The District of Columbia recently legalized Internet gambling, and may offer Texas holdem games in hot spots this summer.
The plan is to eventually make gambling widely available to anyone in the District whether its from home, hotel or car.
Its uncertain how many Washington residents think Internet gambling is a good idea. The law was slipped into a broader budget bill last December, and adopted by D.C.s Council without public hearing or debate. Even today, many people in the District appear unaware of it.
The government expects to make about $14 million in tax revenue in the first four years. Elected officials will likely gain as well in campaign donations from the competition for hot spot licenses.
The technical challenges may be daunting. The District has to be certain that gambling is occurring in its borders, and the only geographic control suggested so far is the use of static IP addresses, although most home users have dynamic IP addresses.
More broadly, how do you ensure IP addresses arent being spoofed? And how is location determined, particularly if youre gambling on your mobile phone or iPad while riding a Metro bus that has just crossed into Maryland or Virginia?
Here are the views of some security experts.
Patricia Titus, the vice president and chief information security officer at Unisys, sees many problems ahead for D.C. in deploying this technology.
The difficulty of limiting access based on geography is that its nearly impossible, and addressing the issue of smartphones and tablets users will add to the complexity, said Titus.
The ability to forge IP addresses, or IP spoofing, would allow someone to give unauthorized participants the ability to masquerade as a legitimate residents of the District, said Titus.
To ensure only District residences can access the gambling sites, the D.C. government will need to implement some sort of multi-factor authentication scheme tied to an official government record, said Titus, and implementing a system like this could be costly and quite complicated.
The idea of creating WiFi hotspots for gambling raises other, well-known issues regarding the risks associated with public hot spots.
Most consumers have very lax security practices with their computing devices, if any at all, said Titus.
Assuming the online gambling site can address this vulnerability with the use of secure socket layer (SSL) security similar to methods used for online banking, it is possible this could help keep the hackers from hijacking the secure session and gaining access to the system, said Titus. However I would venture to say that if you ask the banks how they keep their networks secure from hackers, youd find there is a considerable amount spent on security, she said.
Titus recommends that the District look at the total cost of ownership of this project, including the cost associated with potential security breaches.
The government should look at what would happen if this system were being used by people living outside the District and the possibility they could be sued or shutdown. If so this program could be a total waste of time and money, said Titus.
Andrew Storms, director of security operations for nCircle, a network security and compliance auditing firm, said that trying prove someone is local using only a static IP address is completely the wrong approach.
People have been hopping through networks for decades to disguise their identities and their geographic location, said Storms. Its ridiculously easy to do things on the internet and make it look like the actions are being taken by someone else, often without that persons awareness.
The security risks associated with Internet gambling and identity theft are enormous because there is no failsafe way to prove that anyone is who they say they are online, said Storms.
Instead of looking at static IP addresses those designing this system should start with the user, not the computer or the network, said Storms. What to accomplish, and this is no small task, is some means to authenticate the user and his/her actions.
Sam Alapati, senior technical director of Miro Consulting, believes legalized Internet gambling is a far superior alternative to offshore gambling, and there is technology that can restrict it to a geographic area and prevent underage gambling, with the latter requiring age verification procedures using Social Security numbers and motor vehicle records.
The challenge is to strictly regulate the internet gambling, so the geo-location technology can verify that the user in a permitted geographical area, said Alapati.
Technologies such as proxies, firewalls, network address translators (NAT) and VPN can circumvent geo-location data, said Alapati. The challenge here is not that you wont be able to prevent the usage of these technologies, but how to build in countermeasures to prevent the use of one of these technologies to circumvent the geo-location technology. The geo-location software can, for example, use the physical characteristics of an Internet connection such as the round trip delay, to determine if the request is possibly coming from outside the D.C. area. If the software is unable to determine the location of the user with a high degree of certainty, it can block the customer and flag the account for a review.
Operators and regulators can use software such as pattern recognizing software to routinely scan the transactions to detect anomalies and suspicious behavior, to prevent money laundering and terrorist financing, both of which are not easily detectable in normal casino, due the use of cash, said Alapati. A no cash, all digital transaction leaves plenty of auditable records for ensuring compliance with laws, he said.
If the technical challenges prove too much to allow Internet gambling, the District's law still allows creation of places in hotels and bars where people can gamble. Because federal law prohibits the use of slot machines in D.C., users would have to bring their own laptops, but then again, maybe not.
Theres nothing to stop hot spot owners from leasing an iPad or any touch screen device to a customer to use. The law, in effect, enables the creation of mini-casinos all over the District.
On a personal note, I live in the District and oppose this law. Ive written my local Neighborhood Advisory Commission, an elected volunteer group that provides feedback to local government, to urge them to do what the D.C. Council has not done, and that is to examine the laws implications to its neighborhoods and what government approved and promoted gambling will bring to some families living in Washington.