How could a website operator identify where in the world a specific user is right now?

Screenshot of a faked location

How does a website operator know where in the world a user is located right now?

Let's say that there's a law which requires a website operator not to provide its service to people in the UK who are under 18.

Not to use reasonable efforts to do so. Not to attempt to do so unless the user is trying to frustrate it. But a simple, bare legal requirement not to provide service to people in the UK who are under 18. (i.e. This post is about technical options, not questioning the law.)

And let's say that there a multiple countries with similar-but-not-identical laws.

  • Country A, which says that the website operator is not to provide its service to people in Country A who are under 21.

  • Country B, which says that the website operator is not to provide its service to people in Country B who are under 25.

  • And Country C, which says that the website operator is not to provide its service to people in Country C at all.

Assuming that the website operator does not want to shut up shop totally - by applying the most restrictive rule, of Country C, to everyone - and that it does care about the laws in other countries (a big "if", but it's my example, so...) how does the website operator establish where the user is located at the point at which they access the site, to know which rule to apply?

tl;dr

I don't think you can, with any reasonable degree of assurance.

So can we stop it already with poorly thought-through laws, which oblige organisations to do things, or punish organisations for not doing things, which they simply cannot do?

What you could try

You could try a number of things.

Ask the user

Users lie.

Ask for a copy of the user's passport

Not everyone has a passport.

And it doesn't show where the user is right now anyway.

Use the user's IP address as a proxy for their location

Unreliable, but circumvented anyway by using a VPN or Tor.

The website operator could try to detect if someone is using a VPN or Tor, and apply different approach to them, but the point of this page is to say that there is no robust, reliable approach.

Ask the user for a mobile number, and text them a one-time code

Roaming.

You can rent a number from a different country.

Or make use of a SIM in a GSM gateway in another country.

HTTP Accept-Language header

It doesn't show where the user is, just what language they prefer (or what locale they have set). I could have set en-gb but be anywhere in the world.

And, anyway, a user can simply change it, via browser settings.

Ask the user for a mobile number, text them a one-time code, and do an HLR lookup

It requires every user to have a mobile phone.

But an SRI-SM query, made through a service which can get through an operator's SMS firewall, might work. (It's not just a query of the HLR, in the technical sense; it needs a bit more than that.)

Creepy, and requires SS7 access, or a contract with someone who does.

It wouldn't stop someone who had access to a SIM in a GSM gateway in the country of their choosing.

Ask the user for a postal address, post them a one-time code

Only shows an address to which a user has access, not where they are right now. And obviously not real time.

Require the user to share the geolocation from the html5 location API, through their browser

Trivially spoofable.

Require the user to download a mobile app, which uses mobile device derived location

It requires every user to have a suitable mobile phone, and the willingness to run your dodgy app.

Spoofable anyway, if you root your device.

So you ban rooted devices? I'd give it a day or so before someone has a version of your app which runs on a rooted device.

A mobile app, which can access the identify of nearby cell towers / broadcast PLMN IDs

It requires every user to have a suitable mobile phone, and the willingness to run your dodgy app.

Not all devices / OSs surface this information for developers.

Run the app in an Android emulator, and spoof the inputs?

Other factors

What do you do if a user lives close to a national border? How confident are you that you've placed them the right side of the border?


Author: neil

I'm Neil. By day, I run a law firm, decoded.legal, giving advice on Internet, telecoms, and tech law. This is my personal blog, so will be mostly about tech stuff, cycling, and other hobbies.

You can find me (and follow me) on Mastodon and Twitter.