Beginning 1 September, we will need to geoblock Mississippi IPs

Google have additional information about IP addresses that updates dynamically based on cell phone, wifi and other magic usage so maybe ask them if they have some javascript that queries their site for more specific city/state details. Also call Pornhub and ask how they were blocking specific states to meet legal requirements.

https://en.wikipedia.org/wiki/Dreamwidth

It would be pretty crazy if you could kill someone in Arizona and then just walk over the border to California and not be able to be prosecuted…

Dreamwidth has been at the forefront of banning large swaths of the internet. They started doing it years before anyone else. Before the for-profit corporate spidering of HTTP/S content even began causing issues. This is well trod territory and entirely familiar for them and their upstream network provider they like to blame their inability to fix it on.

Tough for the neighbors, but nitpicking "resident" is not a good choice here.

https://en.wikipedia.org/wiki/Zone_of_Death_(Yellowstone)

"The Zone of Death is the 50-square-mile (130 km2) area in the Idaho section of Yellowstone National Park in which, as a result of the Vicinage Clause in the Constitution of the United States, a person may be able to theoretically avoid conviction for any major crime, up to and including murder"

For example, these days in Russia awareness and usage of VPN is well beyond any normal country. With Facebook and IG for example blocked for Meta being officially branded an "extremist organization" (by the way Taliban was taken off that list recently, so what do you guys in Menlo Park are cooking what is worse than Taliban? May be some freedom of speech? :) people in Russia of all strata is still using it, now through VPN, many from mobile devices. The thing of note from USSR/Russia here is that habitual violation of unreasonable laws breeds wide disrespect for the system of law as a whole, and it i very hard to reverse the flow.

https://en.wikipedia.org/wiki/The_Walker_Montgomery_Protecti...

It's a good question. Maybe something with interstate commerce laws?

>New York governor rejects Louisiana's extradition request for doctor in abortion pill case

cough

Pornhub and BlueSky have done similar in response to this legislation in Texas. Wikipedia and a few other sites blocked the UK to avoid being burdened by their Safety act. Pretty much every streaming platform implements regional geo blocking for licensing reasons.

I’ll be curious to see how things shake out in the long run given the current political climate.

That loophole got closed once inter-state data sharing became possible and Oregon merchants were required to start collecting those out-of-state taxes at the point of sale.

Also, for the enforcement agency who is/will be tasked with checking things out here...do they know whether geo-blocking is valid method or not? Its a silly law, don't get me wrong...but if its enforcement validation mechanisms are not up to snuff, i wonder how things will play out - both here in dreamwidth's case and other folks in a similar boat?

The threat of lawsuits.

> How is this enforceable if a company doesn't have any infrastructure within that state?

If you are intentionally doing business in a US state, and either you or your assets are within the reach of courts in the US, you can probably be sued under the state's laws, either in the state's courts or in federal courts, and there is a reasonable chance that if the law is valid at all, it will be applied to your provision of your service to people in that state. Likewise, you have a risk from criminal laws of the state if you are personally within reach of any US law enforcement, through intrastate extradition (which, while there is occasional high-profile resistance, is generally Constitutionally mandatory and can be compelled by the federal courts.)

That's why services taking reasonable steps to cut off customers accessing their service from the states whose laws they don't want to deal with is a common response.

Launch a small website and commit a felony in 7 states and 13 countries.

I wouldn't have known about the Mississippi bill unless I'd read this. How are we have to know?

Avoiding taxes. It's different. It was always perfectly legal to travel to another state to buy something expensive and bring it back home. No crimes were committed.

It was a loophole that you could buy in Oregon specifically to avoid $1,000s in sales taxes.

I mean it would be absurd if an anti-death-sentence state started trying to extradite the executioners working in pro-death-sentence states for murder, right?

No? Wikipedia is not blocked in the UK.

There is a certain group in the USA that is working hard on undermining the rights of the people of America, the enemies, foreign and domestic, per se; and this is part of their plank to control speech through fear and total control and evisceration of anonymity.

I support controlling access to porn for children, especially since I know people who were harmed and groomed by it, but these types of laws are really just the typical liar’s wedge to get the poison pill of tracking and suppression in the door.

I hope some of the court cases can fix some of these treasonous and enemy acts by enemies within, but reality is that likely at the very least some aspects of these control mechanisms will remain intact.

If it really was about preventing harm against children, then they would have prevented children from accessing things, not adults. But that’s how you know it’s a perfidious lie.

This MS situation is just another step towards what they really want, total control over speech, thought, and what you are able to see and read.

This MS situation is just a kind of trial balloon, a probe of the American people and the Constitution and this thing we still call America even though enemies are within our walls dismantling everything.

As you may have read, in MS they are trying to require all social media companies to “…deanonymize and age-verify all users…” …… to protect the children, of course. So you, an adult, have to identify yourself online in the public square that is already censored and controlled and mapped, to the government so it can, e.g., see if you oppose or share information about the genocide it is supporting … to protect Mississippi children, of course.

But yeah, this definitely sounds like a business opportunity for services or hosts.

https://news.ycombinator.com/item?id=44990886 ("Bluesky Goes Dark in Mississippi over Age Verification Law (wired.com)"—175 comments)

Not by the same definition, no, its not, though there is a crime called "murder" in all states, and there tends to be significant overlap in the definitions.

It’s called a ‘use tax’. In practice, nobody pays (personal) use tax, myself included.

Washington has a use tax: https://dor.wa.gov/taxes-rates/use-tax

California has a use tax: https://cdtfa.ca.gov/taxes-and-fees/use-tax/

Idaho has a use tax: https://tax.idaho.gov/taxes/sales-use/use-tax/online-guide/

So, all of those people going to Oregon to shop without sales tax and not paying use tax were technically breaking the law, not using a loophole. I’m not judging them, I don’t pay use tax either :)

I’ve never understood people like you that say anything and everything to increase taxes.

