Tuesday, November 09, 2010

PokerStars' Lee Jones on Multi-Accounting and Online Poker Cheating

Lee Jones, a very successful poker player, poker author and the poker room manager at the biggest online poker site, PokerStars, recently had this to say about cheating in an online poker interview with Bluff Magazine:

BLUFF: Some issues that affect the online poker community: First, the number of bots who have appeared on poker sites over the years, including at Cake Poker. Do you feel that anonymous names and/or having constant name changes makes detecting them more difficult?

Jones: I think the external poker community often doesn’t fully appreciate the level of information that the sites themselves have. For instance, people occasionally ask me if, when one of our players changes his nickname, are we still able to track him. In fact, we don’t pay any attention to the player’s nickname - we don’t think of him by that nickname any more than you refer to your girlfriend by the color of blouse she is wearing on a given day. We have a unique numeric identifier that you get when you open your account at Cake and that’s how we know you forever.

I told you all that to tell you this: there are lots of ways to spot bad actors and many of them come from *inside* the poker sites. We have many techniques for detecting bots and, in fact, our head of security is a bit of a bot expert. Bots really don’t make very much money on an individual basis so to be at all cost effective, they have to scale massively. In fact, many of the bots that we’ve busted recently were actually losing players, but were marginally +EV with bonuses, rakeback, etc. The point is that once you start to scale massively, you become much more detectable. I honestly believe that bots are more of a theoretical problem than a practical one. We definitely shut them down, and we’re good at doing it, but from the player’s perspective, they should be putting their energy into beating the carbon-based opponents. Of course, if the bots are colluding, that’s a whole different ballgame, but collusion leaves its own set of tracks and we spot those too.

BLUFF: Another issue that affects online poker is the security of a site. UB is well known for their superuser scandals, and their lack of having SSL encryption. Shortly after that discovery, PokerTableRatings found a similar flaw in Cake Poker’s site, and there was suspicion that there may have been “superusers” on Cake who exploited that flaw. A few posters on 2+2 were going through the hand histories to try and determine if this was the case. What is the current progress on that investigation?

Jones: In case nobody reads beyond the first couple of sentences: it is true that Cake Poker had a security vulnerability in its server-client communication. That vulnerability was removed on August 5th, 2010. There is no evidence whatsoever that anybody exploited that vulnerability. I also think we should be careful about our vocabulary. UB/AP had “superusers” - which is a term I use for people who had access to every single hole card of any game they wished. The subsequent vulnerability on UB, which was also found on Cake, was of a very different nature. Properly exploited, it might have given a user access to the hole cards of very specific people who they’d have to find on an unprotected (almost certainly wireless) network.

So if you were sitting in a coffee shop that had free WiFi and you could find a Cake user on that same network, and you had the proper exploitation software, you could have seen that player’s cards for the period that he was playing there. That’s obviously a very different scenario from the Hamilton et. al. thievery at UB where they had complete unfettered access to the hole cards of any game they wished. I’m not for a moment excusing the vulnerability that we had, but I want to keep our perspective.

You are correct that we have instituted a major audit of the hands that were played during the time that the vulnerability was present. We had three different teams working on it independently. Two of the auditors - Steve Wood, a former PokerStars employee, and Jeff Williams, a well known high-stakes player - have reported back that they were unable to find any signs of exploitation. The third team, Noah Stephens-Davidowitz and Thomas Bakker, are running in-depth statistical studies. They have not made it all the way through all the data yet. However, in the hand histories they *have* been through, they have found no sign of any exploitation of the vulnerability. I’d add that this audit is, by far, the most through and transparent audit of online poker histories that’s been done in the history of the business, at least to my knowledge.

BLUFF: Over the years, several well-known players have been caught multi-accounting. Do you believe there’s a way to prevent further multiaccounting scandals from occurring in the future? I know in the past you’ve talked about your dislike of particular rules that you feel are unenforceable. [For example] the one player to a hand rule.

Jones: Yes, I believe there’s a way to prevent further multi-accounting scandals from occurring: stop trying to enforce this silly one-to-one mapping between human beings and screen-names. It’s the Internet, and being anonymous, or “shape-shifting” is trivial stuff. You can use multiple computers, multiple ISPs, VPNs, mobile devices. And heck, that’s just the technology I’m aware of and I’m far behind the times on Internet technology. Furthermore, it’s just going to get harder as more and more devices become Internet-aware and so on.

Sites making a deal about this are fighting a battle that they can’t win and is only going to become more futile as time goes on. We have so many truly legitimate issues facing us: the whole question of legality, protecting the fish (player anonymity), real cheating (collusion and financial fraud), etc. It is a poor use of our time and resources to spend all that energy on multi-accounting. Now, two things to make clear:

1. I never condone somebody breaking a site’s Terms and Conditions. If you play on a poker site, then you have, either implicitly or explicitly, agreed to a set of rules. If their rules say you have a single account that has a single name, and that you and only you play that account, then that’s the rule and you follow it. If you don’t like their rules, play elsewhere.

2. I am not including in the general multi-accounting argument the idea of multiple accounts colluding or playing in the same tournament together. That’s a whole different ball of wax, and IMHO, crosses a very different set of lines.

But I firmly believe that the whole multi-accounting issue has largely come from the player community. They get upset when they see that players who have been crushing the tournaments are doing this. But the best players are going to do well, no matter what.