as the web in the United States becomes increasingly divided by a patchwork of mutually-conflicting age-verification laws, surely at some point weâre going to have to address the fact that itâs technologically impossible to know where anyone on the internet actually lives, right?
right?
oh, sorry. let me explain. see, now that weâre legally demanding that websites hosting adult content collect the IDs of users who live in particular states, you may have made the reasonable assumption that it is (for example) possible to do that.
this is a classic error.
maybe an analogy would help. if i were to call you on the phone, your phone would probably display my caller ID. it would show you my number, and below that number would be the text âOrlando, FLâ. you, seeing this, would make the reasonable assumption that i am calling you from Orlando, FL.
but in fact Iâm calling you from Portland, OR. i donât live in Orlando: actually, Iâve never lived in Orlando in my entire life. i once lived kind of sorta in the general vicinity of Orlando, which is how I got this number, but thatâs not where I live now and itâs not where Iâm calling from. your phone just looked up my phoneâs area code, and used that to guess where Iâm calling from.
IP addresses are to the internet as phone numbers are to the phone network. if you run a website, the only piece of information you can know for certain about any user who visits your website is their IP addressâtheir âcaller IDâ, so to speak. that IP address is the only bit of information you can use to determine where they live.
but if guessing a callerâs location from their phone number is impossible, it is tenfold more impossible to guess a userâs location from their IP address. behold this fucking mess:
I work as a fraud investigator for an online bank and can confirm most of this information is true. Phone number locations are actually area code and exchange, or the first 6 digits in the North American numbering plan. i.e. 765-778-XXXX is Pendleton, IN, while 765-640-XXXX is Anderson, IN. Big cities often have their own area codes (or even two), but most areas of the country share area codes across multiple cities.
As far as IP addresses, the data collected from this is open source intelligence (OSINT), which means that this is basically like a phone book of data. However, due to factors like dynamic IP addresses (that change periodically based on other factors outside of your control), one user is not associated with a set IP address. Also, this information can be collected from a passive scan without the user knowing. If you visit a website, that website can theoretically have what IP address your device used.
IP address scanners can also vary as well. IPaddress[dot]com and Scamalytics[dot]com are two that I use, and depending on where they capture data, they can give much different locations.
A further note on regulatory compliance: if a business serves multiple jurisdictions with different laws, technically everyone would likely fall under the strictest laws. "This call may be monitored and/or recorded for quality assurance purposes." That phrase is required by only a few states, but everyone in the US who has called a toll-free number has heard it. This is because anyone who has a toll-free number has no way of knowing if a caller is from a state that requires two-party consent for recorded calls. ID laws are no different.

