How does it make any rational or logical sense that you should pay higher taxes for something?

So when you go to Delaware that has 0% sales taxes, you make sure to log everything and pay taxes to your home state upon return?

https://www.wired.com/story/bluesky-goes-dark-in-mississippi...

> However, it doesn't apply to news sources, online games or the content that is be made is by the service itself or is an application website.

What is an "application website"? I can't seem to find how they're defining that.

I.E. Are US ISPs, particularly big ones like Comcast, required to geolocate ISPs to the state where the person is actually in? What about mobile ones?

Where I live (not US), it is extremely common to get an IP that Maxmind geolocates to a region far from where you actually live.

The end game here is total control and awareness of who is saying what at any time, in order to allow those messages to be thwarted.

My understanding is that this is similar to the law the UK passed recently except instead of verifying age of users for "adult" content, every platform needs to verify (and log) age of all users for all content?

It can't possibly be that ridiculous.

To enforce all this, states can sue companies and they can take steps to ensure companies can't do business in their state (so like maybe force ISPs to block Dreamwidth?).

(It is possible for state charges existing to make other actions federal crimes, though, e.g., there is a federal crime of interstate travel to avoid prosecution, service of process, or appearance as a witness. But state charges themselves can't get "bumped up" to the federal level.)

Regulatory capture in real time!

https://law.justia.com/codes/mississippi/title-45/chapter-38...

That's probably what the wikipedia author meant to say

This is just the start and the trial balloons. The enemy within is a bit nervous about this attack on the most fundamental freedom that the Constitution is protecting, free speech, but they’re also very confident in themselves.

It may not be, if the law can be applied to them.

OTOH, may be sufficient to make it illegal to apply the law to them in the first place. US states do not have unlimited jurisdiction to regulate conduct occurring outside of their borders, but they do have more ability to regulate conduct of entities intentionally doing business within their borders.

The US doesn’t have 50 different cultures with totally different values, but probably has like… 7.

As you say, IP geolocation is unreliable. Unfortunately that's the only option. If it is technologically impossible to comply with the law, you just gotta do the best you can. If someone in MI gets a weird IP, there's absolutely nothing any third party can do. That's on the ISP for not allocating an appropriate IP or the legislators for being morons.

It was legal to do that. If it was purchased out of state with the intent of bringing it back home, then (assuming the home state was California) California use taxes were always owed on it. Other states with sales taxes also tend to have similarly-structured use taxes with rates similar to the sales tax rates.

They were legally avoiding sales taxes, but also illegally evading use taxes, and, moreover, there is very little reason for the former if you aren't also doing the latter, unless you just have some moral objection to your taxes being taken at the point of sale and the paperwork and remittance to the government being done by the retailer instead of being a burden you deal with yourself.

The law in question requires "commercially reasonable efforts"

Source: am from Kansas City.

does that also mean that all social media platforms will start a small jobs board?

I’m not being glib. Honestly, why can’t I? There’s precedent for saying that’s unauthorized access, so the feds (not the state; “Interstate Commerce Clause” and all that) should prosecute the visitor for violating my ToS.

If you don't, you are technically violating the law. All states with sales tax also have a use tax.

For example, if you are a resident of neighboring Maryland, this is the form you'd need to fill out for purchases you make in Delaware.

https://www.marylandcomptroller.gov/content/dam/mdcomp/tax/f...

Putting a small jobs board on instagram would not make instagram "primarily function" as a job application website. LinkedIn is primarily a professional networking website - it qualifies.

It is possible some US States and maybe the UK will end up like China.

Reminds me of Silicon Valley. PiperChat has grossly violated COPPA as there was no parental consent form on the app leading to a 21 billion dollar fine: https://www.youtube.com/watch?v=N3zU7sV4bJE

The laws are written in a way where the responsibility for enforcement falls on the operator of the business. In both cases, the business doesn't actually have to verify anything if they don't want to, but if it's found that they're allowing violations to happen, they will be held legally responsible.

Same goes for other countries as well. It’s insane.

Cut the ignoramuses from the US internet until they can learn to be decent people. Serves them right, and well, legally.

Yes! Make a union of states! How should we call that? States Union... Union of States... United States! Yeah, that should work.

If they make an honest attempt to comply and a small number of people using VPNs slip through the cracks, if they're ever reported, they'll likely be given a slap on the wrist at most. If they ignore the law or do some obvious half assed attempt to comply and thousands of Mississippi users are still using their site and they get reported, it's far less likely that a judge will be lenient.

Also "operate in or leave" doesn't make a lick of sense on THE INTERNET

it is like age verifying current generic access to the Internet. Sure, we'll come to this too (the anti-utopias aren't fiction, it is future :), yet we still don't verify such a generic access because it isn't the time yet, the society isn't yet totalitarian enough.

As a preview - in Russia (i'm less familiar with China to comment on it) they do already attack VPN by making it illegal to advertise it, something like this.

Oregon merchants are not required to collect sales tax for any other jurisdictions outside of Oregon. And they don’t, any non Oregonian can go to any merchant in Oregon right now, and you will be charged the same as any other customer who lives in Oregon.

Also, it was never a loophole to buy things in Oregon to evade sales tax. All states with sales tax require their residents to remit use tax for any items brought into the state to make up the difference for any sales tax that would have been paid had it been purchased in their home state.

The situation petcat described is tax evasion (illegal, since use tax is due in lieu of paying sales tax at point of purchase, assuming item is brought back to home state).

Tax avoidance is simply minimizing tax liability, completely legal.

That would allow you, perhaps, to sue people from MS that used your site for violating the ToS (though, "some idiotic courts have ruled" does not mean "the courts which actually create binding precedent over those that would adjudicate your case have ruled...", so, be careful even there.) But that doesn't actually mean that, if someone from MS used your site and you took no further steps to prevent it you would not be liable to the extent that you did not comply with the age verification law.

