Concert Ticket Retailer AXS Collects Personally Identifiable Data Through Its App, Which is Mandatory To Download, and Sells It To 3rd Party Without Anonymizing

AXS, a digital marketplace operated by Anschutz Entertainment Group (AEG), is the second largest presenter of live events in the world after Live Nation Entertainment (i.e. Ticketmaster). Paris Martineau of The Outline reports that the company forces customers to download a predatory app which goes on to snatch up a range of personally identifiable data and sells it to a range of companies, including Facebook and Google, without ever anonymizing or aggregating them. From the report: The company requires users to download an app to use any ticket for a concert, game, or show bought through AXS, and it doesn't come cheap. AXS uses a system called Flash Seats, which relies on a dynamically generated barcode system (read: screenshotting doesn't work) to fight off ticket scalping and reselling. [...] Here's a brief overview of all of the information that can be collected from just the mobile app alone, nearly all of which is shared with third parties without being anonymized or aggregated: first and last name, precise location (as determined by GPS, WiFi, and other means), how often the app is used, what content is viewed using the app, which ads are clicked, what purchases are made (and not made), a user's personal advertising identifier, IP address, operating system, device make and model, billing address, credit card number, security code, mailing address, phone number, and email address, among many others. [...] AXS also shares the personal data collected on its customers with event promoters and other clients, none of whom are bound even by this (extremely lax) privacy policy.

Credit card #?

[b0s0z0ku]

Name, credit card #, CVN, and EXP? Can't wait till they're on the hook for a massive credit card fraud spree -- should be fun to watch them get sued into bankruptcy.

Re:Credit card #?

Yeah, just like Equifax was!

Oh, wait.

Re:Credit card #?

[b0s0z0ku]

Regardless, that's probably against the card companies' TOS. Can't wait for the firm to be hammered with lawsuits.

Re:Credit card #?

[DarkRookie]

Cmon. The Arctic Monkeys arent that bad.

Re:Credit card #?

Hahahahaha, you must be new here. Look at Equifax.

Can anyone point to ANY consequences they faced after their massive incompetence?

Re:Credit card #?

[originalGMC]

Nobody is forcing them to download anyhting. If you don't want the app then don't pay rip-off fees to go see some talentless shit-heel sing and dance.

It's this kind of shithead mentality that makes me proud to be an american.

Re:Credit card #?

[Luthair]

Its surprising they don't run a fowl of credit card processing agreements.

Re:Credit card #?

[Luthair]

Do they proactively disclose it upfront? Or do they bury this in the EULA?

I've said this before on similar topics, we need laws around the reasonable expectations of the average user. The normal expectations of buying a concert ticket do not include being doxxed.

Re:Credit card #?

"should be fun to watch them get sued into bankruptcy."

Cause that worked out so well for Experian.

Re:Credit card #?

Cmon. The Arctic Monkeys arent that bad.

Is that the new Firefox rebranding?

Re:Credit card #?

[CrimsonAvenger]

Its surprising they don't run a fowl of credit card processing agreements.

A CHICKEN??? Really?

Re:Credit card #?

The credit card companies are likely not going to do a single thing. They were not hacked, and people agreed to the ToS, which is a contract that holds up in court (stuff people learn in first semester law school.)

Nothing bad is going to happen. At worst, they might put out a blurb of being "privacy focused", with nothing else changing.

Anyway, if something bad did happen, like all the info being divulged, the CxOs likely will short the stock, make the announcement that the company is toast, and go order some new yachts to celebrate their optimized synergies.

Re:Credit card #?

[sconeu]

If you have season tickets to various sports teams, you have to use the f***ing app.

Re:Credit card #?

[Khyber]

The credit card companies will absolutely do something. That this info is easily identified means it's not protected or encrypted, which runs afoul of a slew of PCI-DSS compliance rules. The credit companies will stop anything of this size from happening. They do not want the fraud hit.

Re:Credit card #?

Much more likely a vulture. Or perhaps a buzzard. Whatever sort of fowl it might be in particular, you may rest assured that it is definitely some sort of carrion-eater in general.

Re:Credit card #?

[WolfWalker545]

In this post, we see someone that has never had to go through a PCI audit or training.

Re:Credit card #?

[DarkRookie]

It did
Where have you seen any kind of fitting punishment for Experian.
Nothing but a couple of slaps on the wrist.
Where is the $3.7 trillion fine they deserved.

