Geolocation is More Than GeoIP

by Leo Vegoda

What is Geolocation

Today’s internet and associated technologies have a suite of services to help users and others know where someone or something is. This convenience creates a long lasting record of where we – or our devices – are over time. These records sit in the logs of all services that collect geolocation data. We should assume it is retained as long as allowed by law and analyzed to improve services, profit, and to support law enforcement, when required.

Geolocation is useful for users, for network operators, for businesses using the internet, and for governments around the world.

Our mobile devices are with us most of the time and location services are generally a boon. But geolocation creates advantages and disadvantages to the person using the device. For instance, some services are available to you only at your home location (or the vicinity). So, those services – if geographically specific – are lost to you when traveling and you may be denied access.

How Do Computers Locate You?

Most fixed-line internet access services (cable and fiber) have a generalized location associated with them. A market of separate companies collects, packages, and sells data about the location of IP addresses at the user end of these fixed-line services. They call it GeoIP data. All sorts of companies use this city level data to localize the services they provide. For instance, users generally find that maps default to their city or neighborhood and local advertisements are served on web pages that appear on devices accessing that IP address.

But an increasing amount of time is spent accessing internet services on a phone. W3C, the organization that develops the open standards used to make the web work, has a Geolocation mechanism. It works best on mobile devices because they have hardware built into them for working out where they are. But you might occasionally see a website on a desktop computer asking for permission to share your location.

So, web browsers and other applications can ask the device for its location. W3C’s technical standard enables the device to get that information from, “Global Positioning System (GPS) and location inferred from network signals such as IP address, RFID, WiFi [sic] and Bluetooth MAC addresses, and GSM/CDMA cell IDs.” And, of course, users can just type it in.

GPS signals are very accurate device location aids. But forests or valleys can block accurate GPS location data as it needs a good view of multiple satellites. In urban areas, tall buildings get in the way. To supplement GPS location tools, cell towers are an important source of location data. When a phone connects to three towers, its position can be triangulated. This is often used to help locate people who go missing. Nonetheless, W3C’s document notes that “no guarantee is given that the API returns the device’s actual location.” This can be true in both urban and rural areas.

The companies that collect and collate mapping information don’t just care about street names and business addresses. They also map Wi-Fi networks. Wi-Fi networks and cell towers are relatively stable and designed to be visible to radios at street level. That’s why your phone will tell you to turn on Wi-Fi to improve location accuracy. It’s not to connect to random Wi-Fi networks. It’s using them to work out where you are.

But not all services need to know which side of the street someone is on. Services that rely on intellectual property licenses (streaming services or sports franchises) just need to know which jurisdiction the device is located in. And most advertisers don’t need anything more precise than a district in a city.

One key source for this information is network latency data collected by Content Delivery Networks. Data travels known speeds in fiber optic cables: about a third of the speed of light in a vacuum. Network operators know how long it takes for data to travel across a city, across a country, and across an ocean. They can automatically measure how long data takes to get to a user. That can tell them roughly how far away a user is.

And an update to the DNS protocol means that they often have routing information for the device that will use the DNS answer. Knowing the route helps establish distance.

The EDNS0 Client Subnet option is a tool used by the DNS servers that research answers for users. They use it to share information about the network location of the user they are researching an answer for. Some services will be served from many data centers, with each server having a different IP address. If the DNS server giving the answers knows where the user is, it can provide the address of the server closest to the user.

Using a mapping service lets the map service operator know what you’d like to do. For instance, if you search for “restaurants near me” at 11:00 a.m., they’ll know that you’re looking for somewhere to eat lunch. But getting a DNS answer means sharing your immediate intentions to the operators of all the servers involved in answering your question. For instance, if you ask for the IP address of a meal delivery service, the DNS server operators know who you’re choosing to buy lunch from.

Of course, you could be doing more than ordering food. It’s a privacy issue and the designers of the EDNS0 Client Subnet option recognized that. They described some ways to mitigate it. Geoff Huston, APNIC’s Chief Scientist, described a possible approach for improving the privacy protections given to people whose DNS answers are researched this way. It involves industry standardization of the service areas and IP addresses to represent them. No identifying client information needs to be shared.

