The online gambling industry can exploit data in the most harmful way, by monitoring and manipulating the behaviours of vulnerable people.
🆕 We examined how a major UK gambling firm tracks and profiles players, and how it shares sensitive data with many other data companies ⬇️
We've been working on it for more than a year. It is probably the most detailed investigation into data flows in the online gambling industry to date, commissioned by @cleanupgambling.
"A major betting company harvested troves of data from a suicidal gambling addict to target his weaknesses and predict his losses ... [and] to groom the high-value gambler that they wanted to win back"
Based on GDPR access requests, we found that Signal, a company owned by the credit reporting giant TransUnion, collected up to 186 profile attributes on Data Subject 1, a person who has been an extensive user of Sky Betting and Gaming (SBG) for years.
Data Subject 1 is 'Michael' in the Daily Mail's article.
Signal recorded how often he opened emails from Sky Betting and Gaming, identified him as 'positively influenced by promotions', calculated his 'customer value' for different gambling products, and predicted how much the company can spend to 'win him back' and 'grow' his account.
Who else does Sky Betting and Gaming (SBG) share data with? To find out, we assisted another person (Data Subject 2) with observing data processing in the web browser.
Just 37 visits to SBG websites led to 2154 data transmissions to 83 domains controlled by 44 third-party firms.
During visits to Sky Betting and Gaming's skycasino.com, the website transmitted extensive data on gambling activities and behaviours to several third-party companies, including Facebook, Google, Microsoft, Adobe, MediaMath and Iovation, another TransUnion subsidiary.
For most of these firms, we don't know whether they created profiles or used them to influence gamblers. Without technical testing, we wouldn't even know that they received data. Much of this data processing was not disclosed to Data Subject 2 when they sent GDPR access requests.
Taken together:
- The online gambling industry processes vast quantities of personal data of a highly sensitive nature
- It is not even transparent about it
- Profiles include indicators of vulnerability and addictive behaviours, which can be used to target the most vulnerable
Two TransUnion subsidiaries play a major role:
- Signal, a marketing surveillance firm that claims to receive billions of 'signals' on activities every day
- Iovation, a risk surveillance firm that claims to track 7bn consumer devices globally to verify identity and detect fraud
While Signal helps to profile players to 'grow' their value, Iovation tracks players (and people across the planet) to decide whether they are risks.
Iovation's gambling products also promise to 'identify VIPs' and to 'promote responsible gambling'. web.archive.org/web/2021012402…
Many other companies received extensive data.
During visits to skycasino.com, a server that appears to be operated by both Adobe and Sky UK received behavioural data about the pages visited, games played, cash deposits and about every step taken during registration.
While we observed these personal data transmissions when Data Subject 2 visited SBG websites, neither Adobe, Sky UK nor SBG provided any relevant information about it.
By the way, few people outside the industry know that Adobe, the Photoshop company, is also a massive data broker.
When Data Subject 2 registered as a customer at Sky Casino and made their first £30 deposit, the website immediately informed Facebook, Google and Microsoft about this fact, including the amount deposited.
Facebook and Google received data on almost every click.
While we observed personal data transmissions to Facebook, Google and Microsoft when Data Subject 2 visited the Sky Casino website, SBG did not provide information about it when Data Subject 2 asked SBG to provide access to the data it processes under the GDPR.
Did Facebook, Google or Microsoft use the data transmitted to them for profiling or to target gamblers? Did SBG or other parties make use of the data sent to those parties in any way?
We don't know.
Without technical testing, we wouldn't even know that they received personal data.
By the way, my organization Cracked Labs worked on this investigation together with @A__W______O / @RaviNa1k.
To examine the data practices of SBG and its data partners, we went deep down the rabbit hole of how today's data industry processes, exchanges and exploits personal information:
We observed that several third-party data firms *received* the same personal IDs referring to Data Subject 2 during visits to different websites.
In that way, Signal, Iovation, Adobe, Facebook, Google, Microsoft and other companies can track and profile users across websites.
We observed that some third-party firms also *stored* such IDs in the user's browser during visits to the Sky Casino website.
As third-party firms can later receive the stored IDs when the user visits a different site, SBG may *facilitate* cross-site tracking by third parties.
Here's another company that received extensive data during visits to the gambling site skycasino.com including on the pages visited, games played, deposits, withdrawals, logins…
MediaMath, unknown to most people, claims to have data on 'more than a billion consumers'.
On top of that, MediaMath initiated personal data processing by a number of yet other digital advertising firms and data brokers during visits to skycasino.com, including Salesforce, Oracle, Tapad/Experian, LiveRamp, Zeotap, AdForm, TTD, FreeWheel/Comcast, Pubmatic...
What the industry often refers to as 'cookie syncing' is actually massive personal data processing across many companies.
The result?
- These firms gained the capability to better track Data Subject 2 across the web
- Most of them learned that the person visited a gambling site
During visits to the Sky Casino website, SBG directly or indirectly *initiated* personal data processing by MediaMath, who sent personal data to many other digital advertising firms and data brokers, and directly or indirectly initiated further personal data processing by them.
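The observations above (counting third-party transmissions, spotting the same ID arriving at several firms and from several sites, and following a 'cookie sync' redirect from one firm to the next) are the kind of thing you can pull out of a browser traffic capture mechanically. The script below is an added example, not Cracked Labs' tooling or anything from the report. It assumes records already flattened from a HAR export into first-party page, request URL, status, Location header and Cookie header; the `.example` domains, the IDs and the deposit event are constructed, and both the registrable-domain shortcut and the "looks like an ID" regex are heuristics (real tooling should use the Public Suffix List and be tuned per tracker).

```python
import re
from urllib.parse import urlparse, parse_qs

# Heuristic registrable-domain extraction (assumption: good enough for the
# sample; production tooling should use the Public Suffix List, e.g. tldextract).
def site_of(host):
    parts = host.lower().split(".")
    if (len(parts) >= 3 and len(parts[-1]) == 2
            and parts[-2] in {"co", "com", "org", "net", "ac", "gov"}):
        return ".".join(parts[-3:])          # e.g. skybet.co.uk
    return ".".join(parts[-2:])

# An "ID-looking" value: a long opaque token. Heuristic, tuned for the sample.
ID_RE = re.compile(r"^[A-Za-z0-9_-]{16,}$")

def extract_ids(url, cookie_header=""):
    """Opaque identifier values carried in the query string and Cookie header."""
    ids = set()
    for values in parse_qs(urlparse(url).query).values():
        ids.update(v for v in values if ID_RE.match(v))
    for part in cookie_header.split(";"):
        _name, sep, value = part.partition("=")
        if sep and ID_RE.match(value.strip()):
            ids.add(value.strip())
    return ids

def _parties(record):
    first = site_of(urlparse(record["page"]).hostname)
    third = site_of(urlparse(record["url"]).hostname)
    return first, third

def third_party_summary(records):
    """Requests per third-party site (any domain outside the visited site)."""
    counts = {}
    for r in records:
        first, third = _parties(r)
        if third != first:
            counts[third] = counts.get(third, 0) + 1
    return counts

def shared_ids(records):
    """identifier -> which third parties received it and from which sites.
    Several receivers: the ID was synced across firms. Several sites: the
    receiver can recognise this browser across the web."""
    seen = {}
    for r in records:
        first, third = _parties(r)
        if third == first:
            continue
        for idv in extract_ids(r["url"], r.get("cookie", "")):
            entry = seen.setdefault(idv, {"receivers": set(), "sites": set()})
            entry["receivers"].add(third)
            entry["sites"].add(first)
    return seen

def cookie_syncs(records):
    """Classic cookie-sync pattern: a third party answers with a 3xx whose
    Location points at another third party and carries an identifier."""
    syncs = []
    for r in records:
        loc = r.get("location")
        if loc and 300 <= r.get("status", 200) < 400:
            src = site_of(urlparse(r["url"]).hostname)
            dst = site_of(urlparse(loc).hostname)
            ids = extract_ids(loc)
            if src != dst and ids:
                syncs.append((src, dst, sorted(ids)))
    return syncs

# Constructed sample traffic (not captured data): a registration plus deposit on a
# gambling site, a sync from one adtech firm to a broker, and a later news visit.
SAMPLE_RECORDS = [
    {"page": "https://www.casino.example/register",
     "url": "https://www.casino.example/api/register", "status": 200},
    {"page": "https://www.casino.example/register",
     "url": "https://collect.adtech-a.example/event?ev=deposit&amt=30&uid=Q1w2E3r4T5y6U7i8O9p0",
     "status": 200},
    {"page": "https://www.casino.example/register",
     "url": "https://sync.adtech-a.example/cs?uid=Q1w2E3r4T5y6U7i8O9p0", "status": 302,
     "location": "https://match.broker-b.example/m?partner_uid=Q1w2E3r4T5y6U7i8O9p0"},
    {"page": "https://www.casino.example/register",
     "url": "https://match.broker-b.example/m?partner_uid=Q1w2E3r4T5y6U7i8O9p0",
     "status": 200, "cookie": "bid=Zz9Yy8Xx7Ww6Vv5Uu4Tt3"},
    {"page": "https://news.example/article/123",
     "url": "https://collect.adtech-a.example/event?ev=pageview&uid=Q1w2E3r4T5y6U7i8O9p0",
     "status": 200},
]

if __name__ == "__main__":
    print("third-party requests:", third_party_summary(SAMPLE_RECORDS))
    for idv, info in shared_ids(SAMPLE_RECORDS).items():
        print(idv, "-> receivers", sorted(info["receivers"]), "from sites", sorted(info["sites"]))
    print("cookie syncs:", cookie_syncs(SAMPLE_RECORDS))
```

On the sample, the uid minted by adtech-a reaches broker-b through the 302 and then comes back from news.example, which is exactly the two findings the thread describes: the ID was shared across firms, and a firm can now recognise the browser on an unrelated site as one that registered and deposited on a gambling site. Against a real HAR, expect the ID regex to catch timestamps and hashes of page content as well; check candidate IDs for stability across visits before reporting them.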
I guess hardly anyone has ever examined personal data sharing during a few 'cookie syncs' at this level of detail, and probably hardly anyone has ever examined what happens during just 37 website visits at this level of detail 🤖
The technical report contains details about the tests and observations of personal data flows in the web browser, and a summary of the GDPR access requests that Data Subjects 1 and 2 sent to the companies and the companies' responses.
Data Subject 1 spent years (!) getting even some of the information.
The main report contains an exec summary, an overview of data exploitation in the gambling industry, an overview of the marketing and risk surveillance industry, a brief explainer on how digital tracking on the web works, and of course, all the actual findings cdn.sanity.io/files/btrsclf0…
Yes, many businesses harvest extensive personal data on behaviours and constantly share it with companies most people never heard of.
It's bad when retailers, travel sites or news publishers do so. It's disastrous when gambling firms use it to profile and target the most vulnerable.
The gambling industry has long been exploiting data on players to influence their behaviour, get them to spend more and make them return more often.
Decades ago, casinos started to use data and statistical models to score players and to create 'behavioural modification reports'.
Casinos use a wide range of personalised promotions and incentives to induce behavioral change, including free food, drinks, hotel stays, and most important, bonuses and 'free' bets/plays.
On some players they spend thousands of dollars, because they know those players are 'worth' it.
They send hundreds of millions of tailored email messages, and they tried to make losing a 'good experience' by calculating personalised 'pain points' that indicated how much someone could lose while still being satisfied. When a person approached this pain point, they got rewards.
The gambling industry has pioneered what has become routine in today's digital economy: data-driven behavioural experiments on people.
A mathematician and former consultant at Booz Allen who became chief marketing officer of a large casino firm called it 'Pavlovian marketing'.
In addition to profiling for marketing and behavioural change, casinos have always operated systems to monitor, identify and single out suspicious players, rarely to protect them. Instead, 'fraud prevention' meant banning players who managed to exploit the casino's marketing programs.
The above paragraphs are taken from section 2.1 of our report, which largely relies on the books "What Stays in Vegas" by Adam Tanner and "Addiction by Design: Machine Gambling in Las Vegas" by Natasha Dow Schüll, both highly recommended.
Dow Schüll also points to in-game bonus pots.
This is the context when we discuss targeted messaging or ads in gambling.
A UK House of Lords report found the "gambling industry spends £1.5 billion a year on advertising, and 60% of its profits come from the 5% who are already problem gamblers, or are at risk of becoming so".
Now what about online gambling?
It's clear that personal data collection and personalised manipulation based on profiling and experiments have become even more pervasive. Almost anything described above can be applied in online gambling, only much more easily, at greater speed and scale.
However, little is still known about how data is actually collected, shared and utilised by gambling/betting sites. This is why we started this investigation.
It was incredibly difficult to find out how they collect and share data. We still don't know much about how they use it.
Data Subject 1 has been an extensive user for a decade and lost a huge amount of money.
SBG recorded data on 1359 deposits/withdrawals, 5717 games played, 44063 bets and 826 'free' bets.
His Signal profile estimated that only 10% of the money he spends on gambling was spent at SBG.
How did they decide what kinds of free bets he got?
How did they message/target him based on the Signal profile data he received upon his GDPR access request?
Most likely, his Signal profile was constantly updated over the years. What did it look like at earlier points in time?
According to responses to GDPR access requests, Signal put both data subjects into groups that appear to refer to digital marketing experiments on the web and on social media.
How did SBG, Sky UK, Signal, MediaMath, Facebook or others use this profile data for targeting or messaging?
And how did these companies use the detailed data on gambling behaviours they received?
There are many open questions.
I hope our findings will have consequences, they should have. They should have consequences for SBG, and for the data industry at large.
Enough for today 🤖
Based on my investigation of how the UK gambling firm Skybet/SBG exploits personal data on players, Clean Up Gambling and AWO made a submission to the UK's data watchdog ICO, which started an investigation.
I took another look at Snowden docs that mention browser/cookie IDs.
It's breathtaking how the surveillance marketing industry has still managed to claim for many years that unique personal IDs processed in the web browser are somehow 'anonymous', and sometimes still does.
Another 2011 doc indicates that GCHQ operated a kind of probabilistic ID graph that aimed to link cookie/browser IDs, device IDs, email addresses and other 'target detection identifiers' (TDIs) based on communication, timing and geolocation behaviour.
By the way, what inspired me to revisit these docs is @ByronTau's book Means of Control, which not only details how US agencies buy commercial data from digital marketing but also provides deep historical context, tracing back to early-2000s debates on Total Information Awareness (TIA).
The digital advertising industry sells smartphone location data and movement profiles of millions of people in Germany, including private individuals and sensitive personnel.
Major investigation by netzpolitik.org and BR, who received a huge dataset as a 'sample'. netzpolitik.org
They identified people who visited addiction clinics, swingers' clubs or brothels, but also staff of ministries, the Bundeswehr, the BND and the police.
Almost all smartphone apps today are 'bugged' with shady data-collection technologies.
Completely uncontrolled data marketplaces, including the Berlin-based company Datarade, offer location and other behavioural data on entire populations from many countries for sale.
So, Microsoft exploits activity data from Outlook, Teams, Word etc across customers for its own promotional purposes, including on meetings, file usage and the seconds until emails are read.
Microsoft states that the analysis on the seconds until emails were read excludes EU data. Activity data from Outlook, Teams, Word etc, however, seems to include EU data.
What's their legal basis? This is also personal data on employees. And, are business customers fine with it?
Should cloud-based software vendors exploit personal data on users of their services, including private persons and employees of business customers, how they see fit?
I don't think so.
Not even for public-interest research, at least not without academic process and IRB review.
Some more findings from our investigation of LiveRamp's ID graph system, which maintains identity records about entire populations in many countries, including name, address, email and phone, and aims to link these records with all kinds of digital IDs: crackedlabs.org/en/identity-su…
Identity data might seem boring, but if a company knows all kinds of identifying info about everyone, from home address to email to device IDs, it is in a powerful position to recognize persons and link profile data scattered across many databases, and this is what LiveRamp does.
LiveRamp aims to provide clients with the ability to recognize a person who left some digital trace in one context as the same person who later left some trace elsewhere.
It has built a sophisticated system to do this, whatever degree of recognition it achieves.
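The core mechanism behind both the TDI linking described in the GCHQ doc above and LiveRamp's "recognise the same person across contexts" is transitive closure over shared identifiers: every record that carries two identifiers asserts they belong together, and following those assertions clusters cookie IDs, device IDs, hashed emails and postal data into one person. The code below is an added illustration of that mechanism, not LiveRamp's or GCHQ's implementation (both are described as probabilistic and far richer). It assumes 'kind:value' identifier strings, treats address and IP as household-level identifiers that are attached to a cluster but never used to merge two (an assumption about how a careful graph would avoid collapsing housemates), and the observations are constructed.

```python
# Identifier kinds shared by several people (household address, home IP).
# Assumption for this example: they are recorded but never used as links.
HOUSEHOLD_KINDS = {"addr", "ip"}

class UnionFind:
    """Disjoint-set forest over identifier strings."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def kind(identifier):
    return identifier.split(":", 1)[0]

def build_identity_graph(observations, household_kinds=HOUSEHOLD_KINDS):
    """observations: iterable of sets of 'kind:value' strings seen together in
    one record (a CRM row, an email click, an ad request). Returns a list of
    clusters, each the set of all identifiers attributed to one person."""
    uf = UnionFind()
    for obs in observations:
        linkable = sorted(i for i in obs if kind(i) not in household_kinds)
        for other in linkable[1:]:
            uf.union(linkable[0], other)
    clusters = {}
    for obs in observations:
        linkable = sorted(i for i in obs if kind(i) not in household_kinds)
        if not linkable:
            continue   # only household-level data: cannot be attributed to a person
        root = uf.find(linkable[0])
        clusters.setdefault(root, set()).update(obs)   # household IDs ride along
    return list(clusters.values())

def who_is(clusters, identifier):
    """Every cluster that contains the identifier (more than one for household IDs)."""
    return [c for c in clusters if identifier in c]

# Constructed observations, one per context in which a trace was left.
OBSERVATIONS = [
    {"email:sha256(alice@example.org)", "addr:12 High St, Leeds",
     "phone:+44-7700-900123"},                                   # loyalty card sign-up
    {"email:sha256(alice@example.org)", "cookie:Q1w2E3r4T5y6U7i8O9p0"},  # click in marketing email
    {"cookie:Q1w2E3r4T5y6U7i8O9p0", "maid:0f1e2d3c-device-a",
     "ip:203.0.113.7"},                                          # app-to-web bridge
    {"maid:0f1e2d3c-device-a", "cookie:Zz9Yy8Xx7Ww6Vv5Uu4Tt3"},  # same device, other browser
    {"email:sha256(bob@example.org)", "addr:12 High St, Leeds",
     "ip:203.0.113.7"},                                          # housemate, same address/IP
]

if __name__ == "__main__":
    clusters = build_identity_graph(OBSERVATIONS)
    # A cookie seen once on an unrelated site resolves to a name-level record.
    for c in who_is(clusters, "cookie:Zz9Yy8Xx7Ww6Vv5Uu4Tt3"):
        print(sorted(c))
    # Dropping the household guard merges Alice and Bob through the shared address.
    print(len(build_identity_graph(OBSERVATIONS, household_kinds=set())), "cluster(s) without the guard")
```

The second cookie never appears next to an email or phone number, yet it resolves to Alice's phone and address because the device ID bridges it to the first cookie, which an email click bridged to the CRM record. That is the point of L96: whoever holds enough of these pairwise links can recognise a person from any single trace. The guard on household-level kinds is what stops the shared address from merging Alice and Bob; a graph that skips it (or that uses IP addresses as deterministic links) quietly builds household or even building-level profiles and attributes them to individuals.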
As part of our new report on RTB as a security threat and previously unreported, we reveal 'Patternz', a private mass surveillance system that harvests digital advertising data on behalf of 'national security agencies'.
5 billion user profiles, data from 87 adtech firms. Thread:
'Patternz' in the report by @johnnyryan and me published today:
Patternz is operated by a company based in Israel and/or Singapore. I came across it some time ago, received internal docs. Two docs are available online.
Here's how Patternz can be used to track and profile individuals, their location history, home address, interests, information about 'people nearby', 'co-workers' and even 'family members', according to information available online.
A 'social risk intelligence platform' that provides digital profiles about named individuals regarding financial strain, food insecurity, housing instability etc. for healthcare purposes.
"It calculates risk scores for each risk domain for each person", according to the promotional video, and offers "clarity and granularity for the entire US".
Not redlining, though. They color it green.
Making decisions based on these metrics about individuals and groups seems to be highly questionable and irresponsible bs.