> There’s precedent for saying that’s unauthorized access, so the feds (not the state; “Interstate Commerce Clause” and all that) should prosecute the visitor for violating my ToS.

Most things in interstate commerce, except where the feds have specifically excluded the states, are both federal and state jurisdiction, but neither the feds nor the state are obligated, even if applicable law exists which allows them to, to prosecute anyone for violating your ToS. You can (civilly) attempt to do so if you are bothered by it.

I run a geolocation service, and over the years we've seen more and more ISPs providing official geofeeds. The majority of medium-large ISPs in the US now provide a geofeed, for example. But there's still an ongoing problem in geofeeds being up-to-date, and users being assigned to a correct 'pool' etc.

Mobile IPs are similar but are still certainly the most difficult (relative lack of geofeeds or other accurate data across providers)

Most areas of governance usually give years of preparation ahead of anything actually being enforced. This is so short-sighted.

Websites don't have to be a business or be related to one.

Might as well be the slogan of the current era

I think it's going to happen one way or another and the most peaceful way to do it would be sooner rather than later.

But the law was signed over a year ago[1]? The recent development was that the injunction blocking the bill from being implemented got struck down. I'm not sure what you'd expected here, that the courts delay lifting the injunction because of the sites that didn't bother complying with the law, because they thought they'd prevail in court?

[1] https://legiscan.com/MS/bill/HB1126/2024

What would you have preferred? Of course you'd prefer if the law never existed in the first place, but I don't see having a third party auditor verify compliance is any worse than say, letting the government audit it. We don't think it's "regulatory capture" to let private firms audit companies' books, for instance.

Calling geoip databases "surveillance capitalism" seems like a stretch. It might be used by "surveillance capitalism", but you don't really have to surveil people to build a geoip database, only scrape RIR allocation records (all public, btw) and BGP routes, do ping tests, and parse geofeeds provided by providers. None of that is "surveillance capitalism" in any meaningful sense.

Source: am from St. Louis.

AFAIK it's not that Oregon changed anything, either. It's that Washington passed additional laws that require out-of-state merchants to collect the tax when selling to customers in WA, and said out-of-state merchants complied.

I leave my home computer network open to the public and now suddenly I'm liable to some random jurisdiction around the world because someone in that location decides to call my computer?

China's GFW seems benign in comparison

The free tier does have limits on the number of API calls can you can make. But the good news is you don't have to use their API. You can download the database [1] and do all the lookups locally without having to worry about going over their API limits.

It consists of 10 CSV files and is about 45 MB compressed, 380 MB uncompressed. For just identifying US states from IP address you just need 3 of the CSV files: a 207 MB file of IPv4 address information, a 120 MB file for IPv6, and a 6.7 MB file that lets you lookup by an ID that you find in one of the first two the information about the IP address location including state.

It's easy to write a script to turn this into an SQL database that just contains IP ranges and the corresponding state and then use that with sqlite or whatever network database you use internally from any of your stuff that needs this information.

If you don't actually need Geo IP in general and are only adding it in order to block specific states you can easily omit IPs that are not mapped to those states which would make it pretty small. The database has 3.4 million IPv4 address ranges, but only 5 359 of them are listed as being in Mississippi. There are 1.8 million address ranges in the IPv6 file, and 3 946 of them are listed as being in Mississippi.

Here's how to get the Mississippi ranges from the command line, although this is kind of slow--the 3rd line took 7.5 minutes on my M2 Mac Studio and the 4th took almost 4 minutes. A proper script or program would be a lot faster.

  grep ,MS,Mississippi, GeoLite2-City-Locations-en.csv | cut -d , -f 1 > 1
  sed -e s/^/,/ -e s/$/,/ < 1 > 2
  grep -f 2 GeoLite2-City-Blocks-IPv4.csv | cut -d , -f 1 > MS-IP4.txt
  grep -f 2 GeoLite2-City-Blocks-IPv6.csv | cut -d , -f 1 > MS-IP6.txt

  [1] URL=https://download.maxmind.com/geoip/databases/GeoLite2-City/download?suffix=tar.gz
      curl -L -u userid:license_key $URL > db.tar.gz

I suppose this is what confused me then, as it seemed obvious that e.g. the Facebook reccomendation algorithm isn't speech, so if a social media site would be considered speech it would be due to the user content. Section 230 doesn't in any way supercede the constitution, but it does clarify which party is doing the speech and thus where the first ammendment would apply.

So if someone is making money off of it it's suddenly "surveillance capitalism"? What makes it more or less "surveillance capitalism" compared to aws selling cloudfront to some ad company?

Moreover you can do better than area level code granularity. When landlines were more common and local number portability wasn't really a thing, can look at the CO number (second group) to figure out which town or neighborhood a phone number was from. Even if this was all information you could theoretically determine yourself, I'm sure there are companies that package up the data in a nice database for companies to use. In that case is that "surveillance capitalism"? Where's the "surveillance" aspect? It's not like you need to stalk anyone to figure out where a CO is located. That was just a property of the phone network.

>GeoIP databases are much higher resolution and use active scanning methods like ping timing. If a company was spam calling me to estimate distance based on call connection lag, yes that would be surveillance capitalism.

Why is the fact it's "active" or not a relevant factor in determining whether it's "surveillance capitalism" or not? Moreover spam calling people might be bad for other reasons, but it's not exactly "surveillance".

No, it immunizes certain parties from being held automatically liable (without separate proof that they knew of the content, as applies to mere distributors [0]), the "publisher or speaker" standard being the standard for such liability (known as publisher liability.)

It doesn't "clarify" (or have any bearing on) where the First Amendment would apply. (In fact, its only relevant when the First Amendment protection doesn't apply, since otherwise there would be no liability to address.)

