Online gambling geolocation was a key topic during a recent hearing before Michigan lawmakers to legalize online poker in the Great Lakes State. But former PokerStars security expert Michael Josem warns that proposed blanket geolocation bans on Virtual Private Networks would go too far.
On March 12th, 2019, the Michigan House Regulatory Reform Committee heard sworn testimony from GeoComply public affairs and government relations consultant John Pappas.
In the hearing, the former Poker Players Alliance executive argued that licensed, statewide iGaming services in America should outright prohibit the use of Virtual Private Networks (VPNs).
Pappas added that regulators should not assume the risk of potentially allowing malicious, out-of-state users to gain access to iGaming products illegally, through intentionally masking their physical location — or through illicit use of remote desktop applications.
In response to that article, former PokerStars security analyst and current Part Time Poker reader Michael Josem reached out to this author, offering to broaden my (admittedly crude) perspective on the following:
- how Internet Protocol (IP) addresses work,
- why they are not a reliable means of determining physical location, and
- why use of Virtual Private Networks should not be discouraged (contrary to this author’s belief that U.S. online poker players should refrain from using VPN networks altogether, and that industry pursuits are justified in their push for blanket VPN bans).
What follows is a conversation that took place over numerous Skype calls during March 2019 between David Huber (on behalf of Part Time Poker) and Michael Josem — an individual with extensive industry experience who was also partly responsible for bringing the Ultimate Bet/Absolute Poker superuser cheating scandal to light in 2008.
Online Gambling Geolocation (Interview with Michael Josem)
“It would be helpful for the general public to get away from the idea that IP addresses are a meaningful or reliable source for determining physical location.” – Michael Josem
Michael Josem: I suppose a simple analogy to begin with — to visualize how an IP address is not the be-all and end-all for deciphering one’s physical location. It’s about as reliable as a ‘return address’ that might be included on an envelope sent via traditional postal mail. The IP address of a computer is about as reliable an indicator of origin as a return address that someone might jot down on a parcel envelope or sticker.
Most of the time, it is adequate, but it can very easily be manipulated. But also, on a more underlying, fundamental basis… IP addresses do not have locations.
They’re not designed at their very core to be a geographic location tool. At their very core, they’re designed to be Internet Protocol communications.
Perhaps another analogy that might fit is that an IP address as a means to pinpoint one’s location would be equivalent to a bouncer outside a club determining one’s age-based eligibility by giving a quick once-over of the patron before deciding whether to grant access. Just looking at attendees works adequately most of the time — but there are younger people who look old, and there are older people who look young.
IP address verification processes can be equally susceptible to false positives and false negatives, in that they can incorrectly identify some users as being within or outside of a specific geographical region or virtual border. IP addresses — at their base — represent a technology that was never meant for geographic location verification.
David Huber: I understand the case you’re making for IP addresses not being a reliable, sole data point for determining a user’s physical location, but John Pappas testified that GeoComply accrues other data (including Bluetooth, Wi-Fi, GPS, mobile devices), and then “interrogates” that data to produce a “compliance-grade” online gambling geolocation tool, as opposed to “open-door” tools that consumers can make use of through mobile apps, etc.
Michael Josem: Yes, and that is certainly useful. That gets to the point that IP addresses can be a useful indicator just like a return address of where it was sent from, but it’s just one little piece of a broader picture.
A lot of these technologies and security systems these days should be thought of less as a wall, and more as a series of nets… a shark net in the ocean, if you will. You don’t want to cut everyone off, but rather you want to have a number of tools that keep out the bad actors.
In the shark net analogy, you still want the water to come through. We need to let the legitimate users through, and block out only the bad people. That’s only possible with a multi-layered security strategy, and IP addresses are just a very weak tool against bad actors. Realistically, the vast majority of bad actors that IP address verification can stop are accidental breaches, not genuinely malicious actors.
The IP address of a user can be a very loose net, but not a meaningful one, nor one of substantial value for determining one’s physical location. They will become even more redundant as the world moves to the next generation of IP addresses.
David Huber: The March 12th testimony provided by John Pappas before the Michigan House Regulatory Reform Committee advises lawmakers that Virtual Private Networks (VPNs) should be restricted outright from participating in licensed games. My understanding is that you disagree with that take?
Michael Josem: The technology in VPNs has many legitimate uses, and the actual underlying bad behavior is not the VPN per se. The bad behavior is the deliberate effort to mislead an operator about where you’re located. So rather than banning VPNs, it’s much more important to ban the willful effort to mislead an operator concerning one’s whereabouts.
David Huber: So it’s your belief that a blanket ban on VPN usage within regulated iGaming markets is, or would be, overreaching?
Michael Josem: Yes. It’s very much overreaching, for the exact reason that John Pappas outlined in his testimony, which is that determining someone’s location is a function of a whole series of different pieces of information.
He spoke about Wi-Fi, Bluetooth and GPS. China, Russia and the European Union all have plans to install GPS-equivalent satellites. So there are a whole bunch of different services out there in the world that we can use to determine one’s location. And for exactly the reason that John made, outright banning VPNs would be an overreaching action.
Of course, he’s advocating for a commercial business that has a wide variety of services, and it’s important to look at the whole picture.
David Huber: Let’s go over an issue that you have with my recent commentary advising U.S. online poker players that they should refrain from using VPNs or other location spoofing software while gambling online from the United States. Why do you disagree with that take/opinion?
Michael Josem: There are a lot of people who use VPNs for legitimate reasons. For example, if you were to access an unsecured Wi-Fi hotspot, then all of that data — that is coming to and from your computer — is being transmitted by radio transmission. It’s being broadcast into the air. So anyone observing that can record that stream of data.
In the case of online gambling, if you’re operating as a legitimate, secure operator, then that data will be encrypted anyway. But there are a lot of other websites in the world that are not encrypted.
I see that Part Time Poker — for example — has good HTTPS encryption. So you’re fine there, but some other online services do not use good encryption. So it can be important for an end-user to want to protect that data — in a way that can be entirely disconnected from the activity of gambling online.
Leaving that so-called ‘hole’ in the shark net open for non-malicious VPN users (so that they’re not arbitrarily denied service or otherwise labeled as bad actors), is key in any regulated market, in my opinion.
David Huber: So it’s your belief that it would be prudent for lawmakers to further consider the questions brought forth by Michigan House Regulatory Reform Committee Vice Chair Ryan Berman (as they relate to “appeals” processes and other safeguards to protect consumers from wrongful denials of service)?
WATCH: MI House Regulatory Reform Committee Questions (5:10-8:00)
Michael Josem: A lot of operators have prohibited legitimate online patrons. Online poker sites — even companies like GeoComply — can sometimes make mistakes. No one’s perfect. And it is important to have a proper appeals process for when errors are made. Even IP geolocation techniques can turn out to be faulty.
And there are legitimate questions surrounding jurisdictional authority in circumstances which could eventually be relevant to online gambling — although that’s somewhat beyond the scope of current legislation being considered by Michigan lawmakers.
And that is… there’s actually a legitimate conversation and dispute to be had about which laws apply. Say for instance, if you’re in a plane over Michigan, would you one day be allowed to participate in the regulated Michigan iGaming market? To add to this… the argument could center around a combination of (a) where the flight’s going, (b) where the flight originated, (c) the place where the plane is registered, and (d) the airspace that is currently being utilized.
So there’s a combination of all these different rules that are relevant to online gambling geolocation. Meaning…
- no automated system can possibly take into account all that sort of information,
- there are always going to be mistakes on the edge, and
- there should be an appeals process… some humility from operators in their effort to get this right.