148000000 records times $25000 per record lost (since it was cause they didn't patch something. If it was something else, I would lower the fine amount.)

Re:Credit card #?

[Penguinisto]

...what sibling said - PCI is a mofo of a standard if you go about violating it, and yet still expect to have any payment processors even think of coming near you.

Re:Credit card #?

[originalGMC]

I have tickets to the local soccer team. They tried to get us to use the seat geek app (highly data collection / data leaking / full of adverts) so we asked and they printed us some plastic credit card looking things. Just have to ask is all.

Re:Credit card #?

[easyTree]

Lots of free press?

Re:Credit card #?

[easyTree]

Only individuals feel consequences of their actions.

Regulate the SOBs

It's long past time to regulate this data collection worldwide and put a stop to this "wild west" of privacy invasion. It's absolutely sickening.

Re:Regulate the SOBs

[Alain+Williams]

This is the sort of thing that the EU's GDPR is supposed to address. Hopefully it will provide a model for other jurisdictions, I think that California's Privacy Bill is along the same lines.

The other thing that we badly need are devices that let us lie to apps; show them the profile that we want them to know. It should also be illegal for apps to refuse to work if they detect that they are being lied to.

stoopit

[AndyKron]

Who the hell would download an app to buy a ticket?

Re:stoopit

[DarkRookie]

Most Americans at the least.

Re:stoopit

According to the article, the notice that you MUST install the app came AFTER they have your money.

Re:stoopit

[Opportunist]

Make it so that you save 1 dollar on a 150 dollar ticket and EVERYONE will.

Re:stoopit

[jetkust]

Who the hell would download an app to buy a ticket?

Someone who is told they must download an app to buy a ticket. But that isn't even what has happened here. They were told they have to download an app and create an account after already buying the ticket.

Re:stoopit

[crow]

So what if (like my wife) you don't have a smart phone?

Re: stoopit

[Tomahawk]

I was thinking the same. The argument is probably that a high enough percentage of people have them that they don't care about the others, and would likely just refund you the money and tell you you can't go. It would piss off those few people, but it's a small enough number that they would reckon it doesn't little to no harm to their business.

Unfortunately.

Re:stoopit

[whoever57]

They were told they have to download an app and create an account after already buying the ticket.

Their terms of purchase make no mention of the app, so this looks like AXS is breaking their contracts.

Re:stoopit

[originalGMC]

most venues in seattle don't charge the ridiculous fees if you show up in person to box office hours. Also I've bought tickets from this company before and never downloaded the app. They did tell me I had to download the app though, which I ignored. The tickets were emailed to me like immediately.

Re:stoopit

So what if (like my wife) you don't have a smart phone?

I frequently ask the same question, since like your wife, I don't have a smart phone either.

I can't tell you how often some helpful idiot of a cashier or whatever tries to direct me to their app .. sorry, no, don't have apps, don't want apps. What's that? You can't answer my question but you're sure the company app can help? Nope, sorry, I'm simply going somewhere else.

Fucking apps. Everything is a goddamned app. And every fucking one of them primarily exists to scrape your personal information and sell it. At this point, I think it's safe to conclude that all apps are written by incompetent morons on behalf of greedy assholes, so why would I trust anybody's app?

Sorry, no, I'm not playing that game.

Let me know when we've reached peak app, and I can stop hearing about it.

Re:stoopit

Wish I had mod points, but alas, as an anonymous coward, I do not. But your appraisal of the whole app thing is just spot on. Dead center. Peak app, indeed. Fuckem. Fuckemall.

Re:stoopit

They got me that way. I got tickets for my girlfriends birthday, only to find out there was no way to print them out, and you had to have the app. I didn't cave because of the show itself, but I did cave because I had already purchased them and gifted them.

Re:stoopit

Peak app, indeed. Fuckem. Fuckemall.

What's email got to do with this?

Re:stoopit

[squiggleslash]

Even better, make the ticket $150, but add a $15 "convenience fee" for using the app. Then pretty much everyone will get the app.

No, I'm not joking. You know full well it's true.

Re:stoopit

[Anonymous+Brave+Guy]

Everything is a goddamned app. And every fucking one of them primarily exists to scrape your personal information and sell it.

