Security journalist Kashmir Hill put it well.
“Most casual internet users don’t know anything about IP mapping defaults,” she wrote when first reporting on the unfortunate Kansas couple whose quiet rural farmhouse has become associated with the geographic center of the US and whose address, thanks to an internet mapping glitch, has thus wound up being the default answer to “Where the hell is this nefarious IP address located,” as opposed to what that answer should have been: “We don’t have a clue.”
Hill:
They just know that when a website tells them that their scammer lives in Potwin, Kansas, they get in the car and go.
The home’s 82-year-old owner, Joyce Taylor née Vogelman, her family, and the subsequent tenants who came to rent her home, have for the past 10 years been accused of being identity thieves, spammers, and scammers, have found on their doorstep FBI agents, federal marshals, IRS collectors, ambulances searching for suicidal veterans, and police officers searching for runaway children, and have been wrongfully punished by irate people who’ve published their names and addresses or left a broken toilet in their driveway.
On Friday, the couple who rent that farmhouse – James and Theresa Arnold – filed a lawsuit against MaxMind, the company that should have said “we don’t have a clue where that IP address is located”, or that should, at least, have used a default location that wasn’t their house.
According to the complaint, the problems started the first week after the Arnolds moved into the house in May 2011.
That’s when two deputies came around, looking for a stolen truck.
Over the next 5 years, that scenario repeated “countless times,” according to the complaint.
The plaintiffs were repeatedly awakened from their sleep or disturbed from their daily activities by local, state or federal officials looking for a runaway child or a missing person, or evidence of a computer fraud, or call of an attempted suicide. Law enforcement officials came to the residence all hours of the day or night.
Local police were baffled.
They didn’t understand IP addresses and internet mapping, which, as we’ve noted before, renders up GPS coordinates that deceptively appear pinpoint-precise but which are far from it.
The Arnolds and Vogelmans aren’t the only people who’ve been erroneously “pinpointed” at an address that some business has listed in some database as the one to associate with given IP addresses.
Another victim is Wayne Dobson, of Las Vegas: a repeat victim of what Naked Security’s Paul Ducklin calls “precise imprecision”: because of a flaw in a mobile phone company’s database, as of 2013, it was sending people who’d lost their phones to his house, even though all it really knew was that their phone was located somewhere in that part of the world.
It doesn’t draw a little circle on the map to say, “That phone’s probably in a 2km radius of here,” or a jagged polygon to say “It’s somewhere inside this grid of lines joining the following five transmission towers spread over an 8km2 area.”
It as good as says, “Head to Casa Dobson. You’ll find the phone in the kitchen, next to the kettle, under this morning’s newspaper.”
Local Kansas police didn’t know all that. Neither did the Arnolds.
But as angry people continued to show up at the Arnolds’ home, accusing them of things like clogging their computer systems with spam, they ran a background check on the couple.
This is what that background check found, from the complaint:
After this check, the plaintiffs were told that a “[LDNS, or Local Domain Name Server]” was located on the property and that the Sheriff Department received weekly reports about fraud, scams, stolen Facebook accounts, missing person reports, suicide threats from the VA that appeared to come from the address and stolen vehicles all related to the residence.
It was only after Hill wrote an investigate piece for Fusion, titled “How an Internet Mapping Glitch Turned a Random Kansas Farm into a Digital Hell,” that the Arnolds found out who was allegedly at the root of the problem: MaxMind.
As Hill reported, in 2002, the Massachusetts-based digital mapping company decided it wanted to provide IP intelligence to companies who wanted to know the geographic location of a computer, be it for targeted marketing or to send warning letters to people pirating music or movies.
Thomas Mather, a co-founder of MaxMind, told Hill that the company had originally picked a latitude and longitude that was in the center of the country – or, rather, a spot 2 hours away, with a less cumbersome latitude and longitude – to use when it was unsure of the physical address to associate with an IP address.
In other words, the Vogelmans’ farmhouse.
Mather told Hill that it had never occurred to the company that people would use the database to try to track people down to a household level. MaxMind had always advertised the database as determining the location down to a city or zip code level, he said: not to locate a household.
Evidently, trying to explain these complexities to MaxMind’s 5,000 clients is tough. As a result, there are now over 600 million IP addresses associated with this default “middle of the country, sort of” coordinate.
Mather told Hill in April that MaxMind would be changing the default locations for the US and Ashburn, Virginia, placing them in the middle of bodies of water, rather than people’s homes.
How quickly MaxMind’s 5,000 business clients would update the data is hard to say, though: some could take months, Mather said at the time.
The Arnolds are asking for compensatory and punitive damages in excess of $75,000.
treFunny
“The Arnolds are asking for compensatory and punitive damages in excess of $75,000.”
they should ask for more than that… a lot more. The local police, FBI, etc should be paying not MaxMind. Nothing like paying your taxes and the very people you pay with those taxes abusing their positions and doing exactly what they did here. If you dont understand the basic’s of networking and how an IP address works you shouldn’t be investigating any type of cyber crime. Again the FBI, police etc didn’t do their job correctly and or lacked training to do their job correctly. MaxMind was just providing the service and obviously even the FBI and others didnt understand what service they paid for…
If Maxmind has to pay, every time a gun owner uses their guns in illegal ways… Glock/X manufacture would get sued. That is wrong!!!! Hold the government and the investigating agencies accountable for once! That is their job after all.
Lisa Vaas
The police eventually figured it out and posted a sign on the property, asking people to call them instead of harassing the residents. MaxMind wasn’t just providing a service: it was substituting this particular farmhouse address because the exact middle of the country, as accepted by geography experts, had an ungainly set of GPS coordinates. From the sounds of it, MaxMind had no idea that this nightmare would spring from that substitution. When Kashmir Hill told the company about it, MaxMind moved to fix two instances of people’s homes being substituted for “sort of in/the middle of/we don’t really know where” situations.
I could see the suit having merit when it comes to holding MaxMind accountable. But we’ll see what the courts say.
Phil
A similar problem with GPS locations. If you enter an address that it can’t find (misspelled name or wrong number?), some units will point to the center of the zip code if you give one. I NEVER enter the zip code for that reason.
Mel Metts
Last Friday, a man came to my house looking for his wife’s iPhone. Police were called and wanted permission to search my house and garage. Turns out the phone had been misplaced in the building where she works. It had never left the building.
Anonymous
Is Internet mapping similar to when you open Google maps and the center of the ma[ is somewhere near your location?
Browser
Short answer: Yes.
Longer answer: What it (tries to do) does is take your (public) IP Address and compare it to a set of lists (and probably other resources nowadays) that detail where in the world that IP Address is located physically. It then passes that information on to the other thing.
Other: What the article is talking about is called Geolocation, for a proper explanation I highly recommend looking at wikipedia or another reliable source of your choosing. (I probably should have brushed up on the topic before replying, now that I think about it…)
Bruce
The problem with IP addresses alone is you can end up extremely far from the mark. My sister uses CenturyLink. Doing a search on her current IP address “pinpoints” her in Denver, Colorado, not her actual location – a mere 864 miles apart. It did the same thing for me when I was using CenturyLink as well saying I was located 851 miles from my actual location.
Browser
The 3G Modem I owned some years ago was “pinpointed” to exist somewhere in the Northern Territory (Australia) rather than along the south-eastern coast where I had been at the time. I found it amusing at the time, but can see how it could easily cause people a lot of grief when a fallback is set up with such a terrible default.