How could a website operator identify where in the world a specific user is right now?
How does a website operator know where in the world a user is located right now?
Let’s say that there’s a law which requires a website operator not to provide its service to people in the UK who are under 18.
Not to use reasonable efforts to do so. Not to attempt to do so unless the user is trying to frustrate it. But a simple, bare legal requirement not to provide service to people in the UK who are under 18. (i.e. This post is about technical options, not questioning the law.)
And let’s say that there are multiple countries with similar-but-not-identical laws.
- Country A, which says that the website operator is not to provide its service to people in Country A who are under 21.
- Country B, which says that the website operator is not to provide its service to people in Country B who are under 25.
- And Country C, which says that the website operator is not to provide its service to people in Country C at all.
Assuming that the website operator does not want to shut up shop totally - by applying the most restrictive rule, of Country C, to everyone - and that it does care about the laws in other countries (a big “if”, but it’s my example, so…) how does the website operator establish where the user is located at the point at which they access the site, to know which rule to apply?
tl;dr
I don’t think you can, with any reasonable degree of assurance.
So can we stop it already with poorly thought-through laws, which oblige organisations to do things, or punish organisations for not doing things, which they simply cannot do?
What you could try
You could try a number of things.
Ask the user
Users lie.
Ask for a copy of the user’s passport
Not everyone has a passport.
And it doesn’t show where the user is right now anyway.
Use the user’s IP address as a proxy for their location
Unreliable, but circumvented anyway by using a VPN or Tor.
The website operator could try to detect if someone is using a VPN or Tor, and apply a different approach to them, but the point of this page is to say that there is no robust, reliable approach.
Ask the user for a mobile number, and text them a one-time code
Roaming.
You can rent a number from a different country.
Or make use of a SIM in a GSM gateway in another country.
HTTP Accept-Language header
It doesn’t show where the user is, just what language they prefer (or what locale they have set). I could have set en-gb but be anywhere in the world.
And, anyway, a user can simply change it, via browser settings.
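To make the IP address and Accept-Language options concrete, here is an added example (not code from this post) of a server-side check for the Country A/B/C scenario. The country codes XA/XB/XC, the `ipCountry` and `ipIsAnonymiser` inputs, and the fail-closed policy are assumptions of the example.

```javascript
// Constructed rules for the post's scenario. XA/XB/XC are placeholder codes
// for "Country A/B/C"; minAge null means no service at all.
const RULES = { GB: { minAge: 18 }, XA: { minAge: 21 }, XB: { minAge: 25 }, XC: { minAge: null } };

// Parse Accept-Language into region subtags, highest q-value first.
// These are locale preferences set by the client, not evidence of location.
function regionsFromAcceptLanguage(header) {
  return (header || "")
    .split(",")
    .map((part) => {
      const [tag, ...params] = part.trim().split(";");
      const qParam = params.map((p) => p.trim()).find((p) => p.startsWith("q="));
      const q = qParam ? parseFloat(qParam.slice(2)) : 1;
      // Region is a two-letter subtag after the language (skips scripts like "Hant").
      const region = tag.split("-").find((s, i) => i > 0 && /^[A-Za-z]{2}$/.test(s));
      return { region: region ? region.toUpperCase() : null, q: Number.isNaN(q) ? 0 : q };
    })
    .filter((e) => e.region && e.q > 0)
    .sort((a, b) => b.q - a.q)
    .map((e) => e.region);
}

// Most restrictive rule across candidate countries; unlisted countries impose none.
function strictest(countries) {
  return countries.reduce((worst, c) => {
    const rule = RULES[c] || { minAge: 0 };
    if (worst.minAge === null || rule.minAge === null) return { minAge: null };
    return rule.minAge > worst.minAge ? rule : worst;
  }, { minAge: 0 });
}

// ipCountry and ipIsAnonymiser are assumed to come from a GeoIP / VPN-Tor
// lookup the operator already runs; declaredAge is whatever the user typed.
function decide({ ipCountry, ipIsAnonymiser, acceptLanguage, declaredAge }) {
  const unknown = ipIsAnonymiser || !ipCountry;
  // Fail closed: with no usable location, every regulated country is a candidate.
  const candidates = unknown
    ? Object.keys(RULES)
    : [...new Set([ipCountry, ...regionsFromAcceptLanguage(acceptLanguage)])];
  const { minAge } = strictest(candidates);
  return {
    allow: minAge !== null && declaredAge >= minAge,
    minAge,
    candidates,
    confidence: unknown ? "none" : "low", // never higher: every input is client-influenced
  };
}
```

Every input to `decide` is either inferred from the connection or supplied by the user, so the result never rises above "low" confidence, and a request flagged as coming through an anonymiser collapses to Country C's rule.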
Ask the user for a mobile number, text them a one-time code, and do an HLR lookup
It requires every user to have a mobile phone.
But an SRI-SM query, made through a service which can get through an operator’s SMS firewall, might work. (It’s not just a query of the HLR, in the technical sense; it needs a bit more than that.)
Creepy, and requires SS7 access, or a contract with someone who does.
It wouldn’t stop someone who had access to a SIM in a GSM gateway in the country of their choosing.
Ask the user for a postal address, post them a one-time code
Only shows an address to which a user has access, not where they are right now. And obviously not real time.
Require the user to share the geolocation from the HTML5 Geolocation API, through their browser
Trivially spoofable.
Require the user to download a mobile app, which uses mobile device derived location
It requires every user to have a suitable mobile phone, and the willingness to run your dodgy app.
Spoofable anyway, if you root your device.
So you ban rooted devices? I’d give it a day or so before someone has a version of your app which runs on a rooted device.
A mobile app, which can access the identity of nearby cell towers / broadcast PLMN IDs
It requires every user to have a suitable mobile phone, and the willingness to run your dodgy app.
Not all devices / OSs surface this information for developers.
Run the app in an Android emulator, and spoof the inputs?
Other factors
What do you do if a user lives close to a national border? How confident are you that you’ve placed them the right side of the border?