[0] subsequent case law has also held that Section 230 has the effect of also insulating the parties it covers against distributor liability where that would otherwise apply, as well, but the language of the law was deliberately targeted at the basis for publisher liability.

it's regulatory capture if a cartel of ID verification companies are lobbying for specific requirements that lock out upstart competitors.

At some point it makes more sense to pass such a law at the federal level since we end up there eventually either way.

Setting aside the problem with pinging home IPs (most home routers have ICMP echo requests disabled), your definition of "systematic observation" seems very flimsy. Is monitoring the global BGP routing table "systematic observation"? What about scraping RIR records? How is sending ICMP echo requests and observing the response times meaningfully similar to what google et al are doing? I doubt many people are upset about google "systematically observing"... the contents of books (for google books), or the layout of cities (for google maps, ignoring streetview). They're upset about google building dossiers on people. Observing the locations of groups of IP addresses (I'm not aware of any geoip products that can deanonymize specific IP addresses) seems very divorced from that, such that any attempts at equating the two because "systematic observation" is non-nonsensical.

> They're upset about google building dossiers on people.

Their location being in that dossier is part of what upsets people.

Expecting laws to instead propagate from neighbor to neighbor as I accidentally suggested—this wasn’t what I meant to suggest, but in defense of the idea:

> At some point it makes more sense to pass such a law at the federal level since we end up there eventually either way.

I do think there still could be some value. Laws could propagate across states that are more receptive to them, and then people can see if they work or not. Porting Masshealth to the whole country at once seems to have been a little bumpy. If it has instead been rolled out to the rest of New England, NY, then down to Pennsylvania… might have gone a little smoother.

Except I'm not aware of any geoip databases that operate on a per-IP level. It's way too noisy, given that basically everyone uses dynamic IP addresses. At best you can figure out a given /24 is used by a given ISP to cover a certain neighborhood, not that 1.2.3.4 belongs is John Smith or 742 Evergreen Terrace.

Indeed. It has far more than that. The US is astonishingly diverse.

>A blog is speech, but I wouldn't say that deciding to operate a social media site is speech.

very incurious/very unhacker

If anything, communications between Mississippi and California would be interstate commerce and would thus fall under federal legal jurisdiction.

I appreciate that not all modern post 1776 democracies are the same, but in Australia, whose constitution was informed hugely by the US constitution, Federal communications law takes supremacy over states, and states laws cannot constrain trade between the states. There are exceptions, but you'd be in court. "trade" includes communications.

So ultimately, isn't this heading to the FCC, and a state-vs-federal law consideration?

-Not that it means a good outcome. With the current supreme court, who knows?

______

* See UDHR articles 12, 18, 19, and 20. This is not an issue limited to the provincial laws of one small country.

† Unless the site operators also use of the site, in which case they too do suffer it; this is in my experience virtually always the case with the noncommercial sites that it is most important to protect.

Please don't comment like this on HN. We need everyone to avoid ideological flamebait and unkind swipes. Please take a moment to read the guidelines and make an effort to observe them in future.

https://news.ycombinator.com/newsguidelines.html

In his concurring opinion, Justice Kavanaugh said it was likely unconstitutional (but apparently not obviously enough to enjoin it) [1]. So it's going into effect, then the lawsuit follows.

Similar laws in California, Arkansas and Ohio were all found unconstitutional, so I am hopeful. That said, these were all district court decisions, and all of them are being appealed. When they lose on appeal, they go to the Supreme Court for (hopefully) the final smack-down.

Interestingly, reading the summary MS HB1126 [2], this law is doing two things. It regulates companies and defines crimes.

States are allowed to set their own criminal codes. If Mississippi drops the mandate part and passes a new law that simply defines certain things as crimes with corresponding penalties, that law would probably be constitutional.

[1] https://www.supremecourt.gov/opinions/24pdf/25a97_5h25.pdf

[2] https://legiscan.com/MS/bill/HB1126/2024

Personally I'd say none at all, unless the government itself provides it as a free service, takes on all the liability, and makes it simple to use.

It also defines personally identifiable information as including "pseudonymous information when the information is used by a controller or processor in conjunction with additional information that reasonably links the information to an identified or identifiable individual." But it doesn't specify what it means by 'controller' or 'processor' either.

If a hobbyist just sets up a forum site, with no payment processor and no identified or identifiable information required, it would seem reasonable that the law should not apply. But I'm not a lawyer.

Clearly, however, attempting to comply with the law just in case, by requiring ID, would however then make it applicable, since that is personally identifiable information.

Welcome back to the 90s and the PGP, Clipper chip, warez, and DeCSS days.

At some point, they will have outlawed enough things that most people want, that most people will become outlaws.

If I run a server in Utah primarily for myself, and you as a Californian happen to stumble upon it, should I have to abide by California privacy laws?

We've let states set their own "internet services" taxes, making selling anything online in the US a regulatory nightmare. A third-party vendor to manage (and keep up with) the tax laws to stay compliant is basically required for anyone selling online, or risk the wrath of various state tax bodies.

I was totally ready to consider blocking US IP ranges too, if there was a good reason. I run a small business and 0% of my customers are overseas.

* The First Amendment generally prohibits the government from enacting any laws or regulations that limit speech based on its content (anything you might reasonably call "moderation" would definitely fall into this category!).

* Private companies are not the government. Social media networks are therefore not obligated to follow the First Amendment. (Although there is a decent argument that Trump's social media network is a state actor here and is therefore constitutionally unable to, say, ban anybody from the network.)

* Recommendation algorithms of social media networks are protected speech of those companies. The government cannot generally enact a law that regulate these algorithms, and several courts have already struck down laws that attempted to do so.

* §230 means that user-generated speech is not treated as speech of these companies. This prevents you from winning a suit against them for hosting speech you think injures you (think things like defamation).

* §230 also eliminates the liability of these companies for their moderation or lack thereof.

