Congress joins battle against ticket bots

Legislation now pending in Congress would outlaw the use of bots – coded automation used by scalpers – to buy up tickets to concerts and other events before the average buyer can even get in line.

Some members of Congress apparently think that by passing a law, they can beat ticket bots.

The response of IT experts: Good luck with that.

The intentions are the best, of course. Companion bills now pending in the House and Senate are aimed at stopping online ticket scalpers by banning the use of bots – software that can buy hundreds or even thousands of tickets or reservations before the average individual buyer even gets started.

But a law isn’t going to stop the scalpers, according to experts including Rami Essiad, cofounder and CEO of Distil Networks. “You’re trying to combat an enemy you can’t see,” he said. “Making it illegal doesn’t allow you to see them. There’s a lot of legislation saying it’s illegal to hack, but there’s plenty of hacking still going on.”

Indeed, legitimate players in the entertainment business – artists, promoters, venues and even the big ticket sellers like Live Nation/Ticketmaster – have tried to defeat online scalpers for years, with limited success.



Ticketmaster has reportedly spent millions of dollars since 2011, including hiring machine-learning experts to combat them.

It has revoked the tickets of buyers who exceed household limits, and has sued scalpers, including a ring in New Jersey.

At the venue level, the First Niagara Center in Buffalo and others have tried putting ticket buyers in a virtual “waiting room” and requiring human identification through the buying process, according to Sen. Chuck Schumer (D-N.Y.).

But the scalpers adapt. They can program their bots to behave in ways that make them essentially indistinguishable from a real person, including using a different credit card for each purchase.

This past August, tickets with a face price of $129 to a Billy Joel concert at the Nassau Coliseum sold out in five minutes, and then reappeared on resale sites where they were priced from $400 to as much as $8,000.

The story was similar with tickets to an Oct. 22 show by Paul McCartney at First Niagara.

In response, Schumer urged his congressional colleagues to support the Better Online Ticket Sales (BOTS) Act of 2014, filed this past February in the House by U.S. Rep. Marsha Blackburn (R-Tenn.). Schumer more recently filed a companion bill in the Senate.

It would define the use of bots to buy tickets as an "unfair and deceptive practice" under the Federal Trade Commission (FTC) Act. It would also become a federal crime, and create a right of action so that private parties can sue in federal court to recover damages.

At a news conference in September, Schumer said the FTC “will find the websites, put a cease-and-desist order on them and prevent them from selling, plus level fines in the millions for unfair trade practice.”

All of which sounds good. But legislation banning bots in purchasing tickets has already been tried in 14 states. Tennessee has had a law banning the use of bots to buy tickets since 2008, but the Tennessean reported a year ago that, “despite the apparent prevalence of the practice, no one has been prosecuted for this hard-to-prove crime in Davidson County.”

The first major reason for that, noted Bill Wright, director, government affairs of the Global Cybersecurity Partnerships at Symantec, is that, “the Internet is borderless. So even if a scalper, company, or organization is using coded automation (bot) illegally in one state, they may be physically located in a state that does not have anti-bot ticket purchasing laws, creating confusion about where the cause of action occurred and what state, if any, has jurisdiction.”



A national law, such as the BOTS Act, would cure that problem within the U.S. But Essiad and others note that ticket scalping is global – it crosses national, as well as state, borders.

And he and others say it is clear that members of Congress don’t understand the problem, if they think the FTC can solve it by penetrating and fining websites. Dr. Augustine Fou, an independent digital ad fraud researcher and blogger, said that language is evidence that those proposing the bills don’t really understand the problem.

“The websites themselves are not the ones committing the crime,” he said. “In fact, Ticketmaster is a victim as well – bad guys using bots to buy up the valuable tickets and reselling them elsewhere.”

A spokesman for Blackburn said he would try to respond to questions from CSO regarding the effectiveness of the proposed legislation, but had not done so by press time.



Wright said it is important to distinguish between the bots that ticket scalpers use, which amount to “coded automation” running as part of their own infrastructure, and malicious “botnets,” which use hacked “zombie” machines to launch attacks.

Still, this kind of coded automation is a form of theft, since it forces buyers to pay an inflated price for a product. And experts say making it illegal throughout the country is at least a start.

“It helps to shine a light on a problem,” Essiad said.

But he and Wright both say making it illegal will not end it. “If there is profit to be made, cybercriminals will continue to exploit it,” Wright said. “The Dark Web and underground black markets are thriving in stolen data, malware, and even attack services for hire. If the use of these bots to purchase tickets becomes illegal, the coded automation used would surely show up for sale on the underground market.”

Essiad said the problem extends beyond sporting events and concerts. Cyber scalpers buy up tickets or reservations for other desirable things like hotel rooms, airline seats, restaurants and more.

“Each airline has a certain number of tickets in each class,” he said. “Bots find all the cheap classes and then release them later.”

The only way to avoid bot purchasing, he said, is to avoid the Internet entirely. Some artists, like the rock band Foo Fighters, held a "Beat the Bots" day a year ago in advance of their tour, where the only way to buy tickets was in person at box offices nationwide. The tickets weren’t available online until more than a week later.

But that is not practical in a widespread way for an economy so dependent on the Internet.

Essiad said technology can make a dent in the problem, “but it has to be a collaborative effort.”

He said his firm and others can use machine learning to, “inspect every connection coming in. We can do that programmatically to help detect a bot, and block it. But at the end of the day, we still don't know who is sending them.

“If you really want to trace back the bad guy,” he said, “the law would need language that would allow us to go back to the hosting provider.”

And that, he said, would likely prompt fierce opposition from privacy advocates.

“When you start invading privacy, people push back,” he said, “so it’s a tough battle.”
