Ed Felton discusses issues of privacy, price discrimination, and identification related to Disney World’s reported use of fingerprinting (some say its only finger/hand geometry) to make sure people aren’t selling their multi-day passes to third parties. Prof. Felton questions whether Disney truly needs to know one’s actual identity to accomplish their goal:
They don’t need to know who you are; all they need to know is that you are the same person who used the ticket yesterday. I think it’s possible to build a fingerprint-based system that stores just enough information to verify that a newly-presented fingerprint is the same one seen before, but without storing the fingerprint itself or even information useful in reconstructing or forging it. That would let Disney get what it needs to prevent ticket resale, without compromising customers’ fingerprints.
If this is possible, why isn’t Disney doing it? I can only guess, but I can think of two reasons. First, in designing identity-based systems, people seem to gravitate to designs that try to extract a “true identity”, despite the fact that this is more privacy-compromising and is often unnecessary. Second, if Disney sees customer privacy mainly as a public-relations issue, then they don’t have much incentive to design a more privacy-protective system, when ordinary customers can’t easily tell the difference.
Researchers have been saying for years that identification technologies can be designed cleverly to minimize unneeded information flows; but this suggestion hasn’t had much effect. Perhaps bad publicity over information leaks will cause companies to be more careful.
What Prof. Felton is calling for here is value-sensitive design: how can we design a system to help Disney meet their goal of ensuring that the person who is using a pass is the same person who bought it without actually knowing exactly who that person is — can we build a such a system that protects the value of privacy?