There remains the interesting question as to whether or not companies can be held liable via their own speech that occurs as a result of the recommendation algorithms of user-generated content. This is somewhat difficult to see litigated because it seems everybody who tries to do a challenge case here instead tries to argue that §230 in its entirety is somehow wrong, and the court rather bluntly telling them that they're only interested in the narrow question doesn't seem to be able to get them to change tactics. (See e.g. the recent SCOTUS case which was thrown out essentially for this reason rather than deciding the question).

Also there is no need to spend time parsing it yourself, there are plenty of existing libraries you can simply point at the file.

People who are not “the speaker or publisher” for liability purposes have Constitutional first amendment free speech rights in their decision to interact with content, this includes distributors, consumers, people who otherwise have all the characteristics of a “speaker of publisher” but are statutorily relieved of liability as one so as to enable them to make certain editorial decisions over use generated content without instantly becoming fully liable for every bit of that content, etc., yeah.

And arguing the alternative is you making the exact inversion of statute and Constitution I predicted and which you denied, that is, thinking Section 230 could remove First Amendment coverage from something it would have covered without that enactment.

...and then the lawyers profit.

Excluding "identity theft".

How is it not? Most "normal" surveillance works the same way - you look up public records for the person you're going after, cross-reference them against each other somehow, and eventually find enough dirt on them or give up. This is surveillance, and it's being done by and in the interests of capitalism.

Now, buying a fancy computer or something... but a car?

The 20 min further south than you I live costs me over $30k/year.

When I get the time, I'll be hosting a site from my closet that allows anything short of csam and I will reject states like MS and TX. My final act will be to die. But I don't much want to live.

> Personally I'd say none at all, unless the government itself provides it as a free service, takes on all the liability, and makes it simple to use.

1. There are many commercial services that do identity verification. There are many other commercial websites that have tools to do identity verification themselves. There are industry published best practices for these types of activities. All of these are evidence that you could use to demonstrate how you are making a commercially reasonable effort.

2. It's completely irrelevant whether you consider your website "commercial" or not. The law defines which websites it applies to, based on the activities they engage in.

https://law.justia.com/codes/mississippi/title-45/chapter-38...

3. Since when does the government have to give you compliance tools for free in order to require something of you? This isn't the standard for anything anywhere. Compliance with the law is often quite expensive. Honestly, buying an identity verification service is pretty cheap in the spectrum of compliance costs.

> If a hobbyist just sets up a forum site, with no payment processor and no identified or identifiable information required, it would seem reasonable that the law should not apply. But I'm not a lawyer.

You don't have to guess whether or not this is reasonable or not. If you read the law, you'll see that it says it only applies to sites that collect personally identifiable information.

From the above link, again:

> "Digital service" means a website, an application, a program, or software that collects or processes personal identifying information with Internet connectivity.

> "Personal identifying information" means any information, including sensitive information, that is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous information when the information is used by a controller or processor in conjunction with additional information that reasonably links the information to an identified or identifiable individual. The term does not include deidentified information or publicly available information.

Except for very specific things that are forbidden to the states in Art. I Sec. 10, or where Congress has specifically closed off state action in its own actions under the Interstate Commerce Clause, states retain the ability to regulate commerce in manners that impact interstate commerce so long as they do not discriminate against interestate commerce compared to in-state commerce in such regulations.

> should I have to abide by California privacy laws?

It seems these are the conditions:

As of January 1, 2023, your business must comply with both the CCPA and the CPRA if you do business in California and meet any one of the following conditions:

* Earned $25 million in gross annual revenue as of January 1 from the previous calendar year

* Annually buys, sells, or shares the personal information of 100,000 or more California consumers or households

* Derived 50% or more of your gross annual revenue from the selling or sharing of personal information

Also lots of states have their own data privacy laws.

https://iapp.org/media/pdf/resource_center/State_Comp_Privac...

And yes, in this particular circumstance for this specific law as currently written a private blog doing it's own normal things probably wouldn't infringe or be subject to these rules.

But what about a Utah focused social media site that does have $25M in revenue? It's not trying to court California users. Why should they have to be liable to laws in a state they never intended to do business in? It's these Californians leaving California to interact with an org across state lines. Whatever happened to state sovereignty? Should an Oklahoman be required to buy only 3.2% beer in Texas as well or have some Texas beer and wine shop face the wrath of Oklahoma courts for serving an Okie some real beer?

Where did that web transaction actually happen? On the client or on the server? Where did the data actually get stored and processed?

IMO we're past the time of patchwork laws. The social experiment of figuring out what makes some sense is largely over at least for the basics. It's time for real federal privacy laws to make a real, enforceable nationwide policy.

If you have a competitor, you can hire a bunch of Mississippians to access their website by VPN, collect evidence of them doing so, and then report them to have the shit fined out of them. It will pierce their corporate veil and leave them personally bankrupted, ending their website.

States have limits to what things they define as crimes. Defining certain type of trade to be criminal is regulating trade. And regulating interstate trade is reserved for Congress. Yet, many state laws criminalize some commerce, and case law has expanded interstate commerce to often include sales where the buyer, seller, and manufacturer are all in the same state... consistency is not a strength of our system.

Phone number assignments are mostly public, you don't really need to pay for this information, but there are certainly those who will sell it to you.

Of course, phone numbers don't really tie you to a rate center anymore, but a rate center is often much more geographically specific than an address for a large ISP. What I've seen near me, is a rate center often ties the number to a specific community. Larger cities often have several rate centers, smaller cities may have their own or several small cities may have one. Of course, phone company wiring tends to ignore municipal boundaries.

On the other hand, most large ISPs tend to use a single IP pool for a metro area. Not all large providers do it that way, of course, and larger metro areas may be subdivided. You can't really ping time your way to better data there either, most of the last mile technology adds enough latency that you can't tell if the customer is near the aggregation point or far.

