On Wed, Apr 21, 2021 at 12:21:26PM -0700, William Herrin wrote:
a legal requirement that it be located in [Atlantis]
A legal requirement of whom? Undoubtedly the requirement is made of provider of this theoretical service doing the restricting. Is that "legal requirement" satisfied by asking a third party their opinion of the source of a given IP packet? Or is there an actual measure of due diligence necessary on the part of the service provider or the maintainer of the GeoIP database? Because it amuses me, let's think this one out: Let's assume there are sanctions by Utopia against Atlantis, because I cannot think of any other geolocation-based legal requirement. Can you? Widgets Unlimited of Utopia, LLC provides access to technical manuals on its website. Someone in their customer service IT support group learns of the sanctions and wires up their website to IPgeoco's API. A "devious" Atlantean sends a SYN to Widgets Unlimited server, who sends a SYN/ACK back, followed by a GET request from the Atlantean, which triggers an API call for "geolocation of origin" to IPgeoco, which returns "El Dorado", and then the LLC sends the Atlantean the manual for their tractor. The Utopian government uses its enormous, ubiquitous surveillance mechanisms (every Utopian government has one) to discover the transaction and is FURIOUS. They slap Widgets Unlimited with a huge fine (also a feature of Utopian governments) and threaten to schedule them for a holiday at the local re-education camp (Utopian service at its finest.) The remaining executives at Widgets Unlimited start to look into "how this could have happened!" They discover that no one did any due diligence to qualify these transactions. They just asked a third party what their opinion of the source of the connection might be. Widgets Unlimited didn't inquire from the requester if they were a customer, where they might be located, or anything else. They based their entire determination on a JSON field. One of the younger lawyers decides to seek damages from IPgeoco for misrepresenting the information in their database. IPgeoco shrugs and points at their terms of service. And they're located in the Switzerhamas anyway. "We don't do due diligence on our database. We just format and republish information provided to us." So, the young Widgets Unlimited lawyer, high on ...fees, decides to bully an ISP in El Dorado who runs a microwave relay across the strait for some Atlantean customers. "You misrepresented the geographic location of those IP addresses!" "We've never spoken to you and don't know who you are," replies Phantom Gold ISP's legal team. "But you provided this information to IPgeoco!" "And?" "And you materially misrepresented that information!" "We did not. We're located in El Dorado, we told IPgeoco that the addresses are assigned to us in El Dorado, and they were issued by FARIN, the RIR for the Fantastic realms which lists us in El Dorado." "But it's inaccurate!" "Accurate to what standard?" "International borders!" "Of whom?" "The actual host sending the packets." "Why?" "Because we use this as the basis of our compliance with Utopian sanctions regulations!" "So let me get this straight: you blindly trusted a database operated by a disinterested party ... who collects data from a wide variety of other disinterested third parties ... who follow widely variant policies for the meaning of, let alone "accuracy" (to what standard?) of, that data ... and find this to be a sufficiently stable basis for bypassing your seeking redress from your GeoIP provider and harassing me as a common carrier in third party nation for some kind of nebulous damages?" -- . ___ ___ . . ___ . \ / |\ |\ \ . _\_ /__ |-\ |-\ \__