Everything You Need to Know About Preventing Sneaker Bots
If you’re a sneaker retailer, you know bots are a huge problem in the $42 billion sneaker business.
According to Imperva’s 2020 Bad Bot report, over 18% of traffic to ecommerce sites comes from bad bots.
But sneakerheads know that in their world, bots dominate the game. On hyped releases, close to 100% of traffic comes from bots, according to Akamai’s director of threat research.
Limited-edition releases and high-profile collaborations generate so much demand that an entire resale industry has emerged.
Sneakers become assets, just like stocks or artwork. If you visited StockX—what the New York Times called “A Nasdaq for Sneakerheads”—you’d be forgiven for thinking you were looking at shares of Nike stock, not a resale site for Nike sneakers.
Where the money and hype are, bots follow.
An example from StockX with financial market terms like “ask”, “bid”, “ticker” and “volatility”
Bad bots are bad for business. They erode the trust sneakerheads have in your brand. They sever the connection with genuine customers who could return to buy and evangelize your brand. And they create overwhelming traffic that can crash your site, losing sales on products across the board.
But what can retailers do? How did we get here? Will legislation fix things? How do sneaker raffles remove bots from the equation? Are there other options? These are the questions we’ll deal with in this blog.
How have sneaker bots evolved?
How do sneaker bots affect your business?
Are sneaker bots illegal?
Are sneaker raffles the solution to sneaker bots?
4 strategies to beat sneaker bots & keep releases online
Sneaker bots seriously kicked off in 2012 with the release of the Air Jordan Doernbecher 9.
Nike chose to release the shoe via Twitter. Shoppers could reserve the shoe by being first to direct message (DM) the company.
Quickly, people created bots to scour Twitter’s API and DM Nike after any tweets with terms like “reserve now” or “Doernbecher”. With these bots “you could send hundreds of DMs in a tenth of a second,” says one botmaker.
Humans didn’t stand a chance.
At the same time, ecommerce platforms like Shopify appeared, making it easier to sell products online without technical expertise. With the Nike Twitter releases and increased online sneaker sales, botmakers began developing more advanced bots.
Originally, botmakers would sell their sneaker bots to shoppers who paid a premium to improve their chances of snagging sneakers. Whole sub-Reddit threads like /sneakerbots and /shoebots are dedicated to sharing knowledge on how to use bots to score a pair of kicks.
But then the botmakers realized: why sell a one-time product if they can charge a fee for every sneaker release and run the bots themselves?
And so the Add to Cart services were born. Sneakerheads go to a botmaker’s website, enter their order and payment information, and wait for the bot to do its dirty work. If successful, the sneakerhead pays a fee to the Add to Cart service for the bot-purchased sneakers.
Between the Add to Cart Services and individually run bots, the sneaker industry is currently at the point where close to 100% of traffic during sneaker drops comes from bots.
A Twitter user poses next to all his pairs after the Adidas Yeezy 350 v2 “Zebra” release in July 2017 (via Medium).
Using bots to buy and resell sneakers is a perfect example of rent-seeking behavior. That’s economist talk for profit-seeking without social value—in a word, leeching.
But sneaker bots are more than just a nuisance. When you sell a £140 pair of Travis Scott Air Jordans that middlemen then resell for 10-20 times retail price, your business loses out in several ways.
Missed connection with true customers
Many sneakerheads don’t have access to shoes at those price points. When they’re forced to buy on a secondary marketplace, your brand misses a crucial opportunity to connect with a real human customer and establish a strong, ongoing relationship. Bots don’t take part in upselling. They don’t return later to buy products from a brand they love. And they don’t evangelize your brand to friends and family.
Lost business intelligence
When fans use middlemen like Add to Cart services, it prevents you from interacting directly with the customer. You lose out on invaluable purchase activity that’s vital to business intelligence.
Flawed data for decision-making.
Sneaker bots skew the analytics you need to make informed business decisions. Fake accounts give a false impression of your customer base. And sneaker bots that hold product without buying ruin your cart abandonment metrics.
Damaged brand reputation
Then there’s just the fundamental unfairness of it all. Without using bots, people buying sneakers to actually wear them stand little to no chance of doing so. When customers feel this way, it hurts brand reputation.
As Yoav Cohen, senior VP of Product Development at Imperva, says, “Retailers aren’t technically losing profits by unintentionally selling products to malicious bots, but they are losing consumer trust.”
Just look at how Shopify is belittled as “Botify” on social media channels.
Website crashes & slowdowns
Bots and the increased traffic they generate can bring down websites altogether, making it impossible for you to sell your products.
For a sense of scale, a Supreme launch saw 986,335,133 pageviews and 1,935,195,305 purchase attempts on its servers in ONE DAY alone.
Queue-it customer SNIPES frequently attracts 100,000 sneakerheads on release days. When your website goes down, it means lost sales from other products on the website, too.
Bot activity was behind website issues that led Strangelove Skateboards and Nike to cancel their recent Valentine’s Day collaboration.
On the day of the launch, the company said via Instagram that “raging botbarians at the gate broke in the back door and created a monumental mess for us this evening”. “Circumstances spun way, way out of control in the span of just two short minutes,” they wrote.
Bots crashed the site, forcing the sneaker drop offline.
At least in the U.S., the answer is no. While using automated bots to buy goods online often violates the retailer’s terms and conditions, there are no laws against it at the current time for sneakers.
The U.S. BOTS Act of 2016 made it illegal to buy tickets with bots by evading security measures and breaking purchasing rules set up by the ticket issuer. U.S. politicians introduced the Stopping Grinch Bots Act of 2018, which would broaden the scope to all products or services sold on the internet, shoes included. But the bill died in Congress.
And even if passed, the BOTS Act has highlighted the difference between legislation and enforcement. Just because a law is on the books doesn’t mean it’s followed. Strong enforcement is necessary to curb illegal behavior. The Federal Trade Commission—the agency tasked with enforcing the law—couldn’t comment on any instances of enforcement in the year after the BOTS Act’s passage.
Sneaker retailers could sue botmakers for damages for violating their terms of service. But a 2017 Wired article claimed that, until that point, no sneaker or clothing company had done so.
Given the game of whack-a-mole that would likely ensue when going after shady, often international, bot companies, you can’t really blame retailers.
If you’re a retailer who cares about maintaining fairness, you’re forced to step up your sneaker bot prevention game.
Faced with hordes of raging botbarians, several sneaker retailers decided to take the process offline by holding sneaker raffles.
What is a sneaker raffle?
In a sneaker raffle, shoppers enter a contest to win the right to buy a pair of sneakers. Sneaker raffles operate differently from a fundraising raffle, where people pay to enter the contest and, if someone’s entry is chosen, he or she wins the prize for free.
To run a sneaker raffle, a retailer collects all entries, either in-person or electronically. Then they choose one or several entries at random to decide who gets to buy the sneakers within a timeframe.
Most raffles require pickup at an in-person location, though some will ship the winners their shoes without in-person verification.
What are the benefits of a sneaker raffle?
Bots only operate online, so taking the raffle offline is effective in removing them from the sneaker equation.
In recent years, several large retailers like Nike and Foot Locker have moved the raffle entry system online to their apps, which opens the chance for bots to manipulate the entry process.
Sneaker raffles are primarily effective because they tie the purchase to something in the physical world. The raffle winners need to show up in person and show a form of ID, like a credit card or driver’s license. This erects a huge barrier for resellers who operate on getting as much inventory as possible.
Finally, sneaker raffles helped avoid the heated tensions that came with the long store lines. There are many documented cases of releases turning violent and requiring police intervention, which a raffle can help prevent.
What are the drawbacks of a sneaker raffle?
Sneaker raffles take the process fully or partially offline in an attempt to beat sneaker bots, but not without consequences.
Eliminates first-come, first-served process
First-come, first-served is the gold standard for a fair purchase process.
For the sneakerhead community, where being on top of the latest trends, drops, and collaborations is a point of pride, it can be immensely frustrating to feel everything is left up to chance.
Sneakerheads have no control over whether they get the shoe. And the amount of L’s (coming up empty-handed) among raffle entrants can be staggering.
Also, raffles can still benefit resellers who aren’t interested in wearing the shoes themselves. They can easily enter every raffle possible, stacking the odds in their favor and letting them continue to flip kicks for a profit.
Open to multiple entries
Raffles are also prone to allowing multiple entries, decreasing their fairness. For in-person raffles, sneakerheads often bring several friends or family members to enter the drawing, increasing their chances. For online raffles, YouTube videos show how bots let shoppers create multiple accounts across many countries to improve their odds.
Removes marketing hype
Because raffles involve a delay between entering and winning (or more likely losing), they end up deflating the hype that a popular online launch can generate.
Is not transparent
How raffle winners are selected is not at all transparent. It conjures up images of store managers picking the names of their friends out of a hat, or shoppers bribing store managers to pick their name.
Customers don’t have insight into what’s going on, or how the raffle is run. Because raffles lack transparency, they score low on perceived fairness.
Limits to physical locations
Bringing the sneaker retail online equalized access to the market.
The hottest releases were no longer limited to sneakerheads living in metropolitan areas like New York or Los Angeles. A kid in rural Nebraska had the same chance to buy a pair of limited-edition kicks as someone in Manhattan.
With raffles that require in-store pickup, however, many sneakerheads in rural and suburban areas are unfairly left out.
Strategies to beat sneaker bots & keep releases online
If done well, you can run transparent, first-come-first-served sneaker releases that let you serve a wide audience of sneakerheads and harness the marketing hype.
But beating sneaker bots isn’t easy.
There’s plenty of money to be made in sneaker resale. So botmakers and operators will keep plowing money into the arms race against retailers.
You need to change the economics of bot attacks. That means targeting each attack vector and increasing bot operators’ costs to beat your protections.
An especially effective strategy involves tying the online purchase to something in the physical world, like a driver’s license or membership ID.
Here’s what you should investigate if you’re serious about preventing sneaker bots:
Monitoring is key because behavior will let you tell real sneakerheads from bad bots.
For example, if there’s a high concentration of visitors using the same IP address, it’s a red flag that bots are at play.
At Queue-it, we’ve found over 50% of the bots blocked by our virtual waiting room’s abuse and bot protection emanate from the same IP address. The bots are trying to simulate real users on a massive scale. But getting unique IP addresses is an additional step that not all bot operators take.
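The same-IP check described above, sketched over a constructed request log. This is an added example, not Queue-it's code; the thresholds, field layout and function names are assumptions. It counts distinct sessions per IP rather than raw requests, so one shopper refreshing the page does not look like a crowd.

```python
from collections import defaultdict


def build_sample():
    """Constructed sample log: (seconds since drop, client IP, session id)."""
    reqs = []
    # One address opening 40 separate sessions in the first minute.
    for i in range(40):
        reqs.append((i, "203.0.113.7", f"bot-{i}"))
    # Twelve shoppers, each on their own address.
    for i in range(12):
        reqs.append((5 + 4 * i, f"192.0.2.{10 + i}", f"user-{i}"))
    # Three people behind one shared home or office address.
    for i in range(3):
        reqs.append((20 + i, "198.51.100.20", f"home-{i}"))
    # A repeat request from an existing session must not inflate counts.
    reqs.append((30, "192.0.2.10", "user-0"))
    # A quiet second minute with four new shoppers.
    for i in range(4):
        reqs.append((70 + i, f"192.0.2.{50 + i}", f"late-{i}"))
    return reqs


def flag_concentrated_ips(requests, window_s=60, min_sessions=5,
                          min_share=0.2):
    """Flag IPs holding many distinct sessions within one time window.

    An IP is flagged only if it has at least `min_sessions` sessions AND
    at least `min_share` of all sessions in that window. The two
    thresholds together keep small shared networks from being flagged.
    Both values are assumptions to tune against your own traffic.
    """
    per_window = defaultdict(lambda: defaultdict(set))
    for ts, ip, session in requests:
        per_window[int(ts // window_s)][ip].add(session)

    findings = []
    for win in sorted(per_window):
        by_ip = per_window[win]
        total = sum(len(sessions) for sessions in by_ip.values())
        for ip, sessions in sorted(by_ip.items()):
            share = len(sessions) / total
            if len(sessions) >= min_sessions and share >= min_share:
                findings.append({
                    "window_start": win * window_s,
                    "ip": ip,
                    "sessions": len(sessions),
                    "share": round(share, 2),
                })
    return findings


if __name__ == "__main__":
    for finding in flag_concentrated_ips(build_sample()):
        print(finding)
```

A flag here is a signal to challenge or deprioritize, not proof of automation: large shared networks can legitimately put many shoppers behind one address.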
Preventing account creation & takeover
When bot operators try to buy many pairs of sneakers, they need several accounts for the purchases.
On account creation, bot mitigation tools like Akamai, Imperva, and PerimeterX validate biometric data like mouse movements, mobile swipe, and accelerometer data to distinguish bots from real users, and then feed that data into machine learning algorithms. You can also block or enforce Google’s reCAPTCHA on traffic from known bot hosting providers and outdated browsers typically used to run bots.
Managing traffic during the sale
Bots enjoy a speed and volume advantage. They use their speed advantage to blow by human users and their volume advantage to circumvent per-customer purchase limits. When the sneakers drop, you need to target the speed and volume advantages simultaneously.
A tool like a virtual waiting room can help neutralize both. Bots that arrive before the sale starts are placed in a pre-queue together with legitimate users. When the event launches, everyone in the pre-queue is randomized. This eliminates any advantage in arriving early or hitting the web page milliseconds after the start of the sale.
Retailers can require visitors to enter known data, such as a membership number, email address, or driver’s license ID to enter the virtual waiting room. Combining known data makes impersonating real users exceptionally expensive and complex. This makes it a powerful tool to combat bots’ volume advantage.
Virtual waiting rooms create a highly transparent online experience by giving detailed information on place in line and estimated waiting time.
And a virtual waiting room has the added benefit of giving you full control over traffic inflow so demand doesn’t crash your site. This can happen from human shoppers alone, but bot traffic only makes it worse. Placing visitors in a first-in, first-out online queue off your infrastructure keeps your website performing its best when you need it most.
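A simplified model of the pre-queue randomization and known-data entry described above, as an added example. It is not Queue-it's implementation; the class, the `member_id` values and the simulation numbers are hypothetical, and `member_id` is assumed to be validated against the retailer's records before it reaches this code.

```python
import random


class WaitingRoom:
    """Pre-queue is shuffled once at launch; later arrivals are FIFO."""

    def __init__(self, launch_ts, rng=None):
        self.launch_ts = launch_ts
        # SystemRandom by default so the shuffle cannot be predicted;
        # a seeded Random is passed in below only to make runs repeatable.
        self.rng = rng or random.SystemRandom()
        self.pre_queue = []   # arrivals before launch, in arrival order
        self.line = None      # final order, fixed when the sale opens
        self.seen = set()     # one place in line per known identity

    def join(self, ts, member_id):
        """Return True if a place was granted, False for a duplicate."""
        if member_id in self.seen:
            return False      # extra sessions on the same ID gain nothing
        self.seen.add(member_id)
        if ts < self.launch_ts and self.line is None:
            self.pre_queue.append(member_id)
        else:
            self.open()
            self.line.append(member_id)   # first in, first out
        return True

    def open(self):
        """Randomize everyone who arrived early, exactly once."""
        if self.line is None:
            self.line = list(self.pre_queue)
            self.rng.shuffle(self.line)
        return self.line


def simulate_drop(seed, humans=98, bot_sessions=50,
                  bot_ids=("M-BOT-1", "M-BOT-2")):
    """Constructed scenario: a bot arrives first with many sessions."""
    room = WaitingRoom(launch_ts=0, rng=random.Random(seed))
    bot_places = 0
    for s in range(bot_sessions):          # 50 sessions, only 2 identities
        bot_places += room.join(-600, bot_ids[s % len(bot_ids)])
    for i in range(humans):                # shoppers arrive minutes later
        room.join(-300 + i, f"M-{i:04d}")
    for i in range(3):                     # arrivals after the sale opened
        room.join(1 + i, f"M-LATE-{i}")
    return room.open(), bot_places


def mean_position_of_first_arrival(trials=2000):
    """Average place in line of the earliest arrival across many drops."""
    total = 0
    for seed in range(trials):
        line, _ = simulate_drop(seed)
        total += line.index("M-BOT-1")
    return total / trials


if __name__ == "__main__":
    line, places = simulate_drop(seed=1)
    print("bot places granted:", places, "of 50 sessions")
    print("mean position of earliest arrival:",
          mean_position_of_first_arrival())
```

With 100 identities in the pre-queue, the earliest arrival lands near the middle of the line on average, and 50 bot sessions collapse to the two places their identities allow.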
Stop the sneaker bots & bring back fairness to sneaker drops
Many sneakerheads relate to the below Twitter user when he wrote:
Sneakerheads feel like they need a bot to have any shot at copping sneakers on the primary market.
And they’re not wrong.
Bots provide the fuel for the secondary market and their sky-high prices. All this has understandably strained retailers’ and brands’ relationships with their real customers.
At Queue-it, we believe it’s possible to keep sneaker releases in the 21st century while ensuring shoes get in the hands of true sneakerheads.
Online sneaker sales have many advantages compared with in-store or raffle sales—but only if bots are under control.
Unfortunately, legislation isn’t likely to help any time soon.
So to keep the bots truly at bay, you need a best-in-breed, combined bot mitigation solution. Crafting a tailored strategy to mitigate unique attack vectors before, during, and after the sneaker drops gives you the best chance of achieving successful, bot-free sneaker sales.
Are Bots Legal? – McCarthy Garber Law
November 30, 2020 / November 19, 2020
Bots are perfectly legal. Unless, of course, they’re programmed or designed to do illegal things.
To paraphrase legal scholars Mark Lemley and Bryan Casey, well-drafted laws prohibit verbs, not nouns. There are millions of ways that you could code or program an automated system that generates almost no legal risk whatsoever. And there are plenty of ways that someone who codes an automated system could get into legal trouble.
A Roomba that goes around your house cleaning up pet hair is totally fine. A Roomba that is souped up with razor blades that goes around chopping away at people’s lower extremities is not.
There is only one law in the United States that is targeted specifically at bots, and that is California’s B.O.T. (“Bolstering Online Transparency”) Act. What that law says is that it is illegal for a person or entity to use a bot to communicate or interact online with a person in California to incentivize a sale or transaction of goods or services or to influence a vote in an election without disclosing that the communication is via a bot.
It only applies to public-facing websites that have a presence in California and that have at least 10 million monthly U.S. visitors or users.
Other than that, bots (and the people and entities who code them) are generally governed by the same laws that govern people. Of course, some laws tend to apply to bots more often than others. For instance, bots have been subject to breach of contract laws, the Computer Fraud and Abuse Act, and the Digital Millennium Copyright Act when allegedly being used to buy huge amounts of concert tickets in advance of human buyers. Ticketmaster LLC v. Prestige Entertainment, Inc., Dist. Court, C.D. Cal. 2018. They’ve been sued for breach of contract, trademark infringement, trespass to chattels, and fraud for allegedly manipulating viewer counts of offensive videos on Twitch. Twitch Interactive v. Does (N. 2019). And they’ve been sued for fraud and breach of contract for allegedly mimicking fake users (specifically, female users) on the Ashley Madison website in order to induce actual (mostly male) users to make purchases. In Re Ashley Madison Customer Data Security Breach Litigation (E. Mo. 2016).
In essence, if a person could get in trouble for certain behavior, there’s a good chance a bot (and the people and entities who code it) could get into trouble for it, too.
If you have any more questions, you should get in touch with a law firm that has expertise in the Computer Fraud and Abuse Act, trademark infringement, and the law of trespass to chattels.
FTC’s first BOTS Act cases: Just the ticket to help protect …
By: Lesley Fair | Jan 22, 2021 12:09PM
Remember live music? Remember the thrill of enjoying a performance or sporting event with a packed house of fans? As we look forward to a return to in-person entertainment, it’s easy to forget the frustration of trying to buy tickets as soon as online sales opened only to be shut out by companies that used tricks to grab them up and sell them at much higher prices. That’s the conduct Congress intended to stop with the passage of the Better Online Ticket Sales (BOTS) Act. The FTC just settled its first cases against defendants charged with violating the statute.
The BOTS Act gave consumers a national defense against ticket bots – software that could buy up big blocks of tickets faster than mere mortals could type and click in an effort to score two on the aisle. To ensure that consumers had equitable access to tickets, Congress made it illegal to “circumvent a security measure, access control system, or other technological control or measure on an Internet website or online service that is used by the ticket issuer to enforce posted event ticket purchasing limits or to maintain the integrity of posted online ticket purchasing order rules.” The law applies to public concerts, theater performances, sporting events, and similar entertainment at venues that seat more than 200.
The FTC cases name New York-based defendants Concert Specials and owner Steven Ebrani, Cartisim and owner Simon Ebrani, and Just in Time Tickets and owner Evan Kohanian. You’ll want to read the complaints for the specifics, but at various times since the BOTS Act has been on the books, the defendants bought tens of thousands of tickets from Ticketmaster’s websites and then resold them, raking in big profits. Despite security measures Ticketmaster implemented to limit how many tickets a person could buy and to enforce its posted online sales rules, the FTC says the defendants illegally used ticket bots to circumvent the system and covered their tracks with other illegal tactics.
For example, the complaints allege the defendants used various bots that would automatically reserve any tickets that fit their search criteria, effectively blocking anyone else from buying the tickets at least until the reservation clock expired. The bot also would bypass any of those CAPTCHAs designed to make sure the buyer is a real person. (Factoid for the day: CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart.” OK – there are some extra Ts in there, but we won’t quibble.) By using bots, the defendants were able to buy multiple tickets across multiple Ticketmaster accounts within seconds, effectively freezing out consumers who honored the rules.
To evade detection, the defendants allegedly used thousands of different IP addresses, as well as hundreds of fictitious names and addresses and hundreds of different credit card accounts. Put it all together and the complaint charges the defendants with violating both the BOTS Act and the FTC Act.
Among other things, the proposed orders require that when buying event tickets, the defendants must stop using bots, CAPTCHA bypass services, fictitious identities, multiple IP addresses simultaneously on a single device, and credit cards in the names of anyone other than themselves or their employees. In addition, the order against Concert Specials and owner Steven Ebrani imposes a $16 million civil penalty that will be suspended upon the payment of $1.565 million. The order against Cartisim and Simon Ebrani imposes a $4.4 million judgment, suspended upon the payment of $499,147. Just in Time Tickets will pay $1.642 million with the rest of the $11.2 million judgment suspended. All three judgments were partially suspended based on the defendants’ ability to pay.
If you have clients in the ticket industry, hold on to these compliance stubs for future reference.
Violating the BOTS Act can earn you a one-way ticket to law enforcement. It doesn’t matter how the defendants do it. It’s the act of circumventing “a security measure, access control system, or other technological control or measure… the ticket seller has put in place” that violates the BOTS Act. That means ticket purchasers who evade ticket limits by using fictitious identities, multiple credit cards, or multiple spoofed IP addresses on the same device are in violation of the BOTS Act, even if they don’t use ticket bots. Furthermore, as these cases demonstrate, BOTS Act violations may result in corporate and individual liability.
Serial violations are looked upon with disfavor. Before the enactment of the BOTS Act, the defendants all had signed Assurances of Discontinuance with the New York Attorney General relating to, among other things, their use of ticket bots. Encores are great for performers, but in this context, we call it recidivism. By the way, the FTC and the State Attorneys General share enforcement authority under the BOTS Act.
The BOTS Act covers “double features.” The BOTS Act addresses more than just using bots to circumvent sellers’ security systems. Although not alleged in the cases the FTC just brought, the BOTS Act makes it illegal to sell tickets obtained in violation of the statute if the seller participated in the illegal purchase or knew or should have known the tickets were acquired in violation of the law.