Lessons from Arizona: Redefining Transparency for Lottery Draws
By Helena Pereira and Walter Szrek of Szrek2Solutions, szrek.com
Security in the lottery industry is essential. Players must trust that every step of the way, lotteries provide secure games from beginning to end – including for electronic draws. Automated draw machines are integral to the lottery industry for many reasons, including that they help streamline the draw process with consequent cost-savings, and they are an important vehicle for launching new games and seizing new markets. Lotteries, Gaming Authorities, and Certification Agencies have defined certification standards for the generation of random numbers, security requirements for protecting ADMs, and auditable processes to ensure procedures are correctly implemented.
The certification and security standards support a strong rapport between consumers and lotteries. These measures, however, do not protect ADMs against hardware defects, software failures, or insider fraud. Many cases of errors or fraud have taken place in the US within the last decade despite the best practices that have been defined and numerous certifications of ADMs by independent labs. The industry keeps being confronted with situations of faulty random numbers due to improper machine setup, hardware malfunctions, software glitches, and fraud. While mistakes, hardware or software malfunctions, human mistakes, and cases of fraud are bound to happen, the problem persists because the random number generation process is not transparent. Problems are hidden inside the ADM computer and they are not evident externally, so they can exist without being detected.
The industry is realizing that the traditional security and certification approach fails because it does not provide transparency into the RNG process. The cost of a single problem is very high and hurts the whole industry. Consequently, transparency into the RNG process should be a requirement – at the very least to protect consumers.
The technical solution to the problem exists, and lotteries and operators worldwide have been deploying this technology since 2005. Early adopters include Danske Spil, Lottomatica, IGT, Sisal, and more recently Texas Lottery, Iowa Lottery, and Ithuba, South Africa – amongst others.
The currently available RNG system ensures fault-tolerance and provides nonrepudiation, proof of the origin and integrity of the generated random numbers. The process of generation in its initial step verifies if the RNG hardware generates a correct RNG seed and proceeds with a draw only if there is no device error, otherwise it switches to a second device. The verified digital signature, which functions as a RNG seed for random number generation, is saved as a Draw Signature. This Draw Signature allows for recreating every draw, and it serves as proof of draw integrity. The Draw Signature cannot be altered or manipulated and it provides information to identify any malfunction of the hardware, software, configuration errors, or fraud. The result: the draw generation process is transparent and there is independent verification of the numbers drawn on an independent system by internal auditing departments or outside entities. The verification can take place at the very time of the draw, just after the draw, or at any other later time following the draw. If there is any problem with the RNG generation process, this problem can always be detected. The Draw Signature existing in the form of a digital signature can also serve as legal protection.
In the recent Arizona draw machine malfunction, the same numbers were generated for consecutive draws. If the described RNG technology were used, the problem would have been detected before the first incorrect draw took place. This would have allowed the lottery to switch to another ADM, avoid an incorrect draw, and address the problem immediately instead of unknowingly continuing to use a faulty machine. The lottery would also have the draw signature – the irrefutable proof of integrity that would protect it against any liability cases. As it was, without draw transparency, it required multiple failures for the problem to be noticed. This, in turn, casts needless doubt on the integrity of the lottery and the industry as a whole.
The nonrepudiation of RNGs and draw transparency have not been made a requirement for RNGs/ADMs. Any lack of transparency in any part of the draw opens the industry to vulnerabilities that could easily be avoided. Regulators and lottery executives are in a position to protect consumers and build trust by demanding verifiable proof of draw outcomes, required for transparency in the draw process.