Wolfie Christl
Public-interest researcher | Tech+society. Tracking, surveillance, consumer data, platform power, algorithmic decisions, data at work | @wchr@mastodon.social

Jan 27, 2022, 41 tweets

The online gambling industry can exploit data in the most harmful way, by monitoring and manipulating the behaviours of vulnerable people.

🆕 We examined how a major UK gambling firm tracks and profiles players, and how it shares sensitive data with many other data companies ⬇️

We've been working on it for more than a year, probably the most detailed investigation into data flows in the online gambling industry to date, commissioned by @cleanupgambling

You can download our report (plus a technical report) here, published today:
cleanupgambling.com/news/cracked-l…

"A major betting company harvested troves of data from a suicidal gambling addict to target his weaknesses and predict his losses ... [and] to groom the high-value gambler that they wanted to win back"

The Daily Mail's story about it:
thisismoney.co.uk/money/markets/…

Based on GDPR access requests, we found that Signal, a company owned by the credit reporting giant TransUnion, collected up to 186 profile attributes on Data Subject 1, a person who has been an extensive SBG user for years.

Data Subject 1, or Michael in the Daily Mail's article.

Signal recorded how often he opened emails from Sky Betting and Gaming, identified him as 'positively influenced by promotions', calculated his 'customer value' for different gambling products, and predicted how much the company can spend to 'win him back' and 'grow' his account.

Who else does Sky Betting and Gaming (SBG) share data with? To find out, we assisted another person (Data Subject 2) with observing data processing in the web browser.

Only 37 visits to SBG websites led to 2154 data transmissions to 83 domains controlled by 44 third-party firms.

During visits to Sky Betting and Gaming's skycasino.com, the website transmitted extensive data on gambling activities and behaviours to several third-party companies, including Facebook, Google, Microsoft, Adobe, MediaMath and Iovation, another TransUnion subsidiary.

For most of these firms, we don't know whether they created profiles or used them to influence gamblers. Without technical testing, we wouldn't even know that they received data. Much of this data processing was not disclosed to Data Subject 2 when they sent GDPR access requests.

Taken together:

- The online gambling industry processes vast quantities of personal data of a highly sensitive nature
- It is not even transparent about it
- Profiles include indicators of vulnerability and addictive behaviours, which can be used to target the most vulnerable

Two TransUnion subsidiaries play a major role:

- Signal, a marketing surveillance firm that claims to receive billions of 'signals' on activities every day
- Iovation, a risk surveillance firm that claims to track 7bn consumer devices globally to verify identity and detect fraud

While Signal helps to profile players to 'grow' their value, Iovation tracks players (and people across the planet) to decide whether they are risks.

Iovation's gambling products also promise to 'identify VIPs' and to 'promote responsible gambling'.
web.archive.org/web/2021012402…

Many other companies received extensive data.

During visits to skycasino.com, a server that appears to be operated by both Adobe and Sky UK received behavioural data about the pages visited, games played, cash deposits and about every step taken during registration.

While we observed these personal data transmissions when Data Subject 2 visited SBG websites, neither Adobe, Sky UK nor SBG provided any relevant information about it.

Btw, only a few people outside the industry know that Adobe, the Photoshop company, is also a massive data broker.

When Data Subject 2 registered as a customer at Sky Casino and made their first £30 deposit, the website immediately informed Facebook, Google and Microsoft about this fact, including the amount deposited.

Facebook and Google received data on almost every click.

While we observed personal data transmissions to Facebook, Google and Microsoft when Data Subject 2 visited the Sky Casino website, SBG did not provide information about it when Data Subject 2 asked SBG to provide access to the data it processes under the GDPR.

Did FB, Google or Microsoft use the data transmitted to them for profiling or to target gamblers? Did SBG or other parties make use of the data sent to those parties in any way?

We don't know.

Without technical testing, we wouldn't even know that they received personal data.

Btw. My organization Cracked Labs worked on this investigation together with @A__W______O /@RaviNa1k

To examine the data practices of SBG and its data partners, we went deep down the rabbit hole of how today's data industry processes, exchanges and exploits personal information:

We observed that several third-party data firms *received* the same personal IDs referring to Data Subject 2 during visits to different websites.

In that way, Signal, Iovation, Adobe, Facebook, Google, Microsoft and other companies can track and profile users across websites.

We observed that some third-party firms also *stored* such IDs in the user's browser during visits to the Sky Casino website.

As third-party firms can later receive the stored IDs when the user visits a different site, SBG may *facilitate* cross-site tracking by third parties.

Here's another company that received extensive data during visits to the gambling site skycasino.com including on the pages visited, games played, deposits, withdrawals, logins…

MediaMath, unknown to most people, claims to have data on 'more than a billion consumers'.

On top of that, MediaMath initiated personal data processing by a number of YET OTHER digital advertising firms and data brokers during visits to skycasino.com, including Salesforce, Oracle, Tapad/Experian, LiveRamp, Zeotap, AdForm, TTD, FreeWheel/Comcast, Pubmatic...

What the industry often refers to as 'cookie syncing' is actually massive personal data processing across many companies.

The result?
- These firms gained the capability to better track Data Subject 2 across the web
- Most of them learned that the person visited a gambling site

During visits to the Sky Casino website, SBG directly or indirectly *initiated* personal data processing by MediaMath, who sent personal data to many other digital advertising firms and data brokers, and directly or indirectly initiated further personal data processing by them.
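A sketch of how this kind of browser-side observation can be reproduced when auditing a site's data flows. This is an added example, not code from the thread or the report: it counts requests per third-party domain and flags ID-like values that reach more than one third party or show up on more than one website. The request log, hostnames, parameter names and ID value are all constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: (page the user was on, URL the browser requested).
# Hosts, parameter names and the ID value are made up for illustration.
REQUESTS = [
    ("https://casino.example/lobby", "https://casino.example/api/games"),
    ("https://casino.example/lobby", "https://pixel.dsp-a.example/event?uid=A1B2C3D4E5F6&ev=page_view"),
    ("https://casino.example/deposit", "https://pixel.dsp-a.example/event?uid=A1B2C3D4E5F6&ev=deposit&amount=30"),
    ("https://casino.example/deposit", "https://sync.broker-b.example/match?partner=dspa&partner_uid=A1B2C3D4E5F6"),
    ("https://casino.example/deposit", "https://cm.exchange-c.example/sync?ext_id=A1B2C3D4E5F6&r=1"),
    ("https://news.example/article", "https://pixel.dsp-a.example/event?uid=A1B2C3D4E5F6&ev=page_view"),
    ("https://news.example/article", "https://cdn.fonts.example/font.woff2?v=3"),
]

def site(url):
    # Assumption: the last two host labels approximate the registrable domain.
    # A real audit should use the Public Suffix List (e.g. for .co.uk hosts).
    return ".".join(urlsplit(url).hostname.split(".")[-2:])

def third_party_flows(requests):
    """Count requests per third-party domain (destination differs from the page's site)."""
    counts = defaultdict(int)
    for page, url in requests:
        if site(url) != site(page):
            counts[site(url)] += 1
    return dict(counts)

def shared_ids(requests, min_len=10):
    """Find ID-like query values sent to several third parties or seen on several sites."""
    seen = defaultdict(lambda: {"receivers": set(), "sites": set()})
    for page, url in requests:
        if site(url) == site(page):
            continue
        for _, value in parse_qsl(urlsplit(url).query):
            # Heuristic: long alphanumeric values are candidate identifiers.
            if len(value) >= min_len and value.isalnum():
                seen[value]["receivers"].add(site(url))
                seen[value]["sites"].add(site(page))
    return {v: d for v, d in seen.items()
            if len(d["receivers"]) > 1 or len(d["sites"]) > 1}

if __name__ == "__main__":
    print(third_party_flows(REQUESTS))
    for value, info in shared_ids(REQUESTS).items():
        print(value, sorted(info["receivers"]), sorted(info["sites"]))
```

On a real capture the same logic would run over the request URLs, cookies and POST bodies exported from the browser's network log, since identifiers are not only passed in query strings.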

I guess rarely anyone has ever examined personal data sharing during a few 'cookie syncs' at that level of detail, and probably rarely anyone has ever examined what happens during just 37 website visits at that level of detail 🤖

129-page technical report:
cdn.sanity.io/files/btrsclf0…

The technical report contains details about the tests and observations of personal data flows in the web browser, and a summary of GDPR access requests that Data Subject 1+2 sent to the companies & their responses.

Data Subject 1 spent years (!) to get at least some information.

The main report contains an exec summary, an overview of data exploitation in the gambling industry, an overview of the marketing+risk surveillance industry, a brief explainer on how digital tracking on the web works, and of course, all the actual findings
cdn.sanity.io/files/btrsclf0…

Yes, many businesses harvest extensive personal data on behaviours and constantly share it with companies most people never heard of.

It's bad when retailers, travel sites or news publishers do so. It's disastrous when gambling firms use it to profile+target the most vulnerable.

The gambling industry has long been exploiting data on players to influence their behaviour, get them to spend more and make them return more often.

Decades ago, casinos started to use data and statistical models to score players and to create 'behavioural modification reports'.

Casinos use a wide range of personalised promotions and incentives to induce behavioral change, including free food, drinks, hotel stays, and most important, bonuses and 'free' bets/plays.

For some players, they spend thousands of dollars, because they know they are 'worth' it.

They send hundreds of millions of tailored email messages, and they tried to make losing a 'good experience' by calculating personalised 'pain points' that indicated how much someone can lose while still being satisfied. When a person approached this pain point, they got rewards.

The gambling industry has pioneered what has become routine in today's digital economy: data-driven behavioural experiments on people.

A mathematician and former consultant at Booz Allen who became chief marketing officer of a large casino firm called it 'Pavlovian marketing'.

In addition to profiling for marketing and behavioural change, casinos always operated systems to monitor, identify and single out suspicious players, rarely to protect them. Instead, 'fraud prevention' meant banning players who managed to exploit the casino's marketing programs.

The above paras are taken from section 2.1 in our report, which largely relies on the books "What Stays in Vegas" by Adam Tanner and "Addiction by Design: Machine Gambling in Las Vegas" by Natasha Dow Schüll, both highly recommended.

Dow Schüll also points to in-game bonus pots.

This is the context when we discuss targeted messaging or ads in gambling.

A UK House of Lords report found the "gambling industry spends £1.5 billion a year on advertising, and 60% of its profits come from the 5% who are already problem gamblers, or are at risk of becoming so".

Now what about online gambling?

It's clear that personal data collection and personalised manipulation based on profiling and experiments became even more pervasive. Almost anything described above can be applied in online gambling, only much easier, at greater speed and scale.

However, little is still known about how data is actually collected, shared and utilised by gambling/betting sites. This is why we started this investigation.

It was incredibly difficult to find out how they collect and share data. We still don't know much about how they use it.

Data Subject 1 has been an extensive user for a decade and lost a huge amount of money.

SBG recorded data on 1359 deposits/withdrawals, 5717 games played, 44063 bets and 826 'free' bets.

His Signal profile estimated he spent only 10% of the money he spends for gambling at SBG.

How did they decide what kinds of free bets he got?

How did they message/target him based on the Signal profile data he received upon his GDPR access request?

Most likely, his Signal profile was constantly updated over the years. What did it look like at earlier points in time?

According to responses to GDPR access requests, Signal put both data subjects into groups that appear to refer to digital marketing experiments on the web and on social media.

How did SBG, Sky UK, Signal, MediaMath, FB or others use this profile data for targeting or messaging?

And how did these companies use the detailed data on gambling behaviours they received?

There are many open questions.

I hope our findings will have consequences, they should have. They should have consequences for SBG, and for the data industry at large.

Enough for today 🤖

Based on my investigation of how the UK gambling firm Skybet/SBG exploits personal data on players, Clean Up Gambling and AWO made a submission to the UK's data watchdog ICO, which started an investigation.

Submission:
cdn.sanity.io/files/btrsclf0…

FT article:
