
Changes to accessing and using Geolite2 databases

172 points by anandchowdhary, over 5 years ago

18 comments

saurik, over 5 years ago
From CC BY SA 4.0: "No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits."

GeoLite2's new EULA "incorporate[s] into this Agreement by reference" specifically the CC BY SA 4.0 ("Creative Commons Corporation Attribution-ShareAlike 4.0 International License") with a statement that this EULA (as well as their data processing addendum DPA, privacy policy PP, and website terms of service WT) take precedence in case of conflict.

"This Agreement controls in the event of any conflict with the above-referenced documents. Thereafter, for any conflicts among the above 4 documents, the priority and precedence of interpretation is DPA, PP, WT and Creative Commons License."

The EULA then has a number of what are *literally* called "additional restrictions" (omg), which restrict (to summarize) 1) how you distribute it (with some kind of weird statement saying "where not inconsistent with the other terms of this Agreement, as in the Creative Commons License", which seems to invert the prioritization?! I don't know what to do with this...), 2) how you secure your distribution (which I guess precludes any ability to distribute the database along with an application? this is now only for backend use?), 3) that you will destroy old copies of the database (which is pretty egregious per CC BY SA, but I can appreciate this is likely the goal of this new EULA for CCPA compliance), and 4) that you won't send personal data to MaxMind (was anyone doing that before? ;P).

So, I don't understand the goal then with respect to "incorporat[ing] into this Agreement by reference" the CC BY SA if it is no longer a license agreement even remotely compatible with CC BY SA. Like, I was expecting this EULA to be an unrelated license, not some attempt to provide an awkwardly incompatible set of provisions. I now need to send this EULA off to my lawyer, who is probably going to come back with something like "we recommend you don't use this for any purpose unless we can get legal clarification".

nahikoa, over 5 years ago
Wait a minute, now that I've registered for Maxmind there is a *Do Not Sell My Personal Information Requests* page with the text:

*The following IP addresses are associated with valid 'Do Not Sell My Personal Information' requests as required by applicable privacy regulations, and have been removed from (or will be removed from the next releases of) the GeoIP2 and GeