Tell HN: If you're asked to implement geofencing, push back
In the name of modernity, the city has removed ticket booths. Cutting down on real estate and human labor, yadda yadda. You pay the bus with an app. Okay, I'll download the app. Uh oh. My google play region is set somewhere in Europe, but I'm currently visiting the USA. The app developers decided to restrict the app to people living in the USA. What do I do?
I know, maybe I can pay through the website! Maybe the stupid idea that everything needs to be an app isn't completely pervasive yet. Hooray! There's a link to buy a ticket online. Wait, the website's giving me a weird 403 error... Not even a nice one, it's just a raw XML response. What did I ever do to them to ban me like that? Oh right. I'm using my phone to browse the website. My phone is connected to the internet via roaming through my home country's operator. All the traffic gets tunneled back there. So the whole internet thinks I'm still back home, even though I'm physically in the USA. The WAF detects that and decides that I'm not worthy to buy a ticket. So I can't buy a ticket on the website either.
This is a true story. It does have a happy ending: when I understood what happened, I logged into my VPN to get a shiny public-facing all-American God-fearing IP address. It's not an isolated case, however. So far this has only happened while I travelled in the USA, but it has happened numerous times over the past year. I've been blocked from buying bus tickets, paying for my parking spot, several store franchises' websites to check inventory is nearby locations... I've even been prevented from reading a restaurant menu! Not once, but twice: apparently Toast is a popular vendor for restaurant online operations, and that company implemented geofencing.
If you're in a software development role, and you're asked to implement geofencing, tell your manager that you simply cannot do it with any kind of accuracy. It's going to lose your company customers! I have an IT background; I understood what happened, and I have a VPN subscription / know that I need to connect to a public wifi somewhere. I'm not sure everyone will figure it out. And for what benefits, exactly? Why does the bus app need to be geofenced? It's not like I'll take the bus when I'm in a different country!
Do your part to keep the internet open, please.
10 comments
[ 3.5 ms ] story [ 36.3 ms ] thread* I'm a tourist, I need an item;
* I see there are two stores nearby, one is CVS, the other something else;
* I want to check online if they have the item, because I'd have to get out of my way a bit and checking the store website is just a click away in my map app;
* oh wait, CVS blocks roaming users;
* I guess I'll go to the other store because their website was accessible and let me know they have the item.
Devil's advocate's attempt: because most traffic from foreign countries is fraud, automated security suites, potential DDoS or people trying credit cards.
I see the same though. Just yesterday for example the city website http://cupertino.org/ isn't accessible from Europe. Generic text error only "You don't have permission to access "http://www.cupertino.org/$(SERVE_403)/?" on this server." What are they protecting? I tried to lookup the postal code of a public building from an official source.
> What are they protecting?
Nothing. They've simply listened to a "security consultant" parrot a few points about foreign traffic being mostly fraud/DDoS/... but behold! they have a shiny WAF to sell.
Well, realistically, in the context of municipal public transit, what does foreign network traffic consist of, mostly?
If software developers simply say no and walk away, then the buyers are completely and utterly up a creek.
Money is the typical reason to not just walk away. But you know what? What about the value that we're creating with our code? The buyers wouldn't be paying so much to acquire the fruits of our labor unless said fruits were truly valuable.
Most software evil happens because the programmers are busy and it would take hours to make a coherent case for why the negative social impact of the feature outweighs the claimed advantages, so they just do it and move on.
I could probably sign up for a VPN service and take it, but then again, they could be blocking VPN services too.
* It's sometimes the case that geofencing is applied for major contractual or legal reasons that cannot be bypassed.
> A service might be restricted to X state because there are stupid laws that govern it. For instance, many sports betting sites are really careful about geographical checks because they don't want to run afoul of complicated state laws so they check if you're physically in X area for each action.
> A video service might be restricted to Y country because there's no way to get the rights to play some video content in Y country, so doing that is necessary to avoid running afoul of Hollywood.
* A lot of App review spam or fraudulent credit card checks come from overseas, so there might be an arguably semi-valid reason to restrict people from using a service that is useless unless you're physically there.