: Code 2.0

Who Did What, Where?

Who Did What, Where?

Finally, as long as different jurisdictions impose different requirements, the third bit of data necessary to regulate efficiently is knowing where the target of regulation is. If France forbids the selling of Nazi paraphernalia, but the United States does not, then a website wanting to respect the laws of France must know something about where the person accessing the Internet is coming from.

But once again, the Internet protocols didnt provide that data. And thus, it would be extremely difficult to regulate or zone access to content on the basis of geography.

The original Internet made such regulation extremely difficult. As originally deployed, as one court put it:

The Internet is wholly insensitive to geographic distinctions. In almost every case, users of the Internet neither know nor care about the physical location of the Internet resources they access. Internet protocols were designed to ignore rather than document geographic location; while computers on the network do have addresses, they are logical addresses on the network rather than geographic addresses in real space. The majority of Internet addresses contain no geographic clues and, even where an Internet address provides such a clue, it may be misleading.[20]

But once again, commerce has come to the rescue of regulability. There are obvious reasons why it would useful to be able to identify where someone is when they access some website. Some of those reasons have to do with regulation again, blocking Nazi material from the French, or porn from kids in Kansas. Well consider these reasons more extensively later in this book. For now, however, the most interesting reasons are those tied purely to commerce. And, again, these commercial reasons are sufficient to induce the development of this technology.

Once again, the gap in the data necessary to identify someones location is the product of the way IP addresses are assigned. IP addresses are virtual addresses; they dont refer to a particular geographic place. They refer to a logical place on the network. Thus, two IP addresses in principle could be very close to each other in number, but very far from each other in geography. Thats not the way, for example, zip codes work. If your zip code is one digit from mine (e.g., 94115 vs. 94116), were practically neighbors.

But this gap in data is simply the gap in data about where someone is deducible from his IP address. That means, while theres no simple way to deduce from that someone is in California, it is certainly possible to gather the data necessary to map where someone is, given the IP address. To do this, one needs to construct a table of IP addresses and geographic locations, and then track both the ultimate IP address and the path along which a packet has traveled to where you are from where it was sent. Thus while the TCP/IP protocol cant reveal where someone is directly, it can be used indirectly to reveal at least the origin or destination of an IP packet.

The commercial motivations for this knowledge are obvious. Jack Goldsmith and Tim Wu tell the story of a particularly famous entrepreneur, Cyril Houri, who was inspired to develop IP mapping technology. Sitting in his hotel in Paris one night, he accessed his e-mail account in the United States. His e-mail was hosted on a web server, but he noticed that the banner ads at the top of the website were advertising an American flower company. That gave him a (now obvious) idea: Why not build a tool to make it easy for a website to know from where it is being accessed, so it can serve relevant ads to those users?[21]

Houris idea has been copied by many. Geoselect, for example, is a company that provides IP mapping services. Just browse to their webpage, and theyre 99 percent likely to be able to tell you automatically where you are browsing from. Using their services, you can get a geographical report listing the location of the people who visit your site, and you can use their products to automatically update log files on your web server with geographic data. You can automatically change the greeting on your website depending upon where the user comes from, and you can automatically redirect a user based upon her location. All of this functionality is invisible to the user. All he sees is a web page constructed by tools that know something that the TCP/IP alone doesnt reveal where someone is from.

So what commercial reasons do websites have for using such software? One company, MaxMind[22], lists the major reason as credit card fraud: If your customer comes from a high risk IP address meaning a location where its likely the person is engaged in credit card fraud then MaxMinds service will flag the transaction and direct that it have greater security verification. MaxMind also promises the service will be valuable for targeted advertising. Using its product, a client can target a message based upon country, state, or city, as well as a metropolitan code, an area code, and connection speed of the user (no need to advertise DVD downloads to a person on a dial-up connection).

Here too there is an important and powerful open source application that provides the same IP mapping functions. Hostip.info gives website operators for free the ability to geolocate the users of their site[23]. This again means that the core functionality of IP mapping is not held exclusively by corporations or a few individuals. Any application developer including a government could incorporate the function into its applications. The knowledge and functionality is free.

Thus, again, one of the original gaps in the data necessary to make behavior regulable on the Internet geographic identity has been filled. But it has not been filled by government mandate or secret NSA operations (or so I hope). Instead, the gap has been filled by a commercial interest in providing the data the network itself didnt. Technology now layers onto the Internet to produce the data the network needs.

But it is still possible to evade identification. Civil liberty activist Seth Finkelstein has testified to the relative ease with which one can evade this tracking.[24] Yet as I will describe more below, even easily evaded tracking can be effective tracking. And when tied to the architectures for identity described above, this sort will become quite effective.

: 1.206. /Cache: 3 / 1