion, laws have not kept pace with technology.

That Disney buries use of RFID devices in a mind-numbingly long “terms and conditions” disclaimer might make it legal today; it does not make it acceptable. Both liberal and conservative elements oppose the use of tracking devices on human beings. However, as long as large corporations continue spend millions to lobby Congress and local state houses, what is the likelihood of effective legislation being passed? According to Media Matters (http://mediamatters.org/blog/2012/02/03/how-much-did-media-companies-spend-lobbying-on/184807):

Disney's fourth quarter disclosure form indicates the company spent $1,190,000 on lobbying expenditures between October and December of 2011, and some of this money was spent to lobby on SOPA and PIPA

That’s just the amount spent by Disney in one quarter to lobby Congress. Corporations are spending obscene amounts of money to influence federal and state legislative bodies. They are spending that to protect their financial interests, with all other considerations, including civil liberties, taking a backseat. As suggested by Alex Carey decades ago:

The 20th century has been characterized by three developments of great political importance: The growth of democracy, the growth of corporate power, and the growth of corporate propaganda as a means of protecting corporate power against democracy.

The situation has only grown more extreme since he penned that thought.

Disney wants to use RFID devices. Disney is spending millions to lobby. What’s the likelihood of laws being passed to limit the use of tracking devices?

For me, I simply want my children to be able to live their lives without being bodily tracked.

 

[MattM]

For me, I simply want my children to be able to live their lives without being bodily tracked.

**Only quoted last line to save space***

@ParentsOf4 you know I respect your opinion. But you keep citing a supreme court decision that cannot be applied to this example, regardless if conservative Justice Alito wrote the opinion or not. With Disney, nobody is forcing you to do anything that you do not want to do. There are no requirements to wear any tracking device for any period of time anywhere in Disney World. This is the trump card in this debate. I don't see how we logically get from voluntarily wearing a tracking device on a private entity's property to being tracked 24/7 by the big bad corporations.

You want your children to be able to live life without being tracked. Nothing Disney is doing prevents that from happening. You just may have to give up voluntarily going to Disney if you really don't want them to be tracked. But you have to be prepared to do that. If and only if enough people do that, then Disney may consider changes. You could never make the case of Disney stalking you while in their parks/property because you agree to be monitored by entering their parks. Again, nothing is going to happen that you do not allow to happen.

This is what I'm not understanding in any of these arguments. Nothing is going to happen to you outside of Disney's private property if you do not allow it to. It doesn't even have to happen INSIDE of Disney's property.

Just curious, do any Floridians here use SunPass?

 

[Bolna]

Of course private companies can violate our civil liberties. Just consider the Civil Rights Movement for numerous examples. Prior to the passage of several pieces of legislation, most notably the Civil Rights Act of 1964, it was legal for private businesses to discriminate as part of its “terms of business”. The events that led to the passage of the Civil Rights were decades in the making.

This is such an important aspect. Human rights do not only exist as a way to protect the individual against infringement by the state. It has been very well established in international human rights that a state is also responsible to empower the individual to live according to his or her rights. While some people might believe otherwise, this is a well established opinion. And as can be seen with regard to the civil rights issue, it has been applied in the past already.

Also, the notion that data protection has nothing to do with civil liberties at all is just plain shortsighted. As @ParentsOf4 keeps pointing out: these are new issues. So of course the law is still in the process of forming. In Germany the Supreme Court has ruled already in the 1980s that every individual has a right to informational self-determination and the Charter of Fundamental Rights of the European Union (most likely the most modern human rights charter existing at the moment) does recognize a specific right to protection of personal data.

Some people might not believe that society should regulate these issues in some way. But others believe the opposite. That's how laws evolve. However, claiming that this topic is not a civil liberties issue is just plain wrong as it is discussed in this context by many people - not the least at the moment by the European Parliament.

