Naked Security

‘Grinch bots’ are ruining holiday shopping. Lawmakers hit back

The bill would outlaw automated scripts that snap up discounted holiday must-haves so resellers can gouge people with exorbitant markups.

US legislators have introduced a bill to stop bad bots from buying up all the hot holiday toys in bulk and then gouging parents by reselling them at exorbitant prices.
Bots are automated scripts and programs that can be used for good or bad: the good ones do useful things such as crawl the web, and they’re also used on social media to generate everything from poems to memes to self-care reminders to randomly generated awesomeness.
Then there are the bad bots: like, the ones that snatch up all the Super Nintendo and Barbie products before you can even log into an e-commerce site.
Fittingly enough, the Stopping Grinch Bots Act of 2018 was announced on Black Friday.
The bicameral bill comes from US Senators Tom Udall, Richard Blumenthal, and Chuck Schumer, along with US Representative Paul Tonko. Udall said in a press release that resellers are gaming the system with bots that snatch up toys and highly discounted products to sell at “outrageously inflated markups,” all “with a few keystrokes,” and often before any human has managed to even put an item into their online shopping cart.

These Grinch bots let scammers sneak down the proverbial chimneys of online retailers and scoop up the hottest products before regular Americans can even log on – and then turn around and sell them at outrageously inflated prices. That’s just not how the marketplace is supposed to work.

The bot problem is just one example of how consumers get preyed on when they venture online, Udall said. Bots enable “unscrupulous” scammers to game the system and “steal hard-earned money from Americans who have saved up just to buy gifts for their family and friends during the holiday season,” he said.
Yes, but is bulk buying from bots illegal? Yes and no – that’s why the Democrats think that a new, comprehensive bill is needed.
The Grinch bill builds on an earlier bot-aimed bill that was more narrowly focused. Specifically, it addressed only one aspect of bot scalping: online ticket sales. In 2016, Congress passed the Better Online Ticket Sales Act, aimed at ticket scalpers. It made it illegal to skirt event ticket limits for public events with more than 200 people in attendance.
In October 2017, Ticketmaster sued a scalping company that used bots to do just that, buying 30,000 tickets to the hot-hot-hot “Hamilton” musical. According to the lawsuit, while Ticketmaster’s terms of service forbid the use of bots, the reseller managed to override warning or error messages and allegedly used special software to sneak past CAPTCHA codes meant to screen out bots. It then used thousands of separate accounts to place hundreds of thousands of ticket orders.
The company, Prestige Entertainment, was already in trouble for bot chicanery: It signed a $3.5 million settlement with New York after buying 1,012 tickets to a 2014 U2 concert at Madison Square Garden in one minute and then reselling them at markups averaging 49%. (Take note: bot badness might extend to e-businesses themselves. In June, Prestige and other brokers filed counterclaims, accusing Ticketmaster of creating and disseminating its own bots, placing the blame for “Hamilton” ticket resales right back on the ticket seller itself.)

At any rate, because the 2016 law only focused on ticket reselling, bots designed to snap up and scalp other products have gotten a free pass. Time to fix that oversight, according to Representative Tonko:

The American people should be able to spend the holidays with their loved ones, not forced to camp out at store openings or race against an automated buying algorithm just to get an affordable gift for their kids.

The proposed Grinch Bots Act goes beyond toys or tickets to apply to all online retailers, be they selling Nintendo consoles or special-edition Nikes: a comprehensive approach that should help smaller, more specialized retailers.
Rami Essaid, co-founder of Distil Networks – a company that helps corporations battle bad bots – told the Washington Post that it’s not the Amazons or the eBays that get hurt by the practice; rather, it’s smaller retailers and consumers. In fact, the resellers turn to the bigger markets, such as Amazon, to resell the goods.
Essaid says the buyers behind the bots tend to go after products that retailers offer in limited quantities: for example, limited-release Nike sneakers or concert tickets.
Ticket sellers have been dealing with scalping bots for years, he said. According to Distil Networks’ Bad Bot Report 2018, 21.8% of all website traffic in 2017 was from bad bots: up by 9.5% over the previous year.
The top targets of bad bots were gambling sites, followed by airline websites. Bad bots swarm around the holidays, in particular: Essaid said that his company noted a 20% spike in bot traffic during Black Friday and Cyber Monday for a sample of about 300 e-commerce companies.

It is absolutely always happening. These bots are trying to get as much inventory as possible as quickly as possible, and they can even end up bringing your site down. We actually saw that last year where bots took down a company’s site because of a Black Friday sale.

The proposed bill would make it illegal to circumvent website controls meant to enforce posted purchasing limits or to manage inventory. It exempts security researchers: they’ll still be allowed to use bots to research vulnerabilities and to develop security products.


> race against an automated buying algorithm
…said the tech writer helping to pen the bill.
> It exempts security researchers
Holy smokes! Is Congress (dare I say it)


> the Stopping Grinch Bots Act of 2018 was announced on Black Friday
AH. Mystery solved.
A lawmaker or two couldn’t buy the latest Barbie Goes to Hollywood Dream House or Playstation 17 and put some “sour grapes” wrath into productive use.
eh. We’ll take what we can get.


If it had only been suggested on Black Friday, I could buy that logic. But sour grapes don’t usually work that quickly. Call me a cynic, but I think it’s more likely that somebody saw a golden opportunity for some good PR, and grabbed it.

