Skip to content(if available)orjump to list(if available)

Proof of location for online polls

Proof of location for online polls

69 comments

·January 14, 2025
Visit

jawiggins

> Latency-based geolocation can help protect poll integrity by:

> Detecting when poll responses originate from outside the intended geographic region > Identifying attempts to manipulate polls through elevated VPN/proxy usage

Unless the user also needs to complete a reaction-time test, couldn't this be defeated by using a remote desktop connection to a machine that is physically located in the other geography?

It just shifts which functions need to run on the proxy, from network routing to the browser itself.

polon

I think this is covered on the page

"Successfully manipulating a poll which employs this method would require following efforts and resources:

Gaining control over a large number of devices in the target geographic region for submitting votes through those devices"

So yes, it seems like it can be defeated via a remote desktop (or any proxy in the allowed area)

comex

You don’t even need to gain control over a large number of devices in the region.

You just need _one_ device in the region, which can connect to the VPN or proxy service you were already using (the assumption seems to be that the attacker has a large number of IPs they can access through such a service). That device will get some added latency from going through the VPN/proxy, but because it’s physically close, the added latency will be small, probably not enough to reliably detect.

85392_school

If you're using a proxy, I don't think whether or not the source device is in the region changes anything. The only variance is in the time from where traffic exits the proxy to servers.

banana_giraffe

> Gaining control over a large number of devices in the target geographic region for submitting votes through those devices

Does AWS Lambda count as a machine for these purposes? If so, you can get a nearly infinite number of them just by cycling a config param and casting another vote.

gavinsyancey

I assume they'd just ban the entire AWS IP block. And similarly for other cloud providers.

ghayes

Couldn't the "test" add some variety of math challenge, thus making a simple proxy insufficient. Obviously, this method would add more noise to the final calculation, but if the proxy would need to forward its data to the end-user machine to perform the math, then a simple proxy in this case wouldn't be sufficient.

TrainedMonkey

Only a small subset of the IPs has proxies on them, so it would be detectable if a disproportionate amount of traffic is coming from them.

dheera

Yes, and also, I'd argue that anonymizing your location is a sacred feature of the internet that anytime someone builds a better mousetrap we WILL build a better mouse. The internet is not a place where requiring proof of location is welcome.

For online polls, it should never be necessary, either: My rights to vote somewhere should depend only on my membership status to that somewhere, and not my current physical location.

Larrikin

This is similar to the argument the failed experiment 4Chan showed the internet. Being fully anonymous, the best arguments don't rise to the top, bad actors lie and lie and when confronted with their lies, they just pretend to be someone else and lie some more. All completely anonymous online polls are effectively useless. It's nice to have some research in helping them be a little less useless.

jagged-chisel

My state lottery app doesn’t let you play outside the state. It detects screen sharing and VPN configuration and refuses to run if it sees these things.

Depending on the importance of the poll, one could definitely apply these other requirements.

c-riq

That is true, the location proof is only for the hardware whose IP is used for submitting the vote request. However if remote desktop provider / cloud provider / VPN / Tor IPs are already blocked by the voting platform. Then it would require significant effort to acquire hardware in the target geographic region and equip it with a residential IP. Generally the whole setup only makes sense if IP's (or IP ranges) can only vote once per poll. Then large scale manipulations should become impractical.

nine_k

You are describing an ideal use case for a botnet of compromised home computers. Should command a much higher premium than sending spam.

DeepYogurt

For a motivated attacker its not that hard to add a few thousand raspberry pis to a residential internet network in most countries. Its really a quite practical attack when the stakes are governmental control.

myself248

Or just compromise an entire ISP full of routers...

kvdveer

No need for lots compromised devices. Just a single device (probably doesn't need to be compromised) in IPv4 behind carrier grade NAT is typically enough to vary your IP, or plausibly reuse an IP.

mac3n

having worked on IP geolocation in the past, I don't think this works. Though it can do a pretty good job of getting you in the right continent.

* Not all traffic goes through fiber - there are microwave links operating closer to the speed of light, though these are mostly reserved for high-speed trading. There's also satellite connections, but as long as they don't do satellite-staellite, they're slower.

* There are middleboxes messing with traffic, especially TCP, which add delay.

* If you rent servers in datacenters, you might not really know where they are. We had VMs relocated without our knowledge.

* Fibers links aren't direct, they tend to follow public right-of-ways. In much of the US, that's a rectangular grid along the highway system (look at a road map of the midwest sometime), increasing the delay by √2.

