The legislation would ban both the resale of goods acquired using bots and the resale of tech products above the manufacturers’ price.
A group of lawmakers in the United Kingdom is looking to take on powerful bot organizations openly scalping gaming consoles by proposing potential legislation that would both ban the resale of goods acquired using bots and ban the resale of tech products above the manufacturers’ price.
In what is called an “early day motion,” six SNP members of parliament said the United Kingdom should change its laws to stop scalpers from clearing out stores and charging exorbitant resale prices.
“This House believes that new releases of gaming consoles and computer components should be available to all customers at no more than the Manufacturer’s Recommended Retail Price, and not be bought in bulk by the use of automated bots which often circumvent maximum purchase quantities imposed by the retailer,” the motion to create legislation said.
The lawmakers called on the government to create legislative proposals similar to ones that were written and passed concerning ticket resale, which is often plagued by many of the same bot organizations.
According to the motion, the MPs are seeking a prohibition of “the resale of gaming consoles and computer components at prices greatly above Manufacturer’s Recommended Retail Price and furthermore this House; and further calls on the Government to bring forward legislative proposals making the resale of goods purchased using an automated bot an illegal activity, thereby denying unscrupulous vendors the chance to make themselves vast profits at the expense of genuine gamers and computer users, while also deterring fraudulent cybercriminal activity.”
For more than a month now, people across the globe have complained about their inability to get their hands on the new PlayStation 5 and other new gaming platforms due to sophisticated networks of bots that are immediately alerted about restocks. Some bot organizations have tools that allow the bot to automatically fill carts with as many devices as possible as soon as a seller restocks.
The people behind the bots then sell the devices on sites like eBay for nearly triple the price. PlayStation sells the disc version of the PS5 for $499, yet some sellers on eBay are offering it for as much as $1,899. Dozens of people selling it for more than $1,100 have sold hundreds of devices already as exasperated parents scramble to get their hands on one ahead of Christmas.
A number of bot experts, like Jason Kent of Cequence Security, said legislation was unlikely to solve the problem because it is so difficult to track the bot writers and operators.
Some retailers, he said, may not be motivated to work too hard to mitigate this threat because at the end of the day they are guaranteed to sell their inventory.
But now that there is widespread consumer dissatisfaction, particularly with the fiasco over the PS5, manufacturers are realizing that something needs to be done.
“Manufacturers have started to put real pressure on retailers to put an end to this behavior,” Kent said. “The only retailers that are succeeding—and the only way to effectively mitigate these bots—is by utilizing automated behavioral analysis to differentiate between human and bot web traffic. The retailers that are able to do that are being rewarded for their efforts.”
It is also unclear how any laws against bots would be enforced, as cybersecurity expert Melody Kaufmann noted.
The motion being proposed would cover only the UK, leaving it open to bot networks from the rest of the world.
“A more effective means might be a similarly worded international bill or several bills of this nature in markets such as the EU, Asia, and the Americas. All of which have no current restrictions,” she said. “Without multi-nation support, enforcement will be difficult across borders.”
The United States has tried its hand at rules against bots with the FTC’s 2016 “Better Online Ticket Sales Act,” which was designed to regulate secondary market ticket sales as a response to bots being used to drive up ticket prices.
But cybersecurity expert Karen Walsh said that act, as well as the UK law being proposed, were performative, calling them “a type of regulatory ‘gaming,’ if you will.”
“Ultimately, we’ve seen this fail miserably from an enforcement standpoint. In April 2018, the US Government Accountability Office reported that all suggested ways of reducing secondary market sales failed. The report, the most recent information available despite this law being four years old, specifically noted that as of February 2018, the FTC had not taken any actions,” Walsh said.
“The report also notes that industry, consumer, academic, and government stakeholders all doubted that the BOTS Act could be enforced because bots are designed specifically to evade detection.”
A recent report from USG Corporation data engineer Michael Driscoll estimated that using bots, PS5 scalpers have made $19 million in profit just from eBay since the platform’s release. Scalpers also use dozens of other sites and platforms, such as Discord, Craigslist, and Facebook Marketplace.
Many of the scalpers have become increasingly brazen, even using Facebook ads to attract others interested in scalping. Some have spoken openly in interviews about how the economic fallout of the coronavirus pandemic is what pushed them into the scalping business.
Kim DeCarlis, CMO at bot detection cybersecurity company PerimeterX, said these kinds of bots have long plagued the concert and sports ticket industry as well as the sneaker industry, becoming “an industry in and of themselves.”
“They rapidly evolve and improve, and are available for rent by aggressive scalpers who use them in what has become a constant cat-and-mouse game between the bots and the retailers. When the most sought-after items like limited edition sneakers or new gaming consoles become available online in a flash sale, two-thirds of the purchases can be made by these bots,” DeCarlis said.
She cited a recent report from Javelin Strategy & Research that showed how prevalent bots are on retail sites.
Between 60% and 70% of traffic to checkout pages is made up of malicious bots, according to the 2020 Identity Fraud Report. When it comes to retail login attempts, 40% to 80% of those are by malicious bots, and during a flash sale as much as 90% of a website’s traffic may be generated by bots waiting for the new products to begin to sell.
“Unfortunately, bots harm regular online shoppers by jacking up the prices or by preventing them from buying coveted products. They also hurt the brands that want to ensure fairness and a good online experience for their customers, and who dislike seeing their offerings go for such high prices on secondary markets,” DeCarlis said.
“Bots can also impact an e-commerce business’s infrastructure and can crash websites. It is important to note that while this action may not be fair or ethical, it is also not illegal.”
She added that in her experience, many retailers hire bot mitigation companies to proactively monitor and block sophisticated bots. But scalpers are taking advantage of the influx of online shoppers to mask their efforts amid legitimate public interest over an item like the PS5.
DeCarlis was wary of how effective legislation would be considering how quickly these bot networks are able to evolve and shift methods, noting that it was on the retailers themselves to do a better job of distinguishing between malicious bots and humans.
Jasen Meece, CEO of identity and authorization tech company Cloudentity, said that is a lot easier said than done, explaining that it is difficult for many companies to manage the sheer number of bot interactions they now deal with.
“It becomes highly complex for enterprises to manage the identities of thousands of automated bots, especially when they are interacting with APIs and services at machine speed,” Meece said, eventually agreeing that legislation like the one proposed in the UK would not work.
“While the government can help even the playing field for consumers, these regulations will ultimately fall on corporations to police this activity. Very quickly, companies will need to understand how to identify, govern, and enforce these policies at the API level on machine identities that are accessing their networks. Looking ahead to 2021, the identities of bots must be managed and protected by the enterprise, similar to employee and customer identity, so that they aren’t compromised by malicious actors,” Meece said.
Since the motion was released, 20 more MPs have come forward in support of it. But all of the lawmakers are either from the SNP or Labour Party, neither of which is in power right now, making it unlikely the legislation will get far.