I sincerely doubt that any actual law could be enforced against an ISP which is a legal entity in one location, yet has multiple discrete /23 or /24 blocks and without any obfuscation chooses to announce them from multiple different geographic locations. Configurations where an AS has multiple islands of service which are not linked together by an internal transport network are not that rare these days (see prior discussion about merits vs risks of filtering out your own netblock at your BGP edge). If anyone is aware of any case law precedent for such a prosecution, it would be interesting to see citations.

The only scenario in which I could see a legal penalty being imposed on some ISP is if it fails to publish an accurate record of its corporate name, address and contact info for its ARIN, RIPE, AFRINIC, APNIC, etc. entity listing as a corporation. Obviously you can't and shouldn't attempt to obfuscate where you're headquartered, and you need to be able to prove your legal entity bona fides to ARIN or RIPE anyways in order to maintain registration.

As to whether third party content sources might refuse to serve content to an ISP announcing blocks in weird places, an ISP tunneling a customer's traffic from one location to another, or misunderstanding their geolocation (Hulu in the US is a fine example of this, its regional content is broken on Starlink right now because of a misunderstanding of how the CGNAT traffic meets the real Internet), that's not a law...

That's an arbitrary private choice of some OTT video content provider or CDN to serve or not serve certain licenses of copyrighted content based on what it thinks is geolocation data. Another example would be the content you see on Canadian domestic Netflix vs US domestic Netflix.



On Wed, Apr 21, 2021 at 12:22 PM William Herrin <bill@herrin.us> wrote:
On Wed, Apr 21, 2021 at 11:58 AM nanoguser100 via NANOG <nanog@nanog.org> wrote:
> I wanted to get the community's opinion on this.
>
> Increasingly I have run into 'niche needs' where a client has a few users in a country where we don't have a POP, say Estonia. This is 'mainly' for localization but also in some cases for compliance (some sites REQUIRE an Estonian IP). With that being said, is it common practice to 'fake' Geolocations? In this case the user legitimately lives in Estonia, they just happen to be using our cloud service in Germany.

If the endpoint (e.g. web server) is physically located in Germany and
you're helping a client misrepresent that it's located in Estonia in
order to evade a legal requirement that it be located in Estonia then
you've made yourself a party to criminal fraud. Do I really need to
explain how bad an idea that is?

If the service is a VPN relay for addresses which are actually being
used in Estonia then what's the problem? You're just a transit for
those IPs. Report the location where the endpoints are, not the
transits.

Regards,
Bill Herrin


--
William Herrin
bill@herrin.us
https://bill.herrin.us/