The Bot Wars: why you can never buy concert tickets online

Enterprising programmers are creating bots that can reserve, and in some cases buy, everything from restaurant tables to eBay goods before humans can even get a look in. Where will the bot wars end?

Diogo Monica was frustrated. All he wanted was to book a table at his favourite restaurant, but it seemed to be an impossible task.

State Bird Provisions, in the Fillmore district of San Francisco, was fully booked for 60 days in advance, and had been ever since last August, when Bon Appétit magazine named it the best new restaurant in the country.

No matter how many times he returned to the website, the answer was always the same: “No reservations are currently available. As tables become available, they will be shown here.”

Sure, the crispy spiced quail is “unparalleled”; yes, the rose-geranium ice cream is “a singular delight”; but could the promise of such culinary gems really rouse so many to try, every single day, that a table became literally unbookable?

Diogo wasn’t the only one having problems, a myriad of online complaints attested to that. “It’s the hardest place to get a seat in the city right now, full stop," said one. “Don’t even bother,” said another. “Tried every day last week = 0 bookings.” 

Where could all the reservations be going? Were they even going up at all?

Unlike most customers, however, Diogo had another weapon in his arsenal. As a computer programmer, currently working for Twitter founder Jack Dorsey's new venture Square, he had the skills to build a bot.

“A bot is essentially a computer program that automates the process that a human would go through when making a reservations,” Diogo explained via email. This bot would scan State Bird Provisions’ reservation page at regular intervals, emailing him every time it was updated. “I set it to run once every minute.”

At first he had some success. The resulting flurry of emails showed him that reservations really were being released, albeit at four in the morning. Other people were on to this too: each day, without exception, every table would be snapped up within the hour. Armed with this knowledge – and the occasional tip off about a last-minute cancellation – Diogo began to get reservations again.

It wasn’t fair – that he knew. Other fans without his technical skills were still going without a table. But it was a relief to have some success at last after expending so much time and energy on the project. 

But soon, even armed with this insider knowledge, the tables were being grabbed from under him – even the unexpected, irregular cancellations. “The moment they became available they would be gone in the time it took for the website to load.”

He realised that his bot was up against something more powerful. Someone else – or maybe several others – had created a bot that could both watch for and then reserve the available tables all by themselves.

“You fight fire with fire,” he said. “So I decided to fight back, creating my own.”

And so he did. The days when Diogo couldn’t get a table for love nor money are now a distant memory. His bot is so good at its job that sometimes he gets two or three reservations in his name in the same day – he thinks he’s now been to the restaurant “around 15 times”. But he doesn’t expect to stay top for long. If he wants to keep getting tables at State Bird Provision, he’ll have to constantly modify his bot as rivals are adapted to undercut him.

Diogo wrote about the "bot wars" on his website – releasing the code for anyone who wanted, in a bid to “level the playing field” for the less technically-minded.

Soon his competitors were coming out of the woodwork too, including Anil Bridgpal, a former Comcast software engineer.

News spread quickly among the foodie community: his tale of automatons, of reservations made in superhuman speed, rang true with many who had spent fruitless hours refreshing and refreshing the reservation page.

“Weird things go on,” agreed one thwarted diner, who had met with precisely the same problem with a restaurant 60 miles away. “I submitted my reservation within two-tenths of a second after midnight and was told I was too early. Within three seconds I resubmitted and the message said nothing was available. This is not the first time this has happened to me.”

It wasn’t just him, Diogo realised; it wasn’t just this restaurant.

***

Diogo’s dispatch from the frontlines of the new bot wars provided a rare insight into an underground community of unknown, unseen programmers who compete to build the fastest, most powerful bots in a virtual arms race.

Just as high frequency trading, via automated software, took over the financial markets in the early 2000s, the use of bots is a technique that is increasingly coming to dominate online sales of all stripes.

Diogo admits to deploying bots himself not only for dinner reservations, but to secure cinema tickets on busy opening nights and the cheapest flights to visit his family in Portugal. Anil knows of bots for “concert tickets, camping grounds and marathon registrations”. Such programs “are pretty easy to for any developer to write,” he told me.

Yet despite their ubiquity, in hacker circles there is little discussion of the ethics of bot use. There are no gentleman’s agreements to abstain from silicon wizardry when fighting it out with the general public. When there’s an online race, it’s every man for himself – and no one said the race would be fair.

While this might still be only a mild irritation when booking restaurants – where bot use is confined to only the most popular places – it already poses an enormous problem for the music industry. Online ticket sales for concerts are increasingly dogged by accusations of foul play from fans who feel they have been leapfrogged by so-called “scalpers” who buy up dozens of tickets as soon as sales open, then sell them immediately on, for a profit.

When Beyoncé announced an eleven-date UK leg of her 2013 “Mrs Carter” tour, fans knew that competition for the tickets would be fierce. So, on the morning of the 23 February, before the sun had risen, TV researcher Gemma Meredith was ready at her computer, the booking page on her laptop screen and her credit card on the table in front of her.