Historically, network operators have tried to get some location information from the Regional Internet Registries’ (RIRs) public databases. But this data was never intended to show user locations. The addresses published were often the locations of head offices. Industry consolidation often meant that these were in different cities, states, or even countries.

So, engineers created a format for network operators to publish location data. Once that had been standardized, they encouraged the RIRs to allow publication of links to the information in the listing for blocks of IP addresses. The files themselves can be hosted anywhere but their location can be found in the RIRs’ public databases.

Two kinds of users want this information. Business users want it because they often need to know if they can provide a service to someone. And ordinary internet users want it because when it is wrong they cannot access services. Streaming services and financial institutions are two of the main business users of this data.

Networks can now publish details about the city each block of addresses is used in. The format also lets them tell users that a block of addresses doesn’t have a location associated with it. This could be a block of addresses that has not been put into use, or a block used for infrastructure links that should never be communicating directly with commercial services.

In late 2024, almost all the commercial geolocation databases use this information. Some of these are run by Content Data Networks that need the information for their own operations. Others are run or used by streaming services who license content. A third group sells security and fraud detection services. Most download and process the RIR public databases regularly, so they know about changes. But the time between changes and discovery varies. Geolocatemuch.com reports that some react in about a day while others take over two weeks.

Users get upset when they can’t access or use services. They will complain to customer service and support services, which cost money to provide. So, network operators need to remember the time it takes for new geolocation information to work through the system. It takes time to publish it, for the geolocation services to react, and then for their customers to act on the updated information. It can take several weeks.

Some services will only update their geolocation data slowly, if ever. These are often the users of free geolocation data.

Opportunities

User Experience and Advertising

Highly detailed, customizable maps are available for free on any smartphone. But as Andrew Lewis told us in 2010, “if you are not paying for it, you’re not the customer; you’re the product being sold.”

But the experience is remarkably good. Whichever services you choose to use, and whatever you search for, you have locations, directions, and reviews. It’s easy to find the route to a distant place or discover somewhere to eat or workout in a city you don’t know well. You don’t even need to trust someone to give you a good suggestion. You can rely on statistics and the wisdom of crowds.

Google Maps offers Google Reviews while Apple Maps links to Yelp’s ratings service

Of course, it’s all paid for by advertising. The advertisers know that they are buying advertisements that will be seen by people who want their service and are looking at their area. It is well targeted spending.

Other in-app and web advertising can do similar things. Our phones know where we are and share that information with the advertiser through W3C’s Geolocation API. And the GeoIP services sell the locations of devices connected by fixed lines.

Fraud Detection and Cybersecurity

But the information that helps us make purchasing decisions can also protect us.

Banks and card issuers have been tracking spending trends for decades. If your card is typically used for groceries and fuel in one city but is suddenly used at a high-end department store in another, the transaction should be flagged for review.

Financial institutions use multiple signals when deciding whether to authorize a transaction. That’s why banks ask for travel notifications. They don’t want to block legitimate transactions, like a taxi ride or hotel bill in a foreign city.

They combine IP addresses, data from W3C’s Geolocation API, and fraud trends in that location, when evaluating a transaction.

If you login to an online service on a new device, you’ll often be asked to authorize that connection with a second factor. When that second factor is delivered by email or SMS, it will normally say the location of the login attempt. That’s to help you reject attempts you know cannot be yours. Some services will show you where your account is being used. The IP addresses are shown alongside their locations, so you can quickly see anything suspicious.

Many companies block login attempts from IP address ranges associated with locations they know their people won’t be using. This doesn’t just mean blocking access from countries like North Korea – 175.45.176.0/22[1]  – but also address blocks used by commercial VPN providers, some cloud computing services, and data centers.

Each organization needs to tailor an approach that fits its own risk profile and appetite. Some will be more cautious than others. The important thing is to regularly review and update both the approach and the implementation. IPv4 and IPv6 address blocks change hands every day. New IPv6 address blocks are allocated every day, too.

App Stores

App stores are localized using knowledge of all the other factors in combination with payment card address and the location of the device accessing the store. Users can download updates to an app sold only in one store while they are abroad because their payment card is registered in the right country. But users with an account but no payment card will be served based on the local store.

Apple’s App Store region setting.

App store operators need to use all these geolocation techniques because they must comply with local laws. In 2024, Brazil’s Supreme Court ordered Apple and Google to remove X, formerly known as Twitter, from their app stores. They complied. Negotiations followed.

Licensing

The world is divided into many markets. The rights for books, music, video, and games are sold separately in each market. In some cases that means that something popular in one market is not available in others – yet. In other cases, the same content is available but at different prices to account for the varying cost of living.

Broadcasters that might otherwise want to have a global audience, cannot. Rights issues mean that they need to limit internet streaming to the same group of people covered by broadcast signals.

Legal Compliance

Trade sanctions forbid trade with some countries. For instance, the US State Department describes trade with Russia as risking “severe civil and criminal penalties.” And the International Trade Administration recommends “transactional due diligence for all business involving Russia.” Geolocation is a strong tool in avoiding or managing those risks. It is especially important for anyone with an automated internet shop front.

People in some jurisdictions have rights that people in others don’t. For instance, the disclosure right in California’s CCPA impacts many businesses. Californians have the right to be informed when data like geolocation or IP address is collected. And they have the right to opt-out or have their data deleted. Honoring the law requires businesses to know that internet users are in California, which requires geolocation.

The Future of Geolocation

The World Trade Organization was established in 1995, following the fall of the Soviet Union. Its mission was to globalize trade. But the last few years have seen an increase in tariffs, sanctions, and trade disputes. Borders are becoming more important and that means that geolocation capabilities will become more important, too.

Licensing and Pricing

Studios have been relaxed about people getting around borders to access entertainment more cheaply. They are likely to be more aggressive with commercial VPNs. The proliferation of VPN services offering location-on-demand frustrates the business models of those restricting use to specific locations. Counter-measures are inevitable when profit is threatened.

Supermarkets have been experimenting with dynamic pricing. We can expect other kinds of geolocation-based pricing. For instance, travel booking sites could suggest different pricing based on the district from which a user accesses the site. They’d be seeing different prices at the offer stage, long before getting to the checkout. Similarly, car insurance policies could introduce dynamic premiums that vary based on where and when drivers travel and park.

Politics

The internet has challenged the United Nations “principle of the sovereign equality of all its Members.” Sovereign equality suggests that countries control that which is inside their boundaries on an equal basis, each respecting the other. But physical invasion isn’t the only means of violating that principle. Countries with strong technology sectors have the opportunity to undermine the sovereignty of other countries. One set of examples is the series of protests, uprisings, and revolutions labeled as the Twitter Revolution by Wikipedia. Another includes foreign interference in other countries’ elections.

Expect more surgical filtering based on better geolocation technology. It’s being deployed by organizations who want fewer complaints about subscribers who can’t access streaming services. We can expect financial institutions to combine geolocation data with trend analysis to improve their fraud detection and blocking processes.

And governments are just as capable of using the data, in combination with DNS and other sources, to create national borders for the internet. Brazil’s ban of X was one example. And Elon Musk’s capitulation will be noted by other business leaders.

GeoIP

IP addresses are the internet’s locators. They’ve always been tied to geography in some way. They are used to number servers that sit in data centers and user devices that sit on desks or in hands. But the accuracy of GeoIP data is much higher than it has ever been before.

There was a period where the internet was a wild west. Entertainment was shared without compensating the creators. That time is ending. People pay monthly subscription fees for streaming services, much like they paid monthly subscriptions for cable services. Pricing differentials, local taxes, and more, mean that the streamers want to know where users are.

Expect commercial demands for GeoIP data quality to increase in the coming years. Expect subscribers to demand that from their access providers.