It’ll surprise no-one to hear that most poker sites don’t try very hard to catch bots or Real-Time-Assistants, and it’s been that way for a long time.
Traditionally, a bot is entirely automated. It not only takes decisions by itself, but it inputs them to the site too. A decision aid like an RTA tells you which decision to take, and you input it yourself. The latter have existed for at least fifteen years, going back to ICM solvers in SNG. The former have probably been around just as long, with bot-rings winning millions since the early days of online.
As far as I’m aware, the sites I have worked with have invested in bot detection, but I know of several that do as little as they think they can get away with. Partly, I’m writing this article for them – to persuade them that it’s a good idea to start building capabilities – and also of course to hire me as a consultant, because I like having more work to do.
Poker is different from other gambling games because the site doesn’t care who wins or loses, they just want people to play. That sets up misaligned incentives with players when it comes to catching cheats of any kind, but bots in particular. You’re making money from the bot, and there are going to be some winners in any case. If an account is providing much-needed liquidity, why risk finding out it’s a bot?
For chip dumping, regulators and indeed the regular legal system impose anti-money-laundering measures on sites. But regulators often have no idea how collusion or bots work, and their requirements tend to be fairly vague (do they know what a solver is?) Why bother over-complying with your regulator?
Finally, catching bots is hard. Most poker sites are, effectively, failing. We trumpet sites as success stories when they are staying level for a couple of years. Most departments in a big gambling company want nothing to do with poker, when they can work on a more glamorous, growing product instead. Why invest resources into hiring expensive analysts? Why would those analysts even want to join you, knowing they’ll often be low status, and paid accordingly?
You Should Catch Bots Anyway
At an old job, we got a guy in to give a talk to the poker team about making a bot. He had won several million writing and running his own, and we wanted to talk to someone we could trust about what we might have missed and what would actually work.
He had a story about a > 100 employee company in Russia that operated a large bot-ring, and was still in operation. The people doing these things are often unsavoury, and in this particular case, had strong links to organised crime. By not attempting to catch these people, you are inadvertently funding activities you do not want on your conscience.
I’ve also twice heard stories of a company in Korea that hired mostly ex-pro gamers, sat them in a darkened room, and had them play eight tables online, following suggested decisions from automated software. I don’t think this was linked to other criminal activities, but what about the places I haven’t heard of? This was at least a decade ago, it’s hard to imagine it’s gone away since.
Asides from the criminal angle, it’s also of course immoral to not try to catch bots on your site. I don’t want to belabour this because some people don’t really think morality should come into running their businesses, but people play online under the impression they’re playing fair games against other people. It’s a business’s responsibility to provide that.
Then there’s the bad PR. I think the Absolute Poker & Ultimate Bet scandals of ~2007 demonstrate that lots of players will happily ignore other players being cheated, but remember that both of those sites still went broke while others survived the era. Back when live games had an older demographic than today, you’d often hear people vowing to stay away from online because it was infested with cheaters, and being able to stake a claim as a clean site has a lot of merit, particularly when a lot of people are forced to stay at home.
Finally, we should be wary of regulators. Over the past few years, the UKGC in particular have taken much more interest in problem gamblers. What happens to you if they start taking an interest in bot detection? It’s going to take you months to get any kind of reasonable capabilities, so it makes sense to me to get out ahead of the problem.
How do You do it?
The basic idea is that you catch someone by the way they actually play poker, and by the way they interact with the client. I can’t go into details, but I worked on this at PokerStars in the dim and distant past (2005), and headed the fraud team at Relax (who make Unibet’s poker software), where one of my main projects was rebuilding the fraud detection systems. I’m also familiar with what PS and Party do, via friends who work in those teams.
I started writing this because of a post on Twitter:
To which I replied with something from backgammon. You may have heard of poker Snowie, but the original snowie was a backgammon solver. I don’t know if it played theoretically 100% perfectly correct, but machines are much better at the game than humans. For these purposes, let’s say it never makes errors.
If the backgammon world champion makes 5 mistakes per 100 over a large sample according to snowie, you can be fairly confident that an online player on zero mistakes is cheating. Even if someone is making 4 or 5, if they aren’t actually playing in the world championships, you’re safe to assume they cheat, particularly as your sample size grows. You can use similar methods for poker.
The idea behind most security is not to make it impossible to stop people doing something. It’s to make it hard enough that it isn’t worth doing to me anymore. Let’s say that you have a solver that makes zero GTO mistakes. If you make zero mistakes playing on my site, you’ll be banned. So you start making mistakes to cover your tracks. If you’re playing much better than the best players in the world do (benchmarked by playing live, say), you’ll still be banned. You need to purposely introduce errors into your play to remain on the site. At that point, you may as well just go and play on a site that isn’t trying to catch you in the first place, as you’ll make more money at less risk of confiscation.
Obviously that is an unstable equilibrium, but as long as many sites don’t care about catching cheats, it still works – and in the long term, there will still be a site with the best security.
Even if you have the perfect play style to avoid detection by the site’s systems, there are still other ways to catch you. You need to get this right along several dimensions, some of which you likely won’t have thought of, and some where the sites have huge asymmetric information edges over you.
What Should Players Do?
Let’s say you want your site-of-choice to enact those kinds of security measures. Asides from persuading them to hire me (hurrah!), there are a few things you can do.
First of all, some sites are proactive about catching cheats, but don’t want to talk about it because it’s bad PR. It therefore becomes important to change the norm – it should be bad PR to NOT talk about the cheats you caught this month. Players mailing sites, leaving reviews, posting on social media, posting in their local press, posting in the industry press – sites will react to this, and you want them competing for your custom with it.
Second, talk to the regulators. If the UKGC (say) start taking poker bot detection seriously, all major sites have to take it seriously too. If a site can detect bots in the UK, they’re not likely to ignore it when their systems highlight some suspicious accounts in Norway. I suggest targeting a responsive regulator, if that isn’t a contradiction in terms, organised via 2 + 2 or similar.
Some of the player efforts to catch bots are impressive, and I know of two sites who hired people on that basis. But sites have enormous information asymmetries over regular players, no matter how much crowdsourcing they do. The most effective response to RTAs and bots has to come from sites, and for the sites that don’t care, players need to find ways to change their minds.
2 thoughts on “Poker: Bot & RTA Detection”