Transcript lacnic-ajm-12nov02

LACNIC III
‘Geolocation’:
New Pressures on RIRs?
12 November, 2002
Andrew McLaughlin
Berkman Center, Harvard Law School
Example 1: The Yahoo! Case
• Yahoo’s yahoo.com auction site allows posting of
Nazi paraphernalia
– (But not on its www.yahoo.fr site)
• Anti-racist groups in France sue Yahoo!
• French judge orders Yahoo! to stop linking from its
French take measures to block French users from
access
• Experts report: We think that IP address tracing
using RIR Whois data would correctly identify about
70% of French Internet users as in France
– Yahoo already uses such methods to target advertising. (Try
www.google.com in Mexico!)
– Lots of ways to evade this, like using proxy servers
French judge’s ruling
•
•
Yahoo.com auction site is directed generally at US-based
users
But France has jurisdiction over Yahoo!
–
–
–
•
•
Symbols of Nazi ideology are of interest to any person
Simply displaying those symbols in France is a violation of the law
Yahoo! knows it reaches French users (Yahoo! targets its
advertising)
Yahoo! already targets ads by geography, and blocks
drugs, cigarettes, live animals, human organs
Yahoo! must (or pay euros 15,000/day):
1. Block French IP addresses from self-identified Nazi content;
2. Ask for user declaration of nationality whenever IP address
information is not clear;
3. Check for place of delivery.
Example 2: New EU Tax Rules
• When its new Value Added Tax (VAT) rules go
into effect in July 2003, the European Union will
require non-EU e-commerce vendors to charge
tax on the basis of the geographic location of
the customer.
• VAT rates vary by country
• For sales, residence of customer is location of
transaction.
• US variation: Collection of state-level sales
taxes.
Geolocation
• Simply means matching a given IP address with other
data (RIR Whois databases, or specially-constructed
proprietary databases) to pinpoint the geographic location
of the machine.
– Geolocation service vendors assemble their databases by
gathering and storing individual IP addresses together with
associated physical locations, as provided during e-commerce
transactions, “Enter Your Zip Code”, etc.
• Many limitations to these services:
– For customers using dynamic IP addressing (dial-up customers),
only the physical location of the POP can be estimated.
– Same for users of proxy servers, VPNs, anonymizers, etc.
– Cross-national ISPs; changes in network topology are common.
– IPv6 makes shifts in geographic network topology much easier.
Governmental Interest?
• Goal: Pinpoint geographic location of individual users.
– Automatically & reliably.
• Requiring use of proprietary “geolocation” services is
not viewed as a realistic option – strong preference for
use of non-commercial data sources.
– RIR Whois data is free and publicly available.
• So: There has been some government-level discussion
about the use of the RIR Whois data to achieve the goal
– Could vendors / websites be required to use RIR-maintained
Whois data to locate customers / readers?
– For improved accuracy, what changes in RIR Whois databases
would be required?
– Sources: OECD papers, EU taxation reports, US state tax
proposals.
RIPE NCC Whois Policy
• “Each assignment and allocation for public Internet address
space must be registered in a publicly accessible Whois
Database. Allocations and assignments in the RIPE NCC
service region are registered in the RIPE Whois Database. This
is necessary to ensure uniqueness and to support network
operations.”
• “All assignments to End Users need to be registered in the RIPE
Whois Database. However, static assignments of single IP
addresses to individual End Users (e.g. dial-up, ADSL, etc.) do
not have to be registered separately to the Database. However,
special verification methods apply.”
• Update; LIR Audit
[RIPE-234, 14 June 2002]
ftp://ftp.ripe.net/ripe/docs/ripe-234.txt
APNIC Whois Poilcy
“IRs are responsible for promptly and accurately registering their
allocations and assignments in the APNIC Whois Database, as
follows:
• “All allocations must be registered.
• “Assignments for networks greater than /30 must be registered.
• “Assignments for networks of /30 or less may be registered, at the
discretion of the IR and the network administrator.
• “Assignments to hosts may be registered, at the discretion of the IR
and the end-user.”
• Update;
[APNIC-086, 19 April 2002]
<http://www.apnic.net/docs/policy/add-manage-policy.html>
RIR Problem (?)
• Individual networks (AOL, UUNet, NTT Verio)
cross national boundaries.
• IP addresses are assigned by LIRs to
networks without regard to the physical
location of an End User.
– 27 million AOL users will appear to be in Virginia.
• RIR Whois data does not map to national
boundaries.
• Is it conceivable that RIR Whois data could
be extended all the way down the
allocation/assignment tree?
Looking ahead
• As governments (and their courts) and the EU seek
to apply laws to Internet content and transactions,
there is some indication that they will explore the use
of the RIRs’ IP address Whois data for purposes of
pinpointing end user locations.
• This seems to be a very very tentative idea – nothing
too serious yet.
• My view:
– Not a smart idea to require automated geolocation.
– Not a smart idea to rely on RIR Whois data.
• The RIR communities should anticipate governmental
interest in RIR Whois, and be prepared to explain
and respond.