While troubleshooting some Windows-related IPv6 problems, I regularly checked a site that tells me my IP addresses (v4 and v6) and, crucially, which one is preferred by the browser / OS: https://www.ipchecktool.com/
This site also displays geo information that it can find about my IP. And while it is not new to me that IP addresses can be geolocated to some extent, I found it disappointing how accurate the results were. For my IPv6 address, the site linked above determines a position with a 5km accuracy that is actually correct. For IPv4 though, it determines a position with a 200km accuracy and that isn’t even correct. I’ve tried several sites with differing results. Some are correct with a very high accuracy (< 10km), while others simply yield incorrect results. So while from a user perspective it is somewhat hit or miss whether a given lookup site provides meaningful results, the information is clearly out there.
So why did I write I find the high accuracy “disappointing”? Well, from a privacy perspective I think it’s a nightmare. I wonder how it is that third party sites can give such accurate results.
From a naive, technical perspective, I figure that firstly, of course my ISP knows my exact location because they own the line that my IP is assigned to. Now the way I see it, every router a packet passes through can only know the location of its peers. When I traceroute to the geo lookup site, I see that the packets go through my ISP’s AS and then pass to the AS where the server is hosted. This happens at the internet exchange point (DE-CIX in Frankfurt, in my case). It makes sense that my ISP’s router at DE-CIX knows my location as it receives the packets from a POP in my area that also belongs to the ISP. But the server’s AS’s router that receives the packets from my ISP’s router should only be able to know location of the machine it received the packets from, which is in the same datacenter. So concluding this section, I don’t see how a server in a different AS would be able to know my location if all it had was the routing information. Please do correct me if I’m wrong.
Of course I know that people/corporations are crafty and have other ways to create geolocation databases. For example, if it is known that the ISP uses blocks of IP addresses for geographic regions, knowing the location of one of the IP addresses provides conclusions about the rest of them. Or they can correlate IP addresses with cooperatively obtained location data, etc. Then there is the possibility that the ISP outright publishes that information. Wikipedia states as much:
The primary source for IP address data is the regional Internet registries which allocate and distribute IP addresses amongst organizations located in their respective service regions. […]
The registries allow assignees to specify country and geographical coordinates of each assigned block. Starting from 2021 RFC 9092 allows assignees to specify location of any IP subnetwork they own. […]
Secondary sources include: Data mining or user-submitted geographic location data […], data contributed by Internet service providers. […]
Can anyone give insight into the extent that ISP’s participate in the creation of geolocation databases?
And what do you think? Is it “good” or “bad” or something in between that location information has city-accuracy? Do you think ISP’s should do more to protect customer privacy in this regard? I’m curious about your opinions on the matter.
PS: This is not me asking how to conceal my identity or location. I don’t need a VPN or proxy.