NO SECURITY is a new, semi-regular dispatch about tech history and (sub)culture in the underground and abroad.
Last week, my parents took my son Oliver and me to Disney World. I haven't been to Disney since the 1980s, and while I was expecting lines and crowds, what awaited us was an unsettling, dystopian security aspect that could have been out of a William Gibson or Bruce Sterling novel.
The Disney World adventure begins in the aptly named "heroes or villains" parking lots. After parking, visitors are transported by a shuttle bus of golf carts, and then a monorail. After making it through the byzantine ticket line (buy presale if you can), there is a fingerprint scanner adorned with a glowing, 21st-century adaptation of the trademark Mickey Mouse ears.
I expressed some concern about the device to my parents, but was dismissed as being an alarmist. My dad reminded me that after 9/11 the government designated Disney as one of the top terrorist targets at the dawn of the "War on Terror". I understand and respect that position, yet something still didn't sit right with me. What kind of database does the scanner hold? Will my fingerprint now carry eternal metadata on it? Have I just forfeited my last remaining bit of identity to ride Space Mountain?
Does Disney World take a fingerprint? After some investigation I found that Disney claims that it DOES NOT scan your fingerprint. The finger scanner takes a biometric measurement based on three different points on your finger. This biometric measurement is unique only to your finger's size and proportions. The information from the three scanned points is then converted to a code, so as not to violate your identity or match your fingerprint. According to Disney, this process is nonreversible, meaning you can't turn the code back into the finger scan.
Most of the research I've done supports Disney's claim that they're not collecting fingerprints and that visitor data is discarded within 30 days, but not all of the research indicates this. There are still many doubts as to whether or not biometric code can be hacked. Germany's Chaos Computer Club demonstrated how this technology can be abused when they hacked the iPhone 5s's biometric lock within days of the phone's release. At the 2010 DEF CON, hackers at the convention gave a demonstration on biometric lock picking. This was also shown on the popular Discovery show MythBusters, when they found that all you needed to do was lick the latex copy of the lifted fingerprint to simulate sweat.
There are some great uses for biometrics, particularly in criminal investigations where it's much easier to match a print and solve cold cases. The use of such data in society is still undetermined and will eventually require a Supreme Court decision. According to Scientific American, we don't yet have the legal framework to handle this amount of DNA evidence: "Current law is not even remotely prepared to handle these developments. The legal status of most types of biometric data is unclear. No court has addressed whether law enforcement can collect biometric data without a person's knowledge, and case law says nothing about facial recognition."
Socially, what I found so fascinating was watching this line of people readily giving their "biometric finger measurements" to Disney, myself included. The amount of trust that is put into their hands was strange given the long history Disney has with the United States government. Disney World, as we know it, would not exist if the CIA hadn't helped Disney secure the land in Florida well below market value in the 1960s. They created two phantom cities and filled them with Disney loyalists who would then vote in the interests of Disney's puppet government, a clear violation of the Equal Protection Clause in the United States Constitution. The Daily Beast published an excerpt from Finding Florida by noted journalist TD Allman, who wrote: "A month before he died Disney confirmed it was all a trick. There would 'be no landowners, and therefore no voter control,' Disney responded, when asked how he planned to maintain control." These connections go back further, into the 1940s, when Disney was contracted to make propaganda films for the government during World War II.
When I told filmmaker and former hacker Dave Buchwald about my experience, he said: "I caused a big stink at Disney several years ago when I wouldn't enroll in their fingerprint program. Apparently I was the first person that had ever said 'no', at least to the people who were working when I was there. I went back again for an afternoon with my daughter last year and I let them scan my middle finger instead of my pointer. Security through obscurity."
I could be wrong, but I believe this is the last straw in privacy. Much of what I've read is overblown with paranoia; however, it's possible that biometric measurements are simply encoded fingerprints that can be decoded. Biometrics are currently being introduced into flights, ATM withdrawals, and debit purchases. In the future, your fingerprint will be as vulnerable and meaningless as your signature.
Once that measurement is compromised, you can never use your finger the same way again.