News Archives

The “Database You”

In addition to my 22 years in the ski industry, for the past 6 years I have made a career in personal Identity Theft protection and corporate ID Theft risk mitigation. In the past few years we have seen a dramatic increase in corporate initiatives which utilize personal usage tracking and social media integration, and we find this to be alarming.

We have found that ID protection begins with a company focus on helping customers, consumers, and users educate themselves about the risks. With proper user awareness, initiatives incorporating RFID, social media, and customer usage can be relatively safe, fun, and useful. Unfortunately, marketing programs such as “Broomfield Resort’s” Epicmix create serious concerns, and their reckless promotion of the program is what we find alarming. We don’t believe that these companies can or should police themselves.

The purpose of this post is to let you know about the “Database You”, and how it has been created without your knowledge or permission.  Before I expand on the topic, be aware of the language spewed from PR departments to make you overlook the obvious.

Here are a few notable Privacy Breaches:

CBS News reports on Facebook -

General Breach

sexual orientation

December 31, 2011 Summit Daily Article -

Epicmix has users wanting more

In the case of Epicmix and your usage tracking, rather than informing its users of safe online practices, VR’s company policy has been to tell the users that there are “no privacy concerns”. They are most likely referencing their data handling policies and having them fall within their “Privacy Policy”. This stance is disingenuous at the very least, as it is self-serving for the corporation, which permits open usage data sharing with its partners. It is potentially damaging to the end user as data aggregation services using “public” and “user-shared” data continue to proliferate. When a user submits their “accomplishments” on social media sites such as Facebook and Twitter, the data is now in the public domain, ready to be data-mined. And as this “Public” information is merged with “private” database information, which can be acquired through “affiliate or partner” agreements, comprehensive Heuristic Models are created and used by the companies which maintain these models. Perhaps you are aware of this, and you are “OK” with it. And that is fine. But if you are not good with this, then you can email VR – commentsatvailresortsdotcom and ask NOT to have your data shared with their Partners.

Your data is out there. It happens globally.

You may not have heard of:    The Database You – 2006 Database you.ppt

You may download and keep the “Database You” attachment. I created these slides in 2006 for presentation around the US. Since that time we have seen the advent of Facebook and other social media sites in which an incredible amount of information is freely given. This has filled in the blanks for the database of “YOU”.

For a simple example of the Database You, go to www.Spokeo.com, a new online USA phone book w/personal info: pics you’ve posted on FB or web, your approx credit score, home value, income, age, etc. You can remove yourself! Search for yourself on their site (don’t buy the access), copy the URL of your page, and then go to the bottom of the page and click on the PRIVACY button to remove yourself. Copy & repost so your friends are aware. Also, for a more comprehensive list of these Online Data Brokers, you may visit the Privacy Rights Clearinghouse.

Spokeo.com is only one of more than a hundred public sites which do this type of data aggregation. Private databases are even more numerous and comprehensive. The fact is, the more information that is out on the web and stored in servers, the more your personal data and privacy are at risk. It is not just about how many vertical feet you skied or how many days you skied. And if you want to track it, fine. But be informed about the pitfalls of freely providing your specific information and habits.

Your information CAN and WILL be used against you in some form. e.g. Increase in health insurance rates for the top Vertical feet “winners” on Epicmix by rewarding their “risky behavior”. User specific “Spear-phishing” emails sent to you from “friend look-a-likes” which can contain many types of malware. Or becoming a target of a theft ring, by posting something like “I can’t wait to take the entire family to Vail for the weekend”.

SPEAR-PHISHING -

The more specific information you give, the easier it is to create a method for someone else to profit from you. Beware of being one of the Sheep. Protect your data where you can, and take it upon yourself to become educated. Because “Broomfield Resorts” and many of the corporations have their best interests in mind, not yours. We use SkiPassDefender to limit the amount of usage data we provide, and to shield our unique pass information. It is simple to use, and still allows the user to fully use Epicmix or a similar program, if YOU choose to do so.

With regard to taking the time to protect your information by shielding RFID passes, Breckenridge spokeswoman Kristen Petitt says there is little point.

“We’ve been tracking people and collecting information about them anyway for years,” she said with a wry smile. “With EpicMix, we just finally let you see that information.”

Jonathan Lawson has been an expert in the field of Identity Theft Risk Management since 2005.  Mr. Lawson has held dozens of education seminars for minors, adults, and seniors regarding identity theft and risk mitigation. Breckenridge Instructor since 1993, and former Keystone Golf Professional. Staff Trainer Vail Resorts until 2010.

