Australia: "Remote" Gambling: Cloud Computing and Online Gambling Operators

No buzzword is more prevalent in IT circles than "cloud computing". But what is it, what are the risks and how can you take advantage of it?

What is Cloud Computing?

In its simplest sense, cloud computing is the use of "remote" computing resources (hard disks, databases, CPUs) to perform tasks that are typically done by "local" resources. In computer terms, something is "remote" (as opposed to "local") if it is accessed over a network. While relatively simple cloud computing services like Hotmail or Gmail have existed for years, the phenomenal increase in the speed of networks allows a far broader range of "remote" resources to behave as well as (and in some cases better) than "local" resources.

Because cloud computing allows for the centralisation of the resources being used (be they the hard disk, database, etc), it makes it easier to more efficiently use those resources. In the traditional model of computing, each resource is utilised only by the particular PC to which it is attached. Centralisation allows for resources to be shared and, as a result, used more effectively. Moreover, because all the resources are centralised, they are easier to maintain and to expand.

Effective sharing and easier maintenance allows for "scalability" (that is, the ease with which you can increase or decrease the resources used), one of the key attractions of cloud computing. It generally means a lower cost and more flexibility, allowing companies to deal more effectively with fluctuations in business, such as varying customer demand.

Some members of the online gambling sector has already begun to make use of the cloud. The betting exchange Betfair was reported as having moved some of its research and development operations to cloud computing provider Rackspace.¹

However, there are also risks. For online gambling operators, outsourcing computing resources to the cloud can bring some serious potential legal risks if they use a cloud from another provider, instead of maintaining it themselves.² The risks include choice of law, security, data protection, privacy and regulatory issues.

Choice of Law

Cloud computing providers usually include a "choice of law" clauses in their contracts with cloud users. These clauses specify which jurisdiction's laws will govern the contract between the cloud provider and the customer and potentially which jurisdictions have the authority to hear any dispute that subsequently arises between the parties. Typically, this is the jurisdiction where the cloud computing provider's server is located, or a jurisdiction with laws favourable to the provider.

A choice of law clause in a contract can make it difficult for any online business to ascertain precisely at a particular time which laws govern the activities of the business. In addition, some laws may potentially have adverse ramifications for certain online businesses, as their activities may not be lawful in all jurisdictions. This is especially so for online gambling operators as laws regulating online gambling vary greatly between jurisdictions. Certain types of online gambling are illegal in Australia under the Interactive Gambling Act 2001 (Cth) (IGA), so an overseas gambling operator providing services accessible by Australians needs to be careful about where its data is located. If the server hosting its data is located in Australia, this could potentially breach Australian law.

Other gambling operators (such as wagering and betting operators) which allow bets to be placed over the Internet also need to be careful about which jurisdiction governs their data when using cloud servers. The jurisdiction specified in a choice of law clause may not be the same jurisdiction in which the gambling operator is licensed (for example, online wagering and sports betting activities may fall foul of the Interstate Wire Act in the United States). Gambling operators should research the law of the jurisdiction specified in such clauses, so that they do not expose themselves to potential risks if they do not have a licence in that jurisdiction.

Security

Security concerns are a key concern in connection with cloud computing for two reasons. First, the fact that a public network is utilised in the provision of most forms of cloud computing means that malicious users have an additional avenue of attack. Second, since the user of a cloud service does not control directly their own data, the user is entirely dependent on the security practices of the provider. (In practice, most providers employ more sophisticated security measures than most businesses but the lack of control over these measures can lead to an understandable level of anxiety on the part of the business.)

There are two types of adverse consequences for a gambling operator that can arise from a security breach. The first is the damage to that operator's brand. This can be particularly acute for gambling operators where the years that are spent building trust with a customer can evaporate in minutes once a problem arises.

The second factor is the potential liability of a gambling operator to its customers. While cloud computing allows for the outsourcing of computer resources, the legal responsibility to the end customer remains with the gambling operator. When taking advantage of cloud computing opportunities, it is important that gambling operators ensure they are not exposed to unnecessary risk in the event of a security breach.

If gambling operators store sensitive information within an external cloud, they need to review carefully the level of security promised by the cloud provider. This is especially important if the data stored includes customers' personal information, such as credit card details or bank information. In addition, online gambling operators should ensure that the cloud provider is required to notify them if any security breaches occur.

