The 2016 Better Online Ticket Sales Act and Advanced Persistent Bots

November 17, 2016 Stephen Singam

Can the 2016 Better Online Ticket Sales Act Beat Advanced Persistent Bots?

Executive Summary

According to Northcoast Research, the U.S. ticket resale market is big business—booming to $5 billion dollars. And CNBC’s Zach Guzman mentions that, as primary market leaders such as TicketMaster (a unit of Live Nation Entertainment) have entered the space, software advances have made price scalping even easier for those wanting to enter the business.

Guzman particularly mentions TicketUtils as one such software that posts and pushes inventory to multiple resale markets—nearly 90% of all tickets posted to eBay come through it. TicketUtils admits that while most of its users are professional ticket brokers, many resell on the side. Yet the top 1% of its sellers provide over half the site's inventory.

According to a New York attorney general report, tens of thousands of tickets are being purchased every year by bots. Moreover, third-party brokers resell tickets on sites such as StubHub and TicketsNow at an average 49% above face value—sometimes at more than 1,000% above that.

Bots are the engine that drive the ticket resale market, according to Distil Networks’ 2016 Bad Bot Report. These are a web scraping tool that harvest data, intellectual property, price lists, product availability, and other information that comprises the competitive advantage of legitimate website owners.

In the end it’s the fans who get a raw deal. U.S. Sen. Charles Schumer calls bot operators (or scrapers in this context), “Nefarious bottom-feeding people who take people’s joy away.”

On September 12th, the U.S. House of Representatives—faced with growing concerns about bots— approved a version of the Better Online Ticket Sales Act, or BOTS Act, to resolve the online ticket scalping problem.

The two major components of this legislation are:

  1. It prohibits intentionally using or selling software to circumvent a security measure, access control system, or other control or measure on a ticket seller's website that is used by the seller to ensure equitable consumer access to tickets for any given event;
  2. It prohibits selling any ticket in interstate commerce knowingly obtained in violation of such prohibition. Moreover, it treats a violation as an unfair or deceptive act or practice under the Federal Trade Commission Act. It authorizes a person who suffers injury as a result of a violation of this Act to bring a civil action for damages plus $1,000 for each distinct use or sale of software, or sale of a ticket, that caused such injury, along with reasonable attorney fees. Additionally, it amends the federal criminal code to prescribe criminal penalties for such an offense.
Legislation is a useful additional tool to thwart scrapers, but it’s not a silver bullet. Scrapers generate too much revenue for legislation alone to be a deterrent. What’s worse, the BOTS Act doesn’t offer clarity on means of enforcement—it needs teeth. Organizations looking to protect themselves can’t rely on law enforcement; consider the well-known difficulty of herding multiple law enforcement agencies (federal, state, and local) into a single effective body.

At its core, scraping is a technical problem. The BOTS Act does not account for the recent development  of sophisticated bots and their ever-evasive, exploitive technologies. After all you can only legislate against bots you can actually identify.

About the Author

Stephen Singam

Stephen Singam is Managing Director of Security Research at Distil Networks. He's a veteran Information Security & Technology Management professional with extensive experience in the Financial Services, Healthcare, Media & Entertainment and Cybersecurity Consulting industries, having held senior cybersecurity positions at Hewlett Packard (Asia Pacific & Japan), Commonwealth Bank of Australia (Sydney), 20th Century Fox/News Corporation (Los Angeles), Salesforce.com (San Francisco), IBM Corp (New York City & Singapore) and Nokia (Helsinki, Finland).

More Content by Stephen Singam
Previous Article
Reviewing IoT Security Vulnerabilities: The Real Cost of Interconnectivity
Reviewing IoT Security Vulnerabilities: The Real Cost of Interconnectivity

Technology has improved greatly since 2007 with billions of interconnected devices, but IoT security standa...

Next Article
Shortening the Rust Edit/Feedback Cycle
Shortening the Rust Edit/Feedback Cycle

Casey Robinson discusses one of the most common frustrations when working with rust, the speed of the compi...