Disney World Facial Recognition Tests Have Me Concerned...

According to the Disney World website, they've started testing facial recognition technology at some entrances for Magic Kingdom from March 23 through April 23. And anytime someone mentions facial recognition, my first gut response is "umm, data retention? Secure storage? Privacy policy? GDPR?" Basically I have questions.

Here are the details straight from their site:

About the Facial Recognition Technology Test

"At Walt Disney World Resort, we're always looking for innovative and convenient ways to improve our Guests’ experience—especially as we navigate the impact of COVID-19. With the future in mind and the shift in focus to more touchless experiences, we’re conducting a limited 30-day test using facial recognition technology (length of test subject to change). The technology we’re testing captures an image of a Guest’s face and converts it into a unique number, which is then associated with the form of admission being used for park entry. Participation in this test is optional. For those interested in volunteering to participate in this effort, please make sure you arrive with valid theme park admission and a Disney Park Pass reservation. Note: children under the age of 18 who wish to participate may do so with the consent and in the presence of a parent or guardian."

For guests, you'll enter a specific line for facial recognition. You'll have to remove any accessories on your head or eyes but must keep your face mask on. Then you face the camera and position your park admission or MagicBand at a scanner to activate the technology. The camera will then capture your face and convert it into that unique number associated with your valid ticket media.

If you return to Magic Kingdom more than once during testing, they ask that you enter through the same gate both times so they can better "understand how the technology works". Again, participation is optional. All their normal entry points still exist as well.

And in small text at the bottom of the screen, they mention "Images and the associated unique numbers captured for this technology test will be discarded within 30 days after the test concludes. We will not share the images and unique numbers captured for this test with third parties."

DisneyWorld posted an announcement on their Instagram so we have an idea of what the process looks like. The comments on their Insta post are pretty cringeworthy... so skip them, come here, and I'll share some thoughts as a security educator.

But are you subscribed yet? Click that subscribe button for security and privacy tutorials! I'll wait.

I've only been to DisneyWorld when I was a lil wee Snubs so I never used any of their new tech, but I've been a frequent Disneyland visitor. Magic Kingdom is located towards the northern side of Disney World and it's only ONE of the many parks that are located within this area of Orlando. Visitors can buy a MagicBand (they used to be free but they aren't anymore) and scan this band at entries whenever they visit, or use it to buy merch or food or to enter their hotel room if they stay on location. MagicBands use RFID technology at touchpoints. But DID YOU KNOW, they also include a long-range antenna that is used to track guests for crowd trends and photos on rides.

Also: general photos at the gate are not new. My experience at Disneyland is that they started taking photos of you when you enter turnstiles for the first time with your ticket. That photo is entered into a ticketing system to ID you upon subsequent park entries. That cuts down on abuse and the photos can be used if a child is lost.

Facial recognition is different. It makes some sense that DW would want to introduce this tech. They've probably seen a financial incentive from using photos, so upping the game with facial recognition from that perspective could be profitable. It could be faster, too, which means guests get into the park faster, so they can buy things instead of standing in a line getting grumpy!

There are also the health issues. Less contact with surfaces or interaction with employees means less chance of infection.

If they did implement facial recognition as a requirement, they could use this within the parks to find lost children or for crowd control or to understand flows of traffic better. They could also use it to ID criminals. From a business standpoint, it makes sense.

EEK, privacy though! I know! I'm getting to it! Facial recognition also has downsides.

The tech isn't great for diversity. There have been several research findings showing that the tech is less effective at IDing women and folks of color. So there's an inherent unintentional bias based on the fact that the recognition algorithm has tons of databases of white dudes but not as many women or Black folks or Asian or Latino folks etc. to learn from. The AI needs better data.

False positives are a thing. Just imagine if FR accidentally flagged you as a criminal and you were escorted away from the gate. Yikes! Way to ruin a vacation.

FR can be fooled by paint or masks that have faces printed on them. It's a thing. It's hilarious to see how people have fooled it, but it's a concern and can prove that FR is still in its infancy in terms of abilities. DisneyWorld still has employees at these gates, so it's not necessarily a problem if it's just used for entry points...

And oh boy the privacy issues. ANYTIME you introduce a new way to collect data, that also opens up the potential for a breach of this data. While DisneyWorld publicly said they turn photos into numbers, how are those numbers generated? If they're tied to your ticket, then would there be a way for an attacker to determine WHO that number belongs to? They say both the photos and numbers are deleted after 30 days, but how are they stored? Is it encrypted? And if they ask visitors to use the same entry gate for each visit, how is their technology "learning"? Would it be able to match you to previous visits? Would your unique number change each time you visit or just stay the same for the ticketed time? What company are they using for the technology?

I unfortunately don't have the answer to these questions, and I doubt Disney would tell us anything publicly about how the technology was built. But these are the kinds of questions that run through my mind. Companies need to be respectful of the privacy of their guests and consider all aspects of security as well before implementing that technology.

Hopefully this video opened up your mind to the very reasonable criticisms of facial recognition. Just because you might be ok with face unlock, that doesn't necessarily mean you should be complacent about all private companies identifying you with your facial data.

LINKS:

https://www.instagram.com/p/CMxGPASB1mJ/

https://wdwprepschool.com/how-magicbands-at-disney-world-work/

https://allears.net/disneyland/dlr-planning/ticket-frequently-asked-questions-faq-disneyland-resort/

https://disneyworld.disney.go.com/guest-services/park-entry-test/?CMP=VAN-FY21Q2ParkEntryTest0001A

https://wdwnt.com/2021/03/first-look-going-through-new-facial-recognition-park-entry-procedure-at-walt-disney-world/

https://www.theverge.com/2021/4/13/22382398/robert-williams-detroit-police-department-aclu-lawsuit-facial-recognition-wrongful-arrest