On this episode of the Self-Publishing News Podcast, Dan Holloway reports on a coordinated bot attack that hit indie authors using Shopify, leaving some with unexpected fees and limited recourse. He also covers new and proposed legislation across the UK, EU, and US, including the UK’s Online Safety Act, concerns over enforcement of the EU AI Act, and the US White House's pro-tech AI action plan—all with implications for author rights and content access.
Listen to the Podcast: Shopify Bot Attack Hits Authors
Sponsors
All our ALLi podcasts are proudly sponsored by Bookvault. Sell high-quality, print-on-demand books directly to readers worldwide and earn maximum royalties selling directly. Automate fulfillment and create stunning special editions with BookvaultBespoke. Visit Bookvault.app today for an instant quote.
Self-Publishing News is also sponsored by book cover design company Miblart. They offer unlimited revisions, take no deposit to start work and you pay only when you love the final result. Get a book cover that will become your number-one marketing tool.
Thoughts or further questions on this post or any self-publishing issue?
If you’re an ALLi member, head over to the SelfPubConnect forum for support from our experienced community of indie authors, advisors, and our own ALLi team. Simply create an account (if you haven’t already) to request to join the forum and get going.
Non-members looking for more information can search our extensive archive of blog posts and podcast episodes packed with tips and advice at ALLi's Self-Publishing Advice Center.
About the Host
Dan Holloway is a novelist, poet, and spoken word artist. He is the MC of the performance arts show The New Libertines, He competed at the National Poetry Slam final at the Royal Albert Hall. His latest collection, The Transparency of Sutures, is available on Kindle.
Read the Transcript
Dan Holloway: Hello and welcome to another Self-Publishing News podcast. Today we have not one, and not two, but three pieces of legislation and their impact.
Before I get into that, the main news this week is a piece about Shopify that has been prompted by communications from a number of ALLi members. Thank you very much to everyone who has been in touch with the ALLi team about this; apologies it has taken so long to turn into a story, but I am thankful for all your patience.
The background is that Shopify, of course, in the age of self-publishing 3.0 and indie's trying to do as much as we can for ourselves without relying on platforms to distribute on our behalf, we use shopfronts and we like to create our own stores, and one of the main platforms for doing that is Shopify.
Lots of indie authors, just like lots of people in every other sphere, use Shopify as a storefront from which people can buy physical books, eBooks, merch, all kinds of things that we have to offer.
Now at the end of May, on the 27th of May, a number of writers noticed a spate of suspicious activity that seems to have emanated from a co-ordinated bot attack. What people were noticing was hundreds, and in some cases thousands, of attempts to purchase eBooks all within a few minutes.
In some cases, this was also co-ordinated with attempts to mass sign up to email lists, to such an extent that in some cases, it was in danger of pushing people over their subscriber limit on the tier plans they had for their email lists.
Many of these were flagged as fraudulent by Shopify. Of the authors who spoke to us, most refunded what they could refund absolutely instantly, but in a number of cases it took Shopify more than 24 hour to process those refunds and as a result, people became subject to chargebacks, which I believe were charged at $15 a pop, which obviously is not an insignificant amount.
When you have thousands of purchases, even a tiny percentage of that, if it ends up as a chargeback, can be a huge expense, in some cases hundreds of dollars.
Also, people have ended up being hit with credit card fees. So, Shopify enabled the refund of the purchase price, but not the merchant's credit card payment fees.
Dan Holloway: People got in touch with Shopify; they weren't happy that they had lost out financially as a result of a fraudulent attack.
They had discovered from online forums that it clearly was a co-ordinated, fraudulent attack because it had happened to everyone at the same time, people had put their stories together. It seems that in several of the emails, even Shopify was acknowledging that this was a known bot attack.
So, what customers experienced was, and this is where they wanted the issue raised, was first of all some inconsistency in the messaging from Shopify. So, several of the customer services conversations that we have seen transcripts of suggest that customer service agents were saying to store owners that in no case would they be liable to fees from fraudulent transactions. Yet even though transactions had been flagged as fraudulent, they were known to be fraudulent, they were still not being refunded the merchant fees or the chargebacks. It seems that this is actually in accordance with Shopify's terms and conditions, that it's the case that credit card fees cannot be refunded even in the case of fraudulent transactions.
