Coffee With Sabra – Mouseveillance: How Disney Spies on You

I am so excited to share this with you. I made an appearance on a weekly program called “Coffee Break With Sabra” which just launched its new website platform. So check it out. I talked about “Big Brother” watching and how even the “happiest place on earth” is now watching and collecting data on its guests. It’s a fascinating call where we even touch upon privacy rights, capitalism and consumerism and what you can do about it.

During my interview on Mouseveillance: How Disney Spies on You, you will learn:

  • What is mouseveillance?
  • Who does it affect?
  • Who else has access to their data?
  • Who else is using this technology?
  • What is the line between privacy rights and capitalism
  • What can be done about it?

Episode Transcript

SABRA: Welcome to the Coffee Break with Sabra, where we answer your burning questions, the questions you didn’t ask, didn’t know to ask, or were afraid to ask, we ask them for you. Each week we bring you another 20 minutes so that you can get your answers and get back to having a productive and fabulous day. Today we’re here with Raj Goel. He’s an author, entrepreneur, IT expert and public speaker. Raj is globally known as the go-to man in cybersecurity and privacy law. He is committed to educating individuals and organizations about online safety and how to protect the most important assets, people and data. His expert advice helps individuals, companies, and conglomerates navigate their way through the world’s ever-changing technology and increasingly complex IT compliance laws. He often appears in the media and at conferences worldwide to educate the public on cybersecurity and digital privacy, a subject he is passionate about. Raj is fueled by his passion for enhancing civil rights in cyberspace. His love of helping people keeping themselves, their families, and their companies safe online. He’s available as a consultant and public speaker, and often sought after major media outlets and companies. Welcome to the program Raj.

RAJ: Thank you Sabra, glad to be here.

SABRA: Yeah, I’m very excited to have you back. You had some great stuff for us at the end of 2014, and today you’ll be speaking with us about Mouseveillance, how Disney spies on you. I’m really curious about that and how Disney is spying on all of us it seems. Can you tell us a little… I was going to ask you can you tell us what Mouseveillance is and what do you mean by that?

RAJ: Absolutely. In the summer of 2014 I wrote an article for Security Magazine on life of a child 2014, how we’re compromising children’s privacy and safety at birth, before they’re born. How parents, grandparents, aunts and uncles, by Facebooking due dates, birth photos and so on compromise children’s privacy from the moment they’re born or before they’re born. And I was presenting this at an international conference in Orlando. [Unintelligible 00:02:15], I said, you know what. I’m at Disney. I’ve been talking for years about Google, Facebook, and the NSA, and now parents and grandparents, what is Disney doing? Because everywhere I went to Disney, it’s a great experience if you like Disney, but when I walked into the hotel and I checked it, they didn’t give me a room key, they didn’t give me a card. They gave me this really cool looking wristband with Mickey Mouse’s face on it, and I turned it over to look at it. On the inside there’s a serial number and my name was printed on it. So this band was not an anonymous band like your hotel room key would be. One Marriott room key looks like every others. This one was my room key, my resort pass, my resort credit card, my theme park admission card, all in one personalized to my name. And I look over, this family’s behind me with kids… Over a billion dollars building this technology to make it really easy for you as a guest at Disneyland, Disneyworld, Disney properties, to not have to worry about your wallet, your credit, leave them all in your room. You have this wristband on you. It’s your one pass to everything. And in doing this research I also learned that Disney has a lot of cameras on property to encourage customer safety. It keeps criminals out, hooligans out, keep an eye on their rides, make sure people are behaving. And what they discovered in their research is people don’t like cameras, people don’t like being watched. So Disney actually hired an Italian artist to disguise cameras in props and miniatures, and they make surveillance cameras really friendly looking. If Disney is the most heavily surveilled place on earth, and these two data points would’ve been cool, but as I read into magic bands there’s something else you should show. This is an article on Florida newspapers where they said if you have a magic band Disney knows whether you bought a balloon, which rides did you ride on, how long did you wait, did you shake Goofy’s hand, did you just walk by Snow White, they’re tracking all of this. Disney says publicly, they’re not going to market on the 13-year olds. Great, you can breathe a sigh of relief. No you can’t. Because if you got there a 6-month old, 2-year old, or a 4-year old go to Disney with you, which is a prime market, while we don’t market to the kid, they’re tracking the data for the life of the child. Of course they’re marketing for the parents, so as soon as the kid is 13 and they can legally market to the child, bam, your kid is getting hammered with customized marketing. And all of this, you know what, I can say great. What really shocked me is 2002, right after 9/11 Eric Haseltine who was the executive VP for R&D at Walt Disney left his job at Walt Disney to work for the NSA and national intelligence. And a year later Bryan Ferren, his other colleague also left Disney to go work for NSA and Homeland Security because it turns out that Disney Corporation is the world’s 5th largest security company. They have the most amusing patents on biometrics, surveillance, currency protection. And as a result of the technology Disney built to make Disneyland the happiest and safest place on earth is now being deployed at airports, foreign governments, and corporations around the world. And Disney has built this amazing mountain of data on their customers who are global citizens. Disney doesn’t just record the state on Americans, whether you got Euro Disney, or you come to Florida, or if you’re a Chinese and you fly to California, or Disney Japan, they’re building one of the world’s largest international database for a large part of the globally mobile, highly wealthy market. Because by definition if can afford to go to the house of the mouse you’ve got money, and you’ve got money to burn. Because as a father I walk into Disney world I just hand over my wallet. I know I’m going to get mugged. Might as well make it easy.