Did your lawyer review this? Because you just committed a felony.

I haven't seen it as much in WA, but I used to see a lot of Oregon plates on new vehicles in Northern California where I had reason to believe the driver was a resident of CA. I do know someone who was pulled over for driving like a Californian while having out of state plates, so there's some enforcement that way anyhow. (Changed several lanes from the fast lane to the exiting lane in a continuous motion)

I understand it used to be possible to show ID in store and have sales tax not be applied, but now you need to submit receipts and etc.

> It's not trying to court California users.

The point that is being made, is that even a site generally designed and expected to be used by Utah citizens can become liable to Californian law because a Californian created an account.

You don’t need to know all the laws of Mississippi to serve such customer, or any laws from anywhere else other than Italy.

It's an uniquely American thing (Canada does it too, but access is regulated much more tightly).

This one[2] I could get reliable results from for free, but it seems to be "under maintenance" right now. Twillio just offers it as a service at 1 cent per number.

[1] https://en.wikipedia.org/wiki/CNAM [2] https://www.sent.dm/resources/phone-lookup

At least in some cases, e.g. when multiple devices that are logged into their respective Google accounts are using that IP, and Google knows what location those usually reside at when together.

I've had Google pop up reliable location results for me, to the granularity of a small town, even if they had no information about me specifically to help them deduce this. It doesn't always happen though.

This is mostly because of how APNs / G-GNS / P-GW systems work. E.G. you may have an APN that puts you straight in a corporate network, and the mobile network needs you to keep using that APN when roaming. This is why your roaming IP is usually in the country you're from, not the one you're currently in.

I've heard of local breakout being possible, but never actually seen it in practice.

If I operate a healthcare facility in New Mexico and a Texan comes in asking an addition, should I be liable to Texas abortion laws? Should they be held liable for an abortion that happened out of the state?

Capitalism at its best. We have a definite problem with over-regulation and a judicial system that isn't coping nor keeping up. Capitalism, instead of fixing the problem, makes a business model out of it.

Capitalism: Why fix it when you can make money of it.

And if you don't do business in the US there is only so much the US can do. Most importantly it can ask ISPs in the US to block your site. As they do for copyright infringement routinely.

We have all accepted that our countries block copyright violations originating from outside their jurisdiction.

But of course this is a disaster for the free internet. While copyright laws are relatively uniform world wide, so if you respect it locally you're probably mostly fine everywhere, incoming regulation like age verification and limits on social media use, or harassment stuff, is anything but uniform.

To some degree this is also maybe more shocking to people in the US, as the US norms have de facto been the internets norms so far. It is, in any case, not entirely new:

"When Germany came after BME for "endangering the youth" and demanded that I make changes to the site to comply with German law, my response was to simply not visit Germany again (and I'm a German citizen). When the US started to pressure us, we moved all of our servers and presence out of the country and backed off on plans to live in the US. No changes were ever made to the site, and no images were ever removed — if anything, the pressure made me push those areas even more."

https://en.m.wikipedia.org/wiki/BMEzine

How do we deal with the fact that we don't have a global mechanism for agreeing (socially and legally) on necessary regulations, whilemaintaining the social good that is a truly global internet?

And if the police has reason to suspect that there is illegal gambling happening at your dinner party they can obtain a warrant to bust your party.

Hell even if your party is to loud and annoys the neighbours the police can and will shut it down.

If social media sites are shut down but I am free to post my opinions on my personal blog site, how is my freedom of speech affected?

Did I not have freedom of speech before social media existed?

Is there an implication in freedom of speech that any speech facilitating service that can be offered must be allowed to operate? That's at least not obvious to me.

I echo what others said: There are good reasons to oppose all this, but blanket cries of "free speech" without any substance don't exactly help.

With the internet it's a lot less clear cut. The user is requesting data from Italy, maybe, but is located in another jurisdiction. Add Cloudflare and the data might even be served from the US by a US company you asked to serve your illegal data.

It's becoming a shit show and is breaking up the global internet.

451 - Blocked for legal reasons.

In some cases this arises in US Constitutional law as the freedom of other people to seek and encounter the speech, though I'm not sure if there's a formal name for the idea. (e.g. "Freedom of Hearing".)

So, I'm genuinely curious about this. Does the US not require any kind of territorial nexus in order for a jurisdiction's laws to apply to an individual? Can Texas criminalise abortions in New York, by New Yorkers, for New Yorkers? This seems very unlikely to me.

Under private international law, very generally speaking, you tend to require a nexus of some kind (otherwise, we'd all be breaking Uzbekistani laws constantly). I assume there must exist some kind of nexus requirement in US federal constitutional law too.

Assuming you have no presence, staff, offices, or users in a state, and you expressly ban that state in your T&C, why would that state's laws apply to you at all? You're not providing any services from or to that state, and in as far they can open your landing page, that's sort of like saying they can call your phone number. And in the absence of that state's laws applying at all, would not any requirements about geoblocking etc that may exist in those laws be moot?

(Usual risk calculus would seem to apply re over-zealous state prosecutors, etc.)

The former is literally the real legal system, nothing shadow about it. Shadow would be some hidden deal to drop charges or something.

It's also not DDOS when a huge part of what you call "real" is exactly the same, so not unwillingly overloaded but willingly complicit.

Since you can't really block all state IPs, but also since prosecution isn't bound by honesty, this retaliatory risk doesn't decrease much (though hard to assess precisely).

They can order overflights to land to arrest you, if they so desire. They can also block you from the more-or-less all legitimate commerce globally with sanctions. And if they really don't like you, they can kill you without due process.

All of which the US has done to undesirables over the years, and can do again without any controls or checks or balances, to anyone globally.

At this point, I almost welcome all these laws. The more they restrict us, the more potential felons, but they can't fine and put us all in jail, no? Chronic over-legislation will crush from its own weight.

