Wow, this is utterly absurd. I'm no lawyer, but couldn't this set a dangerous precedent that could find people being federally indicted for circumventing CAPTCHAs and the like?
As far as I'm concerned, a program which automatically purchases tickets through TicketMaster is more of a feature than a federal crime; the process for a law-abiding citizen is horrendously convoluted and a complete UX disaster. Too bad TM gets away with it, thanks to their monopoly.
I've spent enough time in the ticketing industry to know that it's right up there with "acai berry" and the like in terms of shadiness. Anybody who thinks StubHub et al. are "fan marketplaces" is severely delusional; 99% of all tickets are listed by brokers who do it for a living (most of whom use less-efficient ways to circumvent TM security, however. That 25MM number is the only reason this is being prosecuted so vigorously.)
At face value definitely seems like it should be civil, not criminal although I know that components of the "ticketing" business, like scalping tickets on event sites, can be criminal offenses set state-by-state.
"indicted by a federal grand jury on charges..." and "surrendered Monday to the FBI" definitely make this sound like a criminal case. I agree though, I wouldn't have thought much about automated purchasing being a federal crime.
I don't see how this is a criminal suit and not a civil suit. What they did was clearly against the wishes and TOS of TicketMaster, the MLB, and others. But criminal? Hardly.
They found a way to buy tickets better than the rest of us.
Why the government is pursuing criminal charges at the behest of TicketMaster and Co. baffles me.
This isn't an industry, and these aren't companies, that I think need a lot of protection from Uncle Sam.
It's weird. If you went to a store and bought all the apples, the owner of the store would love you. Do the same thing online, and suddenly you are facing federal felony charges.
It's not really the online part, it's the tickets part. If you went to the box office in person and tried to buy all the tickets, they wouldn't let you more than online.
Sounds like a job for mechanical turk. Have a bunch of people buy tickets, pay them a dollar via turk, pay the cost of the ticket when you receive it, resell for profit. Then you are not committing fraud, you are just buying tickets from your friends that don't want them anymore. "First sale" and all that.
It's clear that TicketMaster doesn't really want to solve this problem. If they did, they could solve it the same way the airlines did. (Hint: not by having a captcha on the credit card info page.)
But if I had my friends buy all the tickets and I then tried to scalp them:
- It would be totally fair if the concert venue chose to not honor those scalped tickets since I violated their ToS, and if they told me what a d--- I was...
I kinda thought the same thing when I read this. I guess the fraud was that they intentionally went to great lengths to make it look like individuals were buying the tickets instead of a single company.
Pretending to be someone else to gain profit is identity fraud, regardless of whether you stole a real person's identity or created one.
The reason the FBI is involved heavily is because virtually all identity fraud is related to organized crime and money laundering, the rest are usually linked to insurance frauds. Being the first real case of a major identity fraud online, I wouldn't be surprised if the FBI tries to put their heads on a pike as an example to everyone else.
Immaterial of what they did it for, identity fraud is taken as an exceptionally serious crime and as far as I could tell, they performed a thousand or more 'unlawful identity changes' by operating bots under false names for illicit means. The one exception to this is the use of a pseudonym for anonymity, however it's a colossal stretch to claim your bot army are acting as your pseudonyms for your anonymity reasons.
When I sneak my own soda pop into the movie theater, I have violated their rules. I am running the risk of being kicked out of the theater with no refund and probably be very embarrassed in the process. I am not, however, breaking any laws.
What these people did seems analogous. I don't understand how the FBI is involved.
Due to claiming to be about a thousand people that didn't exist, the FBI is likely investigating them under a major suspicion of being related to organized crime. Incidentally, it's very, very rare that using an unlawfully acquired name isn't related to a serious crime.
If I act like any murderer on the run, the FBI are going to investigate me like any murderer on the run. Similarly if you act like any organized crime money laundering syndicate, you'll be investigated like one!
You seem to be assuming that they fraudulently used the identities of real people. Is there any evidence of that? How do you know they weren't signing up as "John Doe #14812"?
The indictment has lots of interesting technical details about what they were doing.
Also very interesting and not mentioned in the article is on page 27: 41. It was further part of the conspiracy that, in or about 2008, having damaged the Online Ticket Vendors' ability to distribute Event tickets fairly on a first-come, first-served basis, defendants LOWSON and KIRSCH would establish and operate Renaissance Events Management ("REM"), a company that proposed to sell Event tickets on behalf of artists and venues as a competitor of Online Ticket Vendors.
There are a few other comments on here who are surprised by this. How is it really surprising? The two main points:
a. Wire fraud. They probably had some type of fake bank accounts set up or something to launder the money because they knew what they were doing was wrong.
b. The tickets were sold at substantially higher prices than on Ticketmaster. They were able to do this by gaming the system/or cracking the schemes in place (captchas) to prevent people from doing this.
c. On a lighter note, they named their company Wiseguys Tickets. That's like the Mafia naming themselves Mafia, Inc. - "We Handle The Rough Stuff". A name like Wiseguys Tickets is just asking to be investigated.
> a. Wire fraud. They probably had some type of fake bank accounts set up or something to launder the money because they knew what they were doing was wrong.
If they did that, then I can see the point of this case. But I didn't read the full suit. Anyone?
> b. The tickets were sold at substantially higher prices than on Ticketmaster. They were able to do this by gaming the system/or cracking the schemes in place (captchas) to prevent people from doing this.
Nothing wrong with this. It happens all the time. When I was in college when course registration opened at 6am, the CS majors always "coincidentally" got their preferred courses more often than other students.
TicketMaster charges an arm and a leg for the "convenience" of buying tickets online. I'm happy someone was taking advantage of them.
> c. On a lighter note, they named their company Wiseguys Tickets. That's like the Mafia naming themselves Mafia, Inc. - "We Handle The Rough Stuff". A name like Wiseguys Tickets is just asking to be investigated.
I just read through the indictment, albeit rushed and IANAL.
a. Through the use of fake email addresses, domains, and IPs, Wiseguys claimed to be over 1,000 different people. Whether this is against Ticketmaster's TOS may be immaterial, since the "fraud" charge applies just to the act of claiming to be someone else, not the use or material repercussions of the claim (as opposed to a civil suit). There are also a number of cases where Wiseguys' bots gained access to tickets nominally only available to exclusive groups, of which neither the bots (obviously) nor Wiseguys were a member.
Additionally, many of the ticket purchases were agreed upon ahead of time with specific brokers, which probably makes the false-identity charges much stronger. There's also one shell company run by Wiseguys that claimed to be selling tickets directly from the venue, which it was not.
b. The tickets say they are not allowed to be resold. I do not know the legal status of such claims, but you agree to those terms before the purchase, which removes one of the weak points of TOS enforcement.
On the personal side of things, while TicketMaster isn't my favorite company either, someone grabbing all their tickets to inflate the prices even higher by adding two additional middlemen doesn't really help things. I consider Wiseguys to be the scummier actor here.
> a. Through the use of fake email addresses, domains, and IPs, Wiseguys claimed to be over 1,000 different people.
If this becomes a crime then we're all in trouble. Who hasn't created a test account using a fake name, etc.? I don't want to be guilty of perjury or fraud because I created 2 digg accounts.
> b. The tickets say they are not allowed to be resold. I do not know the legal status of such claims, but you agree to those terms before the purchase, which removes one of the weak points of TOS enforcement.
I think TicketMaster would have been right to not honor these tickets then, but not sure how this could be a criminal offense.
Why is that illegal? Apart from acting against somebody's terms of service and circumventing some protections?
Selling tickets for a fixed price is kind of a strange idea. They should put up some continuous auction. Maybe that would better reflect the actual value of tickets at different moments in time.
I can understand how this might be a valid civil matter if the click-thru agreements were violated (as I'm certain they were). However, the criminal charges seem bogus.
What if Subway were to offer subs for a dollar next Tuesday with the stipulation that each customer could only purchase one. And, like Iraqi voting procedures, Subway would mark customers' hands to prevent them from making multiple purchases. Let's say I found some solvent that removed the marking and was therefore able to purchase 50 subs and sold them on the nearest corner for a profit. Is this illegal?
If you're pretending to be another person, and not just reentering another store as Joe Smith, then yes, yes it's very illegal, hence the criminal charges here. Wiseguys claimed to be thousands of people to game the system; that amounts to a thousand charges of identity fraud.
I still don't understand why Ticketmaster doesn't just sell all tickets as dutch auctions with some minimum price. They'd then easily cut out these brokers in the middle for popular events.
Because then everyone would have a bunch of taxable income to report. Much better to distribute the good tickets to your buddies and other insiders who can sell them on Craigslist for huge profits, tax-free.
How is this different from automated trading by investment banks? I've written really basic articles on cracking captchas and this has me considering removing that content and code.
Because automated trading is done on exchanges that permit it, doing it on an exchange that didn't permit it could expose you to much more serious criminal financial abuse charges.
Interesting, I always thought reCAPTCHA randomly combined words for each instance. These guys were able to get around it because each CAPTCHA has an id. Have some people from mechanical turk build a database of responses and you're set.
Assigning a non-unique id to CAPTCHAs that are reused kind of defeats the purpose I guess.
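The weakness described in the two comments above, sketched from the defender's side as an added example (not part of the original thread, and not Ticketmaster's or reCAPTCHA's code). The class names, the tiny constructed puzzle pool and the session ids are all hypothetical; the point is that a stable, client-visible challenge id lets one solved answer be reused, while a random single-use token bound to a session does not.

```python
import hmac
import secrets
import time

# Constructed sample pool: puzzle id -> expected answer.
PUZZLES = {"p1": "overlooks inquiry", "p2": "morning upon"}


def _same(a, b):
    # Constant-time comparison of the expected and submitted answer.
    return hmac.compare_digest(a.encode(), b.encode())


class StaticIdCaptcha:
    """Weak: the client is handed the stable puzzle id, so an
    (id, answer) pair learned once is valid on every later request."""

    def issue(self, session_id):
        return secrets.choice(list(PUZZLES))

    def verify(self, session_id, token, answer):
        return token in PUZZLES and _same(PUZZLES[token], answer)


class SingleUseCaptcha:
    """Hardened: the client only sees a random token that is bound to
    its session, expires, and is consumed by the first verify call.
    Note: the nonce removes the stable lookup key; the puzzle pool
    itself still has to be large and refreshed."""

    def __init__(self, ttl=120, clock=time.time):
        self._pending = {}  # token -> (session_id, puzzle_id, expires_at)
        self._ttl = ttl
        self._clock = clock

    def issue(self, session_id):
        token = secrets.token_urlsafe(16)
        puzzle_id = secrets.choice(list(PUZZLES))
        self._pending[token] = (session_id, puzzle_id, self._clock() + self._ttl)
        return token

    def verify(self, session_id, token, answer):
        entry = self._pending.pop(token, None)  # consumed, right or wrong
        if entry is None:
            return False
        owner, puzzle_id, expires_at = entry
        if owner != session_id or self._clock() > expires_at:
            return False
        return _same(PUZZLES[puzzle_id], answer)


def replay_accepted(captcha, answer_for):
    """Solve once in session-a, then resubmit the same token and answer
    from session-b. Returns (first_result, replay_result)."""
    token = captcha.issue("session-a")
    answer = answer_for(token)
    first = captcha.verify("session-a", token, answer)
    replay = captcha.verify("session-b", token, answer)
    return first, replay


if __name__ == "__main__":
    weak, strong = StaticIdCaptcha(), SingleUseCaptcha()
    print(replay_accepted(weak, lambda t: PUZZLES[t]))
    print(replay_accepted(strong, lambda t: PUZZLES[strong._pending[t][1]]))
```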
"The four men resold 1.5 million tickets for performances by Bruce Springsteen, Bon Jovi, Barbra Streisand, Billy Joel, Kenny Chesney and Hannah Montana, the popular teen character played by Miley Cyrus, federal prosecutors said" asserts that federal prosecutors stated something. Remove the attribution and suddenly you are the one doing the stating. Since newspapers are supposed to print facts, this creates a problem in the event that the perpetrators are acquitted. Easy libel case.
This is also why TV newscasters always say so-and-so is alleged to have committed a crime, even if there are like 43 eyewitnesses and the guy turned himself in.
The activity described isn't hacking... it's just creating an alternate, more efficient interface to the website, to increase their ticket purchasing efficacy.
I wish the article had more details, so I could confirm or refute my suspicion that nothing was "hacked".
Circumventing security measures to make a computer behave in unintended ways sounds pretty close to the definition of hacking, at least the Computer Misuse Act has a definition which is close to that.
It's hacking in the more general sense. While they may not have gotten root access on an internal server, they still circumvented security measures in the ticket-purchase system in order to do something that was forbidden. They're leveraging a design flaw. I think it's a valid use of the term. I do disagree with the preposition in the phrase "... by hacking into online vendor systems such as..." as that's simply inaccurate.
Holy shit, this hits really close to home! I almost worked for this company a year ago!
No really—here's proof: http://i.imgur.com/nrGSm.png
I was a dev at Ticketmaster for 2 years (Perl, blech!), got laid off (during the worst job market of all time, thanks!), then out of the blue got a call from a recruiter to interview with this company. They were going by the name "REM", one of their shell companies. Their office was Beverly Hills adjacent on a top floor in the AIG building, across the street from the fancy hotel where the President stays when he's in LA. Snazzy real estate indeed, so they were obviously making a lot of dough to afford that kind of rent. I interviewed with Ken, the company owner and primary defendant in the DOJ's doc, for a little over an hour.
I realized pretty quickly into it that this wasn't a legit smaller indie ticketing company, but an all out scalper company. Ken did talk too openly about his operations, so my spidey-sense was going off that it wasn't legit. Having been in the ticketing industry, I was able to have a more detailed conversation with him about various practices. It was pretty clear all his money was coming from scraping TM. I think the first thing he said that set off my red alarm was "every programmer I have is paired with an off-shore Romanian programmer who does the work." (My mind's translation: "Uh-oh, run, you'll be miserable here, at yet-another company that doesn't really get nor care about software.")
I did find it fascinating to hear about ticketing from the other side of the fence, after being at TM, where the daily war of attrition against brokers & bots is permanent and unwinnable, the scalpers attain an aura of mystery & annoyance. If you sell a lot of tickets, but don't lock down your site with captchas and go all out with engineering clever session/identity persistence strategies, the scalper bots of the world will absolutely kill you on traffic, while continuously holding up your entire inventory, and ruin your real customer's experience.
After realizing it was a scalper company and deducing that they were making millions on a startup-sized skeleton team, I thought why the hell not go work for them, for a few months maybe, it'll be awful (the ticketing industry sucks to develop in because you can't do anything customers really want), but nobody else in West LA was hiring and I was desperate that month. The way I see it, merely scraping a web site violates TOS, not criminal law. I had no idea that the logistics of this kind of enterprise also involved complex financial fraud, so I wouldn't have pursued this if I knew that aspect. I figured at the time that if I was going to do thankless development for a scam company getting rich off of skimming off of an even bigger unofficial monopolist who themselves are skimming off from the general public under a blind and lumbering gov't regulator, who just got rid of my job at the height of all-out market panic, all in an industry I want to get out of, and in a niche where I can't be open about anything I do and where loyalty is valued more than my programming-wizardry, then I better charge those jerks a high price.
So I told Ken I wanted at least $125k/yr and I never heard back from him after he said he wanted to make me an offer. I figured good riddance, no sense in getting involved with a crap job if they won't put their money where their mouth is—companies who talk big are a dime a dozen. However, I was puzzled why he didn't complete the offer, as everything they were doing was stuff I knew all about from my time at TM, so I thought I was his ideal candidate. Based on the DOJ pdf case file, they were making $40 million a year, making my salary request mere pocket change to them.
As you can see from my linked email screenshot, they weren't looking for any specific technical skills, but were instead soliciting blind loyalty above all. If that's the primary skill you need from your devs, then it's another red flag indicating a pretty bad working environment and crappy development process.
Ultimately I think he didn't hire me because of something I said during the interview along the lines of "TM could put you out of business overnight if they just knew you existed, because scraping simply isn't a technically feasible solution on a growing scale large enough for it to work indefinitely." Scam artists hate being outed by smarter people, so I proved I wasn't a lackey-type. Knowing TM's system, it simply can't be scraped on a wide scale without privileged insider access (i.e. scalping your own tickets, à la the Ticketsnow fiasco) without getting noticed and shut down. Plus they have the greatest security-by-obscurity of any other company I know: there's an entire 2nd back-end, behind the entire customer facing LAMP stack, of emulated VAXen running legacy Pascal code originally written in 1982 and left running since then. Yes, when you buy a ticket from TM, the tickets come out of a VAX, which is embarrassing as far as "innovation", considering it's now 2010.
I think it's really too bad the DOJ went after these guys instead of truly fixing the broken ticketing industry. This action by DOJ helps TM more than it helps anyone else (getting the gov't to kill your competition is a sweet deal and an ancient tactic). I think the DOJ has their priorities backwards. Ultimately the consumers lose because they pay higher prices for lower quality, non-innovative services. They knock out one of the little parasites, whose botnet was probably causing huge headaches for TM, yet allow the LN+TM merger to go through, creating a whole new type of unfair monopoly. It's forest for the trees, man.
Ideally I'd like to see the ticketing market resemble a stock exchange, and not an airline. I wish some startup would build this site! Every ticket that can be sold should be publicly listed, so nobody can unfairly profit by having private information about ticket inventory and price levels. (This ideal can be proven using game theory with asymmetric information!) There would be a few more mechanisms to design the right way to balance out the dynamics of the system and keep it fair, similar to how financial companies are regulated. Right now TM has a sweetheart deal, getting to play both sides of the fence—being an unregulated, de-facto market-maker, while not having to make the same kinds of fair concessions to the public in exchange for being allowed to be a market-maker (such as no front-running like Goldman Sachs).
Also, if on the off-chance anyone out there is thinking about doing something innovative with ticketing platforms + web + iphone, and if your plan is "crazy enough that it just might work", and if you're in LA, and if you're hiring, and if you're using Rails, hit me up! I'm looking for a job! I keep an eye out for this type of idealized ticketing company. I think it'll be a few more years until I see it, when some player can get enough leverage to take on LN+TM, both of whom truly are technical dinosaurs just waiting to get taken down by a pure Internet company. The real get-rich mystery to solve is what form that leverage will appear in. Really, the ticketing industry really is that inefficient, it's like someone left $100 million dollars just sitting there, for anyone to take, if they can spot how.
One more thing: reading the linked PDF case file and seeing all the emails clearly establishing criminal fraud, it looks like this company could have benefited greatly by the infamous advice:
"Never write when you can talk, never talk when you can nod, and never nod when you can wink, and never write an e-mail because it's death."
-- Eliot Spitzer
Spitzer also should have ironically added "and never leave a tangled financial trail that can be unravelled back to yourself."