* Internet routing isn't shortest-path. It's get-this-crap-off-my-infrastructure, aka hot-potato.

* Anycast prefixes have IPs in multiple locations.

My experience was that with a lot of observation points, you could get within 10ms, 1000km in most places.

jampekka

> there are microwave links operating closer to the speed of light, though these are mostly reserved for high-speed trading

This is so sad.

xethos

Sure, but if it becomes ubiquitous, web devs will assume lower latency. That wouldn't make it less sad, just makes different people sad - my first guesses are those at crowded areas with overloaded cellular connections, and Australians.

mrguyorama

It's really not. The microwave links got decommissioned everywhere because nobody NEEDS that higher fraction of lightspeed. High speed trading is the only field where saving a singular millisecond is economically rewarded. The links used by high speed trading are the only ones left.

reocha

I think routing not being shortest path (nor being consistent) is the biggest issue with this method.

ranger_danger

I don't think microwave is "closer to the speed of light" than.. light.

skaushik92

> Key Advantages: [...] Can provide supportive evidence for VPN/proxy usage, when the latency is too high for all server locations

I'm reading through the description, but I'm having trouble understanding the difference between a client having a higher overall latency due to bandwidth/connectivity concerns (e.g. a 3G phone) versus using a VPN. Both would have increased timings and the clock skew would be similar. Would both would be considered too high for proof of location?

matthewdgreen

Why is clock skew being used here at all? I'm confused why the client's clock is being trusted or consulted in any way for a measurement like this. I should probably click through and read the details.

ETA Ok, reading the code turned up not a lot of comments. But it did produce the following line. I hope that's for testing and not the actual nonce generation process:

nonce = 'ieoskirlyzauuv6ehdug8lift65fkrddeuu6f5z6ka'

c-riq

> Why is clock skew being used here at all? You're right, it's not actually necessary to use the client clock at all. It was easier to implement it that way initially and I kept it in the description and didn't think about it again.. Thanks for pointing that out. Since all timestamps are measured, the calculations can actually also be made afterwards without using the client clock timestamps at all. However this may add a bit more noise. > not the actual nonce The nonce can only be used once so it's ok to share it afterwards.

38

No you read it right. The proposal is idiotic and Will resulted in rural voters being detected as foreign residents

croshan

A bit aggressive. No, wouldn't connecting to a slow 3g tower affect ping times to all global servers proportionately?

The proposal has other flaws, but phone to tower latency isn't one.

vitus

> No, wouldn't connecting to a slow 3g tower affect ping times to all global servers proportionately?

Yep. Per the article (last point under "How it works"):

> Users with a high latency to all servers can be excluded from polls, as this is a strong indicator of a VPN/proxy usage

Something seems off about how they're measuring latency (which seems to be "fetch various AWS Lambda endpoints"), since their system seems to think that I have hundreds of milliseconds of latency even to the nearest AWS region (even though in practice it should be an order of magnitude lower), and multiple seconds to the other side of the world.

edit: well, if the slowness is just on last-mile delivery, then it should be a fixed amount of overhead added to each connection (rather than a multiplier). For instance, I have about 8ms of latency added by my ISP just by the first hop into their network. But it's that same 8ms overhead whether I'm connecting to a server on the other side of town, or on the other side of the world.

jknoepfler

If eliminating signal from malicious, remote actors is more valuable than preserving signal from rural areas, which may very well be the case depending on the application, then adopting this might solve a real problem for you.

I don't see anything terribly idiotic in that.

edit: to be clear I think this is likely one of those solutions that creates more problems than it solves. There's a gulf of sympathy separating that from "idiocy," however.

kvdveer

There are a lot of valid critiques already, but here's another:

This technique will have to allow for over-all slow connections. This connection latency could be caused by over-provisioned office connections, torrents, bad gsm reception, cheap internet or a cheap device.

What prevents a client from strategically delaying specific requests, to simulate a slow device in the target geography. AFAIT, this would be indistinguishable from the scenarios mentioned above.

ranger_danger

> This technique will have to allow for over-all slow connections

I don't think the technique can accommodate that. But I would love to be proven wrong.

tony-allan

For example very slow ADSL connections or somewhere with poor phone reception.

anilr

Has this been tested, or is it just an idea. I imagine it would have some very serious limitations. Perhaps it could tell if you are likely in the US or Europe, but I doubt could get much more granular than that.

