Six Flags contests biometric law with Illinois Supreme Court

Posted | Contributed by Jeff

The case centers on the mother of a teenage boy, who brought a suit against Six Flags after her son’s thumbprint was scanned for season pass entry. Lawyers for the family argue that the move violated the law, but the company has said that, since there was no actual harm done by the collection of the print, they aren’t liable.

Read more from The Verge.


Jeff's avatar

I think the biggest thing about these laws and these kinds of cases is that they probably don't make any technical distinction about what is actually being collected and used. In the case of these fingerprint readers, the result is an algorithmic hash that's literally useless for anything other than comparing it to another scan from the same model of device. If you could get the data, you couldn't do anything with it or reverse engineer it into an actual fingerprint. That's why I'm reasonably at peace with how these things work. The only thing they're good for is comparing your scan to a previous one, which is a valid use case for ticket verification.

Jeff - Editor - - My Blog - Phrazy

It amuses me how many people still misunderstand what biometrics is, how it works, and that it has nothing to do with an actual fingerprint. Yet many folks believe that they are scanning their fingerprint and it is being stored in some database somewhere attached to their profile or something.

It's likely on the fine print of the ticket that biometric scanning is a condition of use. I know it was when I worked at Disney. The fake outrage is almost comical. No one is forcing anyone to go to these parks.

We have been using biometrics at my park for probably close to 10 years now and surprisingly we don't encounter that many situations where a guest becomes outraged over the finger scan. And for the few guests who are difficult, 99% of the time when you explain how it all works, they are fine with it.

At Disney (this is before the current MyMagic+ system and the barrier free "entry points" - this was when we still had turnstiles) we had a 3-step process. Step 1: use your finger for the biometric scan. Don't have that, we'll go to Step 2 and ask for your photo ID to ensure it matches up with the ticket information. "Forgot" your ID at the hotel, we'll go to Step 3 and have you verify your date of birth, phone number, address, etc. to ensure it matches up. (note: this only worked with Annual Pass and multi day ticket media that was tied to a specific person)

What we typically found was that the few outliers who were uncomfortable with the finger scans were more than happy to show photo ID, and even would have it written on their pass to "show ID" much like a credit card. Those that pitched a fit and said we were the FBI spying on them (I could write a book) were also the ones who wouldn't produce photo ID and had a blank stare or responded "I don't know" when asked "what is your date of birth?"

ApolloAndy's avatar

What a non-issue. I mean, at best, you get a refund for your season pass? What are they trying to accomplish here?

Hobbes: "What's the point of attaching a number to everything you do?"
Calvin: "If your numbers go up, it means you're having more fun."

Tommytheduck's avatar

I have an aunt (by marriage, no relation) who legitimately believes that flu shots are how the government inserts trackers into you.

I recently joined a Chemtrails FB group too, you should see all the crazy shizz these people post. It goes way beyond chemtrails.

So this doesn't really surprise me.

Vater's avatar

But the Earth is really flat, right?


What ever happened to the forum member that was screaming that all of the RFID technology that parks are using was going to be the end of the world?

He stopped when someone more likely came along.

Jeff's avatar

The Illinois Supreme Court absolutely got it wrong. They don't understand what it is that Six Flags is collecting. While it is "biometric" in nature, it's data that is otherwise useless outside of the system using it. A measurement of a subset of points on your finger run through a cryptographic hash is only meaningful when the same system takes the same measurement run through the same hash and then they're compared. If you hacked Walt Disney World and got the hash for my scan, all you would have is a bunch of useless numbers that don't mean anything.

The Illinois law is too broad, and the lawsuit isn't even correct: Six Flags does not store a fingerprint.

Jeff - Editor - - My Blog - Phrazy

Jeff's avatar

But that's not how it works. If I had that data, I can't do anything with it. Six Flags does not store the measurement, that's the point of hashing it.

Passwords (when not handled by inept services) work the same way. When you enter a password into this site for the first time, it's run through a hash algorithm, but not before a "salt" is added to it (i.e., "mypassword" + "saltvalue" = "mypasswordsaltvalue"). The resulting hash can't be reverse engineered to "mypasswordsaltvalue" ever. The closest you can get to it is to start comparing the hash to text values run through the algorithm, starting with "aaaaaa," then "aaaaab" and eventually "iofhf4fsdgSDGe4523#$%gr" until it gets a match. By taking this brute force approach, a simple 8 character password could in theory be matched on a modern computer with a fast GPU in a few days, or a few minutes in a distributed network of compromised zombie computers. However, if your password is like that last example, it could take the single computer many years.

From what I understand, the mathematical representation of your finger is limited to some very general measurements, where ridges meet or something, and the distance between those points. From what I remember (I talked to a hardware vendor once years ago), this might actually be a number of different separately hashed elements, so the match threshold is about matching some percentage of these features. Even if you could reverse the hashed value, which is way more numbers to start with than a password, all you would get is a number of spatial measurements between features on your fingerprint, and nothing even remotely representing a fingerprint. It would probably look more like a constellation. That data is pretty useless.

Jeff - Editor - - My Blog - Phrazy
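
The salted hashing and brute-force cost described in the post above, as an added example that is not part of the original thread. It uses PBKDF2-HMAC-SHA256 from Python's standard library instead of the plain password-plus-salt concatenation the post sketches; the iteration count and the guess rate in the demo are assumed values.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # assumed work factor for this example; tune per deployment


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh random salt is drawn per password."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_key)


def worst_case_search_seconds(alphabet_size: int, length: int,
                              guesses_per_second: float) -> float:
    """Seconds to try every candidate of exactly `length` characters."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    # Two users with the same password get unrelated stored values,
    # so one precomputed table cannot cover both records.
    salt_a, key_a = hash_password("mypassword")
    salt_b, key_b = hash_password("mypassword")
    print("same password, same stored key?", key_a == key_b)
    print("correct password verifies:", verify_password("mypassword", salt_a, key_a))
    print("wrong password verifies:", verify_password("aaaaaa", salt_a, key_a))

    # Constructed guess rate (assumption): 1e9 guesses per second.
    rate = 1e9
    year = 365 * 24 * 3600
    short = worst_case_search_seconds(26, 8, rate)    # 8 lowercase letters
    long_ = worst_case_search_seconds(95, 23, rate)   # 23 printable ASCII characters
    print(f"8 lowercase letters: {short:.0f} seconds worst case")
    print(f"23 printable characters: {long_ / year:.3e} years worst case")
```
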

Jeff's avatar

No. The data outside of the system can't be matched, and even if it could, it would violate a bunch of privacy laws.

Jeff - Editor - - My Blog - Phrazy

It seems Six Flags has stopped using the fingerprint readers, I assume as a result of this lawsuit. At Six Flags Great Adventure they were using the SeaWorld/Busch method of taking one's picture at the entry turnstiles.
