
Special report: Bookies' use of ‘spyware’ under investigation
Industry under the microscope as cases involving Totesport.com and Sky Bet bring use of iovation software into the public eye


Bookmakers’ use of a specific piece of software, which they argue protects them from fraudulent activity, is under investigation for a potential breach of the UK Data Protection Act.
A large number of operators use the product, known as ‘iesnare’ and provided by fraud protection company iovation, to obtain and share information on devices used by customers when interacting with bookies.
A report by the BBC yesterday revealed the UK Information Commissioner’s Office (ICO) had recently found Betfred-owned Totesport.com to have used iesnare to collect certain data without consent.
The ruling followed a similar complaint against Sky Bet and, following those cases, the ICO is now investigating whether the use of this ‘spyware’ is in breach of the 1998 Data Protection Act.
“As a result of our inquiries into Sky Bet and Totesport.com, we are now also looking into the use of iesnare,” an ICO spokesperson informed EGR Intel.
“We have an ongoing investigation into the iesnare technology and website operators’ compliance with the rules around how people’s information is used,” the spokesperson added.
The Gambling Commission confirmed that it was in dialogue with the ICO with regards to the investigation.
What is it?
Iesnare is automatically installed onto a punter’s PC when using the site of an iovation customer, without the punter being notified at the time of the installation. The collected data is then stored centrally by iovation and is used to alert operators to potential fraudulent activity.
EGR Intel understands one of the main uses of iesnare is to help bookies unearth those who may have already had their original account closed or restricted but go on to open multiple accounts under different names.
However, Brian Chappell, who runs the pressure group Justice for Punters, told the BBC that iesnare was also used to monitor customer activity so operators could weed out successful punters.
While he provided no hard evidence to substantiate his claim, he believed information gathered informed operators whether a particular customer had accounts closed or restricted at other bookies.
“Some people don’t even get one bet when they open a new account,” Chappell said. “If the new bookmaker is not in the same corporate group, how do they know this person is a financial risk?”
Operators’ response
Speaking to EGR Intel, a spokesperson for Totesport.com said the use of iesnare was for fraud purposes only, and didn’t involve the collection of any personal data.
“Totesport, along with other online operators, use this product for fraud prevention, authentication and customer protection purposes by checking whether devices have been identified with fraudulent transactions in the past, such as reported instances of identity theft, account takeovers, or malware attacks,” the spokesperson said.
“It does not collect any client information. However we are constantly reviewing our procedures and working with the ICO.”
Similarly, Sky Bet told the BBC that iesnare was used for fraud detection and that it informed customers of this via a banner on its website and within its T&Cs.
“Like many other operators, we use iesnare to tackle fraudulent activity. We notify customers we use iesnare in a banner at the top of our website and in our privacy policy,” the firm said.
Many of the firms using iesnare have their trading teams based in Gibraltar, and speaking to EGR Intel, Gibraltar Gambling Commissioner Phill Brear said similar tracking methods were used in other ecommerce industries.
“While the issues raised are, ultimately, a matter for data protection regulators, in our experience tools such as IP trackers and machine code identifiers are essential tools for operators to prevent and detect crime, and to manage out problem gamblers,” Brear said.
“We know they are used in many other remote service industries for similar reasons. As we speak, we are aware of a huge IP address analysis that offers to unravel systemic corruption in one sport.
“The arguments against these tools are reminiscent of the arguments against CCTV. Properly used, they protect consumers and operators,” he added.
Blown out of proportion
According to Olswang gaming lawyer Anna Soilleux-Mills, the use of iesnare falls within cookie legislation, meaning as long as operators present customers with details of their cookie policy, there should be no problem regarding its usage.
“My understanding is that the purpose of iesnare is fraud prevention, and the cookie is used by operators to help ensure that customers are genuine, have not registered more than once and are not attempting to access accounts that do not belong to them,” Soilleux-Mills told EGR Intel.
“Provided that operators give clear and comprehensive information about their use of cookies and obtain consent to set the cookie, there is nothing remotely illegal about such use.
“This [media focus] is making a complete mountain out of a molehill,” she added. “I would be very surprised if any of the gambling operators are overly concerned. All the ICO can do is look at whether the gambling operators are giving information about their use of cookies and have a consent mechanism.”
Soilleux-Mills also said the ICO had yet to levy a fine for breach of cookie rules and would be “extremely surprised” if they were to do so in the Totesport case.
Potential uses
However, speaking on condition of anonymity, one data protection lawyer told EGR Intel that operators’ use of iesnare had to change, both in terms of its widespread application and the need to offer greater transparency around how the gathered data is used.
“While I have no reason to believe iesnare is used by operators for such means, the worst case scenario is that it can be used to spot good gamblers and bad gamblers,” the lawyer said.
“This would enable them to close the accounts of those that bring commercial risk and increase the marketing around customers that consistently lose – that would be both unethical and unlawful.
“However, to use iesnare for fraudulent activity is perfectly legitimate – even if operators don’t ask for permission for iesnare to be activated,” he added. “A fraudster is hardly going to give an operator permission.”
One former director of trading told EGR Intel that iesnare’s ability to monitor devices enabled operators to identify customers using multiple accounts.
“Duplicate activity on sportsbook is rarely a profitable activity,” he said. “Is it the same guy sat on the other end of the bet? This [iesnare] is simply more sophisticated than manual processes or bookies’ proprietary tools.”
The ICO investigation is believed to be at an early information-gathering stage but comes at a time when operators are faced with a number of other regulatory investigations, including FOBTs, marketing and bonus T&Cs.
“In terms of where I put this cookies issue in terms of importance among the FOBTs, CMA, AML and everything else, I’d put it right at the bottom of the pile,” Soilleux-Mills said. “I think it’s making a big fuss over nothing.”