Remember live music? Remember the thrill of enjoying a performance or sporting event with a packed house of fans? As we look forward to a return to in-person entertainment, it’s easy to forget the frustration of trying to buy tickets as soon as online sales opened only to be shut out by companies that used tricks to grab them up and sell them at much higher prices. That’s the conduct Congress intended to stop with the passage of the Better Online Ticket Sales (BOTS) Act. The FTC just settled its first cases against defendants charged with violating the statute.

The BOTS Act gave consumers a national defense against ticket bots – software that could buy up big blocks of tickets faster than mere mortals could type and click in an effort to score two on the aisle. To ensure that consumers had equitable access to tickets, Congress made it illegal to “circumvent a security measure, access control system, or other technological control or measure on an Internet website or online service that is used by the ticket issuer to enforce posted event ticket purchasing limits or to maintain the integrity of posted online ticket purchasing order rules.” The law applies to public concerts, theater performances, sporting events, and similar entertainment at venues that seat more than 200.

The FTC cases name New York-based defendants Concert Specials and owner Steven Ebrani, Cartisim and owner Simon Ebrani, and Just in Time Tickets and owner Evan Kohanian. You’ll want to read the complaints for the specifics, but at various times since the BOTS Act has been on the books, the defendants bought tens of thousands of tickets from Ticketmaster’s websites and then resold them, raking in big profits. Despite security measures Ticketmaster implemented to limit how many tickets a person could buy and to enforce its posted online sales rules, the FTC says the defendants illegally used ticket bots to circumvent the system and covered their tracks with other illegal tactics.

For example, the complaints allege the defendants used various bots that would automatically reserve any tickets that fit their search criteria, effectively blocking anyone else from buying the tickets at least until the reservation clock expired. The bot also would bypass any of those CAPTCHAs designed to make sure the buyer is a real person. (Factoid for the day: CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart.” OK – there are some extra Ts in there, but we won’t quibble.) By using bots, the defendants were able to buy multiple tickets across multiple Ticketmaster accounts within seconds, effectively freezing out consumers who honored the rules.

To evade detection, the defendants allegedly used thousands of different IP addresses, as well as hundreds of fictitious names and addresses and hundreds of different credit card accounts. Put it all together and the complaint charges the defendants with violating both the BOTS Act and the FTC Act.

Among other things, the proposed orders require that when buying event tickets, the defendants must stop using bots, CAPTCHA bypass services, fictitious identities, multiple IP addresses simultaneously on a single device, and credit cards in the names of anyone other than themselves or their employees. In addition, the order against Concert Specials and owner Steven Ebrani imposes a $16 million civil penalty that will be suspended upon the payment of $1.565 million. The order against Cartisim and Simon Ebrani imposes a $4.4 million judgment, suspended upon the payment of $499,147. Just in Time Tickets will pay $1.642 million with the rest of the $11.2 million judgment suspended. All three judgments were partially suspended based on the defendants’ ability to pay.

If you have clients in the ticket industry, hold on to these compliance stubs for future reference.

Violating the BOTS Act can earn you a one-way ticket to law enforcement. It doesn’t matter how the defendants do it. It’s the act of circumventing “a security measure, access control system, or other technological control or measure . . . the ticket seller has put in place” that violates the BOTS Act. That means ticket purchasers who evade ticket limits by using fictitious identities, multiple credit cards, or multiple spoofed IP addresses on the same device are in violation of the BOTS Act, even if they don’t use ticket bots. Furthermore, as these cases demonstrate, BOTS Act violations may result in corporate and individual liability.

Serial violations are looked upon with disfavor. Before the enactment of the BOTS Act, the defendants all had signed Assurances of Discontinuance with the New York Attorney General relating to, among other things, their use of ticket bots. Encores are great for performers, but in this context, we call it recidivism. By the way, the FTC and the State Attorneys General share enforcement authority under the BOTS Act.

The BOTS Act covers “double features.” The BOTS Act addresses more than just using bots to circumvent sellers’ security systems. Although not alleged in the cases the FTC just brought, the BOTS Act makes it illegal to sell tickets obtained in violation of the statute if the seller participated in the illegal purchase or knew or should have known the tickets were acquired in violation of the law.