So, this mixed messaging had caused a certain amount of confusion and a large amount of distress. It has also left people wondering if stores like Shopify are subject to potential fraudulent attacks like this, and if they are going to be left footing the bill, then what are they paying for and is it worth having a store with a platform like Shopify, if you are potentially leaving yourself open to this, which in many cases we simply can't afford.
This is further exacerbated by the fact that Shopify has tiers of security levels and many of the most stringent tiers of security levels, which enable you to make your settings such that you manually process all credit card transactions before they go through, are only available to the Shopify Plus accounts, which authors have pointed out, are not necessarily something that an indie author can afford to do. It's almost like a pay-for security.
So, people have been left questioning whether it is actually a wise or even a viable thing for indie authors to have their shopfronts using Shopify given the response there has been to this known attack.
So, it's an awareness raising piece. It's news to the extent that this happened recently, it happened at the end of May. I'm sure Shopify are taking action to prevent such things happening again, and to increase the amount of transactions that they are internally stopping going through.
But in the meanwhile, people should be aware of these issues. Be aware of what they're leaving themselves open to if you have an account with someone like Shopify, and certainly make sure that your settings are as stringent as they can be.
So, where possible make it that you have to approve transactions before they go through, for example.
That's Shopify, which is our main news of the week, and I promised you some legal stuff or some legislative stuff.
Online Safety Act
Dan Holloway: In the UK, at the end of July, the Online Safety Act came into force, which requires sites allowing people to access adult material, which is the phrase that is going to go down in history alongside various comments on obscenity laws from the past, “harmful but not illegal.”
So, any sites that allow access to that kind of material have to put in place reliable and robust age verification procedures, and this came into effect on Friday, the 25th of July.
There are already many sites under investigation for not putting these into place, needless to say. But among the sites who are, this is clearly not just affecting adult content sites. It's X, it's Reddit, it's Blue Sky, and Spotify are even talking about putting it into place for example, songs that have explicit lyrics.
So, this is something that affects everyone. There has been somewhat of a backlash in the UK and beyond, from people who didn't necessarily realize what it meant when the law was first mooted.
But this is clearly going to affect how people access books, and it's going to affect how, if you make snippets from your books available online, if you use social media to promote your books. In particular, if you write any erotica, or certain sort forms of non-fiction, or certain forms of violence or horror, then it's going to make it harder for UK audiences to get access to your books because lots of people are not confident verifying their age because of the way that this is being mandated, which is basically through a number of essentially, I believe at the moment, unregulated third party companies.
As the saying goes, what could possibly go wrong with giving personal details about yourself and the sites you access to random third-party companies?
So, that's the big piece of legislation from this week, which is in the UK.
AI Regulations in the EU and US
Dan Holloway: In the EU, there has been some handwringing amongst creatives about the way the AI Act has been put into force.
The AI Act is designed to regulate the AI industry and ensure robust protection of the rights of copyright holders. It's the most creative-friendly AI legislation that we've seen so far, but there are worries that it's not actually being enacted in this way, and it's actually quite easy for big tech firms to get around it. Obviously, more remains to be seen about this.
Then finally in the US, not yet enacted, but the White House's AI action plan has been much talked about. As we said about the EU, the EU has put in place the most creator-friendly legislation.
This really is in America. It looks very tech friendly, and the publishing industry is somewhat worried about this. So, the phrase that Maria Pallante of the Association of American Publishers has used, is that high quality AI depends on high quality authorship, and what the White House's Action Plan seems to be calling for is a reduction in regulation that prevents tech companies from accessing the training information that they need.
So, if that does get put into law, that is very much something that I will be updating you on and we need to keep an eye on.
With that, thank you very much for listening. As always, I very much look forward to speaking to you again at the same time next week.