SABRA: Wait a minute. Are you saying that when somebody goes to Disney world now and they go this magic bands, not only are they tracked while they’re vacationing at Disney World, but even when they go home they’re continuing to be tracked if they keep their bracelet with them?

RAJ: They’re not getting tracked when they go at home, but Disney does encourage you to take these bands with you when you go home, so when you come back next time you can bring the band back with you. At one end they’re building brand loyalty because these are really good-looking bands. They’re really attractive, well designed, hallmark of Disney design. These are trading now as collectibles for Disney fans. They’re coming out with new charms you can buy for these bracelets. As part of your Disney experience, they’ve turned your room key into a collectible. When you go to a hotel resort you throw the room key away, throw it in the garbage at the airport or you give it back to the hotel.

SABRA: Yeah.

RAJ: Disney has made their room keys so attractive, kids, mothers, and fathers want to take them home and keep them. Right now they’re not surveilling you at home, but next time you go back to any Disney property they’re doing it. Also, they’ve created the My Disney Portal. So if you logged in to my Disney Portal and you have to plan your vacations through it. So whether you’re a mom or a dad planning for your family or a teenage kid who wants to go there with friends, you plan your vacation online. You tie in your magic band with your profile, and now they can track you at home or what you’re doing online, what Disney products you’re buying, what vacations your planning. They’re collecting these amazing mountain of data and then they’re licensing the data and the technology to anybody with a large enough checkbook.

SABRA: If I were to ask you who is this pertinent to, it sounds like just customers of Disney, or at least current customers who have gotten these bands.

RAJ: The bands themselves are for Disney park visitors and current customers of Disney. The Disney surveillance technology has been licensed to governments and other corporations so you’ll see variations of this at other theme parks, resorts, places you work at, the airports you go to. And it really surprised me that the happiest place on earth is almost by stealth… They built technology because they had to, to protect their customers, their guests, and do a better job of making more money, revenue extraction from fathers and mothers. But in building a great business they also ended up building an amazing surveillance corporation.

SABRA: That’s incredible.

RAJ: If you place the word Disney with the FBI or NYPD, how does that sit with you? Do your thoughts change just a little bit because the name on the band is not Disney but the NSA. Does that change your thoughts about them? What if the band was not Disney but Microsoft, or Facebook, or Google, or Uber?

SABRA: Yeah, it’s completely surprising, exactly. It’s not what you expect when you go to get the experience at Disney and the way that you’re treated when you’re there. You don’t expect to have somebody surveilling every move that you make. On the one hand it’s like you just mentioned, it sounds like they’re gathering information so they could deliver better, or deliver more to you to have a better experience. On the other hand they could be marketing different things to your kids and things like that.

RAJ: I don’t have the problem with them building this data and using it internally for their own operations. I do object somewhat to them licensing and selling it, or giving it to other companies and entities and without us knowing about it. What they’ve built internally for their own use I respect that. Because you have to make enough money to go to Disney to be part of the surveillance drag net. But now the same data Disney collect in their park attendees has been sold or given away to the government and to all the biometric details you left behind. What you eat, how you walk, all your camera photos… All the camera photos in Disney has an amazing facial recognition platform, and an amazing fingerprint recognition platform because you have to give your thumb or your fingerprint to get into the parks. Who else has access to that data? Government, your insurance agency, opposing council.

SABRA: I don’t know. Is that what you’re saying?

RAJ: What I’m wondering about they’re not telling who else they’ve sold it to. They’re not disclosing who else they’ve licensed it because they have no legal obligation to report that data.

