Some members of Congress apparently think that by passing a law, they can beat ticket bots.
The response of IT experts: Good luck with that.
The intentions are the best, of course. Companion bills now pending in the House and Senate are aimed at stopping online ticket scalpers by banning the use of bots – software that can buy hundreds or even thousands of tickets or reservations before the average individual buyer even gets started.
But a law isn’t going to stop the scalpers, according to experts including Rami Essiad, cofounder and CEO of Distil Networks. “You’re trying to combat an enemy you can’t see,” he said. “Making it illegal doesn’t allow you to see them. There’s a lot of legislation saying it’s illegal to hack, but there’s plenty of hacking still going on.”
Indeed, legitimate players in the entertainment business – artists, promoters, venues and even the big ticket sellers like Live Nation/Ticketmaster – have tried to defeat online scalpers for years, with limited success.
Ticketmaster has reportedly spent millions of dollars since 2011, including hiring machine-learning experts to combat them.
It has revoked the tickets of buyers who exceed household limits, and has sued scalpers, including a ring in New Jersey.
At the venue level, the First Niagara Center in Buffalo and others have tried putting ticket buyers in a virtual “waiting room” and requiring human identification through the buying process, according to Sen. Chuck Schumer (D-N.Y.).
But the scalpers adapt. They can program their bots to behave in ways that make them essentially indistinguishable from a real person, including using a different credit card for each purchase.
This past August, tickets with a face price of $129 to a Billy Joel concert at the Nassau Coliseum sold out in five minutes, and then reappeared on resale sites where they were priced from $400 to as much as $8,000.
The story was similar with tickets to an Oct. 22 show by Paul McCartney at First Niagara.
In response, Schumer urged his congressional colleagues to support the Better Online Ticket Sales (BOTS) Act of 2014, filed this past February in the House by U.S. Rep. Marsha Blackburn (R-Tenn.). Schumer more recently filed a companion bill in the Senate.
It would define the use of bots to buy tickets as an "unfair and deceptive practice" under the Federal Trade Commission (FTC) Act. It would also become a federal crime, and create a right of action so that private parties can sue in federal court to recover damages.
At a news conference in September, Schumer said the FTC, “will find the websites, put a cease-and-desist order on them and prevent them from selling, plus level fines in the millions for unfair trade practice."
All of which sounds good. But legislation banning bots in purchasing tickets has already been tried in 14 states. Tennessee has had a law banning the use of bots to buy tickets since 2008, but the Tennessean reported a year ago that, “despite the apparent prevalence of the practice, no one has been prosecuted for this hard-to-prove crime in Davidson County.”
The first major reason for that, noted Bill Wright, director, government affairs of the Global Cybersecurity Partnerships at Symantec, is that, “the Internet is borderless. So even if a scalper, company, or organization is using coded automation (bot) illegally in one state, they may be physically located in a state that does not have anti-bot ticket purchasing laws, creating confusion about where the cause of action occurred and what state, if any, has jurisdiction.”
A national law, such as the BOTS Act, would cure that problem within the U.S. But Essiad and others note that ticket scalping is global – it crosses national, as well as state, borders.
And he and others say it is clear that members of Congress don’t understand the problem, if they think the FTC can solve it by penetrating and fining websites. Dr. Augustine Fou, an independent digital ad fraud researcher and blogger, said that language is evidence that those proposing the bills don’t really understand the problem.
“The websites themselves are not the ones committing the crime,” he said. “In fact, Ticketmaster is a victim as well – bad guys using bots to buy up the valuable tickets and reselling them elsewhere.”
A spokesman for Blackburn said he would try to respond to questions from CSO regarding the effectiveness of the proposed legislation, but had not done so by press time.
Wright said it is important to distinguish between what the ticket scalpers are doing with bots that amount to “coded automation” that is a part of their own infrastructure, and malicious “botnets” – the use of hacked “zombie” machines to launch attacks.
Still, this kind of coded automation is a form of theft, since it forces buyers to pay an inflated price for a product. And experts say making it illegal throughout the country is at least a start.
“It helps to shine a light on a problem,” Essiad said.
But he and Wright both say making it illegal will not end it. “If there is profit to be made, cybercriminals will continue to exploit it,” Wright said. “The Dark Web and underground black markets are thriving in stolen data, malware, and even attack services for hire. If the use of these bots to purchase tickets becomes illegal, the coded automation used would surely show up for sale on the underground market.”
Essiad said the problem extends beyond sporting events and concerts. Cyber scalpers buy up tickets or reservations for other desirable things like hotel rooms, airline seats, restaurants and more.
“Each airlines has certain number of tickets in each class,” he said. “Bots find all the cheap classes and then release them later.”
The only way to avoid bot purchasing, he said, is to avoid the Internet entirely. Some artists, like the rock band Foo Fighters, held a "Beat the Bots" day a year ago in advance of their tour, where the only way to buy tickets was in person at box offices nationwide. The tickets weren’t available online until more than a week later.
But that is not practical in a widespread way for an economy so dependent on the Internet.
Essiad said technology can make a dent in the problem, “but it has to be a collaborative effort.”
He said his firm and others can use machine learning to, “inspect every connection coming in. We can do that programmatically to help detect a bot, and block it. But at the end of the day, we still don't know who is sending them.
“If you really want to trace back the bad guy,” he said, “the law would need language that would allow us to go back to the hosting provider.”
And that, he said, would likely prompt fierce opposition from privacy advocates.
“When you start invading privacy, people push back, he said, “so it’s a tough battle.”