Files in the cloud might be stored in multiple locations on multiple servers. In such cases, gambling operators should check where their files are stored, as levels of security may vary between the different file servers. Many providers, particularly those aimed more at the consumer segment, are reluctant to release such information and this may factor into the attractiveness of one provider over another.

Standard contracts of cloud service providers generally contain clauses under which the cloud computing provider seeks to exclude liability in the event of a security breach. Also, it is not uncommon to see a provider refusing to warrant the security, reliability or data integrity of its cloud service.

Where gambling operators are not able to negotiate the terms of clause service contracts, care should be taken to ensure that the contract (usually in the form of a terms of use agreement) that governs the relationship between the operator and the customer is drafted to take this into account.

Data Protection

While terms of use can be drafted to limit the liability of a gambling operator to its customers (even in the event of data breach), data protection laws may exist in the jurisdiction (either of the operator or the cloud computing provider) which prevent businesses from contracting out of the legal obligations that arise under these laws.

Typically, data protection laws impose obligations on persons collecting or transferring personal information to ensure that it is protected. While this does not prevent a business from using a cloud computing provider, it means that security breaches may have wider ramifications. Even for businesses based in jurisdictions which do not yet have strong data protection laws in place (eg. Australia), the provisions of overseas legislation, particularly in Europe, may need to be considered if cloud computing resources are utilised.

Also, in some jurisdictions, there is a requirement to give notice to customers of any security breach which has occurred.

Privacy

With data potentially residing in multiple locations, it can be difficult for cloud users to protect their privacy or the privacy of their customers. Users of the cloud still need to comply with the privacy laws of their own country, even if their data is stored in a cloud server overseas.

For Australian operators, consideration should be given to ensuring compliance with the Privacy Act 1988 (Cth). Although Australia's privacy laws are not as constrictive as those of overseas countries (particularly in Europe), operators need to ensure that they understand their obligations. If data is being sent overseas, Australian operators must ensure that the country where the data will reside has privacy protections that are at least as good as those under the Privacy Act.

Australian businesses should also ensure that they are aware of the impact proposed changes to the Privacy Act may have as a result of the Government's response to a recent Australian Law Reform Commission inquiry into privacy protection.

As with the other issues noted above, when services based overseas are used, gambling operators need to check to ensure that the overseas laws that may apply are understood.

Other Regulatory Issues

For online gambling operators, a further concern is the effect the extent to which the conditions of a gambling licence inhibit the manner in which the business is conducted. Most gambling regulators require the computing resources that are going to be used in the provision of gambling services to be audited prior to the grant of the licence (and on further request). A change to the existing licensed systems, particularly one that affects the core gambling operations of the operator, is likely to require approval of the regulator.

In addition to performing audits on systems, many regulators wish to ensure that the systems which are used by an operator under their purview are located within the jurisdiction. Because cloud computing providers typically place resources in locations with strong communication links (eg. the United States, Ireland and Singapore). These locations may not be those where the licence is granted and so regulators may be reluctant to have systems in jurisdictions where they cannot easily be accessed by the regulator.

In both of these cases, the regulator may not be opposed to certain resources being provided via the cloud and what is required is for operators to explain the types of resources that are being placed into the cloud and the controls that will exist to ensure compliance with the rules of the relevant gambling licensing regime.

Conclusion

Online gambling operators that are looking to use cloud computing services to improve their service delivery to customers need to be aware of the risks associated with cloud computing. Just as with more traditional resources, resources provided via the cloud still need to be protected from security risks, comply with data protection and privacy laws and be consistent with any regulatory requirements which apply to gambling licences. Although online gambling operators are particularly well suited to taking advantage of the benefits of cloud computing, there are nevertheless a number of issues they need to consider in any attempt to make the move.

Footnotes

¹ Anh Nguyen, "Betfair moves R&D testing to the cloud", 26 January 2011, URL: http://www.computerworlduk.com/news/cloud-computing/3258252/betfair-moves-rd-testing-to-the-cloud/.

² Some of the risks discussed in this paper can be mitigated through the use of a "private" cloud. A private cloud involves the same centralisation of resources and their provision over a network with the difference being that the resources are placed in a location under the control of the relevant business.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.