Skip to main content

2 posts tagged with "olg"

View All Tags
DetectedCompliance

GeoLocs / mkodo at OLG iOS: session terminated immediately when device location services are disabled ✓

GeoLocsOLG (Ontario Lottery & Gaming)
geolocsmkodoolgioslocation-services

Source. May 26, 2026 weekly sync.
Ticket. CIV-52: Ontario — mkodo / GeoLocs — Compliance Failures & Retest.

What we tested

Whether the OLG iOS app (GeoLocs / mkodo geolocation) would correctly refuse to operate when device location services were turned off — i.e. the most basic compliance pre-condition (no location signal → no wager).

What happened

  • Session was terminated immediately on detection of disabled location services.

Why it matters

The baseline check works. A platform that allows wagering with no location data is unambiguously non-compliant; this vendor correctly refuses, on iOS, at session start.

That said — pair this with the OLG / GeoLocs VPN gap recorded the same week: the vendor does enforce when the device claims to be unable to locate, but falls down when the device claims to be located somewhere it isn't. The two findings together describe the shape of the gap: GeoLocs trusts the device's location signal too uncritically when that signal is present.

Cross-reference

GeoLocs profile → · May 26 weekly sync →

MissedVPNComplianceUX / messaging

GeoLocs / mkodo at OLG (Ontario): VPN-from-Ontario allowed when location services are on; Netherlands VPN only blocked on re-entry, no user-facing error

GeoLocsOLG (Ontario Lottery & Gaming)
geolocsmkodoolgvpnontario

Source. May 26, 2026 weekly sync.
Ticket. CIV-52: Ontario — mkodo / GeoLocs — Compliance Failures & Retest (Casumo, High Flyer, OLG).

What we tested

Two VPN scenarios against the OLG (Ontario Lottery and Gaming) web app, geolocated by GeoLocs / mkodo:

  1. Ontario-based VPN — exit-node inside the licensed jurisdiction.
  2. Netherlands-based VPN — out-of-jurisdiction exit node.

In both cases device location services were left active so the system had a real GPS signal alongside the VPN IP.

What happened

  • Ontario-based VPN was authorised when location services remained active. Unrestricted gameplay and wagering were permitted — the VPN itself was not flagged.
  • Netherlands-based VPN did not trigger any immediate session termination. The user was able to keep playing.
  • Detection only fired on re-entry — when the user exited a game and tried to come back in, the system finally prohibited access.
  • No explanatory error notification was shown to the user at the point of block. Silent failure on a compliance event.

Why it matters

Two distinct failure modes in one test:

  1. VPN-tolerance when device GPS agrees. A VPN with an in-state exit-node is fine, even though VPN-detection is a normal column of any modern compliance stack. Anyone wanting to obscure their network identity inside Ontario faces no friction.
  2. Late, silent block on out-of-state VPN. The system does eventually detect the Netherlands VPN, but only at a session boundary — and tells the user nothing. From the user's perspective the platform "just stopped working."

This combines into a UX-and-compliance double failure: the wrong thing is allowed, the right thing is detected too late, and the user is never told what happened.

Cross-reference

GeoLocs profile → · May 26 weekly sync →