iesnare Update: Victim Fights Back, urges others to do likewise
An update on ‘iesnare’ (Reputation Manager)
In September of last year, I published an article on iesnare - aka Reputation Manager - a piece of software that bookmakers deploy on the machines of unsuspecting visitors to their websites to collect data. They do this without permission, and with little or no reference to any such behaviour in their terms of service.
That article has been viewed over 43,000 times since, highlighting the interest in the subject. And, at the end of last week, I received an email from a fairly regular correspondent outlining his experiences. That is published in full below.
As well as his story, he urges us not to sit on our hands and tolerate this corporate machiavellianism; and he shares a specific approach we can adopt to shine a spotlight on such behaviour.
Over to B...
So... where are we with this privacy abuse?
This is no ordinary third party cookie: it is extremely intrusive software, some would say a virus that is totally unnecessary unless fraud is already suspected on a betting account.
Nevertheless, due to modern online bookmaking paranoia and their habit of assuming bettors are guilty until proven innocent, its use has become ubiquitous. This is no exaggeration, as I’ve discovered.
About me…
I’ve backed horses for over 40 years. It’s a hobby; betting mainly in ‘tenners’, but I do like a puzzle and I certainly try hard to win. As you all know, it’s very, very difficult to make any money backing horses over a period of say six months if you don’t subscribe to excellent ratings/race cards and/or have access to a ‘nod’ in the right direction now and again, so I usually lose (but not much). On-course bookmakers and my local independent bookmaker have been perfectly happy with this situation, meaning for 38+ years I was never refused a bet.
Two years ago, this forthcoming September, I opened six online accounts: my aim was to take the best price offered on my selections, on a morning, when work allowed. I use Peter May’s NH speed ratings (which are published on Geegeez from September to April, the main season).
September was a good month. By mid-October I only had two accounts left that were unrestricted and still open. I’d won about £700 spread between six companies. For a supposedly fairly bright and informed bloke I had no concept that this would happen. Even worse, I was made to feel like a criminal; the last straw being a demand for a ‘selfie’ stood next to my UK passport to ‘prove’ my identity.
I began to read the betting forums and soon realised that I was not alone. More worrying, I began to gain an insight into the lengths online bookmakers were going to profile their customers. I own an online education company, so I asked a couple of my IT guys to take a closer look at the methods being employed. What they found cannot be explained by any better word than ‘spying’. After re-reading the UK and EU regulations covering online privacy I believed that some of the methods employed were illegal. I simply could not believe that regulators were allowing it to go on.
Anyway, to cut a very long story short, I’ve had many disappointments and I soon realised that the regulatory and arbitration services for gambling (UK Gambling Commission) had no interest whatsoever in customer ‘spying’. In fact, I got the feeling that I was a bit of an irritant, maybe even raising things that would be better ‘left in the dark’, so I decided to approach other relevant national regulators.
It took eight months and a lot of hours gathering and providing evidence, but I’ve now been proven right as the UK Information Commissioner’s Office (ICO) has recently found against a bookmaker and for me in a case of illegal use of ‘iesnare’ (Reputation Manager).
It is a landmark decision and one that bettors should be aware of / take advantage of. Who the bookmaker was is irrelevant, because all bookmakers who choose to use ‘iesnare’ do so in the same way; and, in some cases, what they are doing is even worse.
Crucially all are breaking the Data Protection Act (1998) based on this ruling.
It is not for me to comment on whether merely providing advice to an offender on how to improve is a valid sanction when a major company is breaking the Data Protection Act.
How You Can Help…
Any online bettor (i.e. you) can help by complaining to the ICO about a bookmaker who uses ‘iesnare’: The ICO has said they will take further action if this happens.
So, if you want to rid the UK and the European Union of this unacceptable privacy intrusion their telephone number is 0303 123 1113: Get ringing, after obtaining and copying some correspondence with your chosen bookmaker (see later list of names).
This latter aspect is important; because it is likely the ICO helpline will ask if you have done it before contacting them. The simplest way to get this information is using the bookmaker’s ‘live chat’ feature.
1. State that you are aware that the company you are on ‘live chat’ with uses ‘iesnare’; that you have found it on your e-device and that you would like to know the information the company is holding about you and your equipment.
[It is unpredictable what response you’ll get, but you can be pretty certain the information won’t be forthcoming at this point. In fact, it is more than likely that the customer service advisor will claim to know nothing about what you are referring to].
2. End the ‘live chat’ by saying that unless they provide the information by email within 24 hours you will be contacting the ICO.
[You may get the information within 24 hours, but this is unlikely; either way you can now ring the ICO saying the information has not been provided or that it has and you are appalled that this amount of detail has been stolen without your permission].
You will need to mention the bookmaker with whom you have an issue when you ring the ICO. Unless you know how to block ‘iesnare’ (see this article) you can be 99% certain that if you have accessed the website of any of the following companies as a customer and placed a bet via your PC, laptop or tablet, that device will have been ‘tagged’:
Betdaq, Betfair, Betfred, Boylesports, Coral, RaceBets, SkyBet, William Hill. This list is not at all inclusive, but it gives plenty to go at.
To be clear, ‘iesnare’ is NOT illegal (I believe it should be and probably will be soon).
Rather, this case was won because the bookmaker did not make it clear to the customer that they were using it and what it actually does, i.e. steal the identity of your e-device and store the extensive information about that device in a database that can be accessed by any/all corporate subscribers, e.g. other bookmakers, etc. To my knowledge no bookmaker tells their customers about their use of the product, so as already mentioned all bookmakers are potentially guilty under this ruling.
