Submitting Fake Geolocation for blocks to Data Brokers and RIRs

Fri Apr 23 19:44:21 UTC 2021

> I see a lot of replies about the legality.  As mentioned I have legitimate reasons for doing this.  I plan on serving customers in country.

> Your “legitimate” reason is to avoid someone else’s restrictions on the content they own. You are intentionally falsifying data to keep the owner of something from controlling that thing the way they want to control it.

> You and I have different definitions of “legitimate”.

Under normal circumstances where user has a proper laptop with a DIA connection in Estonia they would get the Estonian content.

Because the user's organization decided to consolidate their PCs and security services into a cloud hosted remote desktop product should have no bearing on how the end user's experience is.

The end users at the org don't know they are "going through us".  They just open their "computer" and work.

> Risk? Blacklisted where?

> The risk of another ISP filtering your traffic for this is very low, almost certainly to the right of the decimal, but not mathematically zero to infinite decimal places. As I mentioned before, the risk of geo-loc providers ignoring any of your manual updates in the future is higher, but still low. Most of those things are automated.

Thank you.

Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, April 23, 2021 11:11 AM, Patrick W. Gilmore <patrick at ianai.net> wrote:

> On Apr 22, 2021, at 7:58 PM, nanoguser100 via NANOG nanog at nanog.org wrote:
>
> > I see a lot of replies about the legality. As mentioned I have legitimate reasons for doing this. I plan on serving customers in country.
>
> Your “legitimate” reason is to avoid someone else’s restrictions on the content they own. You are intentionally falsifying data to keep the owner of something from controlling that thing the way they want to control it.
>
> You and I have different definitions of “legitimate”.
>
> > My questions really are:
> >
> > -   Is most geo data simply derived from self reporting?
>
> No comment.
>
> > -   Do these vendors have verification mechanisms?
>
> Yes.
>
> > -   Going to the Estonia\Germany example would a traceroute "terminating" in Germany before being handed off to my network 1ms away be a tell-tale sign the servers are in Germany.
>
> Yes.
>
> BTW: Adding artificial latency to mimic a trip back to Estonia is a bad idea, IMHO.
>
> > -   Is the concept of creating "pseudoPOPs" where it's not cost effective to start a POP in the region a 'common practice'?
>
> No, but it is not unheard-of.
>
> > -   Do I run the risk of being blacklisted for this practice?
>
> Risk? Blacklisted where?
>
> The risk of another ISP filtering your traffic for this is very low, almost certainly to the right of the decimal, but not mathematically zero to infinite decimal places. As I mentioned before, the risk of geo-loc providers ignoring any of your manual updates in the future is higher, but still low. Most of those things are automated.
>
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> TTFN,
> patrick
>
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Wednesday, April 21, 2021 9:00 AM, nanoguser100 via NANOG nanog at nanog.org wrote:
> >
> > > I wanted to get the communities' opinion on this.
> > > I am an admin for a quasi-ISP providing cloud hosted desktop solutions for end users. We have POPs all around the world, own our own ASN, and advertise /24s or /23s at each of our POPs fro our large aggregate. As an ISP we submit our blocks to popular geolocation vendors such as Google, Maxmind, IP2, etc and put the proper geolocations in our RIR records (RADB, ARIN, etc).
> > > Increasingly I have run into 'niche needs' where a client has a few users in a country we don't have a POP, say Estonia. This is 'mainly' for localization but also in some cases for compliance (some sites REQUIRE an Estonian IP). With that being said is it common practice to 'fake' Geolocations? In this case the user legitimately lives in Estonia, they just happen to be using our cloud service in Germany. I do want to operate in compliance with all the ToS as I don't want to risk our ranges getting blacklisted or the geo vendors stop accepting our data. I would think it's pretty easy to tell given a traceroute would end in Germany even though you're claiming the IP is in Estonia. How common of a practice is it to 'fake' the geos? Is it an acceptable practice?
> > > Sent with ProtonMail Secure Email.