
iesnare Update: Victim Fights Back, urges others to do likewise

Bookies are spying on you... An update on ‘iesnare’ (Reputation Manager)

In September of last year, I published an article on iesnare - aka Reputation Manager - a piece of software that bookmakers deploy on the machines of unsuspecting visitors to their websites to collect data. They do this without permission, and with little or no reference to any such behaviour in their terms of service.

That article has been viewed over 43,000 times since, highlighting the interest in the subject. And, at the end of last week, I received an email from a fairly regular correspondent outlining his experiences. That is published in full below.

As well as his story, he urges us not to sit on our hands and tolerate this corporate machiavellianism; and he shares a specific approach we can adopt to shine a spotlight on such behaviour.

Over to B...

 

So... where are we with this privacy abuse?   

This is no ordinary third party cookie: it is extremely intrusive software, some would say a virus that is totally unnecessary unless fraud is already suspected on a betting account.

Nevertheless, due to modern online bookmaking paranoia and their habit of assuming bettors are guilty until proven innocent, its use has become ubiquitous. This is no exaggeration, as I’ve discovered.

About me…

I’ve backed horses for over 40 years.  It’s a hobby; betting mainly in ‘tenners’, but I do like a puzzle and I certainly try hard to win.  As you all know, it’s very, very difficult to make any money backing horses over a period of say six months if you don’t subscribe to excellent ratings/race cards and/or have access to a ‘nod’ in the right direction now and again, so I usually lose (but not much).  On-course bookmakers and my local independent bookmaker have been perfectly happy with this situation, meaning for 38+ years I was never refused a bet.

Two years ago, this forthcoming September, I opened six online accounts: my aim was to take the best price offered on my selections, on a morning, when work allowed.  I use Peter May’s NH speed ratings (which are published on Geegeez from September to April, the main season).

September was a good month.  By mid-October I only had two accounts left that were unrestricted and still open.  I’d won about £700 spread between six companies.  For a supposedly fairly bright and informed bloke I had no concept that this would happen.  Even worse, I was made to feel like a criminal; the last straw being a demand for a ‘selfie’ stood next to my UK passport to ‘prove’ my identity.

I began to read the betting forums and soon realised that I was not alone.  More worrying, I began to gain an insight into the lengths online bookmakers were going to profile their customers.  I own an online education company, so I asked a couple of my IT guys to take a closer look at the methods being employed.  What they found cannot be explained by any better word than ‘spying’.  After re-reading the UK and EU regulations covering online privacy I believed that some of the methods employed were illegal.  I simply could not believe that regulators were allowing it to go on. 

Anyway, to cut a very long story short; I’ve had many disappointments and I soon realised that the regulatory and arbitration services for gambling (UK Gambling Commission) had no interest whatsoever in customer ‘spying’.  In fact, I got the feeling that I was a bit of an irritant, maybe even raising things that would be better ‘left in the dark’, so I decided to approach other relevant national regulators.

It took eight months and a lot of hours gathering and providing evidence, but I’ve now been proven right as the UK Information Commissioner’s Office (ICO) has recently found against a bookmaker and for me in a case of illegal use of ‘iesnare’ (Reputation Manager).

It is a landmark decision and one that bettors should be aware of / take advantage of.  Who the bookmaker was is irrelevant, because all bookmakers who choose to use ‘iesnare’ do so in the same way; and, in some cases, what they are doing is even worse.

Crucially all are breaking the Data Protection Act (1998) based on this ruling.

It is not for me to comment on whether merely providing advice to an offender on how to improve is a valid sanction when a major company is breaking the Data Protection Act.

How You Can Help…

Any online bettor (i.e. you) can help by complaining to the ICO about a bookmaker who uses ‘iesnare’: The ICO has said they will take further action if this happens.

So, if you want to rid the UK and the European Union of this unacceptable privacy intrusion their telephone number is 0303 123 1113: Get ringing, after obtaining and copying some correspondence with your chosen bookmaker (see later list of names).

This latter aspect is important; because it is likely the ICO helpline will ask if you have done it before contacting them.  The simplest way to get this information is using the bookmaker’s ‘live chat’ feature.

1. State that you are aware that the company you are on ‘live chat’ with uses ‘iesnare’; that you have found it on your e-device and that you would like to know the information the company is holding about you and your equipment.

   [It is unpredictable what response you’ll get, but you can be pretty certain the information won’t be forthcoming at this point. In fact, it is more than likely that the customer service advisor will claim to know nothing about what you are referring to.]

2. End the ‘live chat’ by saying that unless they provide the information by email within 24 hours you will be contacting the ICO.

   [You may get the information within 24 hours, but this is unlikely; either way you can now ring the ICO saying the information has not been provided or that it has and you are appalled that this amount of detail has been stolen without your permission.]

You will need to mention the bookmaker with whom you have an issue when you ring the ICO.  Unless you know how to block ‘iesnare’ (see this article) you can be 99% certain that if you have accessed the website of any of the following companies as a customer and placed a bet via your PC, laptop or tablet, that device will have been ‘tagged’:

Betdaq, Betfair, Betfred, Boylesports, Coral, RaceBets, SkyBet, William Hill.  This list is not at all inclusive, but it gives plenty to go at.

To be clear, ‘iesnare’ is NOT illegal (I believe it should be and probably will be soon).

Rather, this case was won because the bookmaker did not make it clear to the customer that they were using it and what it actually does, i.e. steal the identity of your e-device and store the extensive information about that device in a database that can be accessed by any/all corporate subscribers, e.g. other bookmakers, etc.  To my knowledge no bookmaker tells their customers about their use of the product, so as already mentioned all bookmakers are potentially guilty under this ruling.

When you ring the ICO, you simply need to say that you have found ‘iesnare’ on your e-device and you have been made aware it is used to steal the identity of e-devices.  Importantly, say that you were not told clearly it would be downloaded on to your e-device and that you are shocked/appalled that the identity of your e-device has been stolen, without your knowledge or consent, and when you have done nothing wrong.  Mention that you know about the controversy surrounding this product and ask for your complaint to be put on a list for general consideration by the ICO investigative team.

Please do not take the easy option and do nothing.

Maybe the next two paragraphs will motivate you, because they outline what has been stolen from you, without your knowledge.  Nobody, including the ICO, truly knows what happens to this stolen information and what bookmakers (and other even less scrupulous companies) do with it in combination with everything else they collect about individuals.  All that is certain is that the information appears to be available to all subscribers to the database.

In my opinion, it is semantics whether this amounts to personal data sharing or not, but presently the ruling is that it is on the right side of the law. However, the process of collecting it is not…

What is collected?

Screen resolution, Device Type e.g. PC, MAC, etc., Operating System e.g. Windows, OS X, Linux, etc., Device Time Zone, JavaScript on/off, Flash on/off, Flash installed?, Flash Version, Flash storage enabled/disabled, Browser Cookies enabled/disabled, Browser Type, Browser Version, Browser character set, Browser Menu Language, Browser Configured Language, IP Address, IP Geolocation: City, IP Geolocation Country Code, IP Geolocation Proxy Flag, IP Geolocation Country Name, IP Geolocation State/Region, IP Geolocation Time Zone, Internet Service Provider (ISP), ISP Organization; Fully-qualified domain name, CPU Count, CPU Speed, Operating System Version, System Model, Component Serial Numbers, MAC Address, Device Name (MD5 Hash), Device Identifier, Device Locale, Device System Version, OS Build Number, Kernel Version, Kernel Build Number, Flash System Capabilities.

The best way to think about this, if you are not an ‘IT geek’ is:

Imagine being at the police station and suspected of a crime.  The police would take your fingerprints after asking you; 'iesnare' does this to your tablet, laptop or PC, but you have not committed, nor are you suspected of, any crime at this time.  It assumes you may be, so enters your equipment into a database where subscribing companies can enter other information about your machine, e.g. machine suspected of fraud.

The difference between the police station and ‘iesnare’ is that it is impossible to find out what is logged in the database, a list of exactly which companies share the database information, and that the information is stored permanently with no personal rights to have it removed.

Many tracking cookies are used by bookmakers, some of which have a lifespan until 2038 (!).  Companies claim they cannot identify customers’ specific internet activity outside of websites within their corporate group, but they can see it through trackers like Google Analytics; however this data is pooled, i.e. not identifiable to an individual.

We have to assume this is true, because if companies did otherwise, it would be illegal.

Nevertheless, it is possible to buy software that takes Google Analytics’ pooled data and following clever programming will identify an individual’s specific internet activity.  It is not for us to guess whether this has happened or not, or to know what the ‘iesnare’ database contains exactly: that is the job of the UK’s Information Commissioner’s Office and similar regulators throughout the world.

You don’t have to be a detective to work out that unless a customer is suspected of fraud, what is being done is completely unnecessary; so why are most of the major bookmakers doing it?  You can form your own opinions on this, because unless the ICO legally force ‘iovation’ (owners of ‘iesnare’) and bookmakers to reveal exactly what is stored in totality and analysed we are never going to know.

The ‘big finish’ is an insight into the secret world of big data collection.  Some companies on the list outlined above are not only stealing the identity of the e-devices of their customers, they are doing it to anyone in the world who simply visits their website home page with no privacy or cookie warnings.  A friend and I are in possession of a letter from the legal department of one of the largest bookmakers in the world admitting fault and stating that they would ensure their processes were updated following their ‘mistake’ being pointed out to them.  Ten weeks later they have done nothing, meaning they are still stealing information on a massive scale, i.e. from every website visitor who does not know how to block ‘iesnare’.  The job required to update their processes would take a good website programmer about 15 minutes.

In the near future there will be a series of short videos available at www.justiceforpunters.org informing bettors how to search for ‘iesnare’ downloads (my IT advisors actually regard it as a virus), how to ‘cure infections’, how to stop re-infection and how to stop other nasty intrusions into your online privacy.  All this used to be quite difficult, but not anymore; a bit of patience and perhaps a little help from someone tech-savvy is all that is required.

If you want to read extensive coverage of ‘iesnare’, including peoples’ experiences and feelings; see: http://www.geegeez.co.uk/iesnare-how-bookmakers-are-spying-on-you-from-your-own-computer/

If you do feel aggrieved by this unthinking and potentially damaging corporate behaviour, PLEASE DO NOT FORGET TO RING THE ICO.

Don’t forget that other online bookmakers are also ‘spying’ on you.  If a company does not use ‘iesnare’, it doesn’t mean that they are not using another type of ‘fingerprinting’ software or other intrusive type of ‘cookie’.  The word ‘cookie’ and a phrase like ‘3rd party cookie’ covers a whole range of products - most perfectly innocent but some sadly not - so always make sure your e-device is as secure as possible whether on a betting website or anywhere else online for that matter.

Additional ICO contact details can be found here: https://ico.org.uk/global/contact-us/

 

iesnare: How Bookmakers are Spying on You from Your Own Computer

Bookies are spying on you...

Online bookmakers are installing software on your computer to spy on you. This is not some melodramatic statement designed to get readers to click through, but rather a statement of unequivocal fact based on my own experience, and that of hundreds of others. The extent of this behaviour is likely to be widespread, and there is a very good chance it includes you.

Here's how I learned about this...

The first thing I knew about it was when listening to an enlightening podcast on the bookmaking industry - which can be heard here. In it, Neil Channing, a pro gambler, made reference to a bit of software called IE Snare, which bookmakers have been using to track user behaviour. At the time - a couple of weeks ago - my ears pricked up, but by the end of that excellent audio it had drifted somewhere into the cobwebbed recesses of my increasingly recall-challenged cranium...

...until today. While writing an innocent piece about Gleneagles' racecourse absences, I went to check on a 'special' price that I recalled Coral's head of racing had mentioned on twitter. Clicking across to that site to see if the horse was indeed still 11/10 not to race again in 2015, the bolt from the blue (branded site) happened.

I use Google Chrome and Windows 10, and this combination of browser and operating system alerted me, upon landing at coral.co.uk, that something had been downloaded to my machine. I was not even logged into their site. Rather, I'd simply landed on its home page as a casual website visitor. Thus, I had no contract with them, and had not agreed to any terms, conditions or privacy policies.

The file was simply called 'download'. Right clicking on it, and navigating to the folder into which it had deposited itself, I saw it was called mpsnare.iesnare.com

A bit of googling revealed some very interesting and, in my opinion, disturbing insights. I'd like to share them with you.

-

What is iesnare?

iesnare is spyware provided by a firm called iovation.com, big players in the world of online fraud management. Here's what the company says about itself:

iovation protects online businesses and their end users against fraud and abuse through a combination of advanced device identification, shared device reputation and real-time risk evaluation.

iovation actively target the online gaming industry and have a stand at the biggest trade show, ICE.

iesnare, when installed on a computer, monitors that machine's behaviour, including:

- pages visited
- your computer's installation data
- information from your registry
- browser and operating system information

and a lot more besides.

Once it is on your machine, it feeds back data - lots of data, about lots of things - to iovation's central hub, and continues to monitor your machine's - and therefore your - activity in real time for the duration of its existence on the device.

=

Why should I be worried about iesnare?

OK, so there's this bit of code running on my (and probably your) machine, and it's gathering information. Why should I (and probably you) be worried?

This 'cookieless fingerprinting', as it's known, stores your data in a central repository housed at iovation. The data they store can be bought by just about anyone.

The chart below taken from this paper by students at the University of California reveals that the vast majority of those buying such information are doing so for the purposes of malware or spam.

This is how fingerprinting information is used
So, in a nutshell, if you have this code on your machine, bookmakers can see what you're up to. Whether you're using oddschecker. Whether you're arb'ing. Which other bookmakers you use.

But that's a mere triviality compared to the wider world that can potentially access your data, and use it for nefarious ends.

The research paper concludes,

The purpose of our research was to demonstrate that when considering device identification through fingerprinting, user-privacy is currently on the losing side.

In plain English, this type of software considers a user's privacy to be of secondary/no importance when compared against the interests of the company deploying it.

-

What permission do bookies have to deploy iesnare?

This is where it gets tricky. My first thought was that this must be illegal. After all, I've not given my permission to be pried on in this way, have I?

Well, not explicitly, no. But when I checked the bookmaker's privacy policy, I was alarmed at what I read.

Here are the clauses that I found most vague:

Redefining 'vague' terms...

Coral reserve the right to "collect certain data" which will be used "to meet certain business requirements". What in the name of anything specific or palpable does that actually mean?

It seems to me that it is essentially carte blanche for bookmakers to plunder and pillage any information they can beg, steal or borrow about their site visitors.

And it is not just Coral. All four of the bookmakers I checked have a similarly vague 'all encompassing' clause or clauses which, ostensibly at least, gives them a mandate to behave in this fashion.

Obviously, when this code is deployed outside of a login, the strong likelihood is that it is illegal, regardless of the possibility of an existing cookie on my machine triggering that behaviour. But I'm not a lawyer...

-

How can I tell if iesnare is on my machine?

If you want to know if this code is on your device, here's how. It's pretty simple:

Go to the file search function on your computer/device

Type in 'mpsnare' in the search box, and hit 'search'

If iesnare has been used on your machine you'll find one or more of the following folders:

  • #mpsnare.iesnare.com
  • #ci-mpsnare.iovation.com
  • mpsnare.iesnare.com
  • ci-mpsnare.iovation.com

-

How do I get rid of iesnare?

Getting rid of iesnare may be as simple as deleting the folders you find. However, staying rid of it is a slightly more complicated operation. But, if you value your privacy and still want to bet with the best priced firm, it is worth the effort.

These instructions were originally published here, and I make no claim to be a tech whizz or otherwise able to troubleshoot the implementation of them, or anything awry which might crop up as a consequence of following them. They have worked fine for me, with no adverse consequences so far. Caveat emptor!

[NB The process is not nearly as complicated as it is long, so don't be put off by the block quoted text below]

To check if iesnare is on your computer...You can find it by opening up a command prompt
(start -> all programs->accessories->command prompt) then typing..... dir mp*.com /s
If it's there you will see the date it was installed on your computer!

If it's there and you want to block it this is how...

Click the Start button, click notepad or enter notepad in the bar at the bottom
Right-click on the Notepad item which appears at the top of the list
Choose "Run as administrator"
In "untitled - notepad" go to file and click open, then under "files of type" click all files
Enter "C:\WINDOWS\system32\drivers\etc" in file name and click open
Right click on "hosts" file (make sure it only says hosts, not hosts.bak or hosts.txt), select properties and uncheck read-only box at bottom beside attributes, then click "Apply" then OK.
Now double-click "hosts" again
Add the following lines in the next line below where it says "127.0.0.1 localhost"

127.0.0.1 iesnare.com
127.0.0.1 iesnare.co.uk
127.0.0.1 www.iesnare.co.uk
127.0.0.1 mpsnare.iesnare.com
127.0.0.1 mpsnare.iesnare.co.uk
127.0.0.1 www.mpsnare.iesnare.com
127.0.0.1 www.mpsnare.iesnare.co.uk
127.0.0.1 ci-mpsnare.iesnare.com
127.0.0.1 ci-mpsnare.iesnare.co.uk
127.0.0.1 www.ci-mpsnare.iesnare.com
127.0.0.1 www.ci-mpsnare.iesnare.co.uk
127.0.0.1 admin.iesnare.co.uk
127.0.0.1 www.admin.iesnare.com
127.0.0.1 www.admin.iesnare.co.uk
127.0.0.1 iovation.com
127.0.0.1 iovation.co.uk
127.0.0.1 www.iovation.com
127.0.0.1 www.iovation.co.uk
127.0.0.1 www.iesnare.com
127.0.0.1 admin.iesnare.com
127.0.0.1 dra.iesnare.com
127.0.0.1 impsnare.iesnare.com
127.0.0.1 mpsnare.iesnare.com
127.0.0.1 mx.iesnare.com
127.0.0.1 snare.iesnare.com
127.0.0.1 iovation.com
127.0.0.1 accountlock-demo.iovation.com
127.0.0.1 admin.iovation.com
127.0.0.1 bam-pilot.iovation.com
127.0.0.1 batch.iovation.com
127.0.0.1 ci-accountlock.iovation.com
127.0.0.1 ci-admin.iovation.com
127.0.0.1 ci-mpsnare.iovation.com
127.0.0.1 ci-snare.iovation.com
127.0.0.1 dv-fw-a-nat.iovation.com
127.0.0.1 ioit.iovation.com
127.0.0.1 mx.iovation.com
127.0.0.1 p.iovation.com
127.0.0.1 rm-admin-demo.iovation.com
127.0.0.1 soap.iovation.com
127.0.0.1 test.iovation.com
127.0.0.1 testgw.iovation.com

Save the text file back to its existing location, then close notepad

Now, open the command prompt (start -> all programs -> accessories -> command prompt)
and check that it is working:

Type in the word "ping" followed by any of the entries
(without the numbers), e.g. ping mpsnare.iesnare.com

Press enter

You're looking to see something similar to this:

Pinging mpsnare.iesnare.com [127.0.0.1] with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Note the all zeros at the bottom and the 127.0.0.1 addresses at the top;
anything different to this is wrong!

I've done this on both Vista and XP; both work.

Now, whenever IESnare attempts to phone home, your networking system will give it the wrong address (127.0.0.1 is always the address of your own computer), and its messages won't get through. You can check this has worked by trying to go to www.iesnare.com, or any of the above addresses, in your web browser: you shouldn't be able to get there and it should say it is unable to connect!

I followed these instructions, and can say they worked fine on Windows 10 as well. I'd imagine they'll work on any Windows device. Sadly, I can't vouch for a similar process on Apple kit. If any techies reading are able to share the equivalent, please do leave a comment below to that effect. And thanks in advance.

[UPDATE: Details of the process for checking on a Mac have been added in the comments below - thanks to Michael for those]
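As an added example (not part of the original article or of the quoted instructions), the Python script below audits a hosts file after the edit described above and reports which names are actually redirected to the local machine. The `EXPECTED` list is a subset of the hostnames given in the article, the `SAMPLE` text is constructed to show typical editing mistakes, and the function names are this example's own.

```python
import ipaddress
import os

# Subset of the hostnames listed in the article; extend with the full list.
EXPECTED = [
    "iesnare.com", "www.iesnare.com", "mpsnare.iesnare.com",
    "ci-mpsnare.iesnare.com", "iovation.com", "www.iovation.com",
    "ci-mpsnare.iovation.com",
]

# Constructed sample hosts file (not from a real machine) with common mistakes.
SAMPLE = """\
127.0.0.1 localhost
127.0.0.1 iesnare.com
127.0.0.1 www.iesnare.com   # trailing comments are ignored
127.0.0.1 MPSNARE.IESNARE.COM
127.0.0.1 mpsnare.iesnare.com
#127.0.0.1 ci-mpsnare.iesnare.com
127.0.0.1iovation.com
0.0.0.0 www.iovation.com
192.0.2.10 ci-mpsnare.iovation.com
"""

def parse_hosts(text):
    """Map each lower-cased hostname to every address assigned to it."""
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenise
        if len(fields) < 2:
            continue        # blank line, or address and name typed together
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue        # first field is not an IP address
        for name in fields[1:]:
            mapping.setdefault(name.lower().rstrip("."), []).append(fields[0])
    return mapping

def is_sinkhole(addr):
    """True for loopback (127.0.0.1, ::1) or unspecified (0.0.0.0) addresses."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified

def audit(text, expected=EXPECTED):
    """Classify each expected hostname by how the hosts file treats it."""
    mapping = parse_hosts(text)
    report = {"blocked": [], "missing": [], "not_loopback": [], "duplicates": []}
    for name in expected:
        addrs = mapping.get(name, [])
        if not addrs:
            report["missing"].append(name)       # absent or commented out
        elif all(is_sinkhole(a) for a in addrs):
            report["blocked"].append(name)
        else:
            report["not_loopback"].append(name)  # points somewhere real
        if len(addrs) > 1:
            report["duplicates"].append(name)
    return report

def default_hosts_path():
    """Hosts file location on Windows, otherwise the Unix/macOS path."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"

if __name__ == "__main__":
    path = default_hosts_path()
    # Notepad can save the edit as "hosts.txt", which the resolver never reads.
    if os.path.exists(path + ".txt"):
        print(f"warning: {path}.txt exists; only '{path}' is used")
    # utf-8-sig tolerates the byte-order mark some editors prepend.
    with open(path, encoding="utf-8-sig", errors="replace") as fh:
        for status, names in audit(fh.read()).items():
            print(f"{status}: {', '.join(names) or '-'}")
```

A hosts file matches exact names only, so a hostname under these domains that is not on the list is not redirected by this method.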

****

Some closing thoughts on iesnare, and a request for help from you

Given the nature of the bookmaking industry, and its need to operate within the laws of the land, it is likely that this spyware is just on the right side of legal.

That said, EU Privacy laws have been tightened, and I am unconvinced that this is in line with the stringent diktats set out more recently there, especially given that I wasn't logged into the site at the point the code was downloaded to my machine.

Either way, it is far adrift of what might be considered ethical practice, in my humble opinion at least. I have nothing to hide from bookmakers, but that doesn't mean I'm happy for my computer and its contents to be strip searched by them. That they are so vague about how this happens is not only unethical but, in my opinion again, immoral.

Large aggressive corporates bleating about fraud and arbers, and implicating a (presumed) majority of their small-time retail customers in their paranoia, when they won't stand a bet to anyone who looks even remotely like winning a couple of quid in the long term, is pretty hard to take.

I'm actually getting a bit bored unearthing the sharp practices of an industry that could be so much better simply by resorting to first principles - going back to laying a fair bet based on the skill and judgement of both parties.

But activity like this needs to be more front and centre in the betting public's collective consciousness, and I have no truck with supporting that end in some small way.

A plea for help:

If you decide to have a look at your own machine, I'd be grateful if you could feed back into a small straw poll by commenting below this post as to whether such a file exists/existed on your device when you searched. Thanks in advance.

Matt

p.s. PLEASE NOTE: A number of comments below are from readers who say they've deleted the files. This is only a temporary solution as the code will get re-installed on your machine. If you want to prevent it permanently, you need to follow the instructions above.

p.p.s. I am trying to find instructions to check on different configurations - Android, Chromebook, etc. Will update here if/when I find these. If you have any suggestions, please do post a reply below. Many thanks. Together, we'll tighten security around our personal data just that little bit. (It really is a new frontier right now, sadly).

Mac details are in this comment below.