By 9.29am, she was refreshing the page repeatedly, jostling for first place in the queue. At 9.30 exactly she had been redirected to a "virtual waiting room" – then minutes later, the verdict: “Tickets could not be found. Please try again.”

So she did. Again, then again. Twelve minutes later, while she was still waiting, Ticketmaster announced that every single ticket had been sold. “It was incredibly frustrating,” she said. “Who was buying these tickets faster than I could reload the page? I don’t see what else I could have done.”

Across London, events manager Philippa Brady was in exactly the same position. “Me and a friend were both trying on two different computers – and neither of us got anything. I'm usually pretty good at getting tickets, but the Beyoncé sale was a joke.”

Even Olympic swimmer Rebecca Adlington had no luck, telling her followers on Twitter: “Three computers, refreshing like crazy but no Beyonce tickets! Hope anyone else trying has had more success!”

Yet within moments of the tickets selling out, touts were already offering them on eBay for as much as £1,000 for a standing ticket. “"There were so many, someone was obviously making a lot of money. But what I didn't understand was how they had bought so many when I couldn't even get one," said Gemma.

Ticketmaster, like all the other major ticket outlets, is in the midst of a huge battle with tout-controlled bots. During the Beyoncé sale alone, it thwarted 120,000 ticket requests from bots, and the number that got round the defences cannot be known.

A spokesman for the company said: “Attempts are made during every busy on sale to purchase tickets unfairly using bots. This is an arms race between the technology companies like us and the individuals who create bots. These people are continually innovating and refining bots to make them harder to identify. 

“Ticketmaster is committed to investing in technology that thwarts these bots and we will continue to work hard to ensure that tickets go directly into the hands of genuine fans.”

In the US, bots are thought to account for 90 per cent of traffic to the Ticketmaster website, and 60 per cent of ticket sales to some of the most desirable events. Equivalent statistics were not available for the UK, the spokesman said.

Ticket scalpers can be found advertising online, seeking programmers to develop ever more advanced software. One advert, now ended but still visible online, requests a program to “automatically search for tickets to events on Ticketmaster.com the moment they go on sale”. It must be able to “solve CAPTCHA screens with 75 to 100 per cent accuracy” and evade “cookie or IP conflicts that will lead to Ticketmaster blocking me”. A freelancer based in India was paid $450 for the job.

Indeed, anyone with the money can now buy ready-made bots from hackers "off the shelf". Websites like ticketbots.net offer, for a price, ticket-buying bots to suit a number of different sites - including that of Ticketmaster (£645), eBay-owned Stubhub (£385) and even the Royal Albert Hall (£490).

“Grabs tickets and hold for you instantly,” the Royal Albert Hall bot promises. “Specify section and/or row. . . automatically purchases tickets as soon as they are found.” It is the modern day equivalent of paying someone else to queue. The botmaker declined to reveal how many he had sold.

Yet despite this burgeoning market, some benevolent developers have been willing to use their skills for the greater good.  Adam Naisbitt, an entrepreneur from Milton Keynes, was so frustrated by the difficulties of buying tickets to the London Olympics that he created a bot to notify him when seats became available. But instead of keeping it to himself, he released the information on Twitter, under the @2012TicketAlert username.

“The response was overwhelming,” he said. “We had over 100,000 followers, reached over 2.5m people, helped thousands get tickets and raised over £2,000 for the Olympic Foundation.”

The popularity of his feed, and the success of bots more generally, comes down to the fact that these (often quite simple) automated programs can surpass human abilities in several ways. They are faster, making instantaneous ticket choices, or lodging eBay bids in the final milliseconds of a sale, and capable of making more rational decisions that humans – which has led to them being marketed for use in online gambling. “They do not make mistakes or stake more money because they believe a particular team or horse will win,” said Rade Jaramaz, director of a British-based company that develops bots for use on the Betfair exchange.

Some bots are simply successful because they don’t get bored, and will repeat the same action, again and again, without a drop in accuracy or motivation.

For this reason, many hackers built their first bots for use in computer games. Online games often feature a requirement to complete repetitive tasks to earn virtual wealth, such as mining for gold – the profits of which can then be traded for in-game bonuses or even real-life money. By writing a program to automate this process, a player can benefit from hours of mining without having to do any of the boring work themselves.

Just as in real life, the effect of the bots was to skew the market. For those who use the bots, your task becomes easy – whether that be mining virtual gold or buying real, sought-after concert tickets. For those that don’t, well, they are at an enormous disadvantage.

In many of those games, the same pattern emerged. As more and more bots came online, the situation spiralled out of control. Inflation skyrocketed as the gold-rich bot-owners priced out everyone else. Some games, like Diablo III, saw a total collapse of their virtual economy.

In the end, for the rule-abiding players, it stopped being fun. It stopped being fair. So they stopped playing altogether.

