
Kansas couple sues IP mapping firm for turning their life into a “digital hell” - antr
http://arstechnica.com/tech-policy/2016/08/kansas-couple-sues-ip-mapping-firm-for-turning-their-life-into-a-digital-hell/
======
cesarb
While most are focusing on the "default location" issue, I can see another
issue in this article:

Why are people expecting the output of an IP mapping database to be precise
enough to send law enforcement to that physical location? From what I could
gather from the article, law enforcement (and others) are treating it as if it
was as exact as a reverse phone number lookup, while in reality there's no way
a global IP mapping database can get much more precise than "around that city"
(unless perhaps if the IP address is in a datacenter).

That is, even without it being a "default location", sending people to the GPS
coordinates obtained from an IP mapping database is nonsense.

~~~
zAy0LfpBZLC8mAC
Really, the error here is that it's returning a point. And this is a mistake
that pervades all of society. The idea that any measurement could give you an
exact value. Every measurement of the physical world should always give you a
range of non-zero size. So, a lookup in a geo-ip database should give you an
area. And it's perfectly fine to give a default value of "the USA" if that's
where the address is located. It's only idiotic to return "the center of the
USA".

~~~
syshum
> So, a lookup in a geo-ip database should give you an area.

Good thing that is exactly what it does.

~~~
tlrobinson
There are multiple geo-ip databases. MaxMind's apparently does give an
"accuracy radius"
[https://www.maxmind.com/en/geoip-demo](https://www.maxmind.com/en/geoip-demo)
but many others don't, and of course tools built on top of any particular
geo-ip database might not present that information to users.

------
jessaustin
This is kind of like "SWATting", in that we hold anyone and everyone _except_
police responsible for horrible things done by police. One would have expected
some sort of procedure to have developed, between the second and four-hundred-
thirty-second time the sheriff's department drove out to hassle these people.
Apparently one would be expecting too much.

~~~
ptaipale
The problem is not only with police or law enforcement, though. It seems all
sorts of individuals and organisations knock on the door of the farm because
they don't realize they were given a dummy location.

------
manarth
There are a lot of comments saying that given a fixed area (e.g. "Somewhere in
the USA"), that it's common to return the centroid of a polygon.

There's an interesting note in the Fusion article[1], where it mentions
_"[the farm] is a two-hour drive from the exact geographical center of the
United States"_.

> _As any geography nerd knows, the precise center of the United States is in
> northern Kansas, near the Nebraska border. Technically, the latitudinal and
> longitudinal coordinates of the center spot are 39°50′N 98°35′W._

> _In digital maps, that number is an ugly one: 39.8333333,-98.585522_

> _So MaxMind decided to clean up the measurements and go with a simpler,
> nearby latitude and longitude: 38.0000,-97.0000._

I wonder whether that decision - to _choose_ a location, rather than use the
precise centroid of the area - will cost MaxMind the case.

[1] [http://fusion.net/story/287592/internet-mapping-glitch-kansa...](http://fusion.net/story/287592/internet-mapping-glitch-kansas-farm/)

~~~
Raphmedia
Why don't they return 00.000000,00.000000 or the GPS position for the North
Pole instead? Would be a lot less confusing that the data was void.

~~~
jessaustin
In that case they'd be getting sued by various police agencies who have wasted
money on arctic trips, as well as the survivors of various officers who were
eaten by polar bears.

~~~
dpiers
Except 0,0 is not in the Arctic, it's a little bit off the coast of Nigeria.

And, the problem with returning Null or 0,0 is that it implies there is no
information available. There is still value in having a default location if
the country of an IP is known, but the location is not. If you work with
MaxMind a lot, you know that 38,-97 is a US IP with unknown location.

~~~
polartx
>Except 0,0 is not in the Arctic, it's a little bit off the coast of Nigeria.

Amusingly, that would actually lead many agencies to a closer proximity of the
scammers they're searching for.

------
raverbashing
"when MaxMind was first choosing the default point on its digital map for the
center of the U.S."

This doesn't make any sense. Why does it need to return a place in the middle
of the US when the location is unknown?

This is what it should return: "location is unknown" and absolutely NOT a pair
of geographical coordinates

~~~
cnvogel
It should just return a precision estimate along with the data. Here's what
the ancient (from January 1996) standard for "location" records in the DNS
specifies, which in my view is very sensible:
[https://tools.ietf.org/html/rfc1876](https://tools.ietf.org/html/rfc1876)

    
    
        SIZE The diameter of a sphere enclosing the described entity, in
        centimeters, expressed as a pair of four-bit unsigned integers,
        each ranging from zero to nine, with the most significant four bits
        representing the base and the second number representing the power of
        ten by which to multiply the base. This allows sizes from 0e0 (<1cm) to
        9e9 (90,000km) to be expressed. This representation was chosen such that
        the hexadecimal representation can be read by eye; 0x15 = 1e5. Four-bit
        values greater than 9 are undefined, as are values with a base of zero
        and a non-zero exponent.
    
        HORIZ PRE The horizontal precision of the data, in centimeters,
        expressed using the same representation as SIZE.  This is
        the diameter of the horizontal "circle of error", rather
        than a "plus or minus" value.  (This was chosen to match
        the interpretation of SIZE; to get a "plus or minus" value,
        divide by 2.)
    

...so, for a point "somewhere" in the United States, I'd reckon that
SIZE=1·10⁰m (1 times 10^0=1m) and HORIZ (and VERT) PRE set to 5·10⁶m (5 times
10^6=5000km) would be a sane choice.

(measuring on Google Maps, the United States seems to measure about 4500km from
east- to west-coast)
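
The byte encoding quoted from RFC 1876 above, as an added Python example that is not part of the comment or of the RFC. The function names are illustrative; since the RFC's unit is centimeters, a 5000 km circle of error is 5e8 cm, which encodes as 0x58.

```python
# RFC 1876 SIZE / HORIZ PRE / VERT PRE: one byte, high nibble = base (0-9),
# low nibble = power of ten (0-9), value in centimeters.

def decode_precision(byte: int) -> int:
    """Return the value in centimeters for one size/precision byte."""
    if not 0 <= byte <= 0xFF:
        raise ValueError("not a single byte")
    base, exponent = byte >> 4, byte & 0x0F
    if base > 9 or exponent > 9:
        raise ValueError("four-bit values greater than 9 are undefined")
    if base == 0 and exponent != 0:
        raise ValueError("base of zero with non-zero exponent is undefined")
    return base * 10 ** exponent


def encode_precision(centimeters: int) -> int:
    """Encode a length, rounding UP to the next representable value so the
    stated circle of error is never smaller than the real one."""
    if centimeters < 0:
        raise ValueError("negative length")
    for exponent in range(10):
        base = -(-centimeters // 10 ** exponent)  # ceiling division
        if base <= 9:
            return (base << 4) | exponent
    raise ValueError("larger than 9e9 cm, the format's maximum")


def plus_or_minus_km(byte: int) -> float:
    """HORIZ PRE is a diameter; halve it for a 'plus or minus' value in km."""
    return decode_precision(byte) / 2 / 100_000  # 100,000 cm per km


if __name__ == "__main__":
    # Constructed sample: a record meaning "somewhere in a 5000 km wide area".
    horiz_pre = encode_precision(5000 * 100_000)
    print(f"HORIZ PRE byte: 0x{horiz_pre:02x}")
    print(f"diameter: {decode_precision(horiz_pre)} cm")
    print(f"plus or minus: {plus_or_minus_km(horiz_pre)} km")
```
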

~~~
UVB-76
This assumes users of the data don't then report the location, and ignore the
precision estimate.

------
dangrossman
Why are these law enforcement agencies turning up to -any- latitude/longitude
pair from an IP-to-location database? Even when the location is "known" it's
still just going to point to the center of a city or region an IP range was
allocated to at some time.

To map a specific IP to a specific physical location you want to arrest
someone at, you'd have to actually go to the ISP (with a subpoena) and ask
them what customer that IP was allocated to at a specific time, then look up
that customer's address. They know that, right?

~~~
adventured
Most likely reason? Ignorance. Very few people (sub 1% of the earth's
population) actually know how an IP works, how an IP is assigned, or what
their weak and often non-relationship to physical locations or GPS coordinates
are. So when said people use a product that pretends to offer accurate
correlation, they don't know any better.

~~~
ultramancool
But you'd think that if their job was law enforcement of internet crimes, they
would have to have at least a very basic understanding of this sort of thing. It
couldn't be more than a 2 or 3 hour training course to teach people a bit
about IP and how to use subpoenas or other law enforcement requests to ISPs to
get what they need.

~~~
throwaway049
It doesn't look like law enforcement of internet crimes is the main use of
this product. More like general law enforcement is just one use among many.
That said, I am surprised the local sheriffs don't immediately recognize the
address and disregard it, after the first few misunderstandings.

------
joebergeron
I get that this is indicative of a bigger issue: default behavior. Choosing to
return something as arbitrary as //almost// the center of the US as a default
when the location is unknown is pretty universally ridiculous. And in
production code expected to have a huge user base and likely a lot of
situations where there's no known location? Alright.

That said, after reading again and again how ridiculous decisions like these
lead to these disproportionate real-world effects, I can't help but laugh at
the sheer absurdity of it all. "Digital hell", indeed.

~~~
redcalx
I like how they 'fixed' it by moving the default to the centre of a lake. So
you still have the waste of police (or whoever) driving out to some location
before they figure out what's going on.

~~~
alex_hitchins
You would think it better to set it to a police headquarters.

~~~
redcalx
Yeh good compromise. The ideal solution would be for their API to not report a
precise location if it doesn't know one. I guess they have no simple method of
stating a region rather than a point, and if they did the consumer of the APIs
would probably just use the centre of the region most of the time.

I guess they could just not give lat/long when unknown, but still state
country, state, county, etc. if they're known.

~~~
syshum
That is not how location services work, you always get at least 3 data points,
Lat, Lon and Accuracy

[http://dev.maxmind.com/geoip/geoip2/web-services/#location](http://dev.maxmind.com/geoip/geoip2/web-services/#location)

It is up to the Developer to do sanity checks on the Accuracy for their type
of application.

in some instances just knowing it came from the US or some other country is
accurate enough.

To claim they should simply not return any data if they do not have an
accuracy level to your arbitrary standards would make the service useless

IMO Max Mind is not the problem here, people taking the data and using it as
if it is accurate to 1in is the problem.

Geo-location data on IP address has NEVER EVER been that accurate, NEVER. The
fact the law Enforcement, Consumers and others use this data as the sole data
point then act on that data is the problem, not that Max Mind Returned a Lat
Lon to the center of the US

~~~
redcalx
> To claim they should simply not return any data if they do not have an
> accuracy level to your arbitrary standards would make the service useless

Ideally they'd offer a version of the service that gives a probability 'heat
map', but in reality 99% of users would use a simplified version with an app
configured threshold for what constitutes useful info for that app, and also
how to convert a heat map to a single point (since that's what most people seem
to want) or a very localised region (e.g. within 100 meters or so).

In reality the simplified version would be provided as a service with a
default threshold, anything under the threshold would not report a position,
but could still report a country ISO code and perhaps state, county as
optional extras. These are workable compromises to the ideal of everyone
consuming a heat map in a sensible way (IMO).

~~~
syshum
> Ideally they'd offer version of the service that gives a probability 'heat
> map'

that is not "ideal" at all, one of the first uses of this data was for real
time CC fraud Detection, giving a computer processing CC info a graphical
"heat map" is less than useless. Most geolocation API data is consumed by
computers that use it for many things, not presented to the user directly.

> In reality the simplified version would be provided as a service with a
> default threshold, anything under the threshold would not report a position,
> but could still report a country ISO code and perhaps state, county as
> optional extras.

It appears you believe this data is only for Human Consumption. If an API is
designed to return LAT and LON and Accuracy, then that is what it should
return, not an ISO country code. I get you believe no API should be designed
this way, but I as a developer that consumes these services prefer it that
way, makes it easier to write against

I as a developer am asking for Max Mind to give me Lat Lon and Accuracy, not a
ISO Country Code or Heatmap

~~~
redcalx
The heat map is the baseline data model; from that it's possible to derive
simpler models for simpler use cases. However, providing access to the
baseline model will likely be useful for some use cases. i.e. if you want
something more nuanced than lat/long.

> It appears you believe this data is only for Human Consumption.

Most humans I've encountered don't refer to countries by their ISO code...
most.

~~~
socksy
But MaxMind already do return ISO codes... The developers are picking and
matching which returned values they want to consume.

------
UVB-76
Fusion covered this story in depth four months ago:

[1] [http://fusion.net/story/287592/internet-mapping-glitch-kansa...](http://fusion.net/story/287592/internet-mapping-glitch-kansas-farm/)

[2] [http://fusion.net/story/290772/ip-mapping-maxmind-new-us-def...](http://fusion.net/story/290772/ip-mapping-maxmind-new-us-default-location/)

~~~
kjhughes
Yes, and those references are even cited in this article. Title link should be
changed to one of these, away from wrapper article.

------
saalweachter
So I think there's an important lesson in here for software engineers.

How do you design your API so that it is as difficult as possible for your
clients to misinterpret?

The "always return a center & accuracy" API is very simple and elegant, but
with the benefit of hindsight, you can assume that a significant fraction of
your users are just going to ignore that accuracy number and treat the center
as precise. As was pointed out elsewhere in this thread, the default point
isn't the only problem -- any town, city, or state will generate similar
problems.

One option would be to return a richer result type: (COUNTRY, "United States")
(CITY, "Portland, OR, USA") (REGION, latlng-a, latlng-b) (POINT, latlng,
accuracy)

Now it becomes more difficult for a client to pretend most of those are
precise points.

The best API is sometimes not the one that is easiest to use but most
difficult to misuse.
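
One way a consumer could enforce the richer result type proposed above, as an added Python example that is not from the thread or from any vendor's API. It covers three of the four suggested variants plus an explicit unknown; the record keys and the 1 km threshold are assumptions, and the only placeholder listed is the 38,-97 pair named in the thread.

```python
from dataclasses import dataclass
from typing import Union

# Placeholder coordinates the thread names for "US IP, location unknown".
DEFAULT_POINTS = {(38.0, -97.0)}

@dataclass(frozen=True)
class Unknown:
    pass

@dataclass(frozen=True)
class Country:
    iso_code: str

@dataclass(frozen=True)
class City:
    name: str
    iso_code: str

@dataclass(frozen=True)
class Point:
    lat: float
    lon: float
    radius_km: float

Result = Union[Unknown, Country, City, Point]

def classify(record: dict, max_point_radius_km: float = 1.0) -> Result:
    """Return the most specific result the record's accuracy supports.

    Coordinates are handed out only inside a Point, and only when the
    accuracy radius is present, small enough, and not a known placeholder.
    """
    lat, lon = record.get("lat"), record.get("lon")
    radius = record.get("radius_km")
    has_coords = lat is not None and lon is not None
    is_default = has_coords and (round(lat, 4), round(lon, 4)) in DEFAULT_POINTS
    if (has_coords and radius is not None
            and radius <= max_point_radius_km and not is_default):
        return Point(lat, lon, radius)
    country, city = record.get("country"), record.get("city")
    if city and country and not is_default:
        return City(city, country)
    if country:
        return Country(country)
    return Unknown()

if __name__ == "__main__":
    # Constructed sample records, not real lookups.
    for rec in (
        {"country": "US", "lat": 38.0, "lon": -97.0, "radius_km": 1000},
        {"country": "US", "city": "Portland, OR, USA",
         "lat": 45.52, "lon": -122.68, "radius_km": 20},
        {"country": "US", "lat": 45.5231, "lon": -122.6765, "radius_km": 0.5},
    ):
        print(classify(rec))
```
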

~~~
whack
I appreciate the notion that "explicit is better than implicit", so as to
minimize assumptions and miscommunications. But that said, if the service is
providing details for a region using the center-and-radius approach, that
sounds perfectly reasonable. It explicitly states what is being returned, and
the fact that it isn't a single point. For responsible clients who are using
the API correctly, this data-response is the easiest to parse and make sense
of.

I would hate to see a world where services are responsible for generating and
clients are responsible for parsing data in an overly convoluted and
cumbersome format, just to minimize the risk of irresponsible clients
misinterpreting it.

------
jobigoud
> center spot coordinates are 39.8333333,-98.585522.

> go with a simpler 38.0000,-97.0000.

Wait a minute, that's a weird rounding. Even if it's ill-advised, why did he
choose that rather than 40,-99?

------
SFJulie
Half of the classical problem of any detection system (like GPS, big data,
IA): the cost of false positive.

The other one being false negative (like an alarm not detecting trespassing).

False positive are called artefacts, but people want to believe so much in the
infallibility of IT that they use detection system as if the result were error
prone.

Hence what I call the Oracle syndrome: genuinely scientific person relying on
an inaccurate system by nature as an exact system. Then they scale up system
and what is anecdotal occurrence becomes a serious concern with accumulation.

Non conformity with expectations are not handled anymore, they are disdained
and measurement systems (hence that can fail) are used as exact systems.

It is like death penalty: should we care about the innocent people that will
pay a dear price from wrongfully giving too much trust in non perfect systems
knowing there is a tendency to make it hard to contest the decision because it
would attack the trust we have in the system?

------
walrus01
There are two completely separate fucked up things here:

a) Maxmind shouldn't be returning a location like this for "Anywhere in the
USA". It should either be 0,0 for unknown or something totally obvious like
the Washington Monument in WA DC.

b) The fact that clueless/ignorant law enforcement is blithely trusting and
USING this spurious data. Someday a person is going to get SWATTed and shot
dead over this sort of thing.

------
jaynos
Similar situation near Atlanta, Georgia (not the center of the US) was
discussed earlier this year [1]. Reply All had a good podcast about figuring
out the real issue [2] in this case.

[1] [http://fusion.net/story/214995/find-my-phone-apps-lead-to-wr...](http://fusion.net/story/214995/find-my-phone-apps-lead-to-wrong-home/)

[2] [https://gimletmedia.com/episode/53-in-the-desert/](https://gimletmedia.com/episode/53-in-the-desert/)

------
tzakrajs
Were the police using this as an escape to burn time? Why even investigate?

------
FussyZeus
You would think after like fourth or fifth IP search turned up this some
bloody farm these guys might start questioning that result.

I don't work in LE at all but if I was, and I was getting sent to the same
damn house every other week for everything from drug trafficking to sex
slavery I'd start raising an eyebrow whenever dispatch tried to have me go
there again.

I suppose they really can't just not go because of the gravity of most of
those calls, but you'd think at least the stolen cellphone/car could wait
until the morning.

~~~
manarth
From the original Fusion article[1], it sounds like the _local_ LE know
exactly what's going on, but need to intervene with people who aren't local -
FBI agents, federal marshals, IRS collectors, ambulances, police officers,
etc:

> _“That poor woman has been harassed for years,” Butler County Sheriff Kelly
> Herzet told me by phone. Herzet said that his department’s job has become to
> protect the Taylor house from other law enforcement agencies._

[1] [http://fusion.net/story/287592/internet-mapping-glitch-kansa...](http://fusion.net/story/287592/internet-mapping-glitch-kansas-farm/)

------
sscotth
Reminds me of this:
[https://aaasen.github.io/github_globe/](https://aaasen.github.io/github_globe/)

Previous Discussion:
[https://news.ycombinator.com/item?id=6470600](https://news.ycombinator.com/item?id=6470600)

[http://imgur.com/cGuetKg](http://imgur.com/cGuetKg)

------
DanBC
Here are some comments from a while ago:
[https://news.ycombinator.com/item?id=11466849](https://news.ycombinator.com/item?id=11466849)

------
jtrtoo
Contrarian perspective: These GeoIP firms should start offering businesses in
a given area the ability to sponsor the area and become the default location.

------
SteveCoast
Trying to make this better with open GeoIP data over at
[http://browserlocation.co/](http://browserlocation.co/)

------
SlashmanX
I wonder if that couple could take advantage of this and start a life of cyber
crime from now on in a sort of 'boy who cried wolf' situation