That said, like the saying of markets staying irrational longer than people can afford to, the realistic outcome is that bureaucracy will survive longer than a functioning society. Legislation will continue until morale improves.

> It should also be based on good faith

Setting the wishes aside, it isn't, the judges easily act in bad faith when it suits them, so this also doesn't explain much.

Neither is it "designed" to take bad faith at face value, again, to be specific - just read the Supreme Court case about this law. The flood/design explain nothing: it would've been just as easy to block the implementation of what the court itself says is an unconstitutional law (see, no "good faith" basis required) and then don't even review it fully because the court has no time (see, the flood can flow in either direction)...

It's just wrong and it breaks the internet. We had it so good for so little.

Ideally, yes. I think the reality however will be that most "perpetrators" will be ignored, and anything else will be easy wins and collateral damage to small site operators that these regulators to happen to notice.

You can't have it both ways. Tech oligarchy is just another road to fascism city.

https://en.wikipedia.org/wiki/Telephone_directory

https://www.supremecourt.gov/opinions/17pdf/17-494_j4el.pdf

https://en.wikipedia.org/wiki/South_Dakota_v._Wayfair,_Inc.

Prior to this ruling, if you were a merchant in state A and you mailed something to someone in State B, you were not considered to have an economic nexus in state B, and hence state B had no jurisdiction over you to enforce sales tax collection.

Previous definitions of economic nexus involved having physical buildings or employees operating within a jurisdiction's boundaries.

South Dakota v Wayfair said that mailing something to a customer established economic nexus in the customer's jurisdiction, hence the merchant now has to register as a business in the customer's jurisdiction and collect applicable sales taxes and follow all the laws of that jurisdiction.

The whole ruling is weird though, because the justification came down to it's messing up the order of things, and since Congress can't be bothered to fix it with legislation, the Courts have to make up stuff to prolong the status quo.

No, this is literally a "both sides" issue. Lawfare is not new. See the continuous legal battles over the second amendment in states like NY, NJ, and CA.

Anyway find a reason to live, unless you're objectively suffering there's quite a few

No cities are on fire and there aren't raiding parties crossing the border.

What makes you think the statute is "unconstitutional?" The Supreme Court hasn't tackled the issue directly, but it upheld a law requiring libraries to install blocking software to restrict access to websites for children: https://en.wikipedia.org/wiki/United_States_v._American_Libr.... Remember that, prior to the reinterpretation of the First Amendment in the mid-20th century, the "obscenity" carve-out was broad enough to outright ban things like pornography, much less allowing access to children.

That said, I suspect that the law is probably unconstitutional, insofar as it's targets at a type of speech (social media) that doesn't fall within any of the traditional exceptions. I don't think the "under 18" rationale holds when you're talking about content that traditionally hasn't been prohibited to children.

Regardless, this isn't an instance of the state blatantly violating some clear Supreme Court precedent. (And even that's okay if you have a good-faith basis for challenging the precedent! That's how impact litigation often works.)

Trump is winning most of these fights in the appellate courts and the Supreme Court. Activist groups are flooding the system with a bunch of weak cases, getting weak, poorly reasoned district court rulings, then getting overturned on appeal.

> Two other judges, John Higgitt and Llinét Rosado, said James had the authority to bring the case but argued for giving Trump a new trial. And the fifth judge, Justice David Friedman, argued to throw out the case, saying James lacked the authority to bring it.

> Activist groups are flooding the system with a bunch of weak cases, getting weak, poorly reasoned district court rulings, then getting overturned on appeal.

Trump's > 90% success rate at the Supreme Court should be read as an indictment of the Supreme Court, not of the lower courts.

Sounds more like a... Confederation? of states. Or maybe... a Confederacy?

You have conceded that sites with user-generated content should be age restricted. The question for the court is if a state can pass a law making that requirement.

More like: look at the EU, extrapolate how it would look after a little more unification, and then take advantage of the fact that we’re made up of small states already that can group ourselves up as fits. Germany and France seem all-right, so we should organize ourselves into Germany and France size units.

Individuals are not meant to keep track, they're meant to leave the ecosystem. These types of bills are the end product of the process of regulatory capture by the corpos.

Corpos create centralized watering holes that are magnets for social problems, offering low effort service and very little accountability for early users. Corpos then nurture these uses because they drive engagement, and at the early stage any usage is good usage. When the wider public catches on and starts complaining, corpos then cast it as outside meddling and reject addressing the problems they're facilitating, as curation at scale would cost too much. Corpos then become a straightforwardly legible target for politicians to assert control over, demanding some kind of regulation of the problem. Corpos then lobby to make sure such laws are compatible with their business - like simply having to hire more bureaucrats to do compliance (which is the sine-qua-non of a corpo, in the first place). The last few steps can repeat a few cycles as legislation fails to work. But however long it takes, independent individual hosters/users are always left out of those discussions - being shunned by the politicians (individuals are hard to regulate at scale) and the corpos (individuals turn into startups, ie competition). Rinse and repeat.

The reason a democrat would be involved in such prosecution is because every GOP member has effectively sworn fealty to Trump and they will fiercely protect him from any accountability.

Biden was many things, but not corrupt in the sense that Trump is. Yes, his son did business trading on his relationship but that was legal (albeit distasteful).

Most dem voters dislike corruption, even if it's one of their team; I don't see that on the other side of the aisle. Disclaimer: I am not a dem.

Isn't that the crux of the matter? You have a (crypto)billionaire president using his presidential powers and personal wealth to start frivolous lawsuit to shut down his opponents. If that doesn't worry you I really don't know what to tell you.

In your mind, are these all filled with people who look the same, sound the same, practice the same religion, immigrated from the same place?

I feel like you are unfamiliar with who you are replying to. That doesn't make it any less amusing.

Yes.

