Disney: The Happiest Privacy Breaches on Earth
The 84-year-old Walt Disney Company has its fair share of detractors, but it also has a sizeable contingent of fervent supporters. And what do we mean by “fervent”?
They’re the type of people who, like Irving Plummer, will admit that “just about everything in my house is Disney, except for the TV.”
So what happens when these super-fans reach out to Disney (specifically, Disney Cruise Lines, or DCL) to let them know about a problem they’re having?
According to Mr. Plummer, the answer in a recent case was, essentially, not much.
Plummer was eager to book a spot on an upcoming Disney cruise, along with many of his fellow participants on the unofficial Disney-related message board Three Circles. But when he went to make his final payment and complete his reservation, he was shocked by what he found–a link that enabled him to access personal information about his fellow passengers.
But it wasn’t just their reservation number, room number or email address–it was sensitive information like home address, date of birth, and even how much each passenger had paid for their rooms and their outstanding balances.
According to Lillie Coney, Associate Director of the Electronic Privacy Information Center (EPIC), a public interest research center in Washington, D.C., these types of privacy problems are an “epidemic in the US.” A breach of this type could easily lead to identity theft, she said.
Realizing the gravity of the situation, Plummer, an information technology professional who has supported Web sites from UPS to the federal government, contacted DCL immediately. He pointed out that Disney seemed to be in violation of its own privacy policies.
Plummer said that after he tried to convince a supervisor of the gravity of the situation, she responded that there was nothing she could do. In fact, this Disney representative asserted that Plummer had effectively given permission for others to view his information.
Why? The reason given was that because members of the Three Circles message board used the DCL site’s linking feature to sign up for a large private dining room together, they were “traveling together” and thus could access one another’s information.
“Just because people are linked for dining purposes, doesn’t mean their private information should be available to those [to whom they] are linked,” Plummer responded.
Frustrated that he couldn’t get this serious issue resolved, he reached out to PeterGreenberg.com.
At first, when contacted by our research team, DCL Director of Public Affairs Rena Langley stated that there had been “a few problems” with the site regarding the making of reservations. She claimed those had already been fixed. When presented with Plummer’s assessment of the problems, she denied that Plummer could have accessed other cruisers’ personal information.
But Plummer wasn’t the only Disney fan to see personal information on DCL’s Web site.
Teresa Whitmore, another Three Circles user, enjoyed two DCL cruises in the past, and was excited to sign up for her next one. So she was similarly shocked to discover the personal and financial information of other cruisers at her fingertips.
“It happened every time I made a payment,” she said. According to Whitmore, a “Cruise Summary” box in the upper right-hand corner of the site revealed the information of several fellow passengers.
“But what really scared me,” she says, “was the kind of information on there–especially the home addresses.”
Whitmore claimed the safety and security of her family was being compromised by the DCL Web site through the revelation of her information to people she’d met only through the Internet. And though Whitmore is still planning on signing up for an upcoming DCL Panama Canal cruise, she says the situation has made her concerned about linking up with any of the folks she’s met online for upcoming cruises.
These types of privacy violations are widespread, according to EPIC’s Coney. This is likely because there are essentially no blanket privacy protections for American consumers.
“What’s funny is that these same companies go to Europe and can’t engage in these [behaviors],” Coney says, explaining that European consumers are protected by European Union laws regarding privacy. “And these companies aren’t closing up shop because they’re not making money…because they’re all held to the same standard. It’s a level playing field.”
And so we went back to DCL and revisited the issue. DCL’s Langley reports that the Disney Web team looked into the situation again, and has finally fixed the problem. Now, Disney claims that passengers who are linked together will not see each other’s personal information beyond the barest essentials (like their name).
“The fact [is] that Disney Cruise Line has finally owned up to the issue and corrected it, [and for that] I am thankful,” passenger Plummer wrote us. “I truly believe that had it not been for you…DCL would have just ignored us.”
Happy to hear we’ve had a positive impact. But the more serious question remains:
What can you do when you discover privacy violations like this online?
“You have to understand the power dynamic in this relationship,” says EPIC’s Coney. “This is Disney…you’re not really in a great position to harness market forces that as a consumer might give you power, since there aren’t a lot of other places you can go for that type of experience” that Disney provides.
But consumers aren’t totally powerless. Coney suggests complaining directly to the Federal Trade Commission, online at https://ftc.gov. The FTC does have the power to both investigate and levy fines against companies. And as she notes, “Companies don’t like being investigated.”
A few state attorneys general, especially those in New York and California, have also taken up privacy cases on behalf of consumers, using their respective state laws. If your state does have privacy protections, a call to your state’s Attorney General’s office could help. Communicating your concerns about privacy issues to your state and federal representatives is useful, too (although in a more long-term sense).
But to prevent these privacy issues from arising in the first place, Coney suggests that you approach the problem this way: “Would you disclose this information to a stranger? Because that’s essentially what you’re doing with a Web site, even if you’re familiar with the company.” Well-known, trusted companies are able to get more information from their consumers, but that also makes them juicier targets for identity thieves.
Further, Coney recommends asking questions before turning over information, such as “How long is my information stored, who has access to it, and how can I delete it once I’ve completed my transaction?” She warned consumers to be very leery of any company that could not, or would not, answer these types of questions.
The bigger problem, according to Coney, is that there are almost no laws and regulations on the books that actually protect privacy information. There are bits and pieces of privacy legislation, such as those protecting health and financial information, or the information of minors, or regulating government-run websites. But the vague assurances of data protection like Disney’s are, in Coney’s words, “smoke and mirrors.”
Additionally, Disney provides no clear way to remove personal information once it’s been collected, a situation Coney likens to your information “being held hostage.”
So before you turn over your information, just ask yourself: “Would I give this information to a perfect stranger?”
By New Media Manager Matt Calcara for PeterGreenberg.com.