SABRA: But if they licensed the equipment, the ability to do surveillance, isn’t there a difference between licensing the ability for other companies to do surveillance, like you mentioned governments, airports, or other amusement parks? To me that doesn’t equate to that they’re also selling your personal data to those companies…

RAJ: Correct. Those are two separate things, and what we don’t know is where have they licensed technology, where they licensed data, or both. We do know that the government has asked for Disney’s data, and I’m pretty sure Disney gave some or parts of it. Post 911 a lot of corporations volunteered their data to the government to help catch the terrorists. The US government was the recipient of a lot of free surveillance data, or biometric data from a lot of corporations because they were being patriotic, or because they thought it was a good idea to help in the national security. Once the data goes in, it doesn’t go out. I don’t mind them building this technology, I actually don’t mind them building and collecting this data, I would just like to know as a consumer and a parent who else has this? I always put my credit reports, and it only took us 30 years to go from, “No, you can’t have your credit report”, to “Give me 20 bucks a month I’ll give it to you. At least with my credit report I can tell who accessed my profile? Because I applied for a loan or because somebody did ID theft and is now trying to open credit cards or loans in my name. I don’t have the same right to my data at Disney, or Facebook, or Google, or Uber, but after my credit profiles. Ultimately for us as a society data is our new currency. And I assert that just as we took 30-40 years to recognize credit profiles as a currency that the customers have right to look at and possibly modify errors in. We should have the same legal right to our social media and our biometrics data. I don’t know if they’ve got my profile confused with 20 million other guys named Raj Goel, how do I know that…

SABRA: Right. You don’t know if that have it accurately.

RAJ: We cannot validate the accuracy of this data because it’s all behind corporate and government secret firewalls and secret databases. And I would like to have rights to that data for your kids, nieces, and nephews. To me this is the real danger of a surveillance society. Uber records what tabs you order, where you go from point A to point B. Google records what you’re searching. Facebook knows who your friends and frenemies are. eHarmony knows who you’re sleeping with, and Tinder knows exactly who you’re sleeping with tonight. They are collecting this data, they’re licensing data. they’re marketing this data, they have errors in this data. And we as consumers, or in some cases product [Unintelligible 00:15:33] have no right to even look at what the data is, who has access to it, who should’ve access to it. [Unintelligible 00:15:40] tell my friends I don’t want my clients, or my wife, or my employers to find out about. But I have nothing to [Unintelligible 00:15:49]

SABRA: Right. It’s very hard. I’m just curious what you might propose as an option. Because here you have weighing the balance between capitalism and a free market society, and independent businesses, companies like Google, Disney, who they’ve created great success for themselves, and in addition been able to invest and create technology that is benefitting them and their business. And how do you balance their freedom and a free society do this but disclosure. Saying, “We are collecting data about you.” I didn’t know about Disney, but I knew about Google that they’re collecting data and whatnot. So if they tell us is that enough I guess is the question. And if it’s not enough how far do you go and can we really regulate this and tell businesses what they can and can’t do with data that they collect.

RAJ: Sure. So first off let me put out there that I am a capitalist and I love making money, and I support these companies’ rights to find new and creative ways to make like easier and make more money doing it. I think they ought to be rewarded and handsomely for what they do, and that needs to be balanced with our right as citizens and our rights as consumers. The two analogies I would say with this are cigarettes and credit profiles. Cigarettes came out at the height of being cool. You wanted a hot date… Movie stars smoked on film, it was a cool thing to do. And the companies made billions of dollars doing it, and it took a society 30 years to recognize the damage these companies had done to our health care budgets. And another 50 years to get them to finally agree to stop marketing to children and to pay for some of damage they caused by encouraging people to smoke. I don’t have a problem adults smoking, I have a problem with Joe Camel being marketed to 5-year olds on a Saturday morning cartoon. We took that right away from cigarette companies to market to children. Credit profiles, when they first came out and they’re still a private company, consumers had no right to their data, they don’t even know they existed. If only they had the rights over the credit bureaus, consumers have no right to look at the data, much less correct it. And it took the FTC a couple of lawsuits by the FTC and an act of Congress to give us the Free Credit Report Act which is once a year. You can look at your current report. And if there are material errors get them corrected and whereas the companies spend a decade arguing it’s too complicated it, it can’t be done. Within a quarter of Congress passing that law every credit bureau had their own for profit and subsidiary that was selling you credit profiles of $20 a month. Whether it’s [Unintelligible 00:18:49], or lifeblog, or these guys. So I don’t have problems these companies collecting data. They need to do it to build their business, to increase market share and to make money. Great. Yey capitalism, go for it. I also think that at this point we as a society need to demand that we have the same rights to our social media and our surveillance data that we have to our credit profiles, our bank accounts. Because look at the news, Target, Home Depot, Bebe Store, every company that we give money to has been broken into or will be broken into. And they pay some penalties, they buy more insurance, they put out some press releases, they don’t pay for the cost of clean-up. We do as consumers contrast that with cars. GM does not want to spend billions of dollars fixing bad cars. Toyota didn’t get out of bed one morning and say, “Oh, we’re going to spend $20 billion fixing bad breaks.” But they have to because they’re required by law to fix defects in their product.

SABRA: Right.

