Reminds me of the problem with MaxMind and the IPs with undetermined locations being assigned to the geographical center of the country, with resulting problems for the people that lived there.
The MaxMind datasets (even the free ones) come with an accuracy radius, which makes it abundantly clear that the location is not exact. The ipinfo response doesn't even include that.
You can't stop ignorant people from drawing wrong conclusions, but at least MaxMind made it harder for them to do so, as the article mentions:
> MaxMind has changed its default centre points to be in the middle of bodies of water.
I don't know how ipinfo default coordinates compare to that; I would hope that they've learned the same lesson.
It's a valid point although ultimately the responsibility for displaying the data to end customers / users / viewers lies with the company / entity ingesting the data.
So if any sensitive locations are being displayed on a map & pinpoint a house for example, then the company displaying that data to end users needs to mask that (for example, changing the design to show a radius as opposed to a specific point).
As a freetime project I monitor my internet connections and display them on a world map. It's interesting to see where your traffic goes in the world and to what company. You can make statistics like "which company got the most traffic or most TCP connections from me".
I wonder if this will be still possible with IPv6.
You can get something similar if you use NextDNS. They show you an analytics map of the world where it colours in countries that your quering to/from and on mouse hover shows all the sites for that country.
How do they get the list of domains hosted? Doesn’t look like they initiate an SSL connection. Do they resolve every single domain (and therefore can’t see sub domains)? Or is there another trick?
Zone files are available for most gTLDs, would guess that's the prevalent way. A lot of "IP neighbourhood" type tools use these. A telltale sign is not seeing any ccTLD domains which are generally less easy to get a list of.
The variances would be fascinating. Maxmind have some insight to VPN identity but also have some howlers. I know whoever configured geo in most ad feeds in games, regarding my home provider here in Oz mislocates me significantly and it's a long term stable dhcp/dhcp6-pd binding.
Geo is hard. Sharing data would be good. (Disclamer: I work in an RIR)
>I think there was wide agreement that collecting the data was unethical.
AFAIK the unethical bit was that they were collecting unencrypted wifi traffic, which at the time could contain sensitive information (many popular sites were unencrypted back then). I don't think there's "wide agreement" that collecting wifi beacons was "unethical".
Would you feel any differently if people were recording your activities by pointing a camera at your window from the street? Or even just pressing random doorbells to see if anyone lives there?
Personally I think there is little difference between virtual unwarranted data collection and physical intrusions, and just because there isn’t some kind of barrier doesn’t make it acceptable.
“Privacy is the ability of an individual or group to seclude themselves or information about themselves, and thereby express themselves selectively.”
I’d posit that recording the location of every IP address, which in many cases can be directly tied to an individual, violates a user’s right to privacy by publishing information about them without their consent.
>Would you feel any differently if people were recording your activities by pointing a camera at your window from the street?
that's what curtains are for. if you were caught doing a shameful activity because your windows were wide open and a onlooker saw, that's on you.
>Or even just pressing random doorbells to see if anyone lives there?
so... jehovah's witnesses?
>I’d posit that recording the location of every IP address, which in many cases can be directly tied to an individual, violates a user’s right to privacy by publishing information about them without their consent.
How is this any different than going around and recording the coordinates of every street address? You can also make the argument that a street address can be correlated to an individual, and by associating a coordinate with it, you are violating "user’s right to privacy by publishing information about them without their consent"
> that's what curtains are for. if you were caught doing a shameful activity because your windows were wide open and a onlooker saw, that's on you.
People have a reasonable expectation of privacy in their own home. In addition, the right to privacy is not limited by arbitrary definitions of shamefulness.
> so... jehovah's witnesses?
That’s a whataboutism logical fallacy. Just because some people do it and get away with it doesn’t make it acceptable.
> How is this any different than going around and recording the coordinates of every street address? You can also make the argument that a street address can be correlated to an individual, and by associating a coordinate with it, you are violating "user’s right to privacy by publishing information about them without their consent"
That’s kind of a straw man IMO. An IP address is public information and is transmitted by every IP packet. You can’t compare it to someone’s home address which is normally private by default. By associating a location with an IP address, you are effectively transmitting your location with every IP packet.
So we have a GDPR breach now as I posted some IP address here :).
They are PI if you also have other data that can tie it to an individual without sending request to his internet provider. That company in the article is mostly tying IP to a country/region.
There is no technical way to get any info about individual from the IP address alone. I also disagree with "which in many cases can be directly tied to an individual" most often it is not tied and if it is then only temporarily and only if and when user logs into your system and you have other information about him that he gave out. With CG NAT and often dynamic IP allocation by providers.
In the end any "outrage" is not substantiated because the way IP addresses are managed you have whois registry that is public and that will tell you which provider has this IP and country/region as well. So they don't do anything that is not already possible.
> With CG NAT and often dynamic IP allocation by providers.
Which are both bad practices on the way out as IPv6 becomes the norm. (Static IP prefixes - to illustrate another PI aspect of this - also mean that ISPs don't have to keep IP logs, which for better or worse, laws require of them for potential future law enforcement purposes.)
And indeed, like other PI, their collection only becomes problematic when it's associated with other PI and/or is done on a massive enough scale (like this service is doing ?) - also remember how government databases are forbidden from merging for this very reason.
>People have a reasonable expectation of privacy in their own home.
AFAIK that "expectation of privacy" doesn't include things that you can see from the street.
>In addition, the right to privacy is not limited by arbitrary definitions of shamefulness.
What makes you think I suggested otherwise? I suggest you read more carefully next time. Obviously the "shameful" part was added to make an example. The "that's on you" won't make any sense if it was a innocuous activity, eg. watching TV.
>That’s a whataboutism logical fallacy. Just because some people do it and get away with it doesn’t make it acceptable.
it's not a whataboutism fallacy because the fact that it happens on a frequent basis and doesn't provoke action from law enforcement suggests that it is acceptable, at least from a legal point of view.
I suppose you could claim that people being annoyed at them makes it unacceptable from a social/moral point of view, but I'm still skeptical whether that has any implications from a privacy point of view. People are annoyed because it disturbs them, not because of the privacy implications. Furthermore, there are many ways of determining whether someone's home that doesn't involve knocking on doors, eg. checking whether the lights are on, or the cars on the driveway.
>That’s kind of a straw man IMO.
No, it's not. It's https://en.wikipedia.org/wiki/Reductio_ad_absurdum. A strawman is when you replace your opponents argument with a false one. I fail to see how I did that. There's nothing in that paragraph that suggests that "going around and recording the coordinates of every street address" is something that you proposed. You really need to lay off responding to everything with "fallacy", even when it isn't.
>An IP address is public information and is transmitted by every IP packet.
This seems baffling to me. Your IP address should get additional privacy protections because it's public?
>You can’t compare it to someone’s home address which is normally private by default.
Given how much I buy stuff online, it's not "private" by any means.
>By associating a location with an IP address, you are effectively transmitting your location with every IP packet.
1. the location is very coarse. Realistically speaking it's accurate down to the city you're in.
2. you realize that's how phone numbers worked, at least one or two decades ago? it has almost the same properties. It's transmitted with every call (caller ID) and it's vaguely correlated with your neighborhood (the middle 3 digits are the central office code). should we ban databases of central office code locations as well?
This is a great article showing how ipinfo gathers their data. It would be fascinating to see how it compares to the other providers.
I would really like to see the results of some of the ip addresses that he says are being spoofed as US-based.
[1] https://resolve.rs/ip/geolocation.html