
On Botnets and Streaming Music Services - 6stringmerc
http://motherboard.vice.com/read/i-built-a-botnet-that-could-destroy-spotify-with-fake-listens
======
13thLetter
The takeaway I'm getting from this is, as with other websites, the attempt to
fund streaming music indirectly via targeted advertising is hopelessly unable
to keep up with ever-more-clever click fraud. At best, we end up with an arms
race of more and more powerful "criminal" botnets and more and more
heavyweight advertising tech crowding out the original content. I'm becoming
very sympathetic to the viewpoint of backing out towards either completely
untargeted advertising (which, paradoxically, can be far more effective) or --
and, admittedly, I'm going crazy out on a limb here -- paying for content.

~~~
ianlevesque
Paying for content worked great until the middle class collapsed.

~~~
krschultz
s/middle class collapsed/broadband became prevalent/

~~~
6stringmerc
"What do you mean people can use their computers to listen to music and copy
things infinitely? There's no money in that! We should try and kill this
Napster thing to protect selling CDs for $20 a pop and never support online
distribution no matter the customer demand!" - The Music Industry
(paraphrased for sarcastic effect)

~~~
cwyers
And... were they wrong?

~~~
6stringmerc
That depends! Are you on the side of Cliff Burton era Metallica as a band that
encouraged tape trading as an avenue for exposure, or are you on the side of
Lars Ulrich era Metallica that feels people sharing music without paying money
are enemies of the band?

If you believe in the latter, then that's a perfectly reasonable position for
record labels and publishers who invest in "startup" acts hoping they get
enough ROI to cover the failures, and then give the successful bands only what
they're contractually owed after recouping. Sure, that's a business model. The
only number that matters is the number of people paying for the recording.

If you're in the camp of the former, you might think that organic growth and
demand for your supply means getting to hit as many ears as possible is a
chance to broaden the base of people willing to pay for more. Just because
somebody can get a recording for free doesn't mean they aren't interested in
giving you money for a live show or a t-shirt or a sticker. The bigger the fan
base, the better the income potential.

I'm going to assume you didn't live through the same era that I did, when
Napster was more prevalent in dorm rooms than illegal booze. After that window
got slammed shut, the industry narrative (backed by an ignorant Judge's
opinion that "the computer is not an audio device") was that anybody who
didn't buy retail was a criminal. Ever buy a used CD? That was another target.

There was a huge opportunity to embrace technological evolution. Not until
Steve Jobs and iTunes worked out the mechanics of DRM and "buying a license"
did the industry decide to get on board. It seemed like the industry had their
cake and could eat it too...until Eminem looked at his contract and saw that
digital downloads were being paid out at the "sale" rate of (est) $0.25 per
track, but the words on the page said any "license" should be paid out at
$0.50 per track. He took them to court, for himself, and also for clarity in
the rules of business. He won. A lot of money. Other artists started to notice
this...

There's an alternate reality where more forward people would've been thinking
about consumers as audiences instead of wallets, but that didn't happen, and
here we are, arguing over the table scraps that Sony/Warner/Universal leave
for the independents.

~~~
cwyers
> I'm going to assume you didn't live through the same era that I did

You're incorrect.

And... Jobs DID come along, iTunes DOES exist, it ate album sales without
providing similar revenue, now Spotify et al are eating iTunes' market share
while providing even less revenue, and it's a race to the bottom.

Everyone loves to talk about what would've happened if all the various content
industries had been more forward looking, and it's all ridiculous. One of my
favorite, quantifiable examples is the newspaper industry and the classifieds.
Yes, I guess the newspaper companies could've been Craigslist instead of
Craigslist being Craigslist. To what end, though? Look at Craigslist's
revenues. Look at what the newspaper classifieds' revenue was before
Craigslist came along. We're talking orders of magnitude difference. And
that's Craigslist's business model, right? Low overhead, passes the savings
onto the customer, skims a little cream off the top and it's more to pay their
bills because they're not using their cut to subsidize journalism, they're
just doing the whole Bezosian "your margin is my opportunity" thing and making
money where they can. If you split all of Craigslist's revenue up among every
newspaper in the country that lost classified revenue when Craigslist hit the
market and they could afford to pay everyone a few dollars more in their
severance packages as they keep laying off journalists.

The world changed. We think we've figured out where the world is landing, but
we're pretty much just all sitting here in the post-apocalyptic wasteland
scavenging -- all the big names we think of when it comes to new media --
iTunes, Spotify, Netflix, Hulu -- are just selling us media produced under the
old business model at marginal cost. When Spotify and iTunes and all them
finally do get around to killing the music industry we're going to be in a
very, very different world. Maybe it's better! Maybe it's worse! I only really
trust people who say they don't know.

~~~
6stringmerc
>it ate album sales without providing similar revenue

Similar revenue for WHO? If you've studied the music industry then you know
that artist compensation - whether a physical sale or digital sale - is
equivalent from a practical standpoint. Of a $.99 sale on iTunes, Apple takes
the first $.30 for their role, and the rest is at the mercy of label and
artist agreements. Whether it was a CD or a digital sale, an artist was only
entitled to a certain defined compensation.

It's kind of funny you mention Craigslist, because you're citing it as a
reason that the predominant distributors - PRINT DISTRIBUTORS - should not
have to compete with a technological innovation with less overhead. It's a
middle man of the highest order. And you assert they should be propped up
because why?

Craigslist exploited a loophole of eliminating the friction between seller and
buyer without skimming a bunch of revenue in the process. Why are you trying
to argue that systems which benefit sellers and buyers should compensate
legacy entities which refused to adapt and change? In a digital realm where
rights management matters, the only people who argue for additional payout
layers are people I don't trust. I don't like the old business model, so
that's why I refuse to buy in and push for a new one.

~~~
cwyers
> Why are you trying to argue that systems which benefit sellers and buyers
> should compensate legacy entities which refused to adapt and change?

wat

~~~
6stringmerc
>Look at Craigslist's revenues. Look at what the newspaper classifieds'
revenue was before Craigslist came along. We're talking orders of magnitude
difference... they're not using their cut to subsidize journalism...

If you want to support a middleman business model, that's your prerogative. If
I want to support a direct-to-customer-as-much-as-possible one, then that's
mine. I don't want to support a label, I want to support myself.

------
dontreact
This seems to be another argument in favor of the model proposed here:
[https://news.ycombinator.com/item?id=9226497](https://news.ycombinator.com/item?id=9226497)

Split revenue per individual amongst artists, instead of splitting total
revenue amongst artists.

------
ChuckMcM
I wondered about this, I figured someone had figured out they could use pretty
standard click fraud techniques to milk money out of the pay-per-play
ecosystem.

No doubt someone in operations over at Spotify spends their nights trying to
detect these kinds of patterns. It would be interesting to hear their take on
it.

~~~
6stringmerc
Agreed!

Considering how much discussion there has been regarding transparency in the
music business - the leak of confidential information via the Sony hack being
one of the few instances where numbers are exposed - I think this could be a
viable avenue for Spotify to make their case better to artists.

Also, I'd hope it's one of the few areas where Spotify and other services can
legitimately have "free rein" to discuss their operations without being
handcuffed by non-disclosure clauses in contracts.

------
mootothemax
Isn't there potential here for a much more nefarious plan than merely earning
revenue from fake listens?

If you could do the same thing across a few services, spreading the number of
listens out on a viral pattern, based on a bit of investment in highly
marketable songs, it sounds like you could create a bedroom-singer rags-to-
riches superstar story and potentially make millions upon millions.

~~~
paulasmuth
A similar thing has happened in the past:

>> "Gracia was selected to represented [sic] Germany in the Eurovision Song
Contest with the song "Run & Hide", produced and composed by David Brandes.
After the German national pre-selection for the Eurovision Song Contest it was
revealed that Brandes had bought thousands of his own CDs to ensure chart
placement, a requirement of the ESC"

[https://en.wikipedia.org/wiki/Gracia_Baur](https://en.wikipedia.org/wiki/Gracia_Baur)

~~~
mahouse
Instead of that pedantic "sic" you could have, you know, fixed the article.

~~~
thedufer
Can you really call it a direct quote at that point? [sic] is an accepted way
to avoid integrity issues when quoting.

------
SeanAnderson
(I misread. It's 8/100th of a cent. Much more realistic.)

Artists on Spotify earn 8 cents each time their song is played? That figure
seems really, really high to me.

I'm not especially surprised this is possible, but it comes as a huge shock
that it would be financially profitable for someone.

A quick glance at some other articles
([http://www.theguardian.com/technology/2015/apr/03/how-much-m...](http://www.theguardian.com/technology/2015/apr/03/how-much-musicians-make-spotify-itunes-youtube))
shows drastically different figures:

"For example, Spotify says that its average payout for a stream to labels and
publishers is between $0.006 and $0.0084 but Information Is Beautiful suggests
that the average payment to an artist from the label portion of that is
$0.001128 – this being what a signed artist receives after the label's share."

This would make it much more expensive to run a botnet through AWS than any
potential profits it could generate.

Some other thoughts after reading more closely:

- It's surprising that the minimum listen time required for payout is 30
seconds when average song length is 3 minutes (or even higher? A reported 3m
45s:
[http://www.statcrunch.com/5.0/viewreport.php?reportid=28647&...](http://www.statcrunch.com/5.0/viewreport.php?reportid=28647&groupid=948)).
Is listening to 3/18th of a song really enough to warrant payout? Maybe.

- The opening sentence isn't all that truthful. It's implying that an average
user is just going to open Spotify, mute it, and go to sleep. That means they
won't be there to skip every 30 seconds. So, we fall back to the 3 minute
average. Assuming you sleep for 8 hours that means you're only going to get
160 plays or ~12 cents not 72.

~~~
EC1
Spotify is shit for artists. Anyone that says otherwise is a liar.

~~~
6stringmerc
I'm not a liar when I say Spotify has expanded my global listener base beyond
any other service I've used in the past. Through DistroKid, I can actually
examine where, when, and how my music gets to listeners. That includes country
of origin.

Yes, the prospect of worthwhile income is shit, but it always has been whether
on the radio or signing over a license just "for exposure." Or, yeah, Spotify
is shit for people who signed a shit contract with a shit label who doesn't do
shit for their artists other than point the finger elsewhere. I'll give you
that.

So I guess this is a matter of perspective, because I'm not a liar and I don't
think it's shit for artists.

~~~
EC1
It's not a matter of perspective. The numbers you would need to be pulling on
Spotify are huge to sustain yourself on a decent level. By that point, you're
already big enough where you wouldn't need Spotify's income because you're big
enough to have other sources.

~~~
6stringmerc
Okay, I'll give you one more response after you "moved the goalposts" so
quickly: The only perspective that Spotify or iTunes is an avenue to make a
living is straight up delusional. Getting a hit song on the radio, on iTunes,
or Spotify is about opening up opportunities where there is a demand for the
commodity - the music - and gives the artist a better bargaining position.
Making a living in music is about having other sources _as a fundamental rule
of the industry_. One good contract for a license to a commercial on broadcast
television likely would dwarf the income one would receive from an entire year
of streaming income. Selling t-shirts will make more than streaming income.

I've made more money busking with an acoustic guitar on a busy corner in 2
hours than I've made from streaming. This is how I use Spotify - it's a street
corner that pays in pennies. However, I can't afford to travel the world to
get in front of people. Thus, while it's very close to the "exposure" concept
of compensation, at least there's an exchange of monies as a matter of
principle.

~~~
SyneRyder
As a music purchaser who doesn't torrent music, I like that Spotify lets me
try new music in a convenient & legal way. It's a step in the purchasing
process, not the final destination.

There's a German metal/rock band called Unheilig that I heard about in 2013.
After seeing a YouTube clip [1], Spotify / Rdio let me try more of their songs
& add them to my playlists. That hooked me enough to add the album to my
Spotify offline downloads so I can listen on the train.

At that point, I'm a committed fan who doesn't want to lose the album... so
that's when I buy the CD. Two years later, I've bought all their albums, 2
limited Super Deluxe editions, t-shirts & hats & merch, and been to two of
their concerts. Unheilig probably got nearly nothing from me via Spotify, but
it was an important step in getting me hooked & ultimately spending hundreds
of dollars.

[1] [https://www.youtube.com/watch?v=Cl-mvbxAf-k](https://www.youtube.com/watch?v=Cl-mvbxAf-k)

~~~
6stringmerc
Just wanted to say thank you for sharing this personal story, as I really
think there are a lot of "music consumers" who think - and act - like you. The
funny thing about music is that it, well, has no "inherent value" as soon as
it's created. It's a matter of finding an audience that values the music
enough to want more. I feel culinary art is sort of similar - there's no
"perfect recipe" for a successful restaurant. If there's an audience, there's
demand, and just because, in theory, somebody could make the same dish at home
(i.e. download a pirate / clone recipe) doesn't mean the original loses all
its merit.

I'll admit that Napster, to me, was an avenue to find things that I couldn't
get my hands on otherwise. My favorite search term was "remix" and I got
unreleased / international tracks that I still love to this day. I'm a
consistent Beatport Pro customer, about $20 a month, and I buy physical CDs
for artists to both help their traditional sales metrics and simply for
nostalgia. I can't tell you how happy I was to buy the last Columbia release
by Weird Al and be a part of giving him his first #1 album release of his
career. Yeah, it's kind of hokey, but that's what's so fun about music - from
cradle to grave, there's no shame in loving what we love.

------
z3t4
The difference between a "bot" and a real person is that the real person has
money to spend. Now, how do you figure out if someone is a real person or not?

~~~
justindocanto
What if the bot had an allowance and periodically bought music (on iTunes, if
they were using Apple Music) OR if the bot had a 'premium' Spotify account.

What is the difference then?

Also, what is worse? A bot with a premium account or a human with a free
account?

~~~
6stringmerc
Damn, that's a stone cold divergence based on priorities. I think asking a
"label" versus an "artist" might yield different results, depending on
priorities. Nice food for thought on that logic tree.

------
ryanlol
I think calling this a botnet, albeit technically correct, is both really silly
and clickbaity.

~~~
6stringmerc
So, what would you call it then? If it's technically correct then being
needlessly contradictory is silly and superfluous.

~~~
ryanlol
"Botnet" almost always refers to compromised computers, that's not what this
article talks about. The article describes a ridiculously ineffective approach
of buying a bunch of EC2 instances to run 50(!) copies of spotify each, when
you should be able to easily support thousands of instances of spotify running
on a single server.

There's no need to do this using a botnet, there's no point in doing this
using a botnet... It's utter nonsense. The only reason they talk about one is
to make the whole thing sound far more nefarious than it is.

And to reiterate my point once more, nobody ever refers to remotely managing
their own computers as a "botnet".

~~~
tragic
OK then, it's proof of concept for a botnet. That would make the headline
awfully long.

~~~
ryanlol
It'd be ridiculously stupid to have a botnet do this instead of running it on
your own hardware. Again, you can easily run thousands of spotify clients on a
single computer.

~~~
6stringmerc
Fair enough. I think his assertion that using an exploit to compromise Spotify
Premium account users (via targeted malware) is kind of the extreme example to
justify the term botnet. Unless I'm mistaken, running thousands of clients on
the same computer would take a lot of effort to 'distribute' over enough IPs
as to cloak the operation? I get that you have some beef with the phrasing
used, but I think for the sake of practicality calling "a network of robots
posing as humans" a botnet is fine and not click bait at its core. Not to
belabor the point but I'm pretty sure I could scold you about some improper
music terminology usage when you'd be trying to make a point.

------
mschuster91
As long as Spotify doesn't make a loss on the payout per streamed listen event
and the pay-in from advertising, I don't see any problem.

Spotify has a pretty much working monetization model, they could just tell
advertising to fuck off. Their free model is like classic radio, where
advertisers pay without knowing if there is one listener tuned in or millions
(literally).

------
tracker1
In the end I feel we need better captcha options.. images for most people with
options for the impaired. In the end stuff that's relatively easy for a person
(click the picture of a cat), but harder for a computer to do...

Another option might be regular challenge-response that makes interaction
harder and more costly for a fake listener.. having to run a pbkdf, scrypt or
other result on a given input at regular intervals... (the service could have
a pre-computed pool to randomly serve out, so they wouldn't have the same
costs).

They could also flag accounts that get more than N hours of play in a day, or
number of days that's much higher than a typical listener... or who plays more
artists/songs outside the top 10k songs the previous month. Asking them to
login to their account, or validate their email address at that point...
Anything that makes the process much more complicated to automate but would
affect a very low number of real people.

Yes, it's an arms race, but there are a lot of things that could be done that
could keep the barbarians out of the gates... Not to mention other suggestions
that split per-user royalties to artists, instead of the pool as a whole...
That combined with other models could go a long way here.
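
An added example (not part of the comment above, and not any streaming service's code) of the account-flagging heuristics it suggests, run over constructed play records. The thresholds, the account names and the rule that two signals must fire before a step-up check are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import cycle

# Thresholds are illustrative assumptions, not values from the thread or any service.
MAX_HOURS_PER_DAY = 16.0     # the comment's "N hours of play in a day"
MAX_ACTIVE_DAYS = 6          # active days allowed in a 7-day window
MAX_LONG_TAIL_SHARE = 0.9    # share of plays outside last month's popular set


@dataclass(frozen=True)
class Play:
    account: str
    day: str       # ISO date
    track: str
    seconds: int   # seconds actually streamed


def signals(plays, popular_tracks):
    """Return {account: list of heuristic names that fired for it}."""
    per_day = defaultdict(lambda: defaultdict(int))   # account -> day -> seconds
    total = defaultdict(int)
    long_tail = defaultdict(int)
    for p in plays:
        per_day[p.account][p.day] += p.seconds
        total[p.account] += 1
        if p.track not in popular_tracks:
            long_tail[p.account] += 1

    fired = {}
    for account, days in per_day.items():
        reasons = []
        if max(days.values()) / 3600 > MAX_HOURS_PER_DAY:
            reasons.append("hours_per_day")
        if len(days) > MAX_ACTIVE_DAYS:
            reasons.append("active_days")
        if long_tail[account] / total[account] > MAX_LONG_TAIL_SHARE:
            reasons.append("long_tail_share")
        fired[account] = reasons
    return fired


def accounts_to_challenge(plays, popular_tracks, min_signals=2):
    """Accounts that should get a step-up check (re-login or e-mail validation).

    Requiring several signals keeps a real listener with obscure taste
    from being challenged on the long-tail heuristic alone.
    """
    return sorted(a for a, r in signals(plays, popular_tracks).items()
                  if len(r) >= min_signals)


def sample_plays():
    """Constructed data: one week of plays for three hypothetical accounts."""
    popular = {f"top-{i}" for i in range(50)}
    week = [f"2015-10-{d:02d}" for d in range(5, 12)]
    plays = []

    def add(account, days, per_day, seconds, tracks):
        source = cycle(tracks)
        for day in days:
            plays.extend(Play(account, day, next(source), seconds)
                         for _ in range(per_day))

    add("casual", week[:4], 30, 200, sorted(popular))            # ~1.7 h/day
    add("crate-digger", week[:5], 40, 220, ["rare-1", "rare-2", "rare-3"])
    add("always-on", week, 420, 200, ["own-1", "own-2"])         # ~23.3 h/day
    return plays, popular


if __name__ == "__main__":
    plays, popular = sample_plays()
    for account, reasons in sorted(signals(plays, popular).items()):
        print(account, reasons)
    print("challenge:", accounts_to_challenge(plays, popular))
```

With `min_signals=1` the obscure-taste listener is challenged as well, which is the false-positive cost of acting on any single heuristic.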

------
acd
You can filter this out. Using Spam filtering bot detection security methods.

------
pandog
There is really no need to call this a botnet

~~~
NullCharacter
But the point is a botnet could, instead of mining bitcoins for example,
stream content of which the rights are owned by the botnet operator.

~~~
ryanlol
Except this would be infinitely more traceable and would still require quite a
bit of development work, whereas bitcoin mining is really easy.

And using a botnet to do this offers no benefits from just running it on your
own hardware. Unlike bitcoin mining, running spotify clients isn't resource
intensive.

------
hiou
I feel like the writer of this article has a fundamental misunderstanding of
Spotify's business model. The number of plays influences how much money
Spotify brings in from advertisements. As far as they are concerned fake and
real plays are not much different beyond maintaining credibility with their
advertisers.

~~~
forrestthewoods
"beyond maintaining credibility with their advertisers"

This may come as a surprise to you, but advertisers are deeply concerned with
click-fraud and impression reliability/value. So it's not important to
Spotify... except for this one reason that actually makes it super important.

~~~
hiou
Right, that is exactly what I said. I feel like you misunderstood my comment.

~~~
ZoF
I feel like you're misunderstanding the situation to be honest...

>As far as they are concerned fake and real plays are not much different

This is flagrantly false given that they do care whether plays are legitimate
because they do want to be able to verify with advertisers that plays are
served to credible clients...

Are you implying that Spotify would expect that advertisers are stupid/inept
enough to not notice when a large number of ads are served to fake/bot
consumers?

Spotify as a company has the prerogative of acting with integrity in these
situations if only for future maintainability/acquisition of relationships
with advertisers.

Even if an advertiser was inept enough to not notice their ads were served
largely to bots the value of those ads would still ultimately be lowered by
them being served to bots. e.g. if 1000 ads are served and 500 are sent to
bots, the overall value of each clicked ad is eventually lowered by 50%. This
is assuming an advertiser is so inept they aren't measuring clicks per served
ad, which doesn't even occur.

I think you're fundamentally misunderstanding why spotify _does_ have to
maintain the credibility of those ad clicks/listens/etc...

~~~
hagbardgroup
Advertisers may or may not care. Many are indeed both stupid and inept. Their
clients should care, but may not be technically savvy or aware enough to care.
Fragmentation in advertising also makes accountability a lot harder.

Spotify definitely has to care in the long run, but it may be better for their
chances of making it through that IPO window to see no evil, hear no evil, and
speak no evil until someone forces it upon them. If it worked for Facebook and
Twitter, why wouldn't it work for Spotify?

Honestly, this is one of the reasons why 'free' services provide such low
value to advertisers unless there's world class fraud fighting capability at
the company. If the service is paid, it's significantly more expensive to
generate fake traffic. But that'd be bad for the loosey goosey user numbers
(AKA 1990s era 'eyeballs') that so excite momentum investors.

~~~
ZoF
Sure, maybe they could get to an IPO without addressing the issue, that
doesn't in any way invalidate the legitimacy of the posted article.

There is a vulnerability. It is exploitable. In the long run spotify _will_ be
negatively affected if it isn't addressed.

Honestly surprised that there is any argument whatsoever to the contrary.

If it was, 'well they can make it to IPO before addressing it' as you've
stated, sure, that's valid. The parent was saying, 'it's not an issue, it's a
matter of perception'.... Which is extremely naive and shortsighted.
Perception is the very thing that drives advertisement cost.

~~~
hagbardgroup
Nope, doesn't invalidate what he did. Everyone would be better off if this was
either cleared up or if other streaming services with models less prone to
fraud could pop up.

~~~
ZoF
Is it my tone then?

Rereading my posts I do seem like a braggadocious douche, but I'm not incorrect
at all I don't think; the comment I'm replying to is incorrect though.

That I genuinely feel is true.

~~~
hagbardgroup
Yes the parent comment you were replying to was off base and you were right to
correct him. You didn't seem rude to me. I was being a little bit sarcastic
about Spotify riding a fraud-wave to a public offering based on inflated
numbers.

