Geo IP Scope #1

Open
AramZS opened this issue Nov 21, 2019 · 7 comments

AramZS commented Nov 21, 2019

I agree we need to provide some form of general non-exact Geolocation to sites in order to allow this proposal, but country-level is insufficient to handle privacy compliance properly; we have to be able to resolve at least down to the US State level right now, as we have different compliance regimes rising in a number of states, with one known in CA, but more likely to come.

bslassey (Collaborator) commented

Good point. Policy-wise we could allow for identifying location down to a political entity (trying for a word that covers both US states and countries) of at least some minimum number of people (500,000 people would cover all US states).

irl commented Feb 21, 2020

IP addresses are a poor authentication method, and GeoIP databases are a poor authorization method. Mobile roaming typically performs home routing, so a person in CA and subject to CA laws would actually be accidentally circumventing compliance systems if using a SIM card from Europe, for example. If we're looking at a metric for privacy, the population of an area and the number of Internet users in that area might be correlated differently for the US vs other countries.

Services want geolocation for different reasons, regulatory compliance and localisation I guess would be the main reasons. Allowing for services to select finer-grained or coarser-grained geolocation that allows them to achieve their goal while not allowing reduction of the anonymity set beyond that which is required would benefit user privacy.

Under GDPR or CCPA, it is possible to remove yourself from GeoIP databases, so if you were using a GeoIP database for compliance then this can be circumvented by removing your IP from the database. This could have interesting consequences for compliance.

There is also a deanonymisation vector that can be used if you can influence (or more slowly, only observe) the database. You could cause a user's IP to be reported differently as the database updates, to narrow down to a subnet. The best mitigation for this would be to only update infrequently, but at the cost of accuracy.

RussStringham commented

There are many reasons why a site would want finer resolution than country. Small businesses only want their ads served to people that are close enough to their business to be potential customers. Stores with multiple locations want to direct the person to the nearest store. A site should be able to declare that they are only using the IP address for Geo-location and specify the precision they are using. They could specify one of:

  • Country
  • State/Province
  • Designated Market Area (DMA) or equivalent
  • City
  • U.S. zip code or equivalent
  • rough latitude/longitude (that may be higher resolution than a city/zip code)

The number of privacy budget bits consumed would be based on the precision, but all of these should require fewer bits than the full IP address.

An implementation could assign a fixed number of bits for a given resolution (country is 5 bits, city is 12) or it could be based on the number of unique IP addresses that map to that particular location. For example, there are many more IP addresses in New York City than in Moscow, Idaho.
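The two budgeting schemes sketched in this comment, fixed bits per precision level versus bits derived from the size of the anonymity set, and the minimum-population floor suggested by bslassey earlier in the thread, can be put side by side in a small model. The following is an added example written for this discussion; it is not code from the proposal or from any commenter. The bucket labels, the per-bucket address counts, the `FIXED_BITS` table and the choice of the IPv4 address space as the total are all constructed assumptions; real GeoIP data would replace them. Set-based cost is computed as log2(total / bucket_size), so a bucket covering half of all addresses costs one bit and a single address costs 32.

```python
import math

# Assumption: the universe of addresses is the whole IPv4 space.
TOTAL_IPS = 2 ** 32

# Constructed sample: the nested buckets one hypothetical address falls into,
# from coarsest to finest, with an invented count of how many unique addresses
# a hypothetical GeoIP database maps to each bucket.
BUCKETS = [
    # (precision level, bucket label, number of addresses in the bucket)
    ("country", "US", 1_600_000_000),
    ("state", "US/ID", 5_000_000),
    ("dma", "US/ID/Spokane-DMA", 1_200_000),
    ("city", "US/ID/Moscow", 40_000),
    ("zip", "US/ID/83843", 12_000),
    ("latlon", "46.73,-117.00", 256),
]

# Constructed fixed-cost table in the spirit of "country is 5 bits, city is 12".
FIXED_BITS = {"country": 5, "state": 8, "dma": 10, "city": 12, "zip": 16, "latlon": 20}


def bits_consumed(bucket_size, total=TOTAL_IPS):
    """Set-based cost of revealing a bucket: log2(total / bucket_size).

    The smaller the bucket, the more the revelation narrows the user down and
    the more budget it should consume.
    """
    if bucket_size <= 0 or bucket_size > total:
        raise ValueError("bucket size must be between 1 and total")
    return math.log2(total / bucket_size)


def cost_table(buckets, total=TOTAL_IPS):
    """Map each precision level to (fixed_bits, set_based_bits rounded to 2 dp)."""
    return {
        level: (FIXED_BITS[level], round(bits_consumed(size, total), 2))
        for level, _label, size in buckets
    }


def finest_allowed(buckets, requested_level, min_set):
    """Coarsen a request until the bucket's address count meets min_set.

    Walks from the requested level back towards country level and returns the
    first (level, label, size) whose size is at least min_set, or None if even
    the coarsest bucket is below the floor.
    """
    levels = [level for level, _, _ in buckets]
    idx = levels.index(requested_level)
    for level, label, size in reversed(buckets[: idx + 1]):
        if size >= min_set:
            return level, label, size
    return None


if __name__ == "__main__":
    for level, (fixed, set_based) in cost_table(BUCKETS).items():
        print(f"{level:8s} fixed={fixed:2d} bits  set-based={set_based:5.2f} bits")
    # A site asking for zip precision under a 500,000-address floor is coarsened.
    print(finest_allowed(BUCKETS, "zip", 500_000))
```

With these constructed counts the set-based cost of the latitude/longitude bucket (24 bits) exceeds the fixed 20, while country costs well under its fixed 5, which is the gap between the two schemes the comment points at. The floor check treats the minimum as a count of addresses in the bucket rather than a count of residents, since address counts are what a GeoIP database can actually report; a population-based floor would need a separate census lookup.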

npdoty commented Oct 28, 2021

> I agree we need to provide some form of general non-exact Geolocation to sites in order to allow this proposal, but country-level is insufficient to handle privacy compliance properly; we have to be able to resolve at least down to the US State level right now, as we have different compliance regimes rising in a number of states, with one known in CA, but more likely to come.

Are there any cases where compliance with one jurisdiction's privacy laws requires violating the privacy laws of another jurisdiction?

It seems like state-level geolocation by IP address is only necessary for compliance in the sense that a service provider may not want to provide that functionality (for user opt-out or notice, say) to visitors from outside that state, but not that it would be non-compliant if it did.

npdoty commented Feb 1, 2023

@spanicker can you block these spam commenters from this repo? Thanks.
