Data-Free Disneyland

Cell phone with Disneyland app, cracked screen
The burner phone that got us through our Disney Day. Janet Vertesi 2022

(Note: This is the companion post to my article at Public Books about evading data detection at Disneyland. For the fun story, read the Public Books version; for tech details and the "why" of my choices, read on here).

We're definitely not the only family who planned a Pandemic Revenge trip to Disneyland. How could we not? The Cars series was on constant repeat in our home for months on end.  An in-class presentation about California elicited feedback from other first-graders that the only thing that really mattered, the only part of California that everyone knew, was the Land of the Mouse (take that, Yosemite). Once that genie was out of the bottle, the writing was on the wall.

So how does a conscientious data collection objector go to Disneyland? What was once just a fun and overpriced amusement park pushing the boundaries of "Imagineering" and entertainment has transformed into a land of constant surveillance.

The change has been a long time coming, but not without precedent. About fifteen years ago, I gave a talk with my friend Irina Shklovski at Ubicomp, the Ubiquitous Computing conference, which happened to be at DisneyWorld that year. We were talking about GPS tracking of sex offenders and the problems that arose with the circulation and commodification of location-based data--problems that, incidentally, would soon extend to everyone with a smartphone.

We didn't know that then. Instead, we found ourselves in what was clearly a Ubicomp dreamland, DisneyWorld. Wristbands for park access. Music that stayed the same volume no matter where in the park you went. Personalized experiences. And the Mouse himself everywhere, in every carpet design and archway and headboard and--you get the point. It was creepy.

Fastforward to 2022, when I needed to take my family to Disneyland, have an amazing time, and not be data-surveilled. How would we do it?

If you want the fun story, head on over to Public Books, where I wrote a full essay about our untraceable trip. This post assumes you've already read the piece and want to know more about my tech stack, as these are details the editors thought were best placed elsewhere. Geekery ensues: you've been warned!

The inside scoop

I am fortunate to know more than one person who worked at Disney and so I tried to get the inside scoop on the status of their tracking tech. How advanced is their facial recognition? Where and when would we be scanned, photographed, or otherwise detected through the park? What were my obfuscation options?

My understanding, from these conversations, is that it is still possible in Disneyland (not World) to evade because they rely on the app and credit card swipes to generate single user ID's, not on a wristband which is subject to infrared detection throughout the parks in Florida. 

I also learned that at no time did the Disney ID I set up have to match any actual ID, like real names and birthdates on a driver's license.  So we could go with pseudonyms, and keep that identity circulating within the park. The onus was on us to keep up the gag, and keep our real identities separate from our activity at the park that day.

At this point I also had to consider: how much did I care about Disney knowing I was at their park, versus knowing that my young family was there? I decided that I don't mind Disney knowing about me. I've been to Disneyland before, and I'm an adult. I am not telling them a lot about myself by being there. But I do care about my children's identities, so that's where my obfuscation techniques were the most intensive.

Note that I am not on Disney+ and ensure that most of my online interactions with Disney related sites and stores stay obfuscated through alternative browsers and cash purchasing. I also do not have home subscriptions to Disney related products, like NatGeo Kids, which is owned and operated by the Disney Corporation (more on that in another post). In general, I'm not a big Disney person, with the exception of my dedication to Star Wars--but of course, I've been a fan since long before the Skywalker clan became the property of The Mouse.

The Burner Phone

Disneyland is now entirely managed via app. I had it on good authority from many families who had visited recently that the app was a necessity, a non-negotiable. It is the locus for smart passes, for ride checking, maps, and basically everything. Of course, phones are a great way to identify a person. Everything from the IMEI to the SIM to location pings to contacts and other traces on the phone will give you away. 

I do run Linux on my phone and applications on it are relatively firewalled from each other. Even so, I didn't trust it and wanted to go one further. I had to get a burner phone.

I figured that a device purchased on eBay with no SIM wouldn't be registered to my identity in any official sense. It would have no contacts, no network access, nothing. It could in principle ping my location but it wouldn't know who I was. There also wouldn't be any purchase data to align with that information and figure it out. I didn't trust an iPhone for this job, as you need an Apple ID to get things working. So despite my hatred for Google, Android it had to be.

I can swallow my hatred for Google products if it is only for a brief, constrained period, and in support of my larger obfuscation goals. Like when I flash phones over to alternative operating systems. I figured this counted.

I needed something that ran at least Android 9. Those phones were running in the $250+ range. It's expensive enough to go to Disneyland without having to buy a new phone (more on my thoughts about Opting Out as a privileged sport later). So I looked for something damaged to draw down the cost. I didn't need anything fancy: just a smartphone.

I found something for $90-something that was nearby. It was in my hands two days later, cracked screen and all. I wiped the OS and put on stock Android Oreo. I didn't want a record of a home wifi connection point, so I tethered to my phone briefly to download a Disney Genie APK from a third party site. 