Mobile apps seem to be a two-sided race to the bottom. Users think anything, no matter how complicated or how much work is required to create it, should be a $2 app. Consequently, people with something serious to offer struggle to do it at a viable price point through mobile apps. There are some useful free apps provided in conjunction with something else: some exhibitions have really good tour guides as mobile apps now, for example, and there are some helpful journey planners and the like provided by governments and transport services. There are a very few decent apps that are relatively cheap to produce and mass-market, so they can afford margins measured in cents and make it up on volume. And then the other 95% is dominated by cheap, exploitative junk.

Re:stoopit

[easyTree]

Fucking apps. Everything is a goddamned app.

You should write a letter listing your concerns.

Here's a link to the Complaint Letter app.

Re:stoopit

[thegarbz]

Who the hell would download an app to buy a ticket?

Someone wanting to go to a concert? Installing an app is a frigging low bar for people these days.

Congratulations breaking it

A technological fix that turns out to be much worse than the ailment.

Go progress!

Reselling tickets

[110010001000]

Companies hate reselling tickets because it blows holes in the demand/price relationship. You can see that for some events the tickets are priced much too high. For instance baseball tickets when resold can go for as low as $5 (or aren't sold at all), because the demand really isn't there.

Re:Reselling tickets

[Anonymous+Brave+Guy]

There are some more legitimate grounds for trying to limit the resale market as well. Some high profile artists have been really cracking down on this in the UK recently, because it had reached the point where automated bots were just buying up all the tickets to gigs within moments of them becoming available and then the tickets were being sold on almost immediately but at much-inflated prices on the second hand market.

Re: Reselling tickets

This doesn't help with that to can buy a new low end unlocked phone for well under $50, so the scalpers can simply pass the bucket of ten year old android used phones and treat that as if it were the physical ticket.

WTF

[darkain]

Try reading the actual article. I couldn't muster the entire thing because the amount of asinine bullshit in it. It really reads as through the guy just read through the TOS for AXS app, and didn't understand half of it, and so made false conclusions based on piecing unrelated parts together.

Can the app collect your credit card number? Of course, it is a commerce app for purchasing tickets.

Can the app share information to Facebook? Of course, what app DOESNT have a "SHARE THAT I'M AT THIS CONCERT RIGHT NOW" feature.

Are these two features directly linked? Of fucking course not. But both exist in the same TOS, therefor the article writer is making false conclusions based on their own idiotic click-baitery sensationalistic bullshit.

Re:WTF

Of fucking course not. But both exist in the same TOS, therefor the article writer is making false conclusions based on their own idiotic click-baitery sensationalistic bullshit.

Well, you are free to refute what he said, but since you've basically said nothing but "yarg, I disagree" ... I'm going to conclude you've made your own false conclusions based on your own form of idiotic bullshit.

Re:WTF

[originalGMC]

Dude, why would anyone READ an ARTICLE? Too many ads anyways, can't tell what's an article and what's not anymore. Just stick to the headlines. lulz

Re:WTF

[Registered+Coward+v2]

Try reading the actual article. I couldn't muster the entire thing because the amount of asinine bullshit in it. It really reads as through the guy just read through the TOS for AXS app, and didn't understand half of it, and so made false conclusions based on piecing unrelated parts together.

I would agree. Going to the AXS website shows you can still do the email ticket to print at home, will call, or "Download the app and no more worries about losing a ticket or realizing you left the ticket at home the moment you arrived at the venue. " I'm guessing the writer assumed the app was the only way to get a ticket, didn't bother to check the AXS website, and then went off on the rant.

Re:WTF

[MiniMike]

I'm still going to be outraged that this app will post my location to Facebook without encrypting it.

Re:WTF

Try reading the actual article. I couldn't muster the entire thing because the amount of asinine bullshit in it. It really reads as through the guy just read through the TOS for AXS app, and didn't understand half of it, and so made false conclusions based on piecing unrelated parts together.

I would agree. Going to the AXS website shows you can still do the email ticket to print at home, will call, or "Download the app and no more worries about losing a ticket or realizing you left the ticket at home the moment you arrived at the venue. " I'm guessing the writer assumed the app was the only way to get a ticket, didn't bother to check the AXS website, and then went off on the rant.

I bought tickets for a show this upcoming weekend through AXS. Indeed, during the transaction, snail-mail and will-call are shown as alternatives to downloading the app. However, there was a $20 PER TICKET delivery fee for all options other than using the app. That's correct, a $20 delivery fee.... for will-call!

