spanicker / ip-blindness


IP addresses are a poor authentication method, and GeoIP databases are a poor authorization method. Mobile roaming typically performs home routing, so a person in CA, and subject to CA laws, would actually be accidentally circumventing compliance systems if using a SIM card from Europe, for example. If we're looking at a metric for privacy, the population of an area and the number of Internet users in that area might be correlated differently for the US vs other countries. #12

Closed Nashmi97 closed 1 year ago

Nashmi97 commented 1 year ago

IP addresses are a poor authentication method, and GeoIP databases are a poor authorization method. Mobile roaming typically performs home routing, so a person in CA, and subject to CA laws, would actually be accidentally circumventing compliance systems if using a SIM card from Europe, for example. If we're looking at a metric for privacy, the population of an area and the number of Internet users in that area might be correlated differently for the US vs other countries.

Services want geolocation for different reasons, regulatory compliance and localisation I guess would be the main reasons. Allowing for services to select finer-grained or coarser-grained geolocation that allows them to achieve their goal while not allowing reduction of the anonymity set beyond that which is required would benefit user privacy.

Under GDPR or CCPA, it is possible to remove yourself from GeoIP databases, so if you were using a GeoIP database for compliance then this can be circumvented by removing your IP from the database. This could have interesting consequences for compliance.

There is also a deanonymisation vector that can be used if you can influence (or more slowly, only observe) the database. You could cause a user's IP to be reported differently as the database updates, to narrow down to a subnet. The best mitigation for this would be to only update infrequently, but at the cost of accuracy.

Originally posted by @irl in https://github.com/spanicker/ip-blindness/issues/1#issuecomment-589611982
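The two technical points in the quoted comment, that a service should ask for the coarsest geolocation that meets its goal so the anonymity set is not shrunk further than necessary, and that an observer who sees how a target's reported location changes across GeoIP database updates can intersect the candidate ranges and narrow the target down to a subnet, as one added worked example. This is illustration code, not code from the ip-blindness repository or from @irl or @Nashmi97. The database versions, the TEST-NET networks and the city names are constructed; `lookup`, `anonymity_set_size` and `narrow` are assumed helper names.

```python
import ipaddress
from typing import List, Sequence, Tuple

# Granularity levels a service might request, coarsest first.
LEVELS = ("country", "region", "city")

# Constructed toy GeoIP database versions (TEST-NET ranges, invented mappings).
# Each entry: (network, country, region, city). Successive versions split the
# 203.0.113.0/24 block into smaller, more precise blocks.
Entry = Tuple[str, str, str, str]

COMMON: List[Entry] = [
    ("198.51.100.0/25", "US", "CA", "Los Angeles"),
    ("198.51.100.128/25", "US", "NY", "New York"),
    ("192.0.2.0/24", "DE", "BE", "Berlin"),
]
DB_V1: List[Entry] = [("203.0.113.0/24", "US", "CA", "San Francisco")] + COMMON
DB_V2: List[Entry] = [
    ("203.0.113.0/25", "US", "CA", "San Francisco"),
    ("203.0.113.128/25", "US", "CA", "Oakland"),
] + COMMON
DB_V3: List[Entry] = [
    ("203.0.113.0/26", "US", "CA", "San Francisco"),
    ("203.0.113.64/26", "US", "CA", "Daly City"),
    ("203.0.113.128/25", "US", "CA", "Oakland"),
] + COMMON
VERSIONS = [DB_V1, DB_V2, DB_V3]


def _answer(entry: Entry, level: str) -> Tuple[str, ...]:
    """Location tuple a service sees for this entry at the requested granularity."""
    depth = LEVELS.index(level) + 1
    return tuple(entry[1:1 + depth])


def lookup(db: Sequence[Entry], ip: str, level: str) -> Tuple[str, ...]:
    """Resolve ip against one database version at the given granularity."""
    addr = ipaddress.ip_address(ip)
    for entry in db:
        if addr in ipaddress.ip_network(entry[0]):
            return _answer(entry, level)
    raise KeyError(f"{ip} not in database")


def candidates(db: Sequence[Entry], answer: Tuple[str, ...], level: str):
    """All networks whose lookup at this granularity yields `answer`."""
    return [ipaddress.ip_network(e[0]) for e in db if _answer(e, level) == answer]


def total_addresses(blocks) -> int:
    return sum(n.num_addresses for n in blocks)


def anonymity_set_size(db: Sequence[Entry], ip: str, level: str) -> int:
    """Number of addresses indistinguishable from ip at this granularity."""
    return total_addresses(candidates(db, lookup(db, ip, level), level))


def intersect(a, b):
    """Intersection of two lists of CIDR blocks (CIDR blocks are nested or disjoint)."""
    out = []
    for x in a:
        for y in b:
            if x.subnet_of(y):
                out.append(x)
            elif y.subnet_of(x):
                out.append(y)
    return out


def narrow(versions: Sequence[Sequence[Entry]], ip: str, level: str):
    """Observer attack from the comment: the observer never sees the target's
    address, only the location the service reports for it under each database
    version. Intersecting the candidate ranges across versions shrinks the set
    of addresses the target could have."""
    surviving = None
    for db in versions:
        seen = lookup(db, ip, level)          # what leaks this round
        cands = candidates(db, seen, level)
        surviving = cands if surviving is None else intersect(surviving, cands)
    return sorted(set(surviving))


if __name__ == "__main__":
    target = "203.0.113.70"
    for level in LEVELS:
        print(level, "anonymity set in v1:", anonymity_set_size(DB_V1, target, level))
    blocks = narrow(VERSIONS, target, "city")
    print("city-level observer narrows target to:", [str(b) for b in blocks],
          "=", total_addresses(blocks), "addresses")
    print("region-level observer is left with", total_addresses(
        narrow(VERSIONS, target, "region")), "addresses")
```

With these constructed versions, a city-level observer takes the target from a 256-address block in v1 to a 64-address block after v3, while an observer who only ever sees region-level answers is left with the same 384 candidate addresses it started with: in this data, coarser reporting removes the signal the update-differencing attack depends on, which is the trade-off the comment describes between granularity, update frequency and accuracy.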