> If so, I'd expect them to understand that recent decisions such as Trump v. Casa and McMahon v. New York are pretty flimsy.

That's what makes it extra interesting.

If you're talking about the criminal case, it's even worse, as CNN's chief legal correspondent explained: https://nymag.com/intelligencer/article/trump-was-convicted-... ("Most importantly, the DA's charges against Trump push the outer boundaries of the law and due process."). Or, as an MSNBC legal columnist explained: https://www.msnbc.com/opinion/msnbc-opinion/trump-guilty-hus... ("Most DAs wouldn’t have pursued this case against Trump. Alvin Bragg got lucky. Let’s be honest with each other. Manhattan District Attorney Alvin Bragg’s case against former President Donald Trump was convoluted.").

You could write an entire Harvard law review issue about the novel legal issues raised by the Trump criminal case: Can a state crime be predicted on an uncharged federal campaign finance violation? can someone violate campaign finance law--which is focused on preventing candidates from misusing donated funds--by using their own money to pay off a porn star? Can you bootstrap a misdemeanor into a felony through a triple-bank-shot involving an uncharged secondary crime and a choice of three possible tertiary crimes? When you prosecute someone for a business records misdemeanor, but almost all the allegedly bad conduct relates to unspecified secondary and tertiary crimes, how do you instruct the jury? When you give the jury three different options of uncharged tertiary crimes to support the uncharged secondary crime, which in turn supports the charged primary crime, on what points must the jury reach a unanimous decision?

Google's and Apple's "Double Irish with a Dutch Sandwich" was a more straightforward legal theory than the Trump criminal case.

It isn't, and it isn't designed to be based on good faith or good faith actors.

Be careful what you put in that menu.

I am not sure that I have ever encountered anyone confused in the way you describe either...

The current legal reality is a shitshow but I don't think that's inherent to the situation itself. gTLDs and foreign hosting services certainly complicate things, but then so does choosing to (physically) import supplies from abroad. I'm not convinced there's a real issue there at least in theory.

I think that a single "common carrier" type treaty unambiguously placing all burden on the speaker and absolving any liability arising from jurisdictional differences would likely fix 90% of the current issues. If I visit a foreign run site and lie about my country of residence in order to access material that isn't legal where I reside the only liable party in that scenario should be me.

there are many many resources online you can find on the matter

Shutting down a notebook factory for dodging sales tax is not a violation of the rights of would-be purchasers.

If you actually sell things to Californians that's different. At that point, yeah, I think you _should_ be subject to California law. You're doing the equivalent of mail order business with a resident after all.

Contract law requires many things, including "a meeting of minds"; that does not imply that all civil lawsuits and criminal hearings require "a meeting of minds".

See https://en.wikipedia.org/wiki/Good_faith_(law)

There are many resources online you can find on the matter.

You’ve come up with more reasons not to split up the country, by pointing out some ways the other parts of the country might have trouble.

I think (correct me if I’m wrong) you disagree with the partisan jab at the end, not the actual line of argument.

That is false, and the wiki paragraph does not say that

https://www.law.cornell.edu/rules/frcp/rule_11

> quite distinct from criminal law.

Trumps frivolous lawsuits have been civil matters, which is obviouos because private persons do not file criminal lawsuits, prosecutors do that.

I wasn't thinking carefully enough because I've grown accustomed to such lines of argument being simultaneously partisan and irrelevant.

  1. Trump is the epitome of a corrupt pol and has pretty much gotten away with everything his entire life.
  2. Prosecuting him was not in the form of of attacking a rival, it was addressing issue #1
  3. If the roles were reversed and this was Biden we were talking about, most dem voters would still be for prosecution of blatant corruption. The magic of Trump is that his supporters (which apparently you are one of) are fine with him doing anything he wants, up to and including shooting someone on Fifth Ave

Sure, but it is quite common for companies offering database access to offer that via an API to query the database on their server rather than letting customers download the whole database for local use.

It thus seemed worthwhile to make it clear that MaxMind does let you download the whole database.

As far as libraries go sure that's a possibility. But for people who just need a simple IP to country or IP to US state lookup and need that from a variety of languages it may be overall less annoying to make your own DB from the CSV files that just handles what you need and nothing more.

I've already got libraries for sqlite, MySQL, or both for every language I use where I need to do these lookups, and almost all the applications that need these lookups are already connecting to our databases. Add an IPv4_to_Country table to that database (that they are already using) and then it just a matter of doing a "select country_code from IPv4_to_Country where ip_low <= ? and ? <= ip_high" with the two '?'s replaced with the IP address we want to lookup, probably using a DB handle they already have open.

Many would find that a lot easier than adding a dependency on a 3rd party GeoIP library. Beside it being one more thing on each machine that needs periodic updating (or rather N more if you are working in N different languages on that machine), I believe that most of these libraries require you to have a copy of the download database on the local machine, so that's another thing you have to keep up to date on every server.

With the "make your own simple SQL DB" approach you just have to keep an up to date download from MaxMind on the machine that builds your SQL DB. After building the SQL DB you then just have to upload it to your one network DB server (e.g., your MySQL server) and all your apps that query that DB are up to date no matter what server they are on or what language they are in.

If you are building an sqlite DB for some of your apps, you do have to copy that to all the servers that contain such apps, so you don't totally escape having to do updates on those machines.

If making the SQL DB were hard then maybe reducing dependencies and reducing the number of things that need updates might not be worth it, but the CSV files are organized very sensibly. The scripts to make the SQL DBs are close to trivial if you've got a decent CSV parser in the language you are writing them in.

Another example is the Mackey case, where the appeals court unanimously overturned the entire conviction, attacking both the legal reasoning and the evidence underlying the entire case. It’s pretty clear the whole thing was cooked up to “get” an influential pro-Trump Twitter user. See: https://ww3.ca2.uscourts.gov/decisions/isysquery/5d7bf858-ff...