Senators slam Ticketmaster for reporting just one bot case to FTC despite Taylor Swift fiasco claims
Several U.S. Senators criticized Ticketmaster during a Judiciary Committee hearing on Tuesday for only reporting one case of bot abuse to the Federal Trade Commission despite previous claims that the company was dealing with unprecedented attacks by resellers using automated tools.
Companies like Ticketmaster can report bot abuse to the FTC following the passage of the BOTS Act in 2016, which makes it illegal for companies to create systems that circumvent ticket sellers and resell tickets.
But Joe Berchtold, president of Ticketmaster parent company Live Nation, confirmed to senators that the company has only reported one incident involving bots since 2019.
Berchtold was appearing in front of the Judiciary Committee because of the outrage that resulted from Ticketmaster’s system crashing when tickets for musician Taylor Swift went on sale.
Ticketmaster blamed the fiasco on bots that allegedly overloaded their system. In November, the company said they saw 3.5 billion total system requests – four times their previous peak – when the Swift tickets went on sale. According to their data, 14 million fans and more than 3 billion bots attempted to reach the site all at once.
Berchtold said the disruption was the result of “industrial scale ticket scalping” that has increased as more cybercriminals and ticket resellers now have access to powerful bots that can scoop up thousands of items far quicker than any fan can. He added that the ticket resale industry is now worth $5 billion each year, prompting steep escalations in bot use.
“We knew bots would attack [the Taylor Swift] onsale, and planned accordingly. We were then hit with three times the amount of bot traffic than we had ever experienced, and for the first time in 400 Verified Fan onsales, they came after our Verified Fan access code servers,” Berchtold said.
“While the bots failed to penetrate our systems or acquire any tickets, the attack required us to slow down and even pause our sales. But in this forum where we are here to discuss public policy, we also need to recognize how industrial scalpers breaking the law using bots and cyberattacks to try to unfairly gain tickets contributes to an awful consumer experience.”
BOTS Act scrutiny
Berchtold went on to say that the BOTS Act is “too narrow” and criticized the FTC for not enforcing the provision that makes it illegal to sell tickets obtained by bots. He also argued that companies like Ticketmaster should be able to bring civil actions to enforce the BOTS Act.
But much of Tuesday’s hearing hinged on the debate about whether Ticketmaster’s controversial merger with Live Nation made them a monopoly – something every other witness at the hearing said they believed.
Several witnesses argued that because of Ticketmaster’s dominance of the ticket selling market, they had no incentive to create better systems that could withstand bot attacks similar to what happened in November.
Some also said the bots actually help Ticketmaster, raising the prices of the remaining tickets and forcing customers to simply accept exorbitant processing fees in order to get whatever tickets are left.
Multiple senators criticized Berchtold and Ticketmaster for blaming bots for the Taylor Swift fiasco, noting that the company has only approached the FTC with BOTS Act violations once since 2019.
The FTC announced its first ever legal action under the BOTS Act in 2021, fining three ticket brokers based in New York $31 million for using automated software to illegally buy up tens of thousands of tickets through Ticketmaster.
The FTC found that the three companies bought more than 150,000 tickets using automated ticket-buying software to search for and reserve tickets automatically, software to conceal their IP addresses, and hundreds of fictitious Ticketmaster accounts and credit cards to get around posted event ticket limits. The FTC declined to comment on the hearing for this story.
Senator Richard Blumenthal (D-CT) slammed the FTC for not being more proactive in its enforcement of the BOTS Act and said he is planning to put forward another bill that would make the rules banning bots more stringent. The FTC did not respond to requests for comment.
But Senator Marsha Blackburn (R-TN) noted that part of why the bot problem is getting worse is also because they have figured out that Ticketmaster “will not report them.”
“You have not built the kind of cyber safeguards that are necessary to protect the consumer and you are building a treasure trove of information on these consumers,” Blackburn said, expressing further concern about whether Ticketmaster’s inability to address the bot issue was indicative of other cybersecurity lapses.
“You told me yesterday that you have a difficult time telling what is a bot and what is a consumer. Why is it that you have not developed an algorithm to sort out what is a bot and a consumer? Why is it that the bank can do it? Why is it that the local power company can do it but you can’t?”
Berchtold responded that while Ticketmaster has invested more than $1 billion in cybersecurity and bot protection measures, it has now “become an arms race” among ticker resellers, in his view.
Enforcement ‘difficult to impossible’
Several cybersecurity experts said enforcing the BOTS act is practically impossible.
The proliferation of affordable bots-as-a-service tools has made it even more difficult for buyers of tickets and products like sneakers or Playstation 5s. Bots now beat out everyday people thanks to powerful technology made readily available by sites like Cybersole, Kodai, GaneshBot and more.
Boaz Gelbord, chief security officer at Akamai, said enforcing the anti-bot legislation will remain a challenge going forward because bot attacks are often launched by threat actors based internationally, and they are notoriously difficult to identify when they’re continuously adapting their strategies.
“There are also many bot services for hire, which creates multiple layers to untangle. Strong enforcement would take robust international cooperation to align on definitions and for threat information sharing,” Gelbord said.
Cequence Security bot expert Jason Kent said the U.S. laws in place made what happened to Ticketmaster during the Taylor Swift fiasco illegal, but that enforcement is “difficult to impossible” without being willing to set up a sting and arrest people that actually get the goods.
Kent noted that the FTC says the person that writes the software is as guilty as the person that resells the item and as guilty as the person that writes the online platform to trade.
But many times, even if some operators are in the U.S., many use systems or infrastructure that is offshore.
“If you look at the penalties the FTC has handed out here you can see that it takes huge amounts of time and investigative energy to do anything and the FTC just doesn’t have the teeth or the person power,” Kent said.
He suggested a range of actions that could be taken to address the issue. The secondary ticket sale market should be hit with penalties or rules should be instituted making it impossible to profit from the resale of tickets – something that was mentioned repeatedly during the hearing.
“This would remove the ‘fence’ and would stick a bunch of bot operators with things they have to pay for without revenue on those items,” he said.
“More and more companies should report bots to the FTC. Perhaps it is something that vendors for bot management companies can build a pipeline for. Our organization could open hundreds of cases per month, the challenge is that the FTC isn’t the right organization for that sort of volume.”