In its push to become a data-driven business, event organisers smell opportunity by connecting ticketing to real identities.
Itâs estimated that the market for secondary ticketing is worth $1bn in the UK alone. Itâs a problem for fans and artists, since tickets are often bought in bulk by resellers and sold at a much higher rate to fans. None of that added margin goes to the artists (although there are some allegationsâŚ).
Recently, Iron Maiden opted to go âpaperlessâ for their UK arena tour in order to curb ticket touting. With success:
âIn 2010, 6,294 tickets appeared overnight on three of the major resale platformsâââViagogo, Seatwave and Get Me In!âââon the day of sale. In 2016 this had dropped to 207, all on Viagogo, as Live Nation/Ticketmaster had agreed delist the tour at Iron Maidenâs request.â
The tour didnât go fully paperless, and paper tickets were available, but came with strict requirements towards the fans:
- Tickets must carry the name of the purchaser;
- Ticketholder must present ID and credit card at the door.
While effective, this is worrying and certainly not a âvictory for concertgoersâ as Iron Maiden manager Rob Smallwood called it.
Itâs not just ticketing: privacy is under attack from all fronts. Many events have decided to go âcashlessâ, requiring people to top up chips in special event wristbands. This way, you know exactly who is ordering what, where, how much, and at what time of the night. If youâre a large organisation like Live Nation, you can build up an extensive profile of users over time.
Valuable data, which may help secure sponsors for alcoholic beverages and helps you to target fans with specific offers, but that data comes with a great responsibility.
Privacy in the age of artificial intelligence
The first multi-day conference and festival I attended that was nearly completely cashless was Eurosonic Noorderslag, earlier this year. Itâs a music business conference and showcase event, and has lots of bands playing every night in nearly every bar and club in its host city, Groningen, in The Netherlands. It presented cashless payments as a convenience (ie. to reduce queues at bars).
I immediately researched ways to opt-out and found no good way. It was possible to âanonimizeâ your chip, but you still have to charge it with your bank card, which ties your identity to it through the transaction records. I had good reason to opt-out and so do you.
On its own, âBas entered venue X at 21:03 and drank a beer at bar Y at 21:24â seems like useless information. And it probably is. Iâm not from a country or culture that frowns upon alcohol, so Iâm unlikely to be blackmailed with such a bit of information. However, it is possible for someone to claim they met me there and try to pull some sort of scam. Or worse, for someone to claim they are me by using anecdotal evidence based on these random bits of data, and then scamming someone else.
Criminals are moving from the higher risk ‘traditional crime’ into ‘cybercrime’ which is perceived as lower risk.
More than how someone might use a specific data point, what we should really be worried about is larger data leaks. There are parties that try to collect all information from big leaks. Some use it for good, like Have I Been Pwned, where you can search your email address to see if your login info of any site has leaked. But some people store it for more malicious purposes.
Over time, patterns can emerge in these data sets. These become easier to identify through machine learning algorithms, which can go through large datasets faster than a person could, and can get better over time at making sense of data. Many great ones are open source, like Googleâs TensorFlow.
Now, your attendance of live events and what exactly you do there can be tied to your hacked LinkedIn or Dropbox account. Whoever holds that data has power over you.
Artificial intelligence could be trained to send hypertargeted scam emails, which use all the data available about you to trick you. This could result in ransomware being installed on your computer, which often means your hard drive is encrypted and locked and the key to decrypt your data is only turned over after paying a certain fee (usually done through Bitcoin, which makes it harder to track the perpetrators).
This could happen to your phone, but also to your car, or any other devices which are likely to be connected to the internet in a few years from now.
The important take-away is that the more data someone has about you, the wider their âattack vectorâ becomes. This means they have more paths to target you. Any data point on its own usually doesnât have much value, but itâs when large amounts of data get combined that value emerges. Facebook, a data company, has a market cap of nearly $400bn.
Privacy in music should not be an afterthought
We have learned a lot from events. Weâve learned not to use biker gangs for security. Weâve learned to have first aid staff at festivals that are trained to dealing with the effects of alcohol poisoning and mishaps with drugs. We have come a long way to providing experiences that are exciting and safe at the same time.
Now itâs time to worry about our guestsâ safety before they arrive, and after they leave our events. Let me be clear:
- If you request your guests to sacrifice their privacy for âconvenienceâ, and you get hacked, leading to people getting blackmailed or scammed, it is YOUR responsibility;
- If you request this data from guests, make it clear and easy for them to find out how youâre storing the data, what youâre using it for, and when it will be deleted. Don’t just refer to some boilerplate privacy policy full of legalese;
- When things go wrong, be honest about it and communicate it immediately, so people can take security measures;
- Never store data about people for longer than you need it. Not storing data is the best way to prevent it from being leaked.
(small sidenote: if anyone ever sent you a picture or scan of their passport, go delete that file and email now)
What can you do as a fan?
Do whatever best protects your privacy. If it feels like youâre being a pain in the ass by requesting an anonimized wristband, great. You should be a pain in the ass. Pain is a great motivator for change. So by all means, request information about how your data is stored and protected, how long it’s stored, for what purpose, etc.
Perhaps the hardest part is willing to skip concerts that donât have privacy-friendly options. As a consumer we should understand that solving ticket touting by sacrificing guestsâ privacy is not a solution. It just shifts the issue and places an additional cost on the consumer on top of the ticket price.
Event organisers need to find a way to mitigate or at the very least minimize that additional cost. This means ticketing organisations have to take measures to invest in technology which helps protect and secure guestsâ privacy. But they need to feel pressure, or pain, in order to that.
Data, for ticketing companies, is the same as it is for malicious hackers: the more data you can get on a person, the more valuable it becomes.