Tales of the Michael Jackson lottery, eBay and security
I've been fascinated of late with the issue of eBay auctions of hot-hot items, like the playstation 3 and others. The story of the Michael Jackson memorial tickets is an interesting one.
17,000 tickets were given out as 8,500 pairs to winners chosen from 1.6 million online applications. Applicants had to give their name and address, and if they won, they further had to use or create a ticketmaster account to get their voucher. They then had to take the voucher to Dodger stadium in L.A. on Monday. (This was a dealbreaker even for honest winners from too far outside L.A. such as a Montreal flight attendant.) At the stadium, they had to present ID to show they were the winner, whereupon they were given 2 tickets (with random seat assignment) and two standard club security wristbands, one of which was affixed to their arm. They were told if the one on the arm was damaged in any way, they would not get into the memorial. The terms indicated the tickets were non-transferable.
Immediately a lot of people, especially those not from California who won, tried to sell tickets on eBay and Craigslist. In fact, even before the lottery results, people were listing something more speculative, "If I win the lottery, you pay me and you'll get my tickets." (One could enter the lottery directly of course, but this would increase your chances as only one entry was allowed, in theory, per person.)
Both eBay and Craigslist had very strong policies against listing these tickets, and apparently had staff and software working regularly to remove listings. Listings on eBay were mostly disappearing quickly, though some persisted for unknown reasons. Craiglist listings also vanished quickly, though some sellers were clever enough to put their phone numbers in their listing titles. On Craigslist a deleted ad still shows up in the search summary for some time after the posting itself is gone.
There was a strong backlash by fans against the sellers. On both sites, ordinary users were regularly hitting the links to report inappropriate postings. In addition, a brand new phenomenon emerged on eBay -- some users were deliberately placing 99 million dollar bids on any auction they found for tickets, eliminating any chance of further bidding. (See note) In that past that could earn you negative reputation, but eBay has removed negative reputation for buyers. In addition, it could earn you a mark as a non-paying buyer, but in this case, the seller is unable to file such a complaint because their auction of the non-tranferable ticket itself violates eBay's terms. Many listers offered two tickets, claiming (often with a photograph) that they had carefully removed the wristband on their wrist. Some auctions were presumably frauds as well. A number of auctions however only offered one ticket, the spare one. No security measures could prevent transfer of those tickets as winners were indeed free to take any guest they wanted. Contractually they were not supposed to take compensation but that's hard to stop.
Some eBay sellers played various tricks, including saying they would end auctions after just 20 minutes (to beat out the takedowns and 99 million dollar bids.) Some used buy-it-now well to end quickly. It is unknown how many reached success.
A number of sellers were auctioning off the voucher which could be taken to Dodger stadium, in particular non-California sellers. In theory this should have not worked, as the party arriving at the stadium would have to show ID matching the winner/seller's name. Those who bought those are in an interesting situation. Did they break the law? Can they file a criminal claim?
Some sellers showed photographs of the ticket, where the seat numbers and even bar code could be read. If the venue had desired, it could have flagged these ticket numbers for special security check at the gate. I don't know if they thought to do that.
The terms indicated that one would also have to bring ID to Staples Center. This could stop people who got their wristband off from selling, though without a requirement that the pair enter together, one could just claim to be holding the guest ticket, for which an ID check is not possible.
Presumably with all this, many winners did not show up at Dodger stadium. I have not heard reports of what was done with all those unclaimed seats. Presumably they had little trouble finding people to take them, though they made no public announcements to avoid being mobbed.
News reports indicate there was a brisk scalping scene outside the venue itself, as there is at any event, but especially a free-by-lottery one. Prices ranged up to $1,000. Short of heavy police presence, this is probably where a lot of the transactions really took place, facelessly for cash, particularly on the guest tickets.
