Bruce Springsteen fans were thrilled when he announced a 2016 concert tour ... until they tried to get tickets and discovered who’s really The Boss. Ticket vendors using shadowy computer programs called bots scooped up good seats within seconds and put them up for resale at huge markups.
Springsteen enthusiasts weren’t the only ones singing the bot blues. A frustrated Adele fan made a viral video, "Hello from the Parking Lot." Producers of the hit Broadway musical "Hamilton" are reportedly considering nearly doubling the price of the best seats to $995 because resellers are siphoning tens of thousands of dollars from every show. Even Pope Francis was exploited when online scalpers hawked free tickets to his appearance in New York City’s Central Park in September for hundreds of dollars.
Those of us in the internet security business have watched with great interest as ticketing issues have cast a bright public spotlight on bots, the pieces of software that crawl the web and perform automated tasks at a volume and speed beyond human capability.
Bots are everywhere
Bots carried out 74 billion interactions with websites in 2015. It’s amazing to consider that human activity accounted for 54 percent of traffic on the internet last year while bots weren’t far behind at 46 percent, according to an annual analysis by my company, Distil Networks, of the sources and types of bot attacks.
Bots aren’t all malicious electronic vermin. In fact, 60 percent of them are "good bots" that deliver useful services such as search engine indexing, stock trade execution, airfare discount notifications, news updates and weather alerts.
But the rest — 40 percent — are able to mimic human behavior and perform an array of nefarious activities, from denial of service attacks to unauthorized data gathering to spam and automated scalping.
Scalper bots, by rigging ticket sales in a fundamentally unfair way and hurting consumers, clearly are bad bots.
Scalper bots, by rigging ticket sales in a fundamentally unfair way and hurting consumers, clearly are bad bots. And one of the most disturbing things about them is that the software to create them is cheaply and widely available on the internet. All an unsavory ticket broker has to do is download the code and they’re in business beating you or me to enormous quantities of seats.
These digital troublemakers aren’t the most technologically sophisticated bots in the world — for example, they’re not as adept at disguising themselves or tampering with websites as today’s most advanced bots are — but they certainly get the job done.
Using these programs, a shady broker can constantly monitor the sites of primary ticket sellers to detect the release of tickets, automatically search for and reserve tickets that are for sale, and robotize the process of buying tickets. In effect, one scalper can use bots to turn himself into a million-ticket buyers.
The bots are also able to elude the CAPTCHA test ("Completely Automated Public Turing Test to Tell Computers and Humans Apart") — the Rorschach-like combination of letters and numbers that legitimate ticket vendors make you solve. It’s not really a fair fight because most modern bots are able to outsmart all kinds of CAPTCHAs.
Ticketing is a fixed game
A report released in January by New York Attorney General Eric Schneiderman noted that even before bots enter the picture, more than half the tickets for popular concerts are diverted from the general public to industry insiders such as agents, venues, promoters, marketing departments, record labels and sponsors as well as pre-sales for fan clubs, specific credit card customers and the like. So bots are making an already smaller playing field tinier for average consumers.
A flurry of legislation and legal activity has tried to tackle the issue the last couple of years.
In all aspects of digital life, not just online ticket sales, hackers have a habit of staying one step ahead of the good guys and the law.
On April 27, Schneiderman announced a settlement with six ticket brokers that illegally resold thousands of tickets in New York since 2011 without obtaining a license. Five of the six also violated New York’s ticket laws by using bots to buy large numbers of tickets on websites such as Ticketmaster.com before consumers could purchase them. The six companies agreed to pay a combined total of $2,760,000 in penalties to the state.
Thirteen states — California, Florida, Indiana, Maryland, Minnesota, Oregon, Pennsylvania, New York, North Carolina, Tennessee, Vermont, Virginia and Washington — have laws that ban ticket bots, according to the Council of State Governments.
A federal bill — called the BOTS Act and introduced by Rep. Marsha Blackburn, R-Tenn — would make it a crime to use bots to circumvent control measures used by internet ticket sellers.
Laws are hard to enforce
But Schneiderman’s recent action notwithstanding, even in states that heavily regulate ticket reselling, there appears to be little enforcement of the laws.
That’s hardly surprising. In all aspects of digital life, not just online ticket sales, hackers have a habit of staying one step ahead of the good guys and the law. Battling an enemy you can’t see is difficult, and legislating against ticket bots doesn’t help you see them.
And because online ticket scalping crosses state and even national borders on the borderless internet, it can be problematic for laws to have teeth.
Instead of more laws, what’s needed is collective agreement among legitimate ticket sellers, venues, artists, promoters and the entire music industry that enough is enough. They need to demonstrate a call to action to solve this problem once and for all.
The way to a level playing field
Ticketmaster/Live Nation, which has taken steps in recent years to try to get a leg up on bots, needs to do more. It should ramp up its anti-bot technology investments and set "100 percent bot-free" as one of its top corporate priorities.
Artists need to pay more attention to the issue and get more creative with solutions, as Foo Fighters did when the band named its 2015 North American tour "Beat the Bots," and made tickets available only in-person at venue box offices. The Foos may have thrown the baby out with the bathwater to some extent, since online ticket sales remain popular with consumers for their convenience, but surely artists could come up with other innovative tricks.
More public officials should follow Schneiderman’s lead in New York and proactively and aggressively go after illegal scalpers.
With a multipronged effort that relies on technology and stronger human intervention, getting tickets to a Springsteen show no longer has to be an exercise in "Bots To Run."
Rami Essaid is the co-founder and CEO of Distil Networks, a bot detection and mitigation company. Reach him at @ramiessaid.
This article originally appeared on Recode.net.