Security journalist Kashmir Hill put it well.
“Most casual internet users don’t know anything about IP mapping defaults,” she wrote when first reporting on the unfortunate Kansas couple whose quiet rural farmhouse has become associated with the geographic center of the US and whose address, thanks to an internet mapping glitch, has thus wound up being the default answer to “Where the hell is this nefarious IP address located,” as opposed to what that answer should have been: “We don’t have a clue.”
They just know that when a website tells them that their scammer lives in Potwin, Kansas, they get in the car and go.
The home’s 82-year-old owner, Joyce Taylor née Vogelman, her family, and the subsequent tenants who came to rent her home, have for the past 10 years been accused of being identity thieves, spammers, and scammers, have found on their doorstep FBI agents, federal marshals, IRS collectors, ambulances searching for suicidal veterans, and police officers searching for runaway children, and have been wrongfully punished by irate people who’ve published their names and addresses or left a broken toilet in their driveway.
On Friday, the couple who rent that farmhouse – James and Theresa Arnold – filed a lawsuit against MaxMind, the company that should have said “we don’t have a clue where that IP address is located”, or that should, at least, have used a default location that wasn’t their house.
According to the complaint, the problems started the first week after the Arnolds moved into the house in May 2011.
That’s when two deputies came around, looking for a stolen truck.
Over the next 5 years, that scenario repeated “countless times,” according to the complaint.
The plaintiffs were repeatedly awakened from their sleep or disturbed from their daily activities by local, state or federal officials looking for a runaway child or a missing person, or evidence of a computer fraud, or call of an attempted suicide. Law enforcement officials came to the residence all hours of the day or night.
Local police were baffled.
They didn’t understand IP addresses and internet mapping, which, as we’ve noted before, renders up GPS coordinates that deceptively appear pinpoint-precise but which are far from it.
The Arnolds and Vogelmans aren’t the only people who’ve been erroneously “pinpointed” at an address that some business has listed in some database as the one to associate with given IP addresses.
Another victim is Wayne Dobson, of Las Vegas: a repeat victim of what Naked Security’s Paul Ducklin calls “precise imprecision”: because of a flaw in a mobile phone company’s database, as of 2013, it was sending people who’d lost their phones to his house, even though all it really knew was that their phone was located somewhere in that part of the world.
It doesn’t draw a little circle on the map to say, “That phone’s probably in a 2km radius of here,” or a jagged polygon to say “It’s somewhere inside this grid of lines joining the following five transmission towers spread over an 8km2 area.”
It as good as says, “Head to Casa Dobson. You’ll find the phone in the kitchen, next to the kettle, under this morning’s newspaper.”
Local Kansas police didn’t know all that. Neither did the Arnolds.
But as angry people continued to show up at the Arnolds’ home, accusing them of things like clogging their computer systems with spam, they ran a background check on the couple.
This is what that background check found, from the complaint:
After this check, the plaintiffs were told that a “[LDNS, or Local Domain Name Server]” was located on the property and that the Sheriff Department received weekly reports about fraud, scams, stolen Facebook accounts, missing person reports, suicide threats from the VA that appeared to come from the address and stolen vehicles all related to the residence.
It was only after Hill wrote an investigate piece for Fusion, titled “How an Internet Mapping Glitch Turned a Random Kansas Farm into a Digital Hell,” that the Arnolds found out who was allegedly at the root of the problem: MaxMind.
As Hill reported, in 2002, the Massachusetts-based digital mapping company decided it wanted to provide IP intelligence to companies who wanted to know the geographic location of a computer, be it for targeted marketing or to send warning letters to people pirating music or movies.
Thomas Mather, a co-founder of MaxMind, told Hill that the company had originally picked a latitude and longitude that was in the center of the country – or, rather, a spot 2 hours away, with a less cumbersome latitude and longitude – to use when it was unsure of the physical address to associate with an IP address.
In other words, the Vogelmans’ farmhouse.
Mather told Hill that it had never occurred to the company that people would use the database to try to track people down to a household level. MaxMind had always advertised the database as determining the location down to a city or zip code level, he said: not to locate a household.
Evidently, trying to explain these complexities to MaxMind’s 5,000 clients is tough. As a result, there are now over 600 million IP addresses associated with this default “middle of the country, sort of” coordinate.
Mather told Hill in April that MaxMind would be changing the default locations for the US and Ashburn, Virginia, placing them in the middle of bodies of water, rather than people’s homes.
How quickly MaxMind’s 5,000 business clients would update the data is hard to say, though: some could take months, Mather said at the time.
The Arnolds are asking for compensatory and punitive damages in excess of $75,000.