Part I: Intro and the problems for operators.
“There is no such thing as perfect security, only varying levels of insecurity”
No doubt about it, the snakes have come to Eden.
A barely-foreseen dark side to the Internet moon is now emerging. For while it is true that Internet access allows you to communicate with practically anyone, practically anywhere, so long as they also have access – at the same time, it allows THEM to get to YOU, like it or not, ready or not.
Privacy, as it was known in the pre-Internet era, scarcely exists anymore. Unless you have taken extraordinary measures to disappear “off the grid”, it is more than likely your name, address, and various pieces of sensitive information about you are parked on multiple databases. Some are governmental and some private, but all are vulnerable, in various degrees, to penetration, hacking, and manipulation by outside parties.
The cyber-security problem has only become more acute as cyber-access has grown exponentially worldwide. Today it is nothing extraordinary for an American corporation to be robbed by cyber criminals operating out of Siberia. Online scam artists from West Africa have become so common as to be a joke. Scarcely a month goes by without the revelation that the online operations of some nationwide retailer or Internet service have been penetrated and robbed, opening the door for unknown damages in identity theft, fraud, and quite possibly even blackmail. Most recently, the credit reporting service Experian was hacked and the credit information of 143 million US residents was exposed and compromised. This was ten times the size of the Experian hack of 2015, a mere 15 million.
But it gets even worse. Because one movie offended its government, North Korea is credited with hacking into American movie studios, causing the early release of certain films such as the latest Spiderman and James Bond epics (clearly cruel and unusual punishment). Meanwhile, Russia’s intelligence service is accused of using its cyber expertise to influence the 2016 American presidential elections. The mere possibility of this being true has rocked the American political establishment to its core, calling the very legitimacy of our government into doubt. There are even fears that cyber-strikes against national infrastructure could emerge as Pearl Harbor-style sneak attacks. And there is no relief to be found in the camp of the “good guys”. The US government’s own antics with unauthorized data collection from the accounts and communications of private citizens, dating back years, have cast doubts on the constitutional legitimacy of many of the actions of our executive branch, Russians or no Russians. And bringing the parade of doubts full circle, such formerly respected institutions as Wells Fargo Bank have been revealed as establishing unauthorized accounts and charging their customers for it. It is now quite outdated to worry about someone using the Internet to rob a bank; today the banks use the Internet to rob you. And finally, the biggest commercial security hack to date was organized around the so-called “Wannacry” software, which had been leaked from the U.S. National Security Agency itself.
Concern is growing that even the largest intrusions and data losses are yet to be revealed, that we are only looking at “the tip of the spear”. The instrumentality that was supposed to lead to so much freedom, creativity, and liberation has suddenly also revealed itself as a knife, held uncomfortably close to our rights to privacy, freedom of speech and even individual liberty, held in unknown and unaccountable hands. Just when cascading technological refinements have given us an Internet of things, where the dream of every good or service being only a click away seems about to come true, we wake up to the shock that everything in such networks may be watching us, from desktop computers down to wide-screen TVs, refrigerators and even e-cigarettes.
Clearly, the cyber-ground has shifted under everyone, including I-gaming’s operators, players, service providers and regulators, too. In this three-part study we will consider some of the new challenges and liabilities emerging for the I-gaming industry in this Brave New World.
Part One: For the Operators
Protecting the Money
On one level, it’s business as usual for online gaming operators. Gambling businesses have always had the responsibility of taking in, holding and paying out large sums of money. The particular methodology varies with the format, but generally speaking, I-gaming businesses have to guard against direct intrusion (i.e., hacking to directly access and divert funds from the business and/or players’ accounts). This is not common; in fact, with the growing reliability of anti-intrusion software it would seem the only parties capable of direct theft are operators themselves (e.g., fly-by-night operations that take players’ money with rigged games, and either refuse payout or disappear altogether). Disgruntled former employees can also seek revenge on their ex-employer by hacking into customers’ sensitive personal and financial data.
Apart from direct intrusion there is also cheating. Online forms of this ancient sin include outside collusion, “bots” (software playing online against humans), “beards” (syndicate gamblers disguised as private bettors), and anything else the cheating fraternity can dream up. Online gambling, however, has encountered a new hazard that seldom if ever troubled land-based operations, namely, extortion. The oldest form of online extortion is the distributed denial of service (DDoS) attack. From the early years of this century, online gaming operations have been the target of various iterations of this method. The bad guys distribute an attack program to unsuspecting hosts using “worms”, generally introduced by false-flag inquiries and offers from apparently legitimate sources (also known as “phishing”). This creates a “botnet”: lots and lots of infected computers that will, on a preset signal from the bad guys, bombard the target business from all directions. Depending on the particular architecture and format, a given victim’s servers, router, firewalls and Internet bandwidth may all be targeted.