Such is the challenge facing the online sales industry. Every time a wall is built to keep out the bots, the hackers will be programming around it, popping up behind it, whack-a-mole style. But unchecked, the bots will cause havoc, undercutting the real fans, who will be forced to buy from touts, at spiralling prices.

Too many disappointments will see customers turning away altogether. Or, perhaps, they will buy their own software, hoping to beat the scalpers at their own game.

And thus the bot wars shall escalate. 

Is it fair that programmers can build bots to buy things you want? Photo: CJ Isherwood on Flickr, via Creative Commons

Cal Flyn is a freelance journalist, who writes for the Sunday Times, New Statesman and others. Find more of her work at www.calflyn.com and her Twitter handle is @calflyn.

Photo: Getty
Show Hide image

The Prevent strategy needs a rethink, not a rebrand

A bad policy by any other name is still a bad policy.

Yesterday the Home Affairs Select Committee published its report on radicalization in the UK. While the focus of the coverage has been on its claim that social media companies like Facebook, Twitter and YouTube are “consciously failing” to combat the promotion of terrorism and extremism, it also reported on Prevent. The report rightly engages with criticism of Prevent, acknowledging how it has affected the Muslim community and calling for it to become more transparent:

“The concerns about Prevent amongst the communities most affected by it must be addressed. Otherwise it will continue to be viewed with suspicion by many, and by some as “toxic”… The government must be more transparent about what it is doing on the Prevent strategy, including by publicising its engagement activities, and providing updates on outcomes, through an easily accessible online portal.”

While this acknowledgement is good news, it is hard to see how real change will occur. As I have written previously, as Prevent has become more entrenched in British society, it has also become more secretive. For example, in August 2013, I lodged FOI requests to designated Prevent priority areas, asking for the most up-to-date Prevent funding information, including what projects received funding and details of any project engaging specifically with far-right extremism. I lodged almost identical requests between 2008 and 2009, all of which were successful. All but one of the 2013 requests were denied.

This denial is significant. Before the 2011 review, the Prevent strategy distributed money to help local authorities fight violent extremism and in doing so identified priority areas based solely on demographics. Any local authority with a Muslim population of at least five per cent was automatically given Prevent funding. The 2011 review pledged to end this. It further promised to expand Prevent to include far-right extremism and stop its use in community cohesion projects. Through these FOI requests I was trying to find out whether or not the 2011 pledges had been met. But with the blanket denial of information, I was left in the dark.

It is telling that the report’s concerns with Prevent are not new and have in fact been highlighted in several reports by the same Home Affairs Select Committee, as well as numerous reports by NGOs. But nothing has changed. In fact, the only change proposed by the report is to give Prevent a new name: Engage. But the problem was never the name. Prevent relies on the premise that terrorism and extremism are inherently connected with Islam, and until this is changed, it will continue to be at best counter-productive, and at worst, deeply discriminatory.

In his evidence to the committee, David Anderson, the independent ombudsman of terrorism legislation, has called for an independent review of the Prevent strategy. This would be a start. However, more is required. What is needed is a radical new approach to counter-terrorism and counter-extremism, one that targets all forms of extremism and that does not stigmatise or stereotype those affected.

Such an approach has been pioneered in the Danish town of Aarhus. Faced with increased numbers of youngsters leaving Aarhus for Syria, police officers made it clear that those who had travelled to Syria were welcome to come home, where they would receive help with going back to school, finding a place to live and whatever else was necessary for them to find their way back to Danish society.  Known as the ‘Aarhus model’, this approach focuses on inclusion, mentorship and non-criminalisation. It is the opposite of Prevent, which has from its very start framed British Muslims as a particularly deviant suspect community.

We need to change the narrative of counter-terrorism in the UK, but a narrative is not changed by a new title. Just as a rose by any other name would smell as sweet, a bad policy by any other name is still a bad policy. While the Home Affairs Select Committee concern about Prevent is welcomed, real action is needed. This will involve actually engaging with the Muslim community, listening to their concerns and not dismissing them as misunderstandings. It will require serious investigation of the damages caused by new Prevent statutory duty, something which the report does acknowledge as a concern.  Finally, real action on Prevent in particular, but extremism in general, will require developing a wide-ranging counter-extremism strategy that directly engages with far-right extremism. This has been notably absent from today’s report, even though far-right extremism is on the rise. After all, far-right extremists make up half of all counter-radicalization referrals in Yorkshire, and 30 per cent of the caseload in the east Midlands.

It will also require changing the way we think about those who are radicalized. The Aarhus model proves that such a change is possible. Radicalization is indeed a real problem, one imagines it will be even more so considering the country’s flagship counter-radicalization strategy remains problematic and ineffective. In the end, Prevent may be renamed a thousand times, but unless real effort is put in actually changing the strategy, it will remain toxic. 

Dr Maria Norris works at London School of Economics and Political Science. She tweets as @MariaWNorris.