Kashmir Hill, Fusion:
[…] for the last 14 years, every time MaxMind’s database has been queried about the location of an IP address in the United States it can’t identify, it has spit out the default location of a spot two hours away from the geographic center of the country. This happens a lot: 5,000 companies rely on MaxMind’s IP mapping information, and in all, there are now over 600 million IP addresses associated with that default coordinate. If any of those IP addresses are used by a scammer, or a computer thief, or a suicidal person contacting a help line, MaxMind’s database places them at the same spot: 38.0000,-97.0000.
Which happens to be in the front yard of Joyce Taylor’s house.
This is a terrifying example of what bad software design and misleading advertising beget. MaxMind markets their IP geolocation software as their “most accurate information about the location of an IP address, pinpointing it to the zip or postal code level”. So I tried it with an off-the-cuff IP address. I figured that, with 600 million of the damn things all being mapped to MaxMind’s default, I stood a pretty good chance of eventually guessing one of those.
And, on my very first try, I did: an arbitrarily-typed 18.104.22.168 address turns out to be mapped to 38, –97. There is no indication — at least, not within their homepage demo — that this is a randomly-selected default location.
An intrepid software engineer making a product dependent on IP geolocation might look at the results and MaxMind’s marketing, and reasonably conclude that this is the actual mapped location of that IP address. An interface designer might wish to make the results page of this product a little more helpful to people who can’t locate coordinates in their heads — that’s most people, weirdo — so they might add a map. Their end user will see impressive-looking coordinates and a nice-looking map with a pin marking a specific location. At every stage, there is the impression that this result has been arrived at with a high level of precision. And Joyce Taylor takes the fallout.
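One way a downstream product could avoid passing a placeholder off as a pinpoint, as an added example that is not MaxMind's code or anything from the article: classify each lookup result before a map pin is ever drawn. The `accuracy_km` field, the 50 km threshold, the whole-degree heuristic and the sample addresses are assumptions; only the 38.0000,-97.0000 default comes from the text above.

```python
from dataclasses import dataclass
from typing import Optional

# The only default coordinate named in the article; extend per provider as needed.
KNOWN_DEFAULTS = {(38.0, -97.0): "US default for unresolved addresses"}
MAX_PIN_RADIUS_KM = 50  # assumed threshold for showing a pin at all


@dataclass
class GeoResult:
    ip: str
    lat: float
    lon: float
    accuracy_km: Optional[float] = None  # hypothetical field; None if not supplied


def classify(result: GeoResult) -> str:
    """Return 'placeholder', 'coarse' or 'point' for one lookup result."""
    if (round(result.lat, 4), round(result.lon, 4)) in KNOWN_DEFAULTS:
        return "placeholder"
    # Whole-degree coordinates hint at a rounded centroid, not a real fix.
    if result.lat == int(result.lat) and result.lon == int(result.lon):
        return "coarse"
    if result.accuracy_km is None or result.accuracy_km > MAX_PIN_RADIUS_KM:
        return "coarse"
    return "point"


def render(result: GeoResult) -> str:
    """Build the user-facing line; only 'point' results get full coordinates."""
    kind = classify(result)
    if kind == "placeholder":
        return f"{result.ip}: location unknown (provider default, no pin)"
    if kind == "coarse":
        return f"{result.ip}: approximate area near {result.lat:.1f},{result.lon:.1f} (no pin)"
    return f"{result.ip}: {result.lat:.4f},{result.lon:.4f} within {result.accuracy_km:.0f} km"


if __name__ == "__main__":
    # Constructed sample results using documentation-range addresses.
    samples = [
        GeoResult("192.0.2.1", 38.0, -97.0),
        GeoResult("198.51.100.7", 40.0, -100.0, 5),
        GeoResult("203.0.113.9", 39.7392, -104.9903, 10),
    ]
    for sample in samples:
        print(render(sample))
```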
Update: 600 million of anything is a hard amount to grasp. To put it in more manageable terms, think of it as approximately one in every seven IP addresses ever issued that are mapped by MaxMind to a single farm in Kansas, or approximately one in every three U.S. IP addresses. Nothing says “pinpoint” like a one-in-three shot of getting the answer completely wrong.