Starlink internet customers, and users of Apple's private relay (vpn-like service) would all be excluded?

raggi

Tailscale uses latency to pick home DERPs and I am re-evaluating it as we observe what appear to be manipulated STUN latencies for users in Asia particularly in or close to China. The latencies are often raised to over 300ms to affect this, and steer clients toward the US west coast. The reason for these manipulations is unclear, but it's easy to speculate.

mulmen

> The reason for these manipulations is unclear, but it's easy to speculate.

Care to elaborate? I don’t know why anyone would do this.

raggi

This is tin-foil-hat speculation, but for example, if you observe a locality measurement protocol picking where it should connect to, but you already know all of the local sites of interest that are relevant, you might want to find remote sites of interest. If you manipulate the more open sampling protocol to lean toward that remote site, you can then observe where secured connections to which you're otherwise blind, connect to. Now you have new remote targets of interest.

c-riq

I tested it from my home and got a radius of about 200 km. But would be nice to get some additional validation. In any case it's not super precise but it adds more friction to manipulation and in conjunction with IP based geolocation and other things it may turn out to be useful for some parts of an online democracy.

c-riq

The goal is to easily get a representative and un-manipulated sample of popular opinion. To achieve that, it might be ok to discriminate against certain users who use connections which cannot prove their location, as long as it's not heavily skewing the results.

ortusdux

Reminds me of the case of the 500-mile email:

https://www.ibiblio.org/harris/500milemail.html

IgorPartola

Have you ever wondered why most studies on humans use college students as test subjects? The answer is that they are easy to survey. Obviously though that can skew results quite a bit because the population is really not all that representative of the general public.

This product will do the same thing: it will help narrow the field of candidates to those who are easy to locate. I guess people who do marketing might like this because look high quality online survey results! And the bias is hidden well enough to keep your job! But the reality is that this will affect the results in a meaningful way.

For example, my ISP doesn’t support IPv6 so my entire home network is served by IPv6 provided by Hurricane Electric via protocol 41. So depending on what this service does with it I would likely be disqualified since my IPv4 is in a different state than my IPv6.

Long story short, cool tech demo and product I would personally avoid using or recommending.

SteveVeilStream

It's an interesting concept.

Re: "Cannot be manipulated unlike GPS signal derived coordinates, which can be altered by the user's device before relaying them to the server"

Is it possible to ensure that the data is not manipulated? If the user had to install a voting software package on their phone, then couldn't that piece of software take responsibility for pulling the co-ordinates from the device and encrypting it? I am assuming most modern phones are secure enough that the signal from the GPS that is made available to applications can be trusted but maybe I am wrong?

Re Starlink: Is it possible to trace your route through a specific satellite and to look up the location of that satellite? That seems like a relatively easy and secure check (aside from the VPN/Proxy concerns which feel like they would be a larger challenge in this scenario since I am assuming the delays through the satellites would be more significant than delays through fiber.)

c-riq

> Is it possible to ensure that the data is not manipulated? I don't think one can place much trust in phones not being tampered with as they are frequently jailbroken. So you could supply fake GPS antenna data to the software or I believe you could in principle also put your phone in a metal box and spoof actual GPS signals into the box. Civilian GPS signals aren't encrypted, I think..

lesostep

Usefulness of proposed metrics aside, I can't wrap my head around proposed use cases there.

If you don't require proof of identification for voting then one local voter can vote limitless times. If you do require it, why don't you trust it? Surely an identification is enough too choose if someone could vote or not.

It could be a nice addition to some social networks like Mastodon, I suppose, if people wouldn't care enough to create puppet accounts just to swing a vote, and false rejections/positives wouldn't mean losing or gaining something meaningful. Other then that, I have no idea.

c-riq

The idea is to make things like petitions or demonstrations easier on a global scale and to also make voting data accessible for independent analysis, where further manipulation attempts can be identified and excluded. My guess is that it's much cheaper to create 10000 fake accounts on facebook etc than to send 10000 requests from unique residential IPv4 addresses in a target country, which are also evenly distributed across Internet Service Providers and IP blocks to evade detection.

remram

https://ipv4.games/ will show you who will win at your polls.

INTPenis

Or just adopt eID. I just signed a petition to ensure free and safe abortion in the EU and I could sign with eID from over 20 nations. Get with the program.

Jimmc414

I'm not seeing in the proposal what is to prevent variable latency - from network congestion, route changes, quality of service differences, ISP peering arrangements, last-mile connection quality variations, and router queue delays - being interpreted as a distance metric?