RFIDs and Privacy at Walt Disney World and Beyond

Friday, December 14, 2012

I've never worn a tinfoil hat. But the way things are going, it looks like next time I go to Walt Disney World, I might just be wearing a tinfoil bracelet.

Some folks in the Disney fan community got into quite a huff earlier this year, when Disney tested RFID tags in the refillable mugs sold at counter service restaurants at Disney resort hotels. The tags determined whether a mug (or even a disposable beverage cup) was eligible for a refill. If you'd refilled your mug two minutes ago, you couldn't get another refill for another three minutes. Presumably, if your mug was beyond a certain vintage, it would be considered invalid for refills at all (since mugs are only eligible for refills at the resort they're purchased, for the duration of the stay during which they're purchased). 

Reportedly, the test didn't go all that well, so that particular implementation of RFIDs was scrapped, at least for now. And honestly, I wasn't all that worked up about it. I've only bought refillable mugs a couple times, and I've used them within the rules. But more importantly, the refillable mugs weren't being linked to individual's personal identity.

But RFIDs at Walt Disney World aren't going away -- in fact, they're about to come into use in a much bigger, more invasive way: They're being embedded into (at least some) guest room keys, which are linked not only to individual identities, but ultimately also to credit card information, and perhaps more.

The convenience to Guests is significant, and soon will likely become more so. It's been said that the Next Generation wristband will allow ticketless park entry, ticketless FastPass, attraction personalization, and touch-to-pay purchasing. But the cost to privacy is potentially great. It's not just that they'll be able to track us in the same ways they already can (when we enter a park, when we make a purchase, when we enter our hotel room), but that we'll be tracked every moment that we're wearing the wristband, or carrying the RFID-enabled room keys.

Just think of all the information that Disney will be able to collect within Walt Disney World. As a student currently working on a Masters degree in business, I must tell you it is a marketer's dream. Even without the RFID, Disney could accumulate a wealth of knowledge just by associating your purchases with your identity. Now, they will know more about the paths you take through the park. They'll know I stood in front of the rack of Dooney and Bourke handbags in the jewelers shop on Main Street 5 times during my last trip, with at least one stop every day, plus cruised by it without stopping another dozen or so (though they won't know that I did it to sneak a quick peek), and never bought one. They'll know that while I rode Haunted Mansion 3 times, I only stopped to look at the merchandise cart on my last day, when I was with my friend Lisa and my son. 

They'll know more about who we spend our time with, assuming that our friends are also wearing the Next Generation wristband. If I'm sharing a room with my spouse, but our RFIDs aren't traveling together, will this suggest to Disney that there's trouble at home? What products will they then market to me? And remember, they'll have this depth of information about anyone wearing one of the wristbands, including any children old enough to need a park ticket. Children's privacy is protected online, but as far as I can tell, there's no offline equivalent of the Children's Online Privacy Protection Act.

And speaking of online information . . . imagine combining the on-site information Disney can gather from the wristband with all that ABC/Disney might be tracking online. Purchases, viewing habits, website visits. . . you name it. Disney won't just know I lingered in front of those Dooney and Bourkes 5 times during my trip; they'll also know I looked at the same bags online the day after I left Walt Disney World. If you use Gmail or Facebook you're probably quite familiar with how online tracking influences the ads that you see. Imagine how much more potentially intrusive this could be if Disney knows how frequently I visit the bathroom, or how long I lingered in front of Enchanted Tales with Belle before finally going to see it, or how many times I rode Dumbo. It's not the privacy intrusion of any one of these items that's a big issue, but rather the inferences that can be made by compiling and analyzing the data. Remember when Target figured out a teenager was pregnant before her father knew? Yeah.

You probably won't be surprised to hear that the ACLU has a position statement on RFIDs, and that one of its key statements is that RFIDs should never be used to track people. But there don't seem to be many consumer protections in place regarding RFIDs at the local, state, or federal level. Disney's RFID implementation had to pass muster with the FCC, but the issues at hand there appear only to be related to the potential physical risks of RF exposure, not any privacy issues.

In the short term, our best protection probably comes from the fact that Disney does not seem to do a very good job integrating its various databases. Well into the age of Caller ID, Disney still needs me to tell them my name when I call. And last I checked, dining reservations made through my WDW web site account didn't automatically appear under "My Reservations" until I added them manually. Their systems integration seems to be happening verrrryy slowly, at least with regard to those features that would be convenient for Guests.

But in the long term, I'll be hoping some savvy retailer whips up unofficial Disney Parks privacy shields: RFID-blocking metal bracelets that cover your Next Generation wristband when you want your privacy, and conveniently slide out of the way when you want to identify yourself. Otherwise, expect to see me with a wristful of tinfoil.