How internet applications geolocate users and why it needs a rethink
Internet applications have come to rely on IP addresses to estimate where their users are located. This blog post explains ongoing standards work to improve IP address privacy and its approach to IP geolocation, and questions whether it is the role of internet routing protocols to reveal information about a user’s location.
We have all encountered localized content on the internet – be it search engines that show results near you or a website that displays content in your local language. Many web and mobile applications rely on a mechanism known as ‘IP-based geolocation’, wherein the IP address connecting to a server is used to estimate where a visitor might be located. IP location estimates are sourced from commercial services that rely on a number of open and proprietary signals to profile IP addresses and deduce their locations, with increased accuracy being a selling point for these services. Location estimates are considered to be accurate at the country level, but accuracy may drop at the city and zip code granularity.
IP-based geolocation has served as a quick-and-easy way for applications to show their users locally relevant content and to demarcate virtual borders that are used to comply with local regulations. While this approach may be convenient for companies and users alike, it neglects to consider the privacy implications of deriving private information about internet users from network layer metadata without their knowledge or consent. Even though IP-based geolocation has become the norm, there is an important need to deliberate on whether this is a desirable property of a network protocol, or simply one that has emerged from popular use, and whether it meets the privacy expectations of end-users.
IP geolocation is also being increasingly used to enact geo-blocking – a form of internet censorship where content is withheld from internet users based on their geographical location. When governments find it infeasible to block access to an entire online platform, they instead issue takedown orders to the platforms to block individual pieces of content. These platforms utilize IP-based geo-blocking to restrict access to content in the country. In India, for example, IP-based geo-blocking has become a predominant way for the government to conduct internet censorship. Reports indicate that out of the 6,775 pieces of content (including web pages, websites, apps, social media posts and accounts) blocked by the IT Ministry in 2022, about 50% were X posts and accounts and 25% were on Facebook.
Emerging recognition of the need to keep IP addresses private
Originally designed to identify routes to entities that can be reached through the internet, IP addresses have been (ab)used in a number of ways to glean information about end-users. This includes profiling internet users for behavioral advertising and abuse prevention, identifying individuals for law enforcement purposes, building IP reputation systems for spam and DDoS prevention, and geolocating users for localization and to comply with local laws.
Recognizing the privacy risks of IP addresses in profiling and identifying internet users, some jurisdictions have designated them as personally identifiable information for data protection purposes. A number of technical solutions, such as VPNs, proxies, mixnets and Tor, have emerged to obfuscate users’ IP addresses from the web services they visit, with each offering varying degrees of privacy-usability tradeoffs.
Participants at the IETF have also acknowledged the need to keep IP addresses private and are developing and deploying protocols to help internet users protect their IP address from the web servers they interact with. This work is primarily being done through the OHAI and MASQUE working groups, where participants are working on developing “privacy relays”.
Oblivious routing: ongoing standards work to improve IP address privacy
The go-to solution for obfuscating a user’s IP address from a web service they are trying to visit is to route the request through an intermediary server, so that the recipient sees the intermediary’s IP address and not the user’s. This is how VPNs and proxies operate. This design, however, shifts the privacy issue to a different entity, as the intermediary now has visibility into the user’s internet usage. To work around this, IETF participants are developing an “oblivious routing” pattern. In this approach, the request is routed through two intermediary servers operated by separate entities, neither of which is given a complete picture of the request. As long as the two intermediaries do not collude, they cannot see which web servers a user is communicating with, which allows internet use without revealing a user’s IP address.
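The two-relay pattern described above, modelled as an added example (not code from the original post or from any relay operator). The relay addresses, the hop_id field and the pre-shared relay 2 key are assumptions, and the toy seal/unseal functions stand in for the HPKE or TLS encryption a real deployment would use.

```python
import hashlib, hmac, json, secrets

RELAY1_IP, RELAY2_IP = "198.51.100.10", "203.0.113.20"  # constructed (RFC 5737 ranges)

def _keys(key):
    d = hashlib.sha512(key).digest()
    return d[:32], d[32:]  # separate encryption and MAC keys

def seal(key, plaintext):
    """Toy encrypt-then-MAC; a stand-in for HPKE/TLS, not for real use."""
    k_enc, k_mac = _keys(key)
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(k_enc + nonce).digest(len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + body + hmac.new(k_mac, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    k_enc, k_mac = _keys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + body, hashlib.sha256).digest()):
        raise ValueError("bad key or modified ciphertext")
    stream = hashlib.shake_256(k_enc + nonce).digest(len(body))
    return bytes(a ^ b for a, b in zip(body, stream))

def relay_request(client_ip, destination):
    """Return what relay 1, relay 2 and the origin each observe for one request."""
    relay2_key = secrets.token_bytes(32)  # assumption: known to client and relay 2 only
    blob = seal(relay2_key, json.dumps({"dest": destination}).encode())
    hop_id = secrets.token_hex(4)         # identifies the relay 1 -> relay 2 connection
    # Relay 1 terminates the client's connection: real source IP, opaque payload.
    relay1 = {"peer_ip": client_ip, "hop_id": hop_id, "payload": blob}
    # Relay 2 sees relay 1 as its peer and is the only party able to open the payload.
    inner = json.loads(unseal(relay2_key, blob))
    relay2 = {"peer_ip": RELAY1_IP, "hop_id": hop_id, "dest": inner["dest"]}
    # The origin sees relay 2's address, never the client's.
    origin = {"peer_ip": RELAY2_IP, "host": inner["dest"]}
    return relay1, relay2, origin

def collude(relay1_logs, relay2_logs):
    """Joining both relays' logs on the shared hop re-links client IP to destination."""
    dest_by_hop = {r["hop_id"]: r["dest"] for r in relay2_logs}
    return [(r["peer_ip"], dest_by_hop[r["hop_id"]])
            for r in relay1_logs if r["hop_id"] in dest_by_hop]

if __name__ == "__main__":
    r1, r2, origin = relay_request("192.0.2.55", "news.example")
    print("relay 1:", r1["peer_ip"], "->", len(r1["payload"]), "opaque bytes")
    print("relay 2:", r2["peer_ip"], "->", r2["dest"], "| origin peer:", origin["peer_ip"])
    print("collusion:", collude([r1], [r2]))
```

Neither relay's log alone pairs the client address with the destination; the collude function shows why the privacy property depends on the two relays being run by separate entities.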
The OHAI working group has developed the Oblivious HTTP standard, which defines a way for specific applications that involve repeatedly querying information from a server to do so privately using oblivious routing. The MASQUE working group has developed more generic transport-level relay protocols that are suited for a wider range of use cases, like web browsing. A MASQUE proxy can be used with or without oblivious routing, depending on the privacy properties required from the system.
While there (currently) is no singular definition of what privacy relays are, these are some examples of how they’ve been deployed: (1) Apple’s iCloud Private Relay is a subscription service that uses MASQUE proxies with oblivious routing to allow users to browse the internet while keeping their IP address private, (2) Apple’s Private Cloud Compute is experimenting with Oblivious HTTP to reduce the footprint of its users’ queries to AI models, (3) Google’s proposed IP Protection envisions MASQUE-based oblivious routing for a very limited set of cases (third-party requests in incognito mode) in its Chrome browser, (4) Cloudflare’s Warp offers both free and paid versions of a VPN-like service that uses a MASQUE proxy for internet browsing, but without oblivious routing, and (5) Google’s Safe Browsing service uses Oblivious HTTP to enable users to privately query for unsafe URLs.
An opportune moment to rethink IP-based geolocation
If privacy relays get adopted more widely, internet applications will no longer be able to rely on metadata derived from a user’s IP address for the variety of purposes that they are used for today. Internet companies are working to establish alternate signals to provide this information to web servers in situations where they deem the metadata to be useful. For example, anonymous credential schemes, like those used in the Privacy Pass standard, are being used to distinguish human traffic from bots without using signals like IP addresses or CAPTCHAs.
When it comes to geolocating users through privacy relays, operators are looking to maintain the status quo by conveying geolocation information to web servers through alternate means. Both Apple’s iCloud Private Relay and Chrome’s proposed IP Protection convey users’ IP geolocation through their relays by maintaining a pool of IPs in each region, and routing requests through a relay whose IP location corresponds to the user’s IP location. While Apple’s service offers users the choice to reduce the IP location granularity to the country level, it does not allow users to opt in to or opt out of geolocation sharing entirely. Recognising that it is expensive to maintain a pool of IP addresses in every potential user location, these companies have also proposed a new HTTP header to allow clients/browsers to directly convey geolocation information through any privacy relays that may be present.
Given the pervasive reliance on IP-based geolocation by much of the web, it is easy to see why these companies have taken a cautious approach in retaining support for it. But simultaneously, as we move away from IP metadata signals and design appropriate alternatives for them, it is important to deliberate upon whether geolocating users is truly a function of a network routing protocol or one that happened to emerge from its design, and how geolocation mechanisms can incorporate user privacy and agency.
Internet applications have incorrectly come to rely on network layer metadata to derive private information about internet users without their knowledge or consent. This metadata is also being misused to conduct internet censorship on a large scale. While it is not an easy task for companies to re-evaluate their assumptions on the free availability of geolocation data, it is in the best interest of end-users to start planning a migration to consensual forms of location sharing on the internet, and the arrival of IP privacy solutions at the IETF is an opportune moment to do so.
Standardization work on privacy relays, oblivious routing and IP geolocation is ongoing in the HTTPBIS, MASQUE and OHAI working groups at the IETF. These discussions could benefit from participation of the public interest technology community to advocate for migration to consensual forms of location sharing on the web.
Divyank Katira is a researcher at the internet Research Lab and Internet of Rights Fellow with ARTICLE 19. The author would like to thank Michaela Shapiro and Shivan Kaul Sahib for their invaluable suggestions. Mistakes and opinions remain the author’s.