Unlike an iPhone, my phone doesn't learn much about who is tethering to it, nor does it relay to the access point what is going on or who is accessing it. With no data like ID or contacts on the burner phone, there was no data to transmit that would be useful.

My goal was to access park wifi, which I understood could be spotty. In rough cases I would try the tethering trick, but my goal was to keep my phone on airplane mode so that it didn't identify me in Mouseland.

Untraceable purchasing

To guarantee entry, as crowds are limited during Covid19, we had to buy the tickets online in advance. This had to happen through a browser, using a credit card. It wouldn't work over Tor so I had to use another browser. 

Browser fingerprinting is a popular way to pinpoint people online. A lot can be detected about a machine remotely from its browser. When I want to do something relatively untraceably I often download a browser afresh, and use that in combination with a VPN or some kind of relay. The site knows it's being accessed by, say, Opera or DuckDuckGo, running on a Mac OS or Ubuntu, somewhere in Alabama or perhaps Atlanta.

Because there is zero history attached to the fresh browser there is not a lot that can be instantly detected. Because my IP address is masked, it's not traceable to where I am or where my other devices are. When I access things from a Linux machine (like my trusty and gorgeous StarLite, or my Sailfish phone), information is even more limited.

This is about as obfuscated as I can reasonably get. Again, I'm not trying to give them no information, just useless information, information that they can't combine with other datasets to identify me.

Then I follow all my best practices for shopping online untraceably. I grabbed an email address at mail.com via a different browser accessing from a different VPN location. I gave over our pseudoyms, paid with privacy.com (missing all the airline points I could accumulate with an official credit card). And I created a burner phone number just in case--not for the burner phone, but for any other throwaway uses.

As for in person purchasing untraceably, like when it came to buying lunch and souvenirs, see my blog post on untraceable in person purchases

Automated recognition

There are cameras all over the park, so I knew we needed to thwart facial recognition. Fortunately it's still Covid era, so masks were okay. And it's Anaheim, so hats are a must. Those offer a lot of protection, especially taken together. But you still have to pull the mask down and remove hats at the gate for a photo.

Fortunately, there's been a lot of work recently in facial recognition thwarting. Personally, I've always had a soft spot for CV Dazzle, and the idea of drawing asymmetrical, blocked lines of color all over your face to confuse computer systems. And the nice thing about Disneyland is it's a great excuse for facepaint. I took the excuse to decorate our faces with an homage to our favorite characters, taking care to use brights, whites, and asymmetrical blocks across features.  It does mean that some of our family snaps from the day look a little strange. But everyone was enthusiastic, and I figure that's what matters. 

Of course, I didn't have a technical way to check that this worked. I could have uploaded our photos to a facial recognition system online, but then I would be putting potentially identifiable photos of my family on the internet, which is a hard no. I could have pinged a colleague who works on facial detection systems to see if there was a preferred offline tool I could try out, but short on time I settled for being as reasonbly informed as I could--and as enthusiastic with the facepaint as possible.

Another worry was detection at the parking lot. Should we park further away at a hotel lot, and walk across? Or was it safe to use the Disney lot knowing they would have license plate readers?

I ended up going for the Disney lot, although they learned that they do have license plate readers. I was driving a rental car. Certainly, my name and driver's license are attached to that car, but that's through a different corporate database. A corporation that Disney does not own or have data rights to or share board members with (I checked via Crunchbase and TheyRule).

Here I follow a different rule for obfuscation, which is to store data across corporate databases where the corporations have no prior relationship--or even an antagonistic one. I can be reasonably sure that, failing an acquisition, that data won't migrate. No one is going to just let their precious user data walk away to the competition.

I made a bet that the two hops between the Disney reader and the car rental database was enough to ensure some protection. Law enforcement would be able to put it together, but Disney doesn't have that authority. And if they were doing it anyway, well, I had already decided that I didn't care whether Disney knew I visited (remember?), just the minor members of my family. (And if you happen to know that Disney is reading rental car databases, well, I think we'd all like to know that.)

Final words

Taking evasive action at theme parks is a good reminder that companies will even piggyback on our pleasure and leisure to sell us more things. There is no respite even when you're looking for a way to unwind.

Opting out meant accepting that I just wouldn't be able to order food via app, and walking the extra half mile to a cash machine with small humans in tow.  While it wasn't convenient, it was functional. And it was fun. It was a reminder, perhaps, that things don't actually have to be convenient to be fun, and they don't have to be tracked to be optimized. While I wouldn't necessarily recommend you follow in my footsteps, I would be tickled to know if you tried something similar, and what you encountered when you did.

Again, this is a companion piece with technical details. More musings about what convenience means, and how we are hooked using microconveniences, are to be found in the full account at PublicBooks.org

P.S. Absolutely no, I do not have a Disney+ account. Now that Disney+ is asking for birthdates and gender information, I'm highly unlikely to get an account any time soon. Amazing as it sounds, there are many ways to watch Cars and Star Wars and other Walt Disney films legally without having a subscription streaming service. I recommend you give it a try.