RAJ: So if I can buy a car and sleep well at night knowing that if it’s materially defective, the manufacturer will take care of it or the law will compel them to. I don’t have that same confidence with Google, Facebook, Disney, Uber, Lyft, or any of these other entities.

SABRA: Right, that’s true. And maybe the same way that the credit bureaus now charge people to have an on-demand access to their credit files, perhaps these companies might do the same. It’s maybe the direction if they get [Unintelligible 00:20:30]

RAJ: I expect them to do the same. Once we compel them to share this data, whether it’s something like the European right to data… A couple of years ago at [Unintelligible 00:20:40] a law student who study German law said, “Hey, I can ask Facebook for my data.” He did, and much to his surprise, Facebook sent him a DVD with 800 pages of CD, 800 pages of data on his profile. And within months hundreds of thousands of Germans have asked for their own data. And just a couple of months ago EU ruled that Google have to forget search results on demand. And within a matter of weeks half a million Europeans applied to be forgotten from Google. I think we need to do something similar. Why is it American corporations give the Canadians, Germans, British, French better privacy than they give Americans?

SABRA: That’s a great question. I don’t know, why do they?

RAJ: I have to say this but at minimum I like [Unintelligible 00:21:32] as well as the French by Google and Facebook. I will take that as a minimum standard, treat me like the French, as embarrassing as that sounds.

SABRA: Yes, sometimes it does feel like other government to protect their citizens more than our American government, which is a sad thing. But maybe more of us need to have conversations like this and speak to our Congress people, and see if something can be changed.

RAJ: Absolutely, we didn’t get clean air, clean food until [Unintelligible 00:22:03] demanded society take up and notice that we have a right to clean air and clean food, and not be poisoned by manufacturers. Ford, GM, Toyota didn’t build better cars because they were altruists. They were forced to by Ralph Nadir, a one crazy man who demanded, “Geez, we paid these companies thousands of dollars, we should get a good product in return.” Similarly, I think it’s our turn to demand that the companies that we give money to, whether it’s GM, Ford, Disney, Geico, or Microsoft, the companies we give our hard-earned dollars to should at minimum be able to tell us what they’re doing with our information, who they’re selling it to, who they gave it to. And when they have a mess on their hands they should be the ones paying for clean-up. No one’s going to make you whole if you died in a car accident. And if you lost a parent or a spouse, no amount of money can make that whole. But you know what, they’ve built a lot safer cars. And I’m a lot more comfortable behind the wheel of my car because it’s been built with 40 years of great engineering because the executives of the companies know that any large defects, they’re going to be held liable. They’re going to be in calls by the media, by Congress, by their own consumers to build better cars at a better price. We don’t see that in software, we don’t see that in social media, we don’t see that online. No one is building a more secure retail point of sale system. No one is building a more secure social media site. No one is building a more secure taxi ordering app because they’re not required to. If Home Depot, or Target, or Bebe, or any of the industries that got broken into. If they hadn’t illegally compelled to pay for the damage created by losing credit card data, I promise you they would’ve [Unintelligible 00:24:02] credit card records much more seriously than they ever have. They treat their coffee budget more seriously than to treat our credit card data.

SABRA: Exactly. I’m sure this is an ongoing conversation and discussion, and we definitely need to get to the bottom of this and there needs to be some changes. I think it’s a great opening and you definitely opened my eyes, and I’m sure the people who are listening, their eyes to what’s going on. Maybe being a little bit mindful of the information that they voluntarily put out there when they’re using some [Unintelligible 00:24:38] out there, some of the ones that you’ve been before. And places that they visit and really make a conscious decision they want to subject themselves and do this. Or if they want to take more different actions and maybe make changes in the way that [Unintelligible 00:24:54] right now.

RAJ: I completely agree. We as consumers, citizens, parents, and adults in society need to be more vigilant. And we need to enforce the rights we have, demand new rights, because it’s our job as adults to actually safe guard civil society. If we don’t, nobody else will.

SABRA: A hundred percent. I think it’s our obligation to. I want to thank you for enlightening us with this interesting and enlightening, a little bit scary information that you provided. and perhaps it’ll motivate people to start taking some action, myself included, to put us in a step of making some changes.

RAJ: Absolutely. And one action you could take today if you’d like is I’ve already shared my presentation with you, make it available to your listeners. So not only can people read what I have to say and look at the research, but also independently verify the data so they can draw their own conclusions for where they want to be in this conversation. All my research available for free, with attribution to sources so you can read the same news articles that I have read to come to this thesis.

SABRA: Thank you. I didn’t know you provided that. That’s awesome. I’ll definitely make sure to make that available. That’s really terrific. Thank you Raj.

RAJ: You’re welcome.

SABRA: I want to thank you again for joining us this week on Coffee Break with Sabra and join us again next week.