Six Flags contests biometric law with Illinois Supreme Court

Posted Monday, November 26, 2018 9:25 AM | Contributed by Jeff

The case centers on the mother of a teenage boy, who brought a suit against Six Flags after her son’s thumbprint was scanned for season pass entry. Lawyers for the family argue that the move violated the law, but the company has said that, since there was no actual harm done by the collection of the print, they aren’t liable.

Monday, November 26, 2018 9:29 AM

I think the biggest thing about these laws and these kinds of cases is that they probably don't make any technical distinction about what is actually being collected and used. In the case of these fingerprint readers, the result is an algorithmic hash that's literally useless for anything other than comparing it to another scan from the same model of device. If you could get the data, you couldn't do anything with it or reverse engineer it into an actual fingerprint. That's why I'm reasonably at peace with how these things work. The only thing they're good for is comparing your scan to a previous one, which is a valid use case for ticket verification.

Monday, November 26, 2018 11:47 AM

It amuses me how many people still misunderstand what biometrics is, how it works, and that it has nothing to do with an actual fingerprint. Yet many folks believe that they are scanning their fingerprint and it is being stored in some database somewhere attached to their profile or something.

Monday, November 26, 2018 11:51 AM

It's likely on the fine print of the ticket that biometric scanning is a condition of use. I know it was when I worked at Disney. The fake outrage is almost comical. No one is forcing anyone to go to these parks.

Monday, November 26, 2018 11:58 AM

We have been using biometrics at my park for probably close to 10 years now and surprisingly we don't encounter that many situations where a guest becomes outraged over the finger scan. And for the few guests who are difficult, 99% of the time when you explain how it all works, they are fine with it.

Monday, November 26, 2018 12:37 PM

At Disney (this is before the current MyMagic+ system and the barrier free "entry points" - this was when we still had turnstiles) we had a 3-step process. Step 1: use your finger for the biometric scan. Don't have that, we'll go to Step 2 and ask for your photo ID to ensure it matches up with the ticket information. "Forgot" your ID at the hotel, we'll go to Step 3 and have you verify your date of birth, phone number, address, etc. to ensure it matches up. (note: this only worked with Annual Pass and multi day ticket media that was tied to a specific person)

What we typically found was that the few outliers who were uncomfortable with the finger scans were more than happy to show photo ID, and even would have it written on their pass to "show ID" much like a credit card. Those that pitched a fit and said we were the FBI spying on them (I could write a book) were also the ones who wouldn't produce photo ID and had a blank stare or responded "I don't know" when asked "what is your date of birth?"

Monday, November 26, 2018 9:49 PM

What a non-issue. I mean, at best, you get a refund for your season pass? What are they trying to accomplish here?

Monday, November 26, 2018 11:40 PM

I have an aunt (by marriage, no relation) who legitimately believes that flu shots are how the government inserts trackers into you.

I recently joined a Chemtrails FB group too, you should see all the crazy shizz these people post. It goes way beyond chemtrails.

So this doesn't really surprise me.

Tuesday, November 27, 2018 3:31 PM

But the Earth is really flat, right?

Last edited by Vater, Tuesday, November 27, 2018 3:32 PM

Tuesday, November 27, 2018 3:35 PM

What ever happened to the forum member that was screaming that all of the RFID technology that parks are using was going to be the end of the world?

Tuesday, November 27, 2018 4:08 PM

He stopped when someone more likely came along.

Friday, January 25, 2019 2:17 PM

The latest:

Friday, January 25, 2019 4:23 PM

The Illinois Supreme Court absolutely got it wrong. They don't understand what it is that Six Flags is collecting. While it is "biometric" in nature, it's data that is otherwise useless outside of the system using it. A measurement of a subset of points on your finger run through a cryptographic hash is only meaningful when the same system takes the same measurement run through the same hash and then they're compared. If you hacked Walt Disney World and got the hash for my scan, all you would have is a bunch of useless numbers that don't mean anything.

The Illinois law is too broad, and the lawsuit isn't even correct: Six Flags does not store a fingerprint.

Saturday, January 26, 2019 9:16 AM

After reading a few articles, it isn't clear to me whether Six Flags has contested that they collect biometric information, or whether they still may have the opportunity to do so. The Supreme Court hearing seems to have revolved around whether the mother had any standing to sue, because she hasn't shown that any actual "harm" was done. Six Flags apparently filed a motion to dismiss on this point, and the courts seem to have said, more or less, "nah, the way the statute is written the collection of biometric data is itself the harm." (I'm not a lawyer etc.)

And (granted I'm not going to spend all day on this) I haven't seen anything that references an actual hearing by a trial court, at which presumably Six Flags could make the claim that they haven't collected biometric data.

So I suspect there's a great deal more to come.

As for your actual point about biometric data, Jeff, I wouldn't see a lot to prevent Six Flags from selling the measurement and the hash to anyone who comes along, such that in fact anyone with your fingerprint could establish your identity.

Saturday, January 26, 2019 5:59 PM

But that's not how it works. If I had that data, I can't do anything with it. Six Flags does not store the measurement, that's the point of hashing it.

Passwords (when not handled by inept services) work the same way. When you enter a password into this site for the first time, it's run through a hash algorithm, but not before a "salt" is added to it (i.e., "mypassword" + "saltvalue" = "mypasswordsaltvalue"). The resulting hash can't be reverse engineered to "mypasswordsaltvalue" ever. The closest you can get to it is to start comparing the hash to text values run through the algorithm, starting with "aaaaaa," then "aaaaab" and eventually "iofhf4fsdgSDGe4523#$%gr" until it gets a match. By taking this brute force approach, a simple 8 character password could in theory be matched on a modern computer with a fast GPU in a few days, or a few minutes in a distributed network of compromised zombie computers. However, if your password is like that last example, it could take a single computer many years.

From what I understand, the mathematical representation of your finger is limited to some very general measurements, where ridges meet or something, and the distance between those points. From what I remember (I talked to a hardware vendor once years ago), this might actually be a number of different separately hashed elements, so the match threshold is about matching some percentage of these features. Even if you could reverse the hashed value, which is way more numbers to start with than a password, all you would get is a number of spatial measurements between features on your fingerprint, and nothing even remotely representing a fingerprint. It would probably look more like a constellation. That data is pretty useless.
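The salted-hash scheme described in the post above, as an added example (not code from the post or from any park's system): it stores a per-user salt beside the digest, verifies by re-running the same salt through the same function, and shows why the salt matters, since two accounts with the same password would otherwise reveal themselves through identical hashes. PBKDF2-HMAC-SHA256 stands in for the post's plain concatenation, and the iteration count is a constructed value.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed example value; real deployments tune this to current hardware.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given,
    so two users who pick the same password end up with different stored hashes."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


def unsalted_hash(password: str) -> bytes:
    """The weak form the post warns about: no salt, so equal passwords
    produce equal hashes that can be compared across accounts."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def demo() -> dict:
    """Two constructed users who both chose the post's sample password."""
    alice_salt, alice_hash = hash_password("mypassword")
    bob_salt, bob_hash = hash_password("mypassword")
    return {
        "verify_ok": verify_password("mypassword", alice_salt, alice_hash),
        "verify_wrong": verify_password("mypassword1", alice_salt, alice_hash),
        # Same password, no salt: hashes collide and leak the shared password.
        "unsalted_collide": unsalted_hash("mypassword") == unsalted_hash("mypassword"),
        # Same password, independent salts: stored hashes differ.
        "salted_collide": alice_hash == bob_hash,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```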

Saturday, January 26, 2019 6:41 PM

I freely grant that you know more about how this works than I do (which is nothing) and that your general technical knowledge is stronger than mine. So I might not know what I'm talking about. But the scenario you describe isn't the one I'm thinking of. (Among other things, I'm not sure what value there would be from reverse engineering my fingerprint.)

However, let's say Six Flags decides, "we're going to sell our whole biometric package to BiometricsRUs." BRU now has a big database that can be used to match a collected fingerprint to the specific biometric record on file. Then they turn around to WalMart and say, "Hey, WalMart, if you can collect fingerprints from your customers, we can run them against our dataset and see if we get any hits, and we'll turn around and sell you all the data about the person who owns that fingerprint." Which would include the individual's address, age, and all the other stuff Six Flags might collect like whether they order the vegetarian meal or the kosher meal, whether they buy diet sodas, what size clothes they purchase, what kind of car they drive, and a whole bunch of other data points whose value is less obvious but maybe indicates something.

It's arguably not so easy for WalMart to collect fingerprints, but imagine Six Flags does the same thing with facial recognition. And WalMart installs cameras at every entrance and check-out counter.

It's more like, what if Six Flags made you enter a password on entry, and everybody else in the world has the ability to collect that same password from you, and see which account it opens.

Does that scenario seem feasible?

Saturday, January 26, 2019 7:43 PM

No. The data outside of the system can't be matched, and even if it could, it would violate a bunch of privacy laws.
