Sometimes precise detection of user location is required by law. Usually GPS technology turns out to be best suitable solution for location detection purposes. What if it is not possible to receive GPS data?
Our client from US wanted us to create a financial application authorized for use in certain states only. We had to make the application of limited location use because in different states there are different taxation and financial relations, so any kind of financial software has to be in accordance with the specific state law. Thus the app had to track a user’s location by default to allow or ban some functionality, ie. processing payments.
There were two main problems of obtaining location data:
- A user does not allow GPS data tracking;
- There are some 3rd party tools enabled to conceal user location, for eg. VPN.
To meet this tough requirement, we conducted a deep research, implying both technological research (incl. tracerouting in US, available networking databases research, etc.), and studying US laws about network providers and routing.
* Traceroute stands to be a network diagnostic tool used for tracking the pathway taken by a packet on an IP network from source to destination point. Traceroute also records the time taken for each hop the packet makes during its route to the destination.
Finally we came up with several steps on how to track user location within the law when a user has blocked GPS data tracking or has some VPN enabled. To achieve better results, we combined them into one algorithm of finding location information — follow its steps further!
Step 1. Detect the IP address.
On the Internet there are free and paid IP address databases available, and they differ by area. For instance, there may be databases valid for US only, or global databases possessing much more IP addresses. Take a look at the traceroute fragment below: you may see IP addresses, such as
126.96.36.199 , etc.:
We use this information to define the location:
- We look for the IP address in the traceroute.
- Having found the IP address, we look for it in the global/regional IP addresses database:
- If we see that there is an IP address of correct state/region, then we allow user processing payments.
- If we see that there is an IP address of different state/region, then we prevent a user from processing payments.
- If we can not find any IP address data, then we go to the next step.
Step 2. Find the Internet Service Provider (ISP)
Via traceroute we look for a Internet Service Provider (ISP) codename using the corresponding ISP databases. Such databases are also available on the web, both paid and non-paid ones.
- We look for the ISP data in the traceroute.
- Having found the ISP data, we look for it in the global/regional ISP database:
- If we see that there is ISP data indicating that the ISP is of the correct region, then we allow user processing payments.
- If we see that there is ISP data indicating that the ISP is of the incorrect region, then we prevent a user from processing payments.
- If we can not find any ISP-related information, then we go to the next step.
Step 3. Look for the IATA Airport Code.
There are the International Air Transport Association (IATA) standards: each airport on the globe has its unique three-letter code. Sometimes it is possible to find this abbreviation in traceroute lines. Thus we can detect cities, and therefore states/ regions.
- We look for the IATA Airport Code in the traceroute.
- Having found the IATA Airport Code, we look for it in the IATA standards:
- If we see that there is a codename of network provider from correct state, then we prevent a user from processing payments.
- If we see that there is a codename of network provider from different state, then we prevent a user from processing payments.
- If we can not find any geographical identifier data, then we go to the next step.
Note: It is also possible to track telecom CLLI codes to define location. In addition, some countries/regions have specific geographical identifiers that can also be found via traceroute. In this case identifier will only depend on the regional specific networking features.
If by the end of the third step we still can not find any location-related open source information, then it is most likely location data was somehow changed or concealed (VPN turned on).
For instance, for our financial application it was not acceptable to let its user conduct any financial operations if his location is not identified. Therefore when a user tried to make a payment and our algorithm failed to verify the user, we simply asked to turn GPS on to access this data directly with user’s permission; otherwise we could not proceed with user confirmation and let him conduct this kind of operations. This is it.
Despite GPS being one of the most useful location tracking technologies by far, it is still possible to find location data using other techniques. These techniques are especially helpful when there is no user permission to request GPS data or his location data is changed with VPN.
With network-based method described above it is possible to reach about 95% of accuracy when detecting a location (the percentage is based on the sample of 1000 traceroute samples we took for testing).
Whether you do not/can not use ordinary ways of obtaining location data, or you simply want to increase detection accuracy — this tracking method is perfect for all the cases.