I intend to install the app on an old iPod Touch with no personal data on it, then completely disconnect it from the internet and uninstall it the moment I'm inside the venue.

I have to ask

[Opportunist]

Is that app available in the EU, too?

Re: I have to ask

[Tomahawk]

I doubt it. The GDPR would protect from most of what oc is saying about it, or would fine the company to the ground. GDPR violations are based on turnover, not profit. So if a ticket seeks for â100 plus â2.50 handling, the fine is based on â102.50, even though â100 is going to the concert venue.
There are lots of provision in the GDPR as to what you can collect (typically data that you must have in order to do business with the customer, and no personal data, like religious view, sexual orientation, etc), who that data can be shared with, under what terms the data can be shared (is. Compatible terms to your own T&Cs), etc etc. It's quite strict and comprehensive.

Re: I have to ask

[Registered+Coward+v2]

I doubt it. The GDPR would protect from most of what oc is saying about it, or would fine the company to the ground. GDPR violations are based on turnover, not profit. So if a ticket seeks for â100 plus â2.50 handling, the fine is based on â102.50, even though â100 is going to the concert venue.

I wonder if they block purchases based on IP addresses. An EU citizen could install the app on a visit to the US, use it in the EU to buy a ticket if they don't block via IP address (or using a VPN if they do); thereby potentially opening them up to a GDRP complaint.

Re: I have to ask

[sajavete]

https://www.gdpreu.org/complia... Actually, the GDPR sets fines to as high as 2-4% of the violating company's annual revenue or €10-20B (whichever is higher :)), not just one transaction. Basically it means that: "if you mess with our people's rights, we will bury you in the smoking ruins of your HQ"

Re: I have to ask

[Opportunist]

Hold my beer, gotta check when the next flight to the US takes off.

No more concerts

I don't buy tickets for concerts anymore. Ticket companies are to blame. I'll buy from Bandcamp.

4 letters

[Tomahawk]

GDPR

It's because of stuff like this that the GDPR was put in place in the EU. The rest of the world really should follow suit.

https://en.m.wikipedia.org/wik...

Re:4 letters

No- you should stop using companies that fuck you over. The GDPR is evil and I had to revamp our operations and now those in Europe can't easily get a hold of products from my company and given we're selling a niche item there is *NO OPTION* and the goal of my company is explicitly to give people an ability to gain privacy (so yea- it's humorous that a law supposed to enhance privacy actually undermines it for those who genuinely care and aren't just sheeple using shitty products and services).

I don't use Microsoft, Apple, Sony, Dell, Toshiba, Lenovo, System76, Adobe, Google (except search sometimes), Stock Android, Gmail or any other Google product(s) outside of search, Yahoo!, Amazon (directly anyway), Uber & Lyft (directly anyway), Facebook, MySpace (when it was like a thing), Comcast, and numerous other companies and products for which I don't like. The moral of the story is don't use the products and services of evil companies if you don't want them to abuse you (or others for that matter). A free market enables choices and it's up to you to pick the ones that suits you. Places where we don't have a free market (internet) because of shitty government laws (passing in the 1980s and prior largely) I'm totally willing to undermine with more shitty legislation (net neutrality) to whatever degree I can (even though net neutrality is a shitty answer to shitty regulations that created the problem in the first place I don't exactly see any good way to fix the problem, but certainly opening up the market by tearing down the legislation that gives these companies a monopoly and inhibits competition would be a good start- and somehow forcing the companies that have a monopoly to load funds to those who want to enter the market in such a way to enable an even playing field might be workable).

The real issues generally come down to government interfering in the free market and mandating privacy invasive laws. From drivers licenses and license plates to laws thrusting individuals to provide identity documents to open bank accounts, post office boxes, or purchase property. I don't have a choice in whether or not I want a government, but to the extent I have a choice of which government(s) I do. And I have picked New Hampshire because New Hampshire is one of the few states with a government and population that is less abusive and because there are more and more freedom-minded people migrating to the state as part of the Free State Project and Shire Society for the purpose of bringing about freedom. I didn't say restore our freedom because we never really had it. Though things have certainly gotten a lot worse in this area over hundreds of years. Certainly we didn't have drivers licenses or license plates and even in the 1960s there wasn't any tests to get a drivers license because safety wasn't the real objective of drivers license. It was control and discrimination by those who disliked motor vehicles prior to them taking off.

