Lately I have been using a VPN service. Using a VPN for daily browsing has many advantages. If you are not already using one, please give it a try. A great feature that comes with browsing through a VPN is that websites are fooled into believing that you reside in a different country than the one you actually do. Unfortunately, this is the root of many problems, as it seems that many websites contain services that function based on the user’s country. This matching is performed using the user’s IP address, which changes when browsing through a VPN. For the purposes of this article, these types of services will be called “location oriented services”.
Types of location oriented services and security
Normally, location oriented services should include types of services that are complementary to a web site’s functionality (e.g. advertisements). However, a lot of sites use the user’s location to apply security practices. For example, PayPal or Facebook, when accessed from a different location than usual, might request you to confirm your real identity (i.e. by requesting a password change).
From a security point of view, switching country practically means nothing, even if it is done every 2 seconds. People travel all the time; others use a corporate VPN service every day to work remotely, while others use a VPN for anonymity. Therefore, people may appear to be in a different country than the one they reside in for a number of legitimate reasons. Consequently, applying security practices based on the switching of countries is a clear confession of failure. Web sites should not depend on the user’s location in order to draw any kind of conclusion.
A better approach
A case where location oriented services have a useful application is language auto-selection in multilingual websites. To do this, either the IP approach (as described previously) or an alternative approach can be followed. The alternative is to use the “Accept-Language” HTTP header. The accepted languages can be set automatically by the OS or by the user, and the header is part of the HTTP protocol, which practically means that there is native support in all web programming languages.
Consequently, if the web site needs to provide location oriented services (except security), the “Accept-Language” header is the way to go.
A critical aspect of location oriented services that are based on the IP address is the matching of the user’s IP address to a country. Critical questions arise regarding the provider of this information, and whether sharing it is legal. Moreover, sharing this information should be part of the contract with the ISP and a fact that the user should be aware of. As this is a huge issue, it becomes a great candidate for a future article.
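As an added example (not code from the original article), here is one way a server could pick the page language from the “Accept-Language” header instead of from the IP address, so a visitor behind a VPN still gets their own language. The supported-language list, the default and the function names are assumptions for a hypothetical multilingual site.

```python
# Added example: negotiate a page language from the Accept-Language header.
# SUPPORTED and DEFAULT are assumptions for a hypothetical multilingual site.
SUPPORTED = ("en", "el", "de", "pt-br")
DEFAULT = "en"
MAX_HEADER_LEN = 1024  # the header is client-controlled input; bound the work


def parse_accept_language(header):
    """Return [(tag, q)] sorted by descending q; malformed items are skipped."""
    prefs = []
    for position, item in enumerate(header[:MAX_HEADER_LEN].split(",")):
        tag, _, params = item.strip().partition(";")
        tag = tag.strip().lower()
        # Accept only characters that can appear in a language tag or "*".
        if not tag or not all(c.isalnum() or c in "-*" for c in tag):
            continue
        q = 1.0  # a missing q parameter means full preference
        for param in params.split(";"):
            name, _, value = param.strip().partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0  # unparsable weight: treat as "not acceptable"
        if 0.0 < q <= 1.0:  # q=0 (and NaN/inf) entries are dropped
            prefs.append((tag, q, position))
    prefs.sort(key=lambda p: (-p[1], p[2]))  # ties keep header order
    return [(tag, q) for tag, q, _ in prefs]


def choose_language(header, supported=SUPPORTED, default=DEFAULT):
    """Pick the best supported language; the raw header is never echoed back."""
    for tag, _ in parse_accept_language(header or ""):
        if tag == "*":
            return default
        if tag in supported:
            return tag
        primary = tag.split("-")[0]
        if primary in supported:  # e.g. "el-gr" -> "el"
            return primary
        for candidate in supported:
            if candidate.split("-")[0] == primary:  # e.g. "pt" -> "pt-br"
                return candidate
    return default
```

The return value always comes from the site's own list, so a malformed or hostile header can only ever select the default.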
Instead of a conclusion, two things:
1. Use a VPN, it’s for your own good!
2. Resist sites that use your IP to detect your country and provide services based on that!
P.S. As a VPN provider, I have been using Private Internet Access for almost a year, and I am super happy with their services!