100 likes | 275 Vues
‘Geolocation’: New Pressures on RIRs? 12 November, 2002 Andrew McLaughlin Berkman Center, Harvard Law School. LACNIC III. Example 1: The Yahoo! Case. Yahoo’s yahoo.com auction site allows posting of Nazi paraphernalia (But not on its www.yahoo.fr site)
 
                
                E N D
‘Geolocation’: New Pressures on RIRs? 12 November, 2002 Andrew McLaughlin Berkman Center, Harvard Law School LACNIC III
Example 1: The Yahoo! Case • Yahoo’s yahoo.com auction site allows posting of Nazi paraphernalia • (But not on its www.yahoo.fr site) • Anti-racist groups in France sue Yahoo! • French judge orders Yahoo! to stop linking from its French take measures to block French users from access • Experts report: We think that IP address tracing using RIR Whois data would correctly identify about 70% of French Internet users as in France • Yahoo already uses such methods to target advertising. (Try www.google.com in Mexico!) • Lots of ways to evade this, like using proxy servers
French judge’s ruling • Yahoo.com auction site is directed generally at US-based users • But France has jurisdiction over Yahoo! • Symbols of Nazi ideology are of interest to any person • Simply displaying those symbols in France is a violation of the law • Yahoo! knows it reaches French users (Yahoo! targets its advertising) • Yahoo! already targets ads by geography, and blocks drugs, cigarettes, live animals, human organs • Yahoo! must (or pay euros 15,000/day): • Block French IP addresses from self-identified Nazi content; • Ask for user declaration of nationality whenever IP address information is not clear; • Check for place of delivery.
Example 2: New EU Tax Rules • When its new Value Added Tax (VAT) rules go into effect in July 2003, the European Union will require non-EU e-commerce vendors to charge tax on the basis of the geographic location of the customer. • VAT rates vary by country • For sales, residence of customer is location of transaction. • US variation: Collection of state-level sales taxes.
Geolocation • Simply means matching a given IP address with other data (RIR Whois databases, or specially-constructed proprietary databases) to pinpoint the geographic location of the machine. • Geolocation service vendors assemble their databases by gathering and storing individual IP addresses together with associated physical locations, as provided during e-commerce transactions, “Enter Your Zip Code”, etc. • Many limitations to these services: • For customers using dynamic IP addressing (dial-up customers), only the physical location of the POP can be estimated. • Same for users of proxy servers, VPNs, anonymizers, etc. • Cross-national ISPs; changes in network topology are common. • IPv6 makes shifts in geographic network topology much easier.
Governmental Interest? • Goal: Pinpoint geographic location of individual users. • Automatically & reliably. • Requiring use of proprietary “geolocation” services is not viewed as a realistic option – strong preference for use of non-commercial data sources. • RIR Whois data is free and publicly available. • So: There has been some government-level discussion about the use of the RIR Whois data to achieve the goal • Could vendors / websites be required to use RIR-maintained Whois data to locate customers / readers? • For improved accuracy, what changes in RIR Whois databases would be required? • Sources: OECD papers, EU taxation reports, US state tax proposals.
RIPE NCC Whois Policy • “Each assignment and allocation for public Internet address space must be registered in a publicly accessible Whois Database. Allocations and assignments in the RIPE NCC service region are registered in the RIPE Whois Database. This is necessary to ensure uniqueness and to support network operations.” • “All assignments to End Users need to be registered in the RIPE Whois Database. However, static assignments of single IP addresses to individual End Users (e.g. dial-up, ADSL, etc.) do not have to be registered separately to the Database. However, special verification methods apply.” • Update; LIR Audit [RIPE-234, 14 June 2002] ftp://ftp.ripe.net/ripe/docs/ripe-234.txt
APNIC Whois Poilcy “IRs are responsible for promptly and accurately registering their allocations and assignments in the APNIC Whois Database, as follows: • “All allocations must be registered. • “Assignments for networks greater than /30 must be registered. • “Assignments for networks of /30 or less may be registered, at the discretion of the IR and the network administrator. • “Assignments to hosts may be registered, at the discretion of the IR and the end-user.” • Update; [APNIC-086, 19 April 2002] <http://www.apnic.net/docs/policy/add-manage-policy.html>
RIR Problem (?) • Individual networks (AOL, UUNet, NTT Verio) cross national boundaries. • IP addresses are assigned by LIRs to networks without regard to the physical location of an End User. • 27 million AOL users will appear to be in Virginia. • RIR Whois data does not map to national boundaries. • Is it conceivable that RIR Whois data could be extended all the way down the allocation/assignment tree?
Looking ahead • As governments (and their courts) and the EU seek to apply laws to Internet content and transactions, there is some indication that they will explore the use of the RIRs’ IP address Whois data for purposes of pinpointing end user locations. • This seems to be a very very tentative idea – nothing too serious yet. • My view: • Not a smart idea to require automated geolocation. • Not a smart idea to rely on RIR Whois data. • The RIR communities should anticipate governmental interest in RIR Whois, and be prepared to explain and respond.