ESPN article on Ski Pass Defender and RFiD

The word is getting out. ESPN’s Olivia Dwyer wrote a well-balanced article about RFID and the ski industry. With nearly 700 resorts worldwide using RFID in their lift tickets and ski passes, there is much room for innovation and security issues relating to initial and on-going rollouts of products. Look for 3rd party “resort partner” data sharing arrangements and expanded RFiD networks which go beyond the base of the lifts.

Initial skimming and cloning of an individual’s ski pass can easily be done now. Even a “Web ID” or “Socket Key” used on passes currently offers value to hackers and skimmers. A privacy policy which allows companies to freely share a user’s or guest’s data is really no “privacy policy” at all, especially when it allows their 3rd party affiliates to use the information as they see fit. And it is silly for a person to think that a resort will not leverage this information beyond simply mountain operations.

Finally, to the readers of the ESPN article, Ms. Kelly Ladyga’s comments at the end of the article do NOT accurately reflect the dealings between Vail Resorts and me. In true VP of Communications fashion, Ms. Ladyga tries to spin as defamation, rather than what I was told by Breckenridge’s COO – Pat Campbell, “Your business conflicts with our on-going RFID initiative, and you must choose to cease your business and work for us after signing a code of conduct agreement, or keep your business and not continue to work for Vail Resorts.” But I guess that would not read as well, so they imply that I lied. Shame on you Vail Resorts, and shame on your Machiavellian ways in communicating with the public.

“We cannot comment on any personnel matters,” Ladyga said. “But Vail Resorts will not permit its employees from purposefully [and] publicly spreading inaccurate, false information on the company or its products or activities.”

NOTHING that I have said prior to my decision to not return to Breckenridge for my 18th season, or after, has been inaccurate or false.

Enjoy the read. I believe that individuals should have the right to determine what information can be taken and collected on you, especially during your free and recreational time. Just because they frame it as a game and tell you that they have your privacy or best interests in mind, you should be rightfully aware of data collection and its risks to your personal privacy.

RFID in the ski resort industry is inevitable. Its ease of use for the guest and large potential ROI and on-going marketing data for the company make it a no-brainer. The easier it is to use, the more guests will use it, and the more sales will be made.

Squeezed to read, release to ride technology

Aspen Ski Company announced the new “Resort Charge” feature for their ski passes. We originally caught wind of this in Computer World in December 2009. This is when we saw the need for Ski Pass Defender.

This post is not meant to be an indictment of AspenSnowmass, but rather information and a call to action for skiers and riders using RFID enabled passes.
Taken from the Aspen Snowmass Website:

RESORT CHARGE – CASH FREE, HASSLE FREE!
NEW THIS SEASON, attach a credit card to your season pass and never carry cash on the mountain again. Use your season pass as you would your credit card at Aspen Skiing Company-operated restaurants* and Four-Mountain Sports/D&E locations. This plus hands-free gate access gives you the ultimate hassle-free experience!

The RFID enabled ski pass will most likely have a “Socket Key” code, which is a unique ID. It is now also contained on the RF chip laminated within the pass.

Sample Ski Pass of a Socket Key "WebID"

This number can be cloned, and it just makes sense to shield your RFID information from would-be “Skimmers”.

This ID code will tell the computer system who you are, and what your privileges include. RF will continue to serve a number of purposes for the ski resorts:

1) Convenience as a RF enabled lift pass

2) Convenience to charge at authorized locations (mainly company operated)

3) Trackable around the mountain (where RF scanners are placed).

Notice that large financial firms do not want to show you their security measures when tested by an “un-sponsored” 3rd party source:

A ski resort’s desire is to add convenience, generate profit, and gain adoption of the product. Don’t forget their largest partners. They would like to get a piece of your usage dollars and information as well. American Express, Aspen and Vail Resorts Official Partner, has been well documented for their customer tracking plans. Look for Insurance company partners soon. As it gets easier for more data to be pulled from you without your knowledge, you now have a way to protect the data that is accessible when using RFID, with a Ski Pass Defender.

Also, passholders should be aware of security concerns with siphoning of data through mobile apps. The apps are free, and they offer function to the user. But until companies disclose what information they take (including GPS info), and who the information gets shared with (Resort Partners & Affiliate partners), we suggest staying away from those phone apps.

Jonathan Lawson has been an expert in the field of Identity Theft Risk Management since 2005, and a ski professional since 1991.  Mr. Lawson has held dozens of education seminars for minors, adults, seniors, and corporations regarding identity theft and risk mitigation.