The Future

Ticketing app AXS scrapes everything it can get from your phone

Seeing your favorite band live will probably cost you more in data than in dollars.
The Future

Ticketing app AXS scrapes everything it can get from your phone

Seeing your favorite band live will probably cost you more in data than in dollars.

The other week, I bought tickets from a friend to go see Arctic Monkeys. I Venmoed her eighty-five dollars, and an email containing my tickets arrived a couple minutes later. “Tickets Just Got Sent To You,” read the subject line, but the body was a bit different: “This email is not your ticket,” it explained. “Here’s how to accept the tickets: 1 – Get the AXS app, 2 – Create an AXS account (using the email address that got this email), 3 – And the tickets are yours!”

AXS, a digital marketplace operated by Anschutz Entertainment Group (AEG), is the second largest presenter of live events in the world after Live Nation Entertainment (i.e. Ticketmaster). It's the sole place fans can get tickets to the inaugural season of the Overwatch League esports competition, along with various other sporting events and musical performances. The company requires users to download an app to use any ticket for a concert, game, or show bought through AXS, and it doesn’t come cheap. AXS uses a system called Flash Seats, which relies on a dynamically generated barcode system (read: screenshotting doesn’t work) to fight off ticket scalping and reselling.

It looks kind of like an authenticator app, only with barcodes rather than strings of numbers. The only way to use the ticket is to pull it up in-app while at the venue, which seems innocuous enough, so, of course, I downloaded it. I was already 85 bucks in the hole, and wasn’t about to throw that away over the two minutes it would take to install some stupid app. But I probably should have. Though the app was technically free, I ended up paying with the wealth of personal data it scraped from me and sent to who knows.

Curious about your own data leaks? Listen to Paris Martineau dig deeper about her privacy policy reading habits on The Outline World Dispatch.

Here’s a brief overview of all of the information that can be collected from just the mobile app alone, nearly all of which is shared with third parties without being anonymized or aggregated: first and last name, precise location (as determined by GPS, WiFi, and other means), how often the app is used, what content is viewed using the app, which ads are clicked, what purchases are made (and not made), a user’s personal advertising identifier, IP address, operating system, device make and model, billing address, credit card number, security code, mailing address, phone number, and email address, among many others.

This is the part of the article where I’d usually include some sort of pithy quote from the company’s privacy policy to illustrate just how much data it’s collecting on the average user, but AXS’ policy is so lengthy — and the amount of data siphoned up by its apps, sites, and “Services” is so extreme — that an adequate quote would probably take up the entire page.

AXS shares all of this information with a laundry list of advertisers, marketers, unknown “Clients,” and third party services. Including but not limited to: Google, DoubleClick Ads (which is the company responsible, in part, for most of the obnoxious banner ads around the web), Facebook, and basically whoever else the company feels like deserves this personal information. “We reserve the right to share your Personal Information with our current or future affiliated entities, subsidiaries, and parent companies,” says AXS’ privacy policy. “We may also share your Personal Information and other information with trusted third parties, such as our Partners, sponsors, or their affiliates and subsidiaries and other related entities for marketing, advertising, or other commercial purposes, and we may occasionally allow third parties to access certain Sites for marketing purposes.”

AXS also shares the personal data collected on its customers with event promoters and other clients, none of whom are bound even by this (extremely lax) privacy policy. From there, who’s to say where my data may go. All of this was almost certainly combined with the personal profiles that advertisers and data brokers like Facebook, Google, and others have already created about me, and used to further sharpen the algorithms that shape our digital existences.

This is all well and fine when thought about in the abstract, but quickly becomes utterly infuriating when viewed as part of the massive corporate-fueled whole that it is. That some tech bro running a dumb insurance startup could probably buy this information through one of the countless data brokers it’s been shared with and hypothetically use it to up my premiums because, say, some study showed that people who regularly attend concerts in Brooklyn are, say, more likely to get injured is absolutely ridiculous. And while that’s a made-up example, it’s not too far off from what’s already happening. Health insurers are already making use of the wealth of data available on us to inform decisions and assess the risks associated with a particular person . Worse things have been done with more innocuous data. Take the Strava fitness app, which allows users to map and share their workouts with friends, for example. Back in January it accidentally revealed the location of remote military outposts and even the identities of some of the soldiers stationed there.

If a company knows your habits, purchases (and almost-purchases, like that online cart of Target clothes you’ve been sitting on for two weeks), and interests, it more or less knows you. The more and more data it can collect on our lives both online and offline, the more accurate its predictive power becomes. It’s how Target knows a woman is pregnant before she does, or how Facebook’s ads are so spot on you swear it must be listening to you. For far too long, there’s been this disconnect in the way we think about our personal data. Though these quantified versions of our digital lives have only grown more and more valuable in the eyes of corporations and tech bros, a stream of mind-numbingly lengthy privacy statements and terms of service agreements have lulled us into a state of tacit compliance. We trade buckets of our personal data away for cheaper movies and kitschy home DNA tests. Despite the lofty ideals of possible legal remedies to this mess like the European Union’s General Data Protection Regulation (GDPR), there’s no real way for users to have a say in how their data is being collected and shared, save turning off a few tracking cookies. You either agree to the terms of service, or you don’t use the product — which, in this day and age, often isn’t a viable option.

No reasonable person is going to take the loss of almost a hundred bucks to not see a concert just because the accompanying app siphons up an encyclopedia’s worth of their data. Most wouldn’t even have the time in their busy day (much less the patience) to wade through the thousands of words of nonsensical legalese needed to realize exactly what they’re agreeing to. The companies crafting these agreements know this. They know they can get away with collecting whatever information they want and selling it to the highest bidder, so they do. And so they will, until anyone with enough power to enact systematic change cares enough about one of the most boring aspects of our digital lives to actually do something about it.

AXS did not return The Outline’s request for comment, but we’ll update this article if we hear back.

Updated at 7/31/2018 2:00PM ET: This article was updated to reflect AXS's partnerships with various live events.