Any time something scarce and valuable like this is given away by lottery, there will be much effort to game the system. Of course, because the terms of service indicated, IIRC, that they were allowed to use the lottery entry data for marketing purposes, I suspect that they also just collected a hugely valuable database to market MJ merchandise to -- perhaps with greater sales numbers than the tickets would have generated! I do hope that was not their motive, though.
That plan aside, I have always felt a more effective security technique than taking names and addresses would be to ask every lottery applicant to simply upload a photo of themselves, and possibly photos of some number of potential planned guests. Done properly, ticket collection (or even gate entry) can be secured with no need for ID cards or wristbands. Scan the voucher and have the photo appear on the ticket collector's PDA. (8,500 photos would trivially fit on an iPod or any device with modern flash memory.) If the person matches, they are in, otherwise they go to special security.
For people who can't upload a photo, do a co-marketing deal with a store like Kinkos or Starbucks or a major drugstore photo lab to have people come in and get a photo upload done for a low price (or even free, with upsell.) Not too many people would need this. Who doesn't have a friend with a cameraphone able to send a photo?
If winners also have to upload a photo of their potential guests, it pretty much eliminates resale. People could sell, "I will make you one of my possible guests, and if I win, you can pay me a large sum" rights but this starts getting into the margins. The photo approach has the privacy advantage of not creating a database of people's names, at least until face recognition gets better. But as noted, the operators may very much desire that database. The photo system would also have discouraged those who filled out applications from remote locations for no other purpose than to sell them. However, without names and addresses, it would have encouraged people to fill out multiple entries using multiple e-mails and multiple photos, which are easy enough to get. Some additional information might need to be added to prevent this, without having to go all the way to full ID info.
I also think that it would have been wise to put some of the tickets up for auction. For example, of the 17,000 seats, 2,000 could have been put up for auction -- all payments going to Mr. Jackson's favoured charities -- and the rest given by lottery. This keeps the egalitarian free nature of the event, raises a lot of money for charity and siphons off the demand for paid tickets away from scalpers and to something good. While each event is different, it might even make sense to try to use past histories to judge just how many people are the sort who would pay a scalper's price, and sell exactly that many, as long as it leaves enough free tickets.
One could do a standard dutch auction, where every bidder pays the price of the 2,000th highest bidder (the last winning bidder) or one could do a "pay what you bid" auction. Such forms are not normally done, but if the money is going to charity, it's really just a donation that you were ready to make, and most of it would be deductible. Game theory argues that the standard Dutch Auction can bring in more money because it encourages high bidding, since most bidders expect to pay less than they actually bid, and as a result they overbid. In addition, people resent paying different prices for the same thing in a traditional auction, but might not in a charity auction.
Also possible (but rarely done) would be a donation "auction" where you donate first, so that everybody pays whether they win or not. The top 2000 donors, or the top 17,000 would get the tickets. This would raise quite a lot of money for the charity, but might be illegal due to gaming laws, though there is no chance to the pure version. And of course people would, in spite of knowing and being told they were donating to charity, still resent it if they "lost," especially (and perversely) by a small amount.
While I have not seen the wristbands, the photos suggest they are similar to typical club security wristbands. For a high-value item like this, it would seem a custom wristband would be necessary. Any stock wristband which could be purchased in stores would be a large security hole once discovered. It seems that most organizations that use these for security rely on people not being able to go out and purchase the same wristbands, just as many high-ticket conferences rely on forgers not having access to things as simple as a scanner, printer and set of standard badge holders.
(Note) The placement of the 99 million dollar bids on items to block further bidding is a new type of auction sabotage. It is different, however, from the super-high-bid strategy that was used on Playstation 3s. In those cases, buyers wanting to be sure to win would create a fresh account and bid a huge amount, sure to win. When they won, if they liked the price, they bought, otherwise they just abandoned the account which would then have gotten a negative reputation point. For the sellers, however, re-listing was not an auction as the frenzy only lasted a short time; their efforts (and waiting in line) were ruined.