nanog mailing list archives
Re: Submitting Fake Geolocation for blocks to Data Brokers and RIRs
From: Izaac <izaac () setec org>
Date: Thu, 22 Apr 2021 10:32:45 -0400
On Wed, Apr 21, 2021 at 12:21:26PM -0700, William Herrin wrote:
a legal requirement that it be located in [Atlantis]
A legal requirement of whom? Undoubtedly the requirement is made of provider of this theoretical service doing the restricting. Is that "legal requirement" satisfied by asking a third party their opinion of the source of a given IP packet? Or is there an actual measure of due diligence necessary on the part of the service provider or the maintainer of the GeoIP database? Because it amuses me, let's think this one out: Let's assume there are sanctions by Utopia against Atlantis, because I cannot think of any other geolocation-based legal requirement. Can you? Widgets Unlimited of Utopia, LLC provides access to technical manuals on its website. Someone in their customer service IT support group learns of the sanctions and wires up their website to IPgeoco's API. A "devious" Atlantean sends a SYN to Widgets Unlimited server, who sends a SYN/ACK back, followed by a GET request from the Atlantean, which triggers an API call for "geolocation of origin" to IPgeoco, which returns "El Dorado", and then the LLC sends the Atlantean the manual for their tractor. The Utopian government uses its enormous, ubiquitous surveillance mechanisms (every Utopian government has one) to discover the transaction and is FURIOUS. They slap Widgets Unlimited with a huge fine (also a feature of Utopian governments) and threaten to schedule them for a holiday at the local re-education camp (Utopian service at its finest.) The remaining executives at Widgets Unlimited start to look into "how this could have happened!" They discover that no one did any due diligence to qualify these transactions. They just asked a third party what their opinion of the source of the connection might be. Widgets Unlimited didn't inquire from the requester if they were a customer, where they might be located, or anything else. They based their entire determination on a JSON field. One of the younger lawyers decides to seek damages from IPgeoco for misrepresenting the information in their database. IPgeoco shrugs and points at their terms of service. And they're located in the Switzerhamas anyway. "We don't do due diligence on our database. We just format and republish information provided to us." So, the young Widgets Unlimited lawyer, high on ...fees, decides to bully an ISP in El Dorado who runs a microwave relay across the strait for some Atlantean customers. "You misrepresented the geographic location of those IP addresses!" "We've never spoken to you and don't know who you are," replies Phantom Gold ISP's legal team. "But you provided this information to IPgeoco!" "And?" "And you materially misrepresented that information!" "We did not. We're located in El Dorado, we told IPgeoco that the addresses are assigned to us in El Dorado, and they were issued by FARIN, the RIR for the Fantastic realms which lists us in El Dorado." "But it's inaccurate!" "Accurate to what standard?" "International borders!" "Of whom?" "The actual host sending the packets." "Why?" "Because we use this as the basis of our compliance with Utopian sanctions regulations!" "So let me get this straight: you blindly trusted a database operated by a disinterested party ... who collects data from a wide variety of other disinterested third parties ... who follow widely variant policies for the meaning of, let alone "accuracy" (to what standard?) of, that data ... and find this to be a sufficiently stable basis for bypassing your seeking redress from your GeoIP provider and harassing me as a common carrier in third party nation for some kind of nebulous damages?" -- . ___ ___ . . ___ . \ / |\ |\ \ . _\_ /__ |-\ |-\ \__
Current thread:
- Re: Submitting Fake Geolocation for blocks to Data Brokers and RIRs, (continued)
- Re: Submitting Fake Geolocation for blocks to Data Brokers and RIRs Tom Beecher (Apr 22)
- RE: Submitting Fake Geolocation for blocks to Data Brokers and RIRs Brian Turnbow via NANOG (Apr 22)
- Re: Submitting Fake Geolocation for blocks to Data Brokers and RIRs Mark Tinka (Apr 22)
- RE: Submitting Fake Geolocation for blocks to Data Brokers and RIRs Brian Turnbow via NANOG (Apr 22)
- Re: Submitting Fake Geolocation for blocks to Data Brokers and RIRs Mark Tinka (Apr 22)
- Re: Submitting Fake Geolocation for blocks to Data Brokers and RIRs Jaap Akkerhuis (Apr 22)
- Re: Submitting Fake Geolocation for blocks to Data Brokers and RIRs Tom Beecher (Apr 22)
- Re: Submitting Fake Geolocation for blocks to Data Brokers and RIRs Robert Blayzor via NANOG (Apr 22)
- Message not available
- Re: Submitting Fake Geolocation for blocks to Data Brokers and RIRs nanoguser100 via NANOG (Apr 22)
- Re: Submitting Fake Geolocation for blocks to Data Brokers and RIRs Matthew Petach (Apr 22)
- Re: Submitting Fake Geolocation for blocks to Data Brokers and RIRs Patrick W. Gilmore (Apr 22)
- Re: Submitting Fake Geolocation for blocks to Data Brokers and RIRs George Michaelson (Apr 22)
- Re: Submitting Fake Geolocation for blocks to Data Brokers and RIRs RafaĆ Fitt (Apr 23)
- Re: Submitting Fake Geolocation for blocks to Data Brokers and RIRs Patrick W. Gilmore (Apr 23)
- Re: Submitting Fake Geolocation for blocks to Data Brokers and RIRs nanoguser100 via NANOG (Apr 23)
- Re: Submitting Fake Geolocation for blocks to Data Brokers and RIRs William Herrin (Apr 23)