When you ring the ICO, you simply need to say that you have found ‘iesnare’ on your e-device and you have been made aware it is used to steal the identity of e-devices. Importantly, say that you were not told clearly it would be downloaded on to your e-device and that you are shocked/appalled that the identity of your e-device has been stolen, without your knowledge or consent, and when you have done nothing wrong. Mention that you know about the controversy surrounding this product and ask for your complaint to be put on a list for general consideration by the ICO investigative team.
Please do not take the easy option and do nothing.
Maybe the next two paragraphs will motivate you, because they outline what has been stolen from you, without your knowledge. Nobody, including the ICO, truly knows what happens to this stolen information and what bookmakers (and other even less scrupulous companies) do with it in combination with everything else they collect about individuals. All that is certain is that the information appears to be available to all subscribers to the database.
In my opinion, it is semantics whether this amounts to personal data sharing or not, but presently the ruling is that it is on the right side of the law. However, the process of collecting it is not…
What is collected?
Screen resolution, Device Type e.g. PC, MAC, etc., Operating System e.g. Windows, OS X, Linux, etc., Device Time Zone, JavaScript on/off, Flash on/off, Flash installed?, Flash Version, Flash storage enabled/disabled, Browser Cookies enabled/disabled, Browser Type, Browser Version, Browser character set, Browser Menu Language, Browser Configured Language, IP Address, IP Geolocation: City, IP Geolocation Country Code, IP Geolocation Proxy Flag, IP Geolocation Country Name, IP Geolocation State/Region, IP Geolocation Time Zone, Internet Service Provider (ISP), ISP Organization; Fully-qualified domain name, CPU Count, CPU Speed, Operating System Version, System Model, Component Serial Numbers, MAC Address, Device Name (MD5 Hash), Device Identifier, Device Locale, Device System Version, OS Build Number, Kernel Version, Kernel Build Number, Flash System Capabilities.
The best way to think about this, if you are not an ‘IT geek’ is:
Imagine being at the police station and suspected of a crime. The police would take your fingerprints after asking you; 'iesnare' does this to your tablet, laptop or PC, but you have not committed, nor are you suspected of, any crime at this time. It assumes you may be, so enters your equipment into a database where subscribing companies can enter other information about your machine, e.g. machine suspected of fraud.
The difference between the police station and ‘iesnare’ is that it is impossible to find out what is logged in the database, a list of exactly which companies share the database information, and that the information is stored permanently with no personal rights to have it removed.
Many tracking cookies are used by bookmakers, some of which have a lifespan until 2038 (!). Companies claim they cannot identify customers’ specific internet activity outside of websites within their corporate group, but they can see it through trackers like Google Analytics; however this data is pooled, i.e. not identifiable to an individual.
We have to assume this is true, because if companies did otherwise, it would be illegal.
Nevertheless, it is possible to buy software that takes Google Analytics’ pooled data and following clever programming will identify an individual’s specific internet activity. It is not for us to guess whether this has happened or not, or to know what the ‘iesnare’ database contains exactly: that is the job of the UK’s Information Commissioner’s Office and similar regulators throughout the world.
You don’t have to be a detective to work out that unless a customer is suspected of fraud, what is being done is completely unnecessary; so why are most of the major bookmakers doing it? You can form your own opinions on this, because unless the ICO legally force ‘iovation’ (owners of ‘iesnare’) and bookmakers to reveal exactly what is stored in totality and analysed we are never going to know.
The ‘big finish’ is an insight into the secret world of big data collection. Some companies on the list outlined above are not only stealing the identity of the e-devices of their customers, they are doing it to anyone in the world who simply visits their website home page with no privacy or cookie warnings. A friend and I are in possession of a letter from the legal department of one of the largest bookmakers in the world admitting fault and stating that they would ensure their processes were updated following their ‘mistake’ being pointed out to them. Ten weeks later they have done nothing, meaning they are still stealing information on a massive scale, i.e. from every website visitor who does not know how to block ‘iesnare’. The job required to update their processes would take a good website programmer about 15 minutes.
In the near future there will be a series of short videos available at www.justiceforpunters.org informing bettors how to search for ‘iesnare’ downloads (my IT advisors actually regard it as a virus), how to ‘cure infections’, how to stop re-infection and how to stop other nasty intrusions into your online privacy. All this used to be quite difficult, but not anymore; a bit of patience and perhaps a little help from someone tech-savvy is all that is required.
If you want to read extensive coverage of ‘iesnare’, including people’s experiences and feelings, see: http://www.geegeez.co.uk/iesnare-how-bookmakers-are-spying-on-you-from-your-own-computer/
If you do feel aggrieved by this unthinking and potentially damaging corporate behaviour, PLEASE DO NOT FORGET TO RING THE ICO.
Don’t forget that other online bookmakers are also ‘spying’ on you. If a company does not use ‘iesnare’, it doesn’t mean that they are not using another type of ‘fingerprinting’ software or other intrusive type of ‘cookie’. The word ‘cookie’ and a phrase like ‘3rd party cookie’ covers a whole range of products - most perfectly innocent but some sadly not - so always make sure your e-device is as secure as possible whether on a betting website or anywhere else online for that matter.
Additional ICO contact details can be found here: https://ico.org.uk/global/contact-us/