The effect is to drown the victim in an impossible number of service requests. Unable to respond, the targeted business is no longer capable of serving its customers or meeting their needs. The standard modus operandi is to inflict a DDoS attack and then cease. The target is then presented with a demand: pay up or get hit again. The response of most online gambling sites, however, has been to “armor up” with improved anti-DDoS software, and this has been generally effective.
A more recent development is so-called “ransomware”. Accessing an infected item or page triggers a software booby-trap, which seizes and encrypts the victim’s files in a code that only the attacker possesses. A message is displayed on the victim’s screens announcing that the code key will be released only on payment to a designated recipient (most recently payments were specified in the Bitcoin cryptocurrency). Otherwise victims lose that data. The cyber security industry has responded quickly, and so far effectively, to this latest threat and for the moment the Internet gambling sector seems to have been spared particular attention. Nevertheless, it is quite clear this will not be the last outbreak of this phenomenon.
Protecting the Customer
In addition to directly protecting the money, the online sector must cope with the additional challenge of collecting, and protecting, sensitive personal and financial data on its customers. In fact, unauthorized access to that data may pose a bigger risk to the customer than any direct losses via an ADW account.
While the amount held in a particular ADW account will vary with the taste and income of each individual bettor, and the individual house rules, a good average can be taken from Oregon-based Premier Turf Club: minimum $500 deposit, maximum amount allowed for any single wager $2500; maximum amount allowed for deposit in any 30-day period, $10,000. This can amount to a serious loss if hacked and stolen. But according to the US Department of Justice, the average loss from identity theft is around $1400, totaling something like $15 billion nationwide. This dwarfs the total of all legal sports betting in the state of Nevada, by comparison, which totals about $1 billion a year.
Nor is the problem confined to purely gambling and gambling-style games such as DFS. Many non-gambling games have perfected arrangements to separate the customer from his money without crossing the line into actual betting or wagering. In the most common version of so-called alternative financing, a given game will allow players to enter, register, and play for free. An initial supply of in-game currency/expendables (“points”, “chips”, “gold coins”, and so forth) is even provided. And it is perfectly possible for a given player to enter, play, and win contests and even prizes, without paying any money upfront. This is how many of these concerns avoid the charge of “gambling”: if no money or anything of value is handed over merely for the chance to participate, it does not fit the legal description of “consideration”. No consideration, no gambling.
Non-gambling gaming online has had another security requirement thrust on it, namely protection of property. It is now affirmatively established that the “magic items”, “super weapons” and other game boosters generated by participation in games, most notably the Massive Multiplayer Online (MMO) fantasy worlds, are genuine property, subject to the law as such, even if this contradicts the terms of the operators’ End User License Agreements (EULA).
Even more far-reaching frontiers of liability may be generated by so-called “gold farming”. Since players can enter and play for free, and by dint of application and luck acquire in-game currency and “magic items”, and because these acquisitions may be traded, legally or illegally, outside of normal gameplay, certain parties have established a cottage industry of so-called “MMO sweatshops” wherein players are recruited and paid (poorly) to play online MMO games by an employer who keeps and sells the online loot. There have even been reports of labor camp prisoners in some countries being forced into these arrangements. As a practical matter the aforementioned EULAs are a poor prevention. For one thing, actual supervision is extremely light. Most operators rely on customer service representatives to do any observing or inspecting for violations, and the ratio of reps to customers may be as thin as fifty per million. For another, even if provided for in the contract language of the relevant EULA, anything like legal recovery, beyond simply cutting off the offending account, can be very problematic. Extension of jurisdiction across national or even state lines can be difficult, particularly when the amount at stake may be less than the relevant threshold for actual court cases versus small-claims actions.
Nevertheless, because “gold farming” syndicates can and do hijack individual accounts as cover for their activities, this could lead to compromise of sensitive player information. And while an online gaming or even gambling site will typically not have the customer base of a large multinational corporation such as an online bank, retailer or credit card company, such incidents do carry with them the risk of civil action, especially class action suits in the event of massive data loss, and administrative action by parties such as state attorneys general, consumer protection bureaus, or even the FTC.
Mr. Owens is a California attorney specializing in the law of Internet and interactive gaming since 1998. Co-author of INTERNET GAMING LAW with Professor Nelson Rose (Mary Ann Liebert Publishers, 2nd ed. 2009); Associate Editor, Gaming Law Review & Economics; Contributing Editor, TSN. Comments/inquiries welcome at [email protected].