Analysis: Online gamblers risk losing their identity

Online gambling sites play fast and loose with customers' personal data, say privacy campaigners. So why isn't the ICO doing something about it?

“A fool and his money are soon parted,” so the saying goes. And ever since the advent of online gambling, fools have never been so quickly parted from both their hard-earned cash – and their personal information.

That, at least, is the claim of Simon Davies, the founder of Privacy International. In 2010, Davies conducted an experiment with a number of online gambling operators to find out how they dealt with the information they collect.

This includes not just the data they gather as customers gamble away their money, but also the sensitive identification documents they typically demand before opening an account. “It is routine for sites to demand passport and credit card scans, driver’s licences, utility bills and other personal documents,” wrote Davies in a report.

Did they, Davies wanted to know, comply with the UK Data Protection Act and keep the information only for as long as necessary?

No, was the blunt answer. “All the available evidence indicates that this information is stored permanently,” says Davies.

When sites were pushed by Davies to close his account and delete all his data, most refused, with many citing anti-money laundering laws as justification for keeping his personal data indefinitely.

32Red even offered him free chips before turning down his request on anti-money laundering grounds.

Identity theft threat

The problem, says Susan Hall, partner and IT specialist at Cobbetts, is that the documents demanded by online gambling sites are also ideal for conducting identity theft.

“Every time the law requires that an organisation generates or collects personal data, you are creating another point at which an identity theft can occur,” says Hall.

She adds: “[Anti-money laundering legislation is] actually putting an obligation on organisations to have exactly the sort of information on file that would be of interest to an identity thief.”

Furthermore, an estimated two-thirds of the online gaming of British citizens is conducted on sites outside of the UK, outside the reach of regulators such as the Information Commissioner's Office (ICO).

The sites will also retain gamblers’ payment details, often including debit and card information. In short, they have everything a criminal could need to perpetrate the very crimes that anti-money laundering laws are supposed to prevent.

Who knows how the information is stored, how secure that storage is, and who has access to it? Is the data printed off and kept only in locked filing cabinets, or in digitised form on computer systems accessible over companies’ networks or, possibly, over the internet too?

Many of the most popular gambling websites lie within the jurisdiction of offshore tax havens because of their reputation for minimal regulation.

The issue is important because anywhere between four per cent and 11 per cent of adults in the UK participate in online gambling every year, depending on the survey, and the majority of people playing online poker or bingo will be using operators based overseas. Between April 2010 and March 2011, some £660.7m was wagered on gambling websites administered by the Gambling Commission in the UK – compared to an estimate for the total UK online gambling market in 2010 of £1.9bn.

Perhaps reflecting their attitude towards data protection issues, when Computing contacted six of the biggest gambling website operators for comment, only one responded – directing us to the Remote Gambling Association instead.

Perhaps even more disappointing was the response of the ICO. Also declining to speak to Computing, it claimed that it had looked into the issue thoroughly. “Following our enquiries, and in line with our Data Protection Regulatory Action Policy, we concluded that no further action was required,” it said in a statement.

“In reaching this decision, the ICO took account of the information already available on a number of websites and recognised that many of these websites operated outside of the ICO’s jurisdiction,” it added.

Yet with as many as one-tenth of UK adults – as many as 4.8 million people – putting themselves at risk of identity theft, perhaps the ICO ought to take a closer interest.

And the players themselves, believes Davies, ought to think longer and harder about exactly who they are giving their money to.

In the offshore environment, with gambling sites turning over hundreds of millions of pounds, it is not in the interests of the limited authorities to look too closely at what the operators are doing. “The real scam online is that they can use an infinitely bigger number of deceptions and tactics to manipulate the user,” warns Davies.

Indeed, perhaps an even bigger issue than data protection and the risk of identity theft is the fact that no one really knows what an online gambling website, based on some lightly regulated, far-flung island, is really getting up to.