 

[MattM]

This is such an important aspect. Human rights do not only exist as a way to protect the individual against infringement by the state. It has been very well established in international human rights that a state is also responsible to empower the individual to live according to his or her rights. While some people might believe otherwise, this is a well established opinion. And as can be seen with regard to the civil rights issue, it has been applied in the past already.

Also, the notion that data protection has nothing to do with civil liberties at all is just plain shortsighted. As @ParentsOf4 keeps pointing out: these are new issues. So of course the law is still in the process of forming. In Germany the Supreme Court has ruled already in the 1980s that every individual has a right to informational self-determination and the Charter of Fundamental Rights of the European Union (most likely the most modern human rights charter existing at the moment) does recognize a specific right to protection of personal data.

Some people might not believe that society should regulate these issues in some way. But others believe the opposite. That's how laws evolve. However, claiming that this topic is not a civil liberties issue is just plain wrong as it is discussed in this context by many people - not the least at the moment by the European Parliament.

How would the Protection of Personal Data article in the Charter of Fundamental Rights be violated by Disney?

Article 8
Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.

 

[lazyboy97o]

You want your children to be able to live life without being tracked. Nothing Disney is doing prevents that from happening. You just may have to give up voluntarily going to Disney if you really don't want them to be tracked. But you have to be prepared to do that. If and only if enough people do that, then Disney may consider changes. You could never make the case of Disney stalking you while in their parks/property because you agree to be monitored by entering their parks. Again, nothing is going to happen that you do not allow to happen.

I don't even think it has to go that far. The only device that has the potential to be tracked is the MagicBand. The RFID card seems to be not much more than a replacement for the magnetic strip, removing the physical contact that wears down the equipment. Who has not experienced a card reader that wasn't wanting to read perfectly good cards? Simple point of sale systems can create profiles by identifies such as a credit card number and have been able to do this for years now. Grant it, this is Disney, but I doubt having the system look for a match between reservations and the on-file card and a card used for purchases would be all that difficult.

I'm not a Floridian, but I do have a SunPass.

 

[RSoxNo1]

Never forget your:
Keys
Cellphone
Wallet
Rear-ends that rhymes with glasses
Glasses
Hats
Prosthetic legs
Hearing aids
Dentures
Small Children
or anything else you could bring on a conceivable occasion.

I'm very tempted to post the George Carlin bit when he talks about how your house is just a place for your stuff. It might result in getting banned though.

 

[sshindel]

I'm very tempted to post the George Carlin bit when he talks about how your house is just a place for your stuff. It might result in getting banned though.

My mind went to the airline bit. The one with "...any personal items you may have brought on board."

 

[Vernonpush]

OK, here's my 2 cents on the "tracking" debate:
Last Sunday we went to DAK for our morning walk (exercise), we did our "power walk" at rope drop to be the first to walk the trails in Africa (since these trails are usually filled with tourists after the first Safari Ride lets out) followed by our usual walk through the trails in Asia . As we made our way past Expedition Everest at 10 am, we noticed that the Stand-by Line Wait Time was only 5 minutes. We entered the queue and only had to pause when the people in front of us were taking pictures. We were on the ride in less than the 5 minutes posted.
If Disney had a way of tracking Guests and noticed that everyone was in some other part of the Park they would have the means (texting, etc) to let people in nearby areas know that they could go to EE for a minumal wait, thus dispersing the crowds to less conjested areas.
I think that the main reason for the "tracking" feature is for crowd control, of course I could be wrong.

 

[dhall]

They would also have to know your pin number to make any purchases.

There's also the very real possibility that part of the budget is fraud detection analysis. In this case, if the band's location trips sensors/counters in diverging locations, then an alarm could very well go off.

 

[dhall]

How would the Protection of Personal Data article in the Charter of Fundamental Rights be violated by Disney?

Article 8
Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.

The devil's in the details. The legislation that backs up these principals is why we have what little protection that we have, and the companies involved wiggle & squeeze well into (and in some cases a little past) the fuzzy gray area that the law creates. It's still an evolving area, and it takes a lot of diligence on the part of privacy advocates to keep the line from moving in the wrong direction.