Is killing privacy the best we can do against secondary ticketing?

In its push to become a data-driven business, event organisers smell opportunity by connecting ticketing to real identities.

It’s estimated that the market for secondary ticketing is worth $1bn in the UK alone. It’s a problem for fans and artists, since tickets are often bought in bulk by resellers and sold at a much higher rate to fans. None of that added margin goes to the artists (although there are some allegations…).

Recently, Iron Maiden opted to go ‘paperless’ for their UK arena tour in order to curb ticket touting. With success:

“In 2010, 6,294 tickets appeared overnight on three of the major resale platforms — Viagogo, Seatwave and Get Me In! — on the day of sale. In 2016 this had dropped to 207, all on Viagogo, as Live Nation/Ticketmaster had agreed delist the tour at Iron Maiden’s request.”

The tour didn’t go fully paperless, and paper tickets were available, but came with strict requirements towards the fans:

  1. Tickets must carry the name of the purchaser;
  2. Ticketholder must present ID and credit card at the door.

While effective, this is worrying and certainly not a “victory for concertgoers” as Iron Maiden manager Rob Smallwood called it.

It’s not just ticketing: privacy is under attack from all fronts. Many events have decided to go ‘cashless’, requiring people to top up chips in special event wristbands. This way, you know exactly who is ordering what, where, how much, and at what time of the night. If you’re a large organisation like Live Nation, you can build up an extensive profile of users over time.

Valuable data, which may help secure sponsors for alcoholic beverages and helps you to target fans with specific offers, but that data comes with a great responsibility.

Privacy in the age of artificial intelligence

The first multi-day conference and festival I attended that was nearly completely cashless was Eurosonic Noorderslag, earlier this year. It’s a music business conference and showcase event, and has lots of bands playing every night in nearly every bar and club in its host city, Groningen, in The Netherlands. It presented cashless payments as a convenience (ie. to reduce queues at bars).

I immediately researched ways to opt-out and found no good way. It was possible to ‘anonimize’ your chip, but you still have to charge it with your bank card, which ties your identity to it through the transaction records. I had good reason to opt-out and so do you.

On its own, “Bas entered venue X at 21:03 and drank a beer at bar Y at 21:24” seems like useless information. And it probably is. I’m not from a country or culture that frowns upon alcohol, so I’m unlikely to be blackmailed with such a bit of information. However, it is possible for someone to claim they met me there and try to pull some sort of scam. Or worse, for someone to claim they are me by using anecdotal evidence based on these random bits of data, and then scamming someone else.

Criminals are moving from the higher risk ‘traditional crime’ into ‘cybercrime’ which is perceived as lower risk.

More than how someone might use a specific data point, what we should really be worried about is larger data leaks. There are parties that try to collect all information from big leaks. Some use it for good, like Have I Been Pwned, where you can search your email address to see if your login info of any site has leaked. But some people store it for more malicious purposes.

Over time, patterns can emerge in these data sets. These become easier to identify through machine learning algorithms, which can go through large datasets faster than a person could, and can get better over time at making sense of data. Many great ones are open source, like Google’s TensorFlow.

Now, your attendance of live events and what exactly you do there can be tied to your hacked LinkedIn or Dropbox account. Whoever holds that data has power over you.

Artificial intelligence could be trained to send hypertargeted scam emails, which use all the data available about you to trick you. This could result in ransomware being installed on your computer, which often means your hard drive is encrypted and locked and the key to decrypt your data is only turned over after paying a certain fee (usually done through Bitcoin, which makes it harder to track the perpetrators).

This could happen to your phone, but also to your car, or any other devices which are likely to be connected to the internet in a few years from now.

The important take-away is that the more data someone has about you, the wider their ‘attack vector’ becomes. This means they have more paths to target you. Any data point on its own usually doesn’t have much value, but it’s when large amounts of data get combined that value emerges. Facebook, a data company, has a market cap of nearly $400bn.

Privacy is security

Privacy in music should not be an afterthought

We have learned a lot from events. We’ve learned not to use biker gangs for security. We’ve learned to have first aid staff at festivals that are trained to dealing with the effects of alcohol poisoning and mishaps with drugs. We have come a long way to providing experiences that are exciting and safe at the same time.

Now it’s time to worry about our guests’ safety before they arrive, and after they leave our events. Let me be clear:

  • If you request your guests to sacrifice their privacy for ‘convenience’, and you get hacked, leading to people getting blackmailed or scammed, it is YOUR responsibility;
  • If you request this data from guests, make it clear and easy for them to find out how you’re storing the data, what you’re using it for, and when it will be deleted. Don’t just refer to some boilerplate privacy policy full of legalese;
  • When things go wrong, be honest about it and communicate it immediately, so people can take security measures;
  • Never store data about people for longer than you need it. Not storing data is the best way to prevent it from being leaked.

(small sidenote: if anyone ever sent you a picture or scan of their passport, go delete that file and email now)

What can you do as a fan?

Do whatever best protects your privacy. If it feels like you’re being a pain in the ass by requesting an anonimized wristband, great. You should be a pain in the ass. Pain is a great motivator for change. So by all means, request information about how your data is stored and protected, how long it’s stored, for what purpose, etc.

Perhaps the hardest part is willing to skip concerts that don’t have privacy-friendly options. As a consumer we should understand that solving ticket touting by sacrificing guests’ privacy is not a solution. It just shifts the issue and places an additional cost on the consumer on top of the ticket price.

Event organisers need to find a way to mitigate or at the very least minimize that additional cost. This means ticketing organisations have to take measures to invest in technology which helps protect and secure guests’ privacy. But they need to feel pressure, or pain, in order to that.

Data, for ticketing companies, is the same as it is for malicious hackers: the more data you can get on a person, the more valuable it becomes.