lax internal controls that allowed a DraftKings employee to publicly post sensitive data regarding contests before that data should have been publicly available.
The employee was cleared of wrongdoing by an external review commissioned by DraftKings.
Now, DraftKings is under additional fire for its seeming inability to block, or perhaps apathetic attitude towards blocking, players from blocked states like Nevada.
The first hint that geolocation at DFS sites wasn’t all it was cracked up to be came in the form of a lawsuit by a DraftKings and FanDuel player in Louisiana, one of five states that all daily fantasy sports operators have blocked.
The plaintiff filed the lawsuit on October 13; his lawyers claimed he was playing DFS in the state for real money.
Other unconfirmed reports indicate this may not have been entirely a product of careless internal controls. A New York Times article alleges that a DraftKings employee suggested a workaround for playing in locations where DFS is not legal.
Following the Nevada Gaming Control Board’s notice that DFS was in fact gambling and required a state license, virtually all of the big-name sites pulled out of the market and vowed to block future play from the state.
However, OPR sister site Legal Sports Report reported being able to log on to DraftKings and enter contests from Nevada simply by using an account registered out of state.
LSR accomplished this without disguising their IP address or using any other methods to conceal their actual location (other than checking a box to say they weren’t a resident of the state).
This breach occurred two days after DraftKings announced it would not accept any new contest entries from players in Nevada. Similar attempts by LSR at FanDuel and StarsDraft were unsuccessful.
LSR repeated the test successfully and entered new real-money contests at DraftKings on Monday, October 19.
The UIGEA is clear on this point, prohibiting “gambling businesses from knowingly accepting payments in connection with the participation of another person in a bet or wager that involves the use of the Internet and that is unlawful under any federal or state law.”
Violations of state law by DFS operators also have the potential to trigger a variety of other federal laws.
Basically, if DFS is illegal under state law and a site knowingly (there is that word again) accepts wagers from these states, it could obviously be a problem.
Nevada Gaming Control Board Chairman A.G. Burnett framed it this way for the NYT:
“We have been and will continue to test the D.F.S. operators’ websites and apps to determine if they’ve disengaged from Nevada or not,” he said of the daily fantasy sports sites. “Failure to disengage can constitute a crime; we will work with our counsel on what are the next steps forward, should that be the case.”
The question is, what constitutes knowingly, and would negligible safeguards to prevent players from prohibited states from participating constitute a violation?
Thus far neither DraftKings nor FanDuel has been willing to detail their geolocation procedures, so it’s unclear what standards they have, or how much effort they are putting into proper geolocation.
According to a statement by DraftKings issued on October 15, “We [DraftKings] are able to track location a variety of ways and have sophisticated methods both internally and via third parties to ensure we are complying with the law in all jurisdictions.”
The statement goes on to say the company uses several different tools to accomplish this, including IP tracking, GPS tracking on mobile devices, and payment verification. LSR’s tests seem to indicate these “sophisticated methods” may not be overly effective.
I recently spoke with Matthew Katz, CEO of CAMS, one of the leading player verification and geolocation companies in the gaming industry. Katz explained the different types of geolocation technology a site could employ and their efficacy.
Katz made it clear he was unsure what type of geolocation protocols the two leading DFS sites have in place, but did say they are not customers of CAMS. We also know neither FanDuel nor DraftKings is a client of GeoComply, which is widely considered to be the gold standard for geolocation and is the company that regulated online gaming markets in the U.S. have turned to. GeoComply has proven highly effective in ring-fencing markets in the U.S.
Here is a look at how sites could geolocate users:
GeoComply and CAMS use a layered approach to geolocation, employing aggregated data from multiple third-party sources. Because they don’t rely on any single method to verify a customer’s location, their methods are highly effective.
GeoComply CEO Anna Sainsbury demonstrated this technology during a briefing on Capitol Hill in May, and explained the numerous layers GeoComply employs, such as IP address, GPS location, Wi-Fi triangulation, and cell tower triangulation, as well as software that detects concealing technologies such as VPNs and remote servers on a customer’s computer.
With this technology in place, there has yet to be a single known case of a player accessing a regulated New Jersey online gambling site from out of state.
To the best of our knowledge, beyond GeoComply and CAMS, there isn’t a geolocation product that is a mere step or two down that a site could turn to. The drop from GeoComply or CAMS is precipitous, and what lies below is made up of off-the-shelf verification systems. According to Katz, these products are “basic and rudimentary,” and individually could have a false positive rate of 25%-30% without the customer doing very much to defeat them. In fact, Katz indicated these products are so ineffective that players could inadvertently thwart them: if a company’s servers were located in a certain area, it would appear that all traffic was coming through those central servers.
What’s even more worrisome is that there is yet another version of geolocation DFS sites might be employing that is even less effective.
According to Katz, the simplest and obviously least effective form of geolocation is “user-defined.”
Essentially, user-defined geolocation is the honor system. When a player registers and lists “Steve from Massachusetts,” the site accepts this at face value. As Katz said, that would be “their version of geolocation.”
There is a second, stronger layer to user-defined verification, as the site could ask for some form of proof, such as a copy of a driver’s license or utility bills. It should be noted that neither FanDuel nor DraftKings asks for this type of hard copy verification at registration, but they do require it for withdrawals.
Based on the tests conducted by LSR this weekend, it appears StarsDraft and FanDuel are using, at the very least, some type of IP verification that identified LSR’s attempts to access their sites from inside the state.
Based on the tests, it appears DraftKings may only be employing user-defined verification — at least for access that comes via something other than a mobile device.
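The gap between user-defined and layered geolocation described above can be made concrete with a short sketch. This is an added example, not code from any operator or vendor named in the article; the signal names, the two-signal minimum and the sample sessions are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Two blocked states named in the article (it does not list all five).
BLOCKED_STATES = {"NV", "LA"}

@dataclass
class Session:
    declared_state: str                 # what the user typed or ticked at registration
    ip_state: Optional[str] = None      # state resolved from the source IP
    gps_state: Optional[str] = None     # state resolved from device GPS
    wifi_state: Optional[str] = None    # state resolved from Wi-Fi triangulation
    cell_state: Optional[str] = None    # state resolved from cell tower triangulation
    concealment_detected: bool = False  # VPN or remote-server software seen on device

def user_defined_allows(s: Session) -> bool:
    """Honor system: only the self-declared state is consulted."""
    return s.declared_state not in BLOCKED_STATES

def layered_decision(s: Session, min_signals: int = 2):
    """Return (allowed, reasons); fails closed on thin or conflicting evidence."""
    observed = {name: state for name, state in
                [("ip", s.ip_state), ("gps", s.gps_state),
                 ("wifi", s.wifi_state), ("cell", s.cell_state)]
                if state is not None}
    reasons = []
    if s.concealment_detected:
        reasons.append("concealment software detected")
    if len(observed) < min_signals:
        reasons.append(f"only {len(observed)} location signal(s), need {min_signals}")
    for name, state in sorted(observed.items()):
        if state in BLOCKED_STATES:
            reasons.append(f"{name} places user in blocked state {state}")
    if len(set(observed.values())) > 1:
        reasons.append("location signals disagree")
    return (not reasons, reasons)

# Constructed sessions: an out-of-state account used from Nevada with nothing
# concealed, an ordinary in-state user, and a user with IP evidence only.
LSR_STYLE = Session(declared_state="MA", ip_state="NV", wifi_state="NV")
HOME_USER = Session(declared_state="MA", ip_state="MA", wifi_state="MA")
IP_ONLY = Session(declared_state="MA", ip_state="MA")

if __name__ == "__main__":
    for label, sess in [("LSR-style", LSR_STYLE), ("home", HOME_USER), ("ip-only", IP_ONLY)]:
        print(label, user_defined_allows(sess), layered_decision(sess))
```

The honor-system check admits all three sessions, while the layered check rejects the Nevada session on both observed signals and also refuses to rely on a single IP lookup.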
Of course, DraftKings could put this uncertainty and speculation to rest quickly by clearly defining exactly what geolocation methods they are using.