Original Articles

The Security of Gambling and Gambling with Security: Hacking, Law Enforcement and Public Policy

Pages 43-58 | Published online: 02 Mar 2007

Abstract

This paper studies the relationship between criminal organization and social control in the area of computer crime. We examine a ‘cheat at play’ scheme that hacked into electronic gambling machines. We focus on how these cyber-attacks were committed and on the ability of the state and the industry to control them. We compare and contrast our findings with the research on hacking and the gambling industry and conclude by discussing the implications that our research has for law enforcement, security and consumer protection.

Introduction

Gambling is a recent growth industry in Canada (Azmier et al., 2001; Campbell and Smith, 1998; Marshall and Wynne, 2004; Smith and Azmier, 1997). The gross revenue from gambling in 2004 was over CA$12.74 billion, an increase of CA$700 million from the previous year, and the net revenue (i.e. the amount left over after prizes, expenses and commissions have been paid out) was CA$6.33 billion in profits (Azmier, 2005, p. 2). The net income of provincial governments from total gambling revenues as a percentage of their budgets, less operating and other expenses, has risen from 2.1% in 1993 to 3.8% in 2004 and the expenditures per citizen, based on persons 19 years of age and over, rose from CA$147 in 1993 to CA$598 in 2004 (Marshall and Wynne, 2004; Azmier, 2005). Canadians now gamble at 87,000 gambling machines (slots and Video Lottery Terminals (VLT)), 33,000 ticket centres, 60 permanent casinos, 1,700 gambling tables, 250 race tracks and teletheatres, 25,000 temporary casinos, bingos, raffles and other activities (Azmier, 2005, p. 1). There is an average of one electronic gambling machine (EGM) for every 329 adults, one VLT for every 599 adults and one VLT location for every 2,668 adults in the country (KPMG, 2004). The main drivers of growth have been casino and VLT electronic gambling. By 2003, lotteries accounted for 25% of all net non-charity gambling revenue, casinos for 33%, VLTs for 23% and slot machines not in casinos for 19% (Marshall and Wynne, 2004).

While the proliferation of electronic gambling technologies has created new popular recreational activities, it has also produced social problems such as family break-ups, bankruptcies, work losses, health problems and crime (Eadington, 1996; Goodman, 1995; MacDonald et al., 2004; McMillen, 1996; McMullan and Perrier, 2003). Indeed gambling has been linked to political corruption, to crimes committed by problem gamblers, to the development of an illegal market in electronic gambling machines, to organized crime activities and to criminal activities in and around gambling venues (Smith and Wynne, 1999, pp. 38–43).

In this paper, we examine one organized criminal scheme that defrauded VLT machines. We focus on how the cyber-crimes were committed and on the ability of the industry and law enforcement to control them: opportunities for fraud, product protection, security, law enforcement and sanctioning systems. Our paper is organized as follows. First, we discuss our research approach and sources. Then, we provide descriptions of the types of cyber-attacks on electronic gambling machines and situate our study in a comparative field of research on gambling and crime. Next, we describe the system of law enforcement and demonstrate that the current structures of policing and regulation governing the cyber-crimes were inadequate to the tasks at hand. Finally, we conclude by discussing the implications that this research has for security and public policy.

Perspective and Method

We approach hacking on gambling machines as an activity that is rationally geared to the conduct of the illegal behaviour in question. The main elements explaining organized cyber crime are therefore found within the illegal activity and the legal problems confronted there (Cressey, 1972; McIntosh, 1973, 1975). This explanatory approach asks: what types of technical problems had to be solved for successful cyber-attacks on gambling machines? What criminal divisions of labour developed and how were they able to handle problems of planning, safety and detection? How secure were gambling environments and products, and what public policy implications arise from our findings?

The data we used came to us via a Lottery Corporation whose VLT machines had been compromised by a series of cyber-attacks. This archive, containing 100 pages of printed information and visual exhibits, provided detailed information about the methods hackers used to defeat the machines and evade and neutralize official detection, surveillance and apprehension. Archival information was supplemented by seven in-depth interviews with the key officials who were involved in the legal side of the case. Both security reports and interviews allowed us to piece together the compliance regime, the regulatory security system and public law enforcement measures and their limitations (Orum et al., 1991). In addition, we incorporated information from Internet sources and comparable published research studies. The Internet made it possible to obtain a wealth of data about hacking practices in other locations. We looked at a wide assortment of materials—video clips, interviews, media stories, ‘how to do it’ manuals and technical security reports—all of which detailed the world of hackers, the logistics of distributed denial of service (DDoS) attacks, the practices of cyber-extortion and the security remedies developed to prevent intrusions and attacks. We suggest that malicious illegal activities in real and virtual gambling settings are unreported, everyday events, part of the ‘dark figure’ of computer crime in the age of information (Grabosky et al., 2001).

Hacking and Gambling

Computer crime may be defined broadly as ‘the destruction, theft, or unauthorized or illegal use, modification, or copying of information, programs, services, equipment, or communication networks’ (Rosoff et al., 2002, p. 417). It may be usefully classified as: (a) financial theft; (b) computer hacking; (c) electronic embezzlement; (d) malicious sabotage; and (e) espionage. Much of what we discuss in the paper involves both theft and computer hacking and reveals intelligent operations that combine advanced programming skills with an ability to bypass security safeguards in order to hack machines, deny services to gambling web sites, or hold purveyors of gambling goods to ransom.

Core Technologies

Thefts and frauds on electronic gambling machines are not new. They have often involved the use of custom-made gadgets such as ‘Kickstands’ or ‘Monkey Paws’ to disrupt the inner workings of slot machines. These tools have been developed by reverse engineering the manufacturers' machines and then customizing them to defeat the official software or hardware. For example, ‘Magic Wands’ are miniature light devices with camera batteries, which cheats use to blind the internal optical readers of slot machines inducing them to coin out on command. Organized into mobile teams of two or three members, slot cheats of this sort usually attack multiple machines at multiple sites for small payouts (CA$1,000 per hour) thus minimizing suspicion and avoiding detection (Crenshaw, 2003; Skolnick, 1980, pp. 264–267; The Gambling Magazine, 27 November 2004). Other groups develop sophisticated ‘cracking’ techniques by using microprocessors, micro-controllers, computer hardware and computer programming languages. By developing and deploying a computer program that simulates the random number generator (RNG) algorithm of a gambling machine, by establishing an extensive information base on gambling combinations and by using a computer generated search mechanism, hackers have uncovered and exploited the RNG payout codes of VLT machines. One law official described in an interview the modus operandi of VLT cracking:

Three subjects would travel to a business with VLTs. First person would stay in the vehicle with a lap top computer, radio equipment, etc. Second and third subjects would enter the business. The player would be outfitted with a video camera, communication equipment, an ear piece and a power source. This person would focus the camera on a terminal screen and relay the playing/spinning of the screen to the operator in the vehicle enabling the computer guru to determine where the screen was in the random mode. From here the person with the computer using high speed equipment could tell how far away the terminal was from paying out. When the device was close to paying out the person inside the business would be told to increase the bet from five credits to 50 credits.

This ‘predictive’ technique used in Canada has also been used to ‘fiddle’ video poker machines in casinos in the USA. One team, for example, purchased gambling machines, disassembled their inner components, studied how the random numbers were turned into playing cards on the screens, figured out when and how fast the RNGs iterated, developed a program to take all these variables into consideration and predicted the sequences of the payouts with relative accuracy (Mitnick and Simon, 2005, pp. 4–8). They communicated by fitting wearable computers—made up of small microprocessor boards and control buttons—into their shoes and by using silent vibrators that relayed messages to each other in hidden earpieces. Card sequences on the screens were tapped into a computer in binary codes, matched against a simulated database that contained the algorithm of the machine and played out accordingly. This allowed the hacking team to predict what five additional cards were about to appear after they discarded theirs. As one member put it: ‘we had a 40% advantage on every hand …. That's humongous—the best blackjack players in the world come in at about 2½% …. In half an hour, you can easily make a $1,000’ (cited in Mitnick and Simon, 2005, p. 15). Other teams have been cheating roulette games in Australia and Europe using similar techniques: hidden microcomputers, wearable ear inserts and voice-synthesized communication devices have been developed to decode wheel speed, allow players to predict probable number outcomes and reduce the house odds of winning (The Gambling Magazine, 15 March 2005).

Equally compelling are hacking techniques that involve accessing the back up memory boards of gambling machines to observe random access memories (RAM). By using a machine code monitor, an operation known as boot-tracing, the hackers we studied located the bonus meter in RAM, inserted new instructions that modified a back up RAM board and then manipulated the contents of the bonus meter memory logic so that they could trigger it and cash it out at will. By using the same techniques, they also defeated the payout schedule stored in the erasable programmable read only memory (EPROM) of VLT machines to increase the payouts for winning combinations. This type of technique is also long standing and was deployed by employees working for American Coin Company in the 1980s but for opposite intentions. In what was called Nevada's greatest cheating scandal, programmers inserted ‘rigged’ computer chips into 1,000 of the company's machines to prevent royal flushes on video poker machines and jackpots on Keno machines from paying out to players. Similarly, Universal Distributing, a slot machine manufacturer in Japan programmed ‘near-miss’ scenarios into their machines to encourage players to believe that they were close to winning when they were not, in order to keep them playing. Eventually the machine manufacturer was ordered to re-program 15,000 of their machines (Bourie, 1999, p. 5).

More recently, ‘Easter Eggs’ or programming codes secretly implanted in electronic gambling machines (EGMs) have been discovered in gambling machines in Canada and the USA. They were inserted by programmers, perhaps in the employ of manufacturers or distributors, so that players in the ‘know’ could obtain large payouts. One slot machine manufacturer recently admitted that he sold ‘Easter eggs’ to casinos as a special feature for the amusement of their valued customers and a former Internet casino owner demonstrated that he could empty an EGM in a minute and a half by pushing and manipulating screen features and machine buttons. In his words, there is a ‘huge open door in the programming of slot machines’ that is being exploited ‘by gambling subcultures in Michigan, Iowa and Illinois’. Indeed one of the world's largest manufacturers of gambling products now admits that 300 of their slot machines were compromised by at least US$2 million in a three month period (Blackwell, 2004, 2005; Mandel, 2000).

A third hacking technique makes illegal machines out of legal ones by using computer interfaces and programs to access, clear and modify RAM. Similar to ‘phantom programming’ this is a trap door technique that is installed in the machines to create the appearance that VLTs are operating on-line when in fact they have been manipulated into stand-alone mode. Similar types of deceptions and intrusions also occur on Internet gambling sites. Cryptologic, a Canadian software company that develops on-line casino products, discovered that a hacker cracked into one of its gaming servers, corrupting the play of craps and slots so that players could not lose. Every spin on the virtual games generated a perfect match and in a matter of a few hours 140 gamblers acquired CA$1.9 million in winnings (Reuters News Service, 10 September 2001).

Internet gambling sites in the UK, Australia, Europe, North America and the Caribbean have also faced persistent DDoS attacks forcing their players off line and shutting their wagering activities down. Hackers or crackers use a computer virus to install ‘back door’ programs on networks of personal computers (PCs). These ‘bots’ or ‘zombies’ are awakened from dormancy at a hacker's command but without the PC owner's knowledge. Networks of zombies in the thousands or tens of thousands are subsequently mobilized to take over targeted Internet sites by denying access to bona fide consumers. Companies such as Canbet, Harrods Casino, Inter Bingo, Inter Casino Poker, Totalbet, VIP Casino, William Hill, Paddy Power, Corals and Blue Square, to name a few, have had their websites shut down and their gambling activities suspended for hours, days and weeks at a time. One hacking team, for example, caused over US$70 million in overall damages to British bookmakers alone. These DDoS attacks are increasingly connected to ‘cyber-phishing’, where hackers clone a gambling website and launch an e-mail based ‘phishing expedition’ directing potential gamblers to play on a fake website in order to defraud them, and to cyber-extortion, where hackers demand US$40–50 thousand in protection money from gambling companies to avoid further attacks on their servers or to protect them from other hacking teams (Biever, 2004; Kramerenko, 2004; Criminal Intelligence Service Canada, 2000; Nuttall, 2004; Smith, 2004; Eriksson, 2004; Golubev, 2005; Germain, 2004; Reuters News Service, 17 March 2004). According to the director of one security company, ‘gangs of computer crooks … have collected protection money from 10% to 15% of the companies they have threatened’ (Cullingworth, 2004, p. 3).

Terrestrial gambling machines and malicious software for Internet attacks are not difficult to acquire. A recent R.C.M.P. investigation into illegal gambling devices in Atlantic Canada, for example, found that ‘government machines’ were easily purchased by an undercover officer via the Internet for CA$1,500 a piece. In a matter of several months he bought 24 machines through intermediaries who were traced back to a prominent distributing company (R. v. Patrick Hinchey, 2005). Hackers buy machines from manufacturers or distributors, inspect them for design faults and develop ways to defeat them. They discuss techniques and trade software information in closed chat rooms making them ever more skilled and powerful. One casino hacker in the USA recalls, ‘I found it surprising that we could buy the exact same production units that they use on the casino floor … the two of us put this damn thing in a car. We drove it home as if we had a baby in the back seat’ (cited in Mitnick and Simon, 2005, p. 4).

Many worldwide cyber-attacks are organized as ‘projects’ in themselves. Typically, each attack involves separate, advanced planning where the techniques are calibrated to reduce the risk of detection surrounding the event. Many of the strengths and weaknesses of the machines and sites are probed before the hackers engage in their deficit manipulations and many of the glitches in their own simulation software are re-calibrated in order to reduce the ‘attack times’ on the machines and finesse DDoS attacks on websites. One law officer familiar with VLT hacking in Canada noted:

The hackers may play 3 or 4 games to get a sample to video back to the mastermind sitting in the van. In the van his computer had more gigs to get more (capacity to identify the pattern) … this is how quick it was for the scam to be conducted … a matter of minutes. Once they picked the VL machine they would stay there. If it took too much time to get where the payouts would occur, they would change machines.

Social Organization

The core technologies used to defraud the machines we studied were embedded in a wider social organization consisting of a dozen members who structured the financing costs, monitored the flow of information and conducted the hacks. The organization included a technical expert who planned the cyber-attacks on VLT machines, accomplices who ‘cased’ terminals, relayed information back and forth from the gambling floor to the intelligence sites (usually located in strategically placed vans or in local hotel rooms), executed the frauds and collected the winnings and lookouts who spotted for trouble. Not all members were used in each and every cyber-attack and the team moved different players in and out to avoid suspicion. Kinship relationships assured secrecy and group integration that protected the core technologies in the task environment from most regulatory and policing scrutiny (Albini, 1971; Reuter, 1985; Smith, 1980). The geographical scope of the group we studied was local and limited, confined to communities in the central corridor of the province and to the urban metropolitan area. The estimated ‘take’ per machine was about CA$1,000 and the grand total for four years of operation was estimated at CA$0.5 million!

This division of labour is similar to the organization of slot machine cheats who operated in Las Vegas and Atlantic City. They also worked in networks of seven or eight persons and combined technical experts with ‘shades’ who spotted and developed ‘cheating routes’ that were both profitable and safe from industry and legal scrutiny (Crenshaw, 2003). Hacking of casino machines in other areas of the USA was also structured around networks of family members and work associates usually in the programming and engineering fields. These hackers divided into three-handed teams: one scouted a casino and a video poker machine, another filmed screen images on a miniature video camera and communicated these images by phone to a third party who consulted a database, calculated the timing of winning hands and relayed the data back to the players in the casino so that they could ‘predict’ a royal flush payout. Their modus operandi prioritized small hits on multiple machines at multiple locations. As one member put it ‘a lot of the logistics were about, how do we stay under the radar?’ and ‘how do we fit in’ by developing the ‘personae of happy gamblers’ while we ‘work and find the edge?’ (cited in Mitnick and Simon, 2005, p. 11).

Like other hacking enterprises, the one we studied in Canada required moderate expenditures. Items such as laptops, computer hardware and software, video equipment and communication devices were their major expenses. Betting capital, travel and accommodation were regular but minor costs. Hackers had collusive arrangements with legitimate business people who operated or distributed legal gambling machines. They had state-of-the-art gambling machines, disc identifiers and programs capable of reading and compromising source codes and EPROMs that could only have been obtained from legitimate manufacturers, distributors or operators in the industry (Mitnick and Simon, 2005). Their organization, however, did not tap economies of scale. Unlike the cyber-extortion networks that operated globally, the hackers we researched never developed stable alliances for accumulating profit such as in the provision of illegal drugs, protection or weapons, obtained external funding for their ventures, or advertised their services widely (Reuter and Rubenstein, 1982). One law officer put it as follows: ‘I don't think they realized what damage they could perpetrate, or if they did, they still only committed the frauds when they wanted extra cash or to travel.’

The Legal Control of VLT Hacking

The success of hacking, cheating and malicious software and hardware intrusions depends not only on technical competence and organizational acumen, but on the ability of the state and the industry to control it. Generally speaking there are two types of enforcement strategies used by government and industry to control organizational crimes of this type: deterrence and compliance (Reiss, 1984, pp. 25–37). Deterrence systems imply that acts like computer hacking are wilful and rational and can be best controlled by the threat of criminal sanctions. Law enforcement responsibilities in Canada, however, are divided between the R.C.M.P., provincial or inter-provincial gaming agencies, regional or municipal police and private security (i.e. casino staff or VLT operators and staff). The R.C.M.P. respond to criminal code gambling offences and gather, share and communicate criminal intelligence between law enforcement agencies. Municipal and regional police use vice and morality squads to conduct gambling investigations. Provincial and inter-provincial gambling commissions regulate licensed gambling activities by auditing violations in order to ensure the integrity of the games. Staff at gambling sites secure the financial aspects of play and participate in security operations as well (Smith and Wynne, 1999).

Enforcement roles, however, overlap and coordination is limited. R.C.M.P. and regional policing agencies lack staff trained in enforcing gambling-related laws. When special units are formed, they are typically under-funded. Policing strategies such as preventative, directed and managed patrols cannot easily enter or survey the sites where VLT hacking occurs. Gaming commissions are specialized, better trained and more focused in monitoring the illegal gambling marketplace, but they are even less resourced than the public police (Smith et al., 2003, pp. 89–91). Thus front line enforcement in the VLT gambling market often falls to untrained private staff or security personnel working in countless lounges, bars, taverns and service clubs. As one law officer noted:

The protection of our equipment that would be VLTs, 649 machines, tickets or any of our assets is totally different in scope than for a casino that is under one roof …. Big difference, some people equate us with a mini casino in a couple of thousand places …. So trying to protect assets under those circumstances is rather difficult …. The best way to protect our assets is to make them (site holders) feel responsibility for them. When we put in a VL terminal the site has the responsibility for the overall security for that asset.

Hundreds of site operators, managers and employees, therefore, must monitor under-age gambling, cheating at play, theft and customer safety. In some VLT sites, electronic surveillance cameras are available, but in many others security simply involves watching and listening for ‘suspicious’ conduct. As one law officer observed:

Here is a big difference between a casino and a VLT operation, if you take a VLT operation at a bar or a corner store, those machines are there for 24 hours a day and it is rare compared to a casino that somebody in authority is around looking at the machine or monitoring the machine …. Therefore, wherever the machine is located those people have the opportunity to gain access to it … and can try to tamper with the machine.

Taken together, the overall enforcement structure is de-centred, reactive and distant. Law enforcement agencies do not usually initiate investigations on their own. They do not possess sufficient computer crime management assistance or effective forensic fraud tools (Stanbaugh et al., 2001; Smith and Wynne, 1999, p. 75; Surin, 2005).

The deployment of resources is a second problem in the legal control of VLT hacking. All levels of enforcement have modest resources to discover illegal gambling practices, provide investigative expertise, collect evidence, determine charges, advise prosecutors and serve as witnesses in a court case. Specialized gambling investigators in traditional policing agencies are therefore few in number and criminal intelligence about gambling-related hacking and fraud is at best provisional. The numbers of new provincial and inter-provincial gaming regulators and investigators, however, have grown with the spread of legalized gambling, but not substantially or without causing conflicts. The actual number of gambling investigators, for example, remains small: in Western Canada the average number of investigators per province is eleven, whereas in Atlantic Canada it is six. In Nova Scotia, the ratio of investigators to VLT machines is approximately 1 per 539 and to VLT locations it is approximately 1 per 100. Furthermore, provincial gaming commissions have usurped some traditional law enforcement responsibilities and appropriated a lead role in the enforcement of gambling legislation. However, mandates and regulatory agendas have become blurred and confused with inter-agency immobility resulting. Despite the expansion of gambling products in the marketplace, there has been a downgrading of social control and a lessening of criminal justice interest in policing gambling-related crimes (Smith et al., 2003, pp. 89–90).

Inter-provincial and provincial gaming corporations and commissions, until recently, also monitored VLT machines through on line, dial-up systems and this constitutes a third problem for legal enforcement. In Atlantic Canada, the lottery commission approves the site holders and locations for VLT assets, the manufacturers and distributors that sell and promote these machines and the operating standards and specifications for the governance of the games. The dial-up system is designed to enrol VLT machines and record normal and abnormal practices. However, this system has not functioned in real time.

We are only aware of what transpires on VLTs or with VLTs 24 hours after it (a violation) has occurred because we poll them once every 24 hours. Everything that has transpired on the machine is stored in memory and that memory downloads to our central system …. Therefore if something occurs … we can go back and look at those records. So it (the system) is always in an audit mode more than a totally preventive mode. In other words, if someone opens the logic area of the machine we don't know they did it instantly at that time, we have to find out afterwards …. If there is nothing obvious when our technicians look at it (the record) then we (the lottery commission) may not know until something strange occurs, like payouts are greater than what they should be, that type of thing.
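The audit-mode review the officer describes can be sketched as follows; this is an added example, not the lottery commission's software. The record layout, terminal ids, event names and the 0.95 payout-ratio ceiling are hypothetical, and only the 24-hour poll, the logic-area door and the $1,000 pay-out limit come from the paper.

```python
"""Audit-mode review of one 24-hour VLT download (added example)."""
from collections import defaultdict
from datetime import datetime

MAX_PAYOUT = 1000.00    # single cash pay-out limit cited in the paper
RATIO_CEILING = 0.95    # hypothetical: paid/wagered above this is "strange"
FMT = "%Y-%m-%d %H:%M"

# Constructed sample download: (terminal, time, event, amount in CA$).
DOWNLOAD = [
    ("VLT-A", "2005-03-01 09:15", "WAGER", 400.00),
    ("VLT-A", "2005-03-01 09:50", "CASH_OUT", 310.00),
    ("VLT-B", "2005-03-01 02:30", "LOGIC_DOOR_OPEN", 0.00),
    ("VLT-B", "2005-03-01 02:45", "WAGER", 150.00),
    ("VLT-B", "2005-03-01 03:00", "CASH_OUT", 1900.00),
    ("VLT-C", "2005-03-01 20:00", "WAGER", 600.00),
    ("VLT-C", "2005-03-01 20:30", "CASH_OUT", 950.00),
    ("VLT-C", "2005-03-01 21:00", "CASH_OUT", 900.00),
]
POLLED_AT = "2005-03-02 02:00"   # the once-a-day dial-up poll


def review(download, polled_at):
    """Return findings as (terminal, rule, hours from event to poll)."""
    poll = datetime.strptime(polled_at, FMT)
    findings = []
    wagered = defaultdict(float)
    paid = defaultdict(float)
    first_cash_out = {}

    def lag(when):
        # How long the event sat in terminal memory before anyone could see it.
        return round((poll - when).total_seconds() / 3600, 2)

    for terminal, stamp, event, amount in sorted(download, key=lambda r: r[1]):
        when = datetime.strptime(stamp, FMT)
        if event == "LOGIC_DOOR_OPEN":
            findings.append((terminal, "logic door opened", lag(when)))
        elif event == "WAGER":
            wagered[terminal] += amount
        elif event == "CASH_OUT":
            paid[terminal] += amount
            first_cash_out.setdefault(terminal, when)
            if amount > MAX_PAYOUT:
                findings.append((terminal, "pay-out over limit", lag(when)))

    # Aggregate rule: pay-outs "greater than what they should be".
    for terminal, total in sorted(paid.items()):
        bets = wagered.get(terminal, 0.0)
        if bets == 0 or total / bets > RATIO_CEILING:
            findings.append((terminal, "pay-outs exceed expected ratio",
                             lag(first_cash_out[terminal])))
    return findings


if __name__ == "__main__":
    for terminal, rule, hours in review(DOWNLOAD, POLLED_AT):
        print(f"{terminal}: {rule} (seen {hours} h after the event)")
```

The lag column is the point: every finding is hours old by the time it exists, and VLT-C, which stays under the per-pay-out limit, is caught only by the aggregate rule.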

One recent scam involved an organized group of five or six cheats. They played VLTs for a short time, left with winning tickets of CA$5 to CA$10, scanned and reproduced the tickets changing the winning amounts to CA$300 to CA$400 and returned to the gambling sites to collect the higher winnings without any security system detecting them (Arsenault, 2005, p. B2). Similarly in thefts of lottery products, security can just as easily be compromised:

There have been situations where money is missing into the thousands of dollars … but we do not become overly involved in catching the thief … what you find is they usually have someone in charge and that individual gets the sweep sheets from us, they make sure LC money is there, they deliberately do not keep the audit tapes, they deliberately destroy the sweep sheets, and of course they are taking the money out ….

Compliance systems, however, create conformity by using management tools such as machine standards, operating policies, technical product specifications and inspections to thwart unwanted problems before they occur (Bayley and Shearing, 1998; Reiss, 1984). Methods of this kind, however, are rather laggard in preventing many cyber-attacks. For example, we discovered that several standards were compromised and the following violations on gambling machines were not detected by the regulator's security system:

  1. Play button manipulations allowed games to continue after the regulator had requested the machines be disabled, suggesting that the host did not have complete control over them;

  2. Rules or bet buttons, when held down, interrupted the reporting of machine door entries to the regulator. VLTs could remain off-line and undetected by the authorities. Indeed audible alarms protecting logic area doors sometimes malfunctioned and the terminals did not always reset to the operational conditions prior to the doors being opened, thus facilitating fraud;

  3. The machines did not automatically compel cash pay-outs at the $1,000 maximum limit. They permitted pay-outs far greater than those specified under existing legislation thus encouraging those in the know to defraud machines and even double their winnings;

  4. The products did not respond appropriately to the signature checking processes when they were activated and enrolled. Machines ignored continuations of the Random Operating Memory (ROM) checks and functioned independently, thus subverting their own software and security measures;

  5. The machines did not always operate correctly after one EPROM was replaced with another. Signature checks were not adequately performed by the software and the software failed to detect important storage and protocol information, thus permitting hacking to occur without the regulator's knowledge;

  6. The machines did not recognize critical memory when it was corrupted after each game and did not always perform the appropriate memory validity checks, thus undercutting security and enabling fraud on the machines;

  7. Hard meter connections were not enclosed in proper sealed environments to prevent tampering and frauds could occur without security knowledge or prevention; and finally

  8. Computer chips failed randomness testing in two ways: they did not meet the 99% confidence level with regard to producing recurring patterns of symbol occurrences and they did not meet the 99% confidence level with regard to the independence of number positions from one game to the next. This allowed the hackers to know and defeat the RNGs and win jackpots and win often.
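One way a test lab could run the two checks named in item 8 at the 99% level, as an added example that is not taken from the paper or from any regulator's test suite. It assumes outcomes are logged as symbol indices, one per game, reads the two criteria as a chi-square frequency test and a chi-square test of independence between consecutive games, and approximates the critical value with the Wilson-Hilferty formula; the three samples are constructed.

```python
"""Symbol-frequency and game-to-game independence checks (added example)."""
from collections import Counter
from math import sqrt

Z_99 = 2.3263478740408408  # standard normal quantile for the 99% level


def chi2_critical_99(df):
    """Wilson-Hilferty approximation to the 99th percentile of chi-square."""
    t = 2.0 / (9.0 * df)
    return df * (1.0 - t + Z_99 * sqrt(t)) ** 3


def frequency_test(outcomes, k):
    """Do the k symbols occur equally often? Returns (statistic, passed)."""
    expected = len(outcomes) / k
    counts = Counter(outcomes)
    stat = sum((counts.get(s, 0) - expected) ** 2 / expected for s in range(k))
    return stat, stat <= chi2_critical_99(k - 1)


def independence_test(outcomes, k):
    """Is game i+1 independent of game i? Returns (statistic, passed).

    Builds the k x k table of consecutive pairs and compares each cell with
    row_total * column_total / n. Assumes every symbol occurs at least once.
    """
    pairs = Counter(zip(outcomes, outcomes[1:]))
    n = len(outcomes) - 1
    row = Counter(outcomes[:-1])   # symbol seen in the earlier game
    col = Counter(outcomes[1:])    # symbol seen in the later game
    stat = 0.0
    for a in range(k):
        for b in range(k):
            expected = row.get(a, 0) * col.get(b, 0) / n
            if expected > 0:
                stat += (pairs.get((a, b), 0) - expected) ** 2 / expected
    return stat, stat <= chi2_critical_99((k - 1) ** 2)


def assess(outcomes, k):
    """Run both checks and summarise the verdicts."""
    f_stat, f_ok = frequency_test(outcomes, k)
    i_stat, i_ok = independence_test(outcomes, k)
    return {"frequency_ok": f_ok, "frequency_stat": round(f_stat, 2),
            "independence_ok": i_ok, "independence_stat": round(i_stat, 2)}


K = 4  # four reel symbols in the constructed samples

# Constructed: every symbol and every ordered pair is equally frequent.
# It is a fixed repeating pattern, chosen so the pass is reproducible.
BALANCED = [s for a in range(K) for b in range(K) for s in (a, b)] * 25
# Constructed: symbol 0 turns up in 320 of 800 games.
BIASED = [0, 0, 1, 2, 3] * 160
# Constructed: each game is simply the previous symbol plus one.
STEPPING = [i % K for i in range(800)]

if __name__ == "__main__":
    for name, sample in (("balanced", BALANCED), ("biased", BIASED),
                         ("stepping", STEPPING)):
        print(name, assess(sample, K))
```

`STEPPING` has perfect symbol frequencies and is caught only by the independence check, which is why the two criteria are tested separately. `BALANCED` passes both while being a fixed pattern, so passing these two checks is necessary for an unpredictable generator but does not establish it.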

To paraphrase McIntosh (1975, pp. 42–50), the hallmark of project crime is its ability to assemble teams of competent criminals for attacks on valuable and well-protected property to such an extent that they establish stable, though short-lived, criminal organizations and avoid and evade the detection and deterrent exigencies of legal control.

The hackers were eventually discovered by bar employees who by chance detected people using miniature video cameras and wireless communication devices and who observed patterns of unusual payouts. ‘I am not sure we would have caught them … if they had been doing it at a level of $500,’ stated one law officer, ‘but they were doing $1000 and $1900 at a time … so retailers became suspicious of cashing out so much.’ These suspicions led to nine months of undercover surveillance and the arrest of two hackers. One law officer explains:

I and my partner were separated by the bridge, but we got there rather quickly …. We watched one of the subjects put on certain equipment (jacket, battery, ear piece, etc.) in a parking lot. We also observed another subject inside the back of a van parked in the parking lot …. As the subject approached the business, surveillance was placed inside and we observed the subject playing a terminal and appearing to talk into his clothing. A short time later I observed a large number of credits started to appear on the gaming device screen.

Law enforcement agents secured the telephone line that connected the machine to the registration system, froze its records and seized equipment from the hackers on site and at their homes. One law officer recalls: ‘they told us not to touch their computer because we would have been locked out and lost the information …. Had they clammed up, I don't think we could have charged them since all the evidence would have been gone.’ The hackers were convicted under section 342.1(1)(b) of the Criminal Code for unauthorized use of a computer, computer programs, computer data and mechanical devices to defraud a video lottery terminal. They each received a conditional discharge and one year probation. As one law official noted, ‘we got what we wanted, the know-how out there and … the offenders went through the courts … it was a fairly innocuous charge and needless to say we did not want a lot of publicity here.’ This outcome confirms that illegal gambling infractions are negotiable and treated lightly by the justice system. Unlike drug trafficking where penalties are substantial, illegal gambling charges typically involve trading information and knowledge in exchange for leniency. This results in paltry fines and seizures of gambling machines. Jail time is a rarity (Smith and Wynne, 1999, pp. 76–77).

Security, Public Policy and Consumer Protection

This and other studies raise important questions concerning the state's ability to regulate and police one of the most lucrative consumer products in the gambling market place. Here and elsewhere low profile law enforcement measures have combined with lax compliance systems to favour solutions that prioritized manufacturers' and distributors' interests over consumers' welfare. Arrangements of convenience seem to have shielded insider and outsider attacks on VLT sites and casinos from public knowledge and accountability. While the Lottery Commission took remedial actions regarding their hardware and software deficits, no information about the ‘hacking’ scheme we studied was provided to players, no public advisories were issued and no immediate machine recalls were ordered despite the fact that these hacking manipulations were known to be moderate to high risk in nature and could be conducted by less skilled hackers than the ones arrested. Revenues would seem to have trumped harm and secrecy would seem to have trumped transparency! This in our opinion is short-sighted public policy: customers should know what is transpiring when they make consumer purchases on gambling machines and there should be a visible and energetic reporting system to establish crime patterns, devise corrective actions and provide better security for consumers. Like harm minimization and responsible gambling strategies, security awareness measures should be conveyed by regulators to players as well as to industry and government (Gray, 2005, p. 1; McMullan, 2005).

The recurrent hacking of gambling machines and DDoS attacks on gambling websites affect pay-outs and the odds of winning and ultimately problematize the credibility of the machine games as a whole because legitimate players no longer have the same chance of winning jackpots. In a growing number of jurisdictions, regulators' RNGs are taking them for a ride and they only discover this after they have been subjected to prediction and the harm has been done. This raises the question: How do you guarantee fairness and see to it that the games stay fair after the initial testing is completed? The answer is frequent and comprehensive testing! Outcome-based testing, which looks at the statistical output of RNG results, should be combined with objective-based testing, which includes methodical internal inspections of the RNG design and implementation. The two together best guarantee the functionality and environmental protection of the machines, especially if baseline measures and regular, random field tests looking for illegal terminals, machine modifications and software corruptions are added and regularly conducted (Bourie, 1999; Technical System Testing, 2005).
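Outcome-based testing, and the two 99% criteria named in finding 8 (symbol occurrence patterns and independence from one game to the next), can be sketched as follows. This is an added example, not code from the paper or from any regulator: the eight-symbol alphabet, the sample size and both sample generators are constructed for illustration, and the critical values use the Wilson-Hilferty approximation.

```python
"""Outcome-based RNG check: frequency and serial tests at the 99% level."""
import math
import random
from collections import Counter
from typing import Dict, List, NamedTuple

Z_99 = 2.3263478740  # standard normal quantile for probability 0.99
K = 8                # symbols per game outcome (assumed for this example)


class Verdict(NamedTuple):
    statistic: float
    critical: float
    passed: bool


def chi2_critical_99(df: int) -> float:
    """99th percentile of chi-square(df), Wilson-Hilferty approximation."""
    t = 2.0 / (9.0 * df)
    return df * (1.0 - t + Z_99 * math.sqrt(t)) ** 3


def _chi2_uniform(observed: Counter, cells: int, total: int) -> Verdict:
    """Pearson chi-square against a uniform expectation over `cells` cells."""
    expected = total / cells
    stat = sum((observed[c] - expected) ** 2 / expected for c in range(cells))
    crit = chi2_critical_99(cells - 1)
    return Verdict(stat, crit, stat <= crit)


def frequency_test(symbols: List[int], k: int = K) -> Verdict:
    """Does each symbol occur about equally often?"""
    return _chi2_uniform(Counter(symbols), k, len(symbols))


def serial_test(symbols: List[int], k: int = K) -> Verdict:
    """Is one game's symbol independent of the previous game's?

    Non-overlapping pairs are used so the k*k cell counts are independent.
    """
    pairs = [symbols[i] * k + symbols[i + 1]
             for i in range(0, len(symbols) - 1, 2)]
    return _chi2_uniform(Counter(pairs), k * k, len(pairs))


def weak_lcg_symbols(n: int, seed: int = 1) -> List[int]:
    """Constructed flawed source: low 3 bits of a 16-bit power-of-two LCG.

    Those low bits cycle with period 8, so each symbol is fully determined
    by the one before it even though every symbol is equally frequent.
    """
    x, out = seed, []
    for _ in range(n):
        x = (25173 * x + 13849) & 0xFFFF
        out.append(x & (K - 1))
    return out


def reference_symbols(n: int, seed: int = 2007) -> List[int]:
    """Constructed baseline: Mersenne Twister, a statistical stand-in only."""
    rng = random.Random(seed)
    return [rng.randrange(K) for _ in range(n)]


def audit(symbols: List[int]) -> Dict[str, Verdict]:
    """Run both outcome-based tests over one sample of game results."""
    return {"frequency": frequency_test(symbols),
            "serial": serial_test(symbols)}


if __name__ == "__main__":
    for name, source in (("reference", reference_symbols),
                         ("weak LCG", weak_lcg_symbols)):
        for test, v in audit(source(8000)).items():
            print(f"{name:9s} {test:9s} chi2={v.statistic:10.1f} "
                  f"crit={v.critical:6.1f} {'pass' if v.passed else 'FAIL'}")
```

The weak source passes the frequency test with a perfect score and fails only the serial test, which is why a symbol-count check alone cannot certify a generator.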

Security, moreover, has to occur at the speed of thought. Website attacks are now instantaneously automated to find any target to exploit. In the world of information intrusion and cyber-crime, hackers and extortionists know when to attack and launch their software with less need for perfection than website owners and regulators require to detect attacks and manage their defences (Kessler, 2000). As the director of an Internet security firm put it, ‘there is no such thing as secure software and there will always be vulnerabilities for hackers to exploit’ (Gray, 2005, p. 1). Indeed much of the innovative exploration regarding malicious code, ‘rigged’ computer chips, cracking and DDoS attacks is still conducted by ‘skilled people in the hacking underground’, not by institutions who should be providing security for these vulnerabilities (Gray, 2005, p. 1). A strategy for consumer protection should proactively investigate electronic gambling machines from the perspective that the entertainment may be unsafe and that the machines may be performing unfairly after they have been placed in the market place.

Real-time monitoring systems also afford the best available protection for consumers who gamble. These systems have augmented security features and provide flexible, real time tracking that permits system wide signature checks for software and hardware validations (i.e. door cage, logic cage access, EPROMs and critical memory). They afford better protection to consumers so that they are not unduly put at risk or cheated. As one technical expert observes, it is better for governments ‘to suffer a software upgrade than to suffer the criticism of the press, the ire of the anti-gaming forces and the embarrassment of a trial’ or indeed the loss of insurance coverage (Technical System Testing, 2001, p. 3). Thus when product defects and failures are discovered they should not be kept secret or destroyed, but rather removed from the gambling floor, corrected and if necessary, retained as evidence for further inquiry and consumer notification.
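A system-wide signature check of the kind described here, written so that the failures in findings 4 and 5 (terminals that ignore the check, or run a replaced EPROM unnoticed) take the terminal out of service rather than letting it keep operating. This is an added example, not the Lottery Commission's or any vendor's protocol: HMAC-SHA256 keyed by a per-check seed stands in for the unspecified signature algorithm, and the terminal IDs and memory images are constructed.

```python
"""Host-side seeded signature sweep that fails closed."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional

# A terminal is modelled as a function: seed -> signature, or None if silent.
Responder = Callable[[bytes], Optional[bytes]]


def seeded_signature(image: bytes, seed: bytes) -> bytes:
    """Signature over the whole memory image, keyed by a per-check seed."""
    return hmac.new(seed, image, hashlib.sha256).digest()


def check_terminal(reference: bytes, respond: Optional[Responder]) -> str:
    """Challenge one terminal with a fresh seed and classify the outcome."""
    if respond is None:
        return "NO_RESPONSE"            # enrolled but off-line
    seed = secrets.token_bytes(16)      # fresh each time: old answers are useless
    reply = respond(seed)
    if reply is None:
        return "NO_RESPONSE"            # terminal ignored the check
    expected = seeded_signature(reference, seed)
    return "OK" if hmac.compare_digest(reply, expected) else "MISMATCH"


def sweep(enrolled: Dict[str, bytes],
          terminals: Dict[str, Responder]) -> Dict[str, dict]:
    """Check every enrolled terminal; only a verified terminal stays enabled."""
    report = {}
    for tid, reference in enrolled.items():
        status = check_terminal(reference, terminals.get(tid))
        report[tid] = {"status": status, "enabled": status == "OK"}
    return report


# --- constructed sample data (not real firmware or terminal IDs) ---
APPROVED = b"approved-game-image-v1" * 64
SWAPPED = b"unapproved-game-image" * 64
_RECORDED = seeded_signature(APPROVED, b"seed-from-an-old-check")

ENROLLED = {tid: APPROVED for tid in
            ("VLT-001", "VLT-002", "VLT-003", "VLT-004", "VLT-005")}
TERMINALS: Dict[str, Responder] = {
    "VLT-001": lambda seed: seeded_signature(APPROVED, seed),  # intact
    "VLT-002": lambda seed: seeded_signature(SWAPPED, seed),   # EPROM replaced
    "VLT-003": lambda seed: None,                              # ignores the check
    "VLT-004": lambda seed: _RECORDED,                         # repeats an old answer
    # VLT-005 is enrolled but never answers the poll.
}

if __name__ == "__main__":
    for tid, row in sweep(ENROLLED, TERMINALS).items():
        state = "enabled" if row["enabled"] else "DISABLED"
        print(f"{tid}  {row['status']:11s}  {state}")
```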

Provincial governments in Canada have a monopoly on gambling as a result of Criminal Code amendments made in 1969, 1985 and 1998 which effectively allow them to conduct lotteries, manage and conduct lottery schemes including games conducted via computers, video devices, slot machines or telephones and conduct dice games. As both operators and regulators, they are mandated to maximize their revenues while trying to protect the public good. This creates a security conundrum in appearance and in reality: if new consumer measures are put forward they are admitting that the games may not be properly protected, the costs of fair play may increase and profits may decline; or if financial revenues take precedence then consumers may not be adequately protected and the public good may be harmed. If governments remain committed to owning and operating and regulating gambling products, then they need to rethink their multiple roles. Self-regulation of gambling in Canada has led to an absence of transparency, accountability and uniformity and a failure to consider the long-term impacts on public consumers. As Campbell et al. (2005, p. 54) observe:

Questions regarding conflicts of interest arise in regard to provincial involvement in electronic machines …. Police departments do not generally have the technical expertise to investigate complaints about the integrity of EGMs, police are invariably dependent on technical advice from provincial gaming regulators—the very authorities that approve the machines, or from gaming manufacturers. This raises questions about the adequacy and independence of checks and balances in the overall regulatory process.

Indeed, recent gambling related scandals and frauds in Alberta, British Columbia, Manitoba and Saskatchewan were exposed by provincial auditors, not provincial gambling corporations or commissions. To remove state conflicts of interest, independent gambling commissions (IGCs) should be created by governments to regulate the security of the products that they license, manage, market, operate and regulate. Some of the functions currently conducted by existing government commissions and corporations should be transferred to IGCs composed of autonomous, non-partisan experts from the prevention, law and security, therapy, social services and research fields with oversight powers similar to auditor generals (Campbell et al., 2005, p. 75).

The IGC's main function with regard to security could be to supervise and implement arm's-length security capable of objectively verifying:

  1. The design, integrity and functionality of electronic games (i.e. Do they play correctly? Are they designed to encourage safe and non-addictive behaviour? Are source codes reviewed for anomalies, ‘Easter eggs’, malicious codes, etc.?);

  2. The location of electronic games (i.e. are they played in dedicated and secured sites that encourage responsible play and discourage unsafe and addictive behaviour?);

  3. The signage and rules of the games (i.e. are these properly and accurately displayed?);

  4. The recovery procedures of the games (i.e. does play start properly when shutdowns or lockdowns occur?);

  5. The actuarial processes (i.e. are all bets, wins and losses properly accounted?);

  6. The adjudication processes (i.e. are there proper procedures and evidence to solve disputes?);

  7. The protection of privacy (i.e. are personal data adequately safeguarded from government and industry eyes?);

  8. The protection of consumers from harm (i.e. Are there proper procedures for wagering controls, deactivation of player accounts and self exclusion? Are they designed to encourage safe and non-addictive behaviour?); and

  9. The promotional and advertising processes (i.e. are there proper measures in place to guarantee that promotional and advertising considerations are honest and fair and are not contributing to unsafe and dangerous consumer practices?).

This organizational restructuring encourages independent checks and balances and insists that gambling authorities and investigators act as trustees for the entire citizenry, not just governments or the industry.

Finally, the problem of security raises a fundamental question concerning the role of the criminal code in regard to gambling in Canada. Because gambling is no longer a central concern of criminal prohibition and the law has been used to consolidate and legitimate provincial governments' expansionist monopolies, there are few justifications now and in the future for controlling permitted gambling via criminal censures (Campbell et al., 2005, pp. 81–85). Perhaps it is time for federal and provincial governments to review their ad hoc and haphazard legislative enactments and pass ‘responsible gambling’ Acts. Such legislation might recognize that gambling is risk-taking behaviour and should be prohibited unless precautionary principles such as reverse onus and harm reduction are established. Consumer safety could come first and responsible gambling could be defined in such a manner that consumers can participate in its various forms in a safe, honest, informed and secure environment. Harm might be defined broadly to include any kind of harm relating to players' gambling behaviours, their personal, social or economic situations, their families and their wider communities (Secker, 2005). While ‘responsible gambling’ Acts would have roles for other government ministries such as Health and Welfare or Social Services in developing harm reduction and treatment strategies, IGCs should be given separate statutory powers covering the licensing of gambling machine operators and locations, the equipment standards, the casino operating standards, the rules governing games and the investigation and auditing of the security of gambling products and operations. In this statutory schema, governments ‘must not license’ unless consumer protection, harm minimization and fairness standards have been established and satisfied.

The security of gambling in the future requires that there be less gambling with security. The complete purchasing process should not only protect consumers from what Dickerson (2003a, 2003b) calls continuous forms of gambling which harm them, but also from what we call design and operational lapses and failures which deceive and victimize them. It follows then that at civil law, purveyors of gambling opportunities should be fixed with utmost good faith duties that apply in an area like insurance law, which also legislates similar features of risk and vulnerability and trust and representation. This entails placing a higher obligation on gambling agencies than that which applies to usual commercial transactions that are controlled by Fair Trading Acts and Consumer Protection Acts. Given the level of vulnerability associated with buying a risk in legal gambling, legislation should evince a stringent threshold that prioritizes the common law principle that ‘in high risk situations, the burden is on the person knowing the risk to inform the other of its extent’. The gambling industry and its regulators should be bound by strict liability in regard to misrepresentation and, at bottom, they should provide ‘accurate information as to the risk customers undertake and not to conceal what they privately know’ (Minchin, 2004, pp. 13–14).

Acknowledgements

An earlier version of this paper was published in French in Criminologie (see first page for details). The editor has given approval to publish this revised version in English.

Notes

*This article was first published in French in Criminologie, Volume 39, Number 2, 2006. It was originally entitled ‘La Security du Jeu et le Jeu de la Securité: Piratage, Loi et Politique Publique’, and is reproduced here with kind permission of the Journal.

References

  • Albini, J. 1971. The American Mafia: Genesis of a Legend, New York: Appleton–Century Crofts.
  • Arsenault, D. 2005. Scam involves crooks altering winning tickets. Halifax Chronicle Herald, 27 April.
  • Azmier, J. 2001. Gambling in Canada 2001: An Overview, Calgary: Canada West Foundation.
  • Azmier, J. 2005. Gambling in Canada 2005 Statistics and Content, Calgary: Canada West Foundation.
  • Azmier, J., Kelley, R. and Todosichuk, P. 2001. “Triumph, tragedy or tradeoff? Considering the impact of gambling”. Calgary: Canada West Foundation. Gambling in Canada Research Report No. 14.
  • Bayley, D. and Shearing, C. 1998. “The future of policing”. In The Criminal Justice System: Politics and Policies, 7th edn, Edited by: Cole, G. and Gertz, M. 150–67. Belmont, CA: Wadsworth.
  • Biever, C. 2004. ‘How zombie networks fuel cyber crime’, www.newscientist.com, accessed 5 June 2005.
  • Blackwell, T. 2004. Easter egg cheats cracking casinos?. National Post, 12 July, www.seclist.org, accessed from Information Security News, 2 May 2005.
  • Blackwell, T. 2005. Charges raise specter of VLT cheating. National Post, 7 March.
  • Bourie, S. 1999. ‘Are slot machines honest?’, www.americancasino.com, accessed 20 May 2005.
  • Campbell, C. and Smith, G. 1998. Canadian gambling: trends and public policy issues. Annals American Academy of Political and Social Sciences, 556: 22–35.
  • Campbell, C., Hartnagel, T.F. and Smith, G. 2005. The legalisation of gambling in Canada, Report prepared for the Law Commission of Canada, Ottawa.
  • Crenshaw, D. 2003. Slot machine cheat bilked casinos with ingenious gadgets. USA Today, 11 August, www.USAToday.com/tech (accessed May 24 2005).
  • Cressey, D. 1972. Criminal Organisation: Its Elementary Forms, London: Heinemann.
  • Criminal Intelligence Service Canada. 2000. Technology and Crime, Annual Report, Canada: Ottawa. www.cisc.gc.ca, accessed 5 June 2005.
  • Cullingworth, B. 2004. ‘Distributed denial of service attacks no joke’, www.winjneronline.com, accessed 5 June 2005.
  • Dickerson, M. 2003a. “Exploring the limits of “responsible gambling”: harm minimisation or consumer protection”. In Proceedings of the 12th Annual Conference of the National Association for Gambling Studies Melbourne Australia.
  • Dickerson, M. 2003b. “What if there were no problem gamblers?”. In Paper presented at the 12th International Conference on Gambling and Risk Taking, Canada: Vancouver. May.
  • Eadington, W.R. 1996. “Ethical and policy considerations in the spread of commercial gambling”. In Gambling Cultures: Studies in History and Interpretation, Edited by: McMillen, J. 243–62. New York: Routledge.
  • Eriksson, H. 2004. ‘Russian hackers nearly ruined British bookmakers’, www.gamblingates.com, accessed 21 April 2005.
  • Germain, J.M. 2004. Global extortion, online gambling and organized hacking. TechNewsWorld, 23 March, www.technewsworld.com, accessed 23 March 2004.
  • Grabosky, P., Smith, R.C. and Dempsey, G. 2001. Electronic Theft: Unlawful Acquisition in Cyberspace, New York: Cambridge University Press.
  • Golubev, V. 2005. ‘DOS attacks: Crime without penalty’, www.crime-research.org, accessed 5 June 2005.
  • Goodman, R. 1995. The Luck Business: The Devastating Consequences and Broken Promises of America's Gambling Explosion, New York: Free Press.
  • Gray, P. 2005. ‘Hackers: the winds of change’, www.iss.net, accessed 5 June 2005.
  • Griffiths, C.T., Whitelaw, R. and Parent, R.B., eds. 1999. Canadian Police Work, Scarborough, Ont: International Thompson.
  • Kessler, G.C. 2000. Security at the speed of thought. Information Security Magazine, November.
  • KPMG. 2004. Canadian Gaming Industry Highlights, Toronto: KPMG.
  • Kramerenko, D. 2004. Russian hacker blackmailed gambling companies. Computer Crime Research Centre, www.crime-research.org/news, accessed 21 April 2005.
  • MacDonald, M., McMullan, J.L. and Perrier, D.C. 2004. Gambling households in Canada. Journal of Gambling Studies, 20(2): 187–236.
  • Mandel, C. 2000. Revenge on the one armed bandit. Wired News, www.wired-vig.com, accessed 23 March 2004.
  • Marshall, K. and Wynne, H. 2004. “Fact sheet on gambling”. In Perspectives on Labour and Income, Catalogue 75-001-XIE, Ottawa: Statistics Canada.
  • McIntosh, M. 1973. The growth of racketeering. Economy and Society, 2: 5–69.
  • McIntosh, M. 1975. The Organization of Crime, London: MacMillan Press.
  • McMillen, J. 1996. “From glamour to grind: the globalisation of casinos”. In Gambling Cultures: Studies in History and Interpretation, Edited by: McMillen, J. 263–87. London: Routledge.
  • McMullan, J.L. 2005. ‘The gambling problem and problem gambling: Research, public policy and citizenry’, Paper presented at the 4th Annual Alberta Conference on Gambling Research, Public Policy Implications of Gambling Research, University of Alberta, Edmonton, 31 March–1 April.
  • McMullan, J.L. and Perrier, D.C. 2003. Technologies of crime: The cyber-attacks on electronic gambling machines. Canadian Journal of Criminology and Criminal Justice, 45(2): 159–86.
  • Mezrich, B. 2002. Hacking Las Vegas: the inside story of MIT Blackjack team's conquest of the casinos, www.wired.com/wired/archive, accessed 5 June 2005.
  • Minchin, G.E. 2004. Buying a risk: an application of insurance law to legal gaming. E Community International Journal of Mental Health and Addiction, 2(1): 9–14.
  • Mitnick, K.D. and Simon, W.L. 2005. The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers, New York: Wiley.
  • Nuttall, C. 2005. Hackers blackmail internet bookies. Financial Times, 23 February, www.ft.com (accessed 21 April 2005).
  • Orum, A., Feagin, J. and Sjoberg, G. 1991. “The nature of the case study”. In A Case for the Case Study, Edited by: Feagin, J., Orum, A. and Sjoberg, G. 1–26. Chapel Hill, NC: University of North Carolina Press.
  • R v. Patrick Hinchey 2005. P.C.N.S. (unreported case). Sydney, Nova Scotia, Canada, 17 March.
  • Reiss, A. 1984. “Selecting strategies of social control over organizational life”. In Enforcing Regulation, Edited by: Hawkins, K. and Thomas, J.M. 23–36. Boston: Kluwer-Nijhoff.
  • Reuter, P. 1985. The Organization of Illegal Markets: An Economic Analysis, Washington, D.C.: US Government Printing Office.
  • Reuter, P. and Rubinstein, J. 1982. Illegal Gambling in New York: A Case Study of the Operation, Structure and Operation of an Illegal Market, Washington, D.C.: US Government Printing Office.
  • Reuters News Service. 2001. ‘Hackers win high stakes at gambling sites’, 10 September, CNET news.com, accessed 21 April 2005.
  • Reuters News Service. 2004. ‘Hackers attack William Hill after $10,000 blackmail threat’, 17 March, http://networks.silicon.com/webwatch, accessed 21 April 2005.
  • Rosecrance, J. 1990. “The stooper: a professional thief in the Sutherland manner”. In Criminal Behavior: Texts and Readings in Criminology, Edited by: Kelly, D.H. New York: St Martin's Press.
  • Rosoff, S.M., Pontell, H.N. and Tillman, R.H. 2002. Profit Without Honor: White-Collar Crime and the Looting of America, Upper Saddle River, NJ: Prentice-Hall.
  • Secker, A. 2005. ‘How and why New Zealand revamped its gambling regulatory scheme’, Paper presented to the 4th Annual Alberta Conference on Gambling Research: Public Policy Implications of Gambling Research. University of Alberta, Edmonton, 31 March–1 April.
  • Skolnick, J.H. 1980. House of Cards: Legalization and Control of Casino Gambling, Boston, MA: Little, Brown and Co.
  • Smith, D.C. 1980. Paragons, pariahs and pirates: a spectrum based theory of enterprise. Crime and Delinquency, 26: 358–86.
  • Smith, G.J. and Azmier, J. 1997. Gambling and the Public Interest?, Calgary: Canada West Foundation.
  • Smith, G.J. and Wynne, H. 1999. Gambling in Canada. Triumph, Tragedy or Tradeoff?, Calgary: Canada West Foundation.
  • Smith, G.J., Wynne, H. and Hartnagel, T. 2003. Examining Police Records to Assess Gambling Impacts: A Study of Gambling Related Crime in the City of Edmonton, Edmonton: Alberta Gaming Research Institute.
  • Smith, K. 2005. Extortionists target online gaming sites. Interactive Gaming News, 8 March, www.riverheard.com, accessed 21 April 2005.
  • Stanbaugh, H., Icove, D.J., Beaupre, D.S., Baker, R., Cassaday, W. and William, W.P. 2001. Electronic Crime Needs Assessment for State and Local Law Enforcement, Washington, D.C.: National Institute of Justice.
  • Surin, A.J. 2005. To catch a cybercriminal, www.crime-research.org, accessed 5 June 2005.
  • Technical System Testing. 2005. ‘Is your RNG taking YOU for a ride? Why RNG results may not always be what they appear to be’, www.tst.com, accessed 31 May 2005.
  • The Gambling Magazine. 2004. ‘Sophisticated gangs: cheating slot machines across country’, 27 November, www.gamingmagazine.com, accessed 22 May 2004.
  • The Gambling Magazine. 2005. ‘Shoe sparks casino probe’, 15 March, www.gamingmagazine.com, accessed 22 May.