Forced?

[sinij]

I recently went to a show, and while many people used apps to show bar codes, printed version that I presented worked just as well.

Re:Forced?

[thegarbz]

AXS uses Flash Seats to control entry. The barcode is dynamically generated right when you go to the concert. There's no printed version of anything, no screenshotting, no sharing, nothing.

No App, No concert.

Re:Forced?

[sinij]

I understand you are tied to your smartphone, but ticket booths and paper tickets still exist. Give up some of the convenience of booking online and this issue completely goes away. You just need to get off your ass and find physical location. I yet to go to a concert, show, or talk that would not accept some form of a paper ticket.

Re:Forced?

[thegarbz]

I understand you are tied to your smartphone, but ticket booths and paper tickets still exist. Give up some of the convenience of booking online

Lol what are you watching, some small local musician no one has ever heard of? In all seriousness though there's a large number of shows these days that never make it to any ticket office. A small group are reserved for registered fan clubs, some for competitions, and the rest will sell out within minutes online. Ticket offices just aren't a thing for many events.

All of that is also beside the point. At no point during the ticket purchase was the app required for this. The app requirement came *after* the ticket was purchased, even by people who've never heard or used the app. Your local office doesn't help you there, thought it would give you the opportunity to vent your disagreement with a person in front of you when they tell you their (IMO) idiotic policy.

Re:Forced?

This probably won't be seen, but I've had no trouble getting them to send me paper tickets that work just fine.

App is not mandatory.

I've used ASX plenty of times to buy concert tickets and the app is not mandatory. I don't have it installed on my phone. All you need is the credit card used to purchase the tickets to present at the venue. As far as selling my info goes, well that's a different matter.

Re:App is not mandatory.

For the show I bought tickets to a few days ago, any ticket delivery option other than their app is subject to a $20 per ticket "delivery charge." Even will-call or print-at-home.

So the app IS mandatory unless you don't mind paying additional, exorbitant fees.

sheeple

Wow

AEG = Philip Anschutz

Wikipedia page is here. He's a Christian conservative, worth over $12B, and owns a multitude of businesses in a variety of different industries.

Re:AEG = Philip Anschutz

What's your point?

Re:AEG = Philip Anschutz

If he's worth $12B he may be a conservative, but he's sure as hell not a fucking Christian. Jesus would eat him for dinner.

luddite solution

Makes me want to get a flip phone and order a ticket.

Wrong bird

[bagofbeans]

Not a chicken, they'll parrot the usual excuses and nobody in management is touched. Possibly a cost of doing business fine, less than the cost of doing security properly

nope

Any business that requires a smart phone app doesn't get my business. Not entirely for myself, but because not everyone has or can afford a smart phone. There should be alternative ways to buy things or secure coupons. Also, it's best to keep your personal communications device free of vendor apps, they are just scraping your phone and require too many permisions. Use an old/cheap wifi only phone with a junk gmail account that lacks your contacts and private info if you really have to do that. Same damn problem as a thousand loyalty cards, just a pita.

And they probably know who you vote for.

[Myself]

Several years ago, we were talking about Gracenote's metadata, it came up that your musical tastes are a shockingly accurate predictor of your political leanings.

So consider that this metadata just helped all those "partners" build an even more accurate profile of you.

23 and me sells to big pharma

Lesson learned? Don't use apps.

WTF?

WTF is it with these goddamn paragraph-sized article titles? The novel-sized summaries are bad enough as it is. I truly miss the old slashdot.

Yep

[JustAnotherOldGuy]

This is just one more reason I rarely install apps on my phone.

It seems as if most apps do suspicious shit in the background, and/or harvest your data, display ads, drain your battery, etc etc etc.

I mean seriously- why does a flashlight app need access to my contacts or my location information?

Re:Yep

[EETech1]

I use a network monitor on my Android phone (network monitor mini) and I am amazed how many apps hit the network the instant you wake your phone up. I've even tried restricting background data for the apps that show up, but it made no difference.

I really miss Windows Mobile, and that's saying something!

Damn you HP for killing PalmOS!!

Jolla?

I'll bet it's hard to get venture capital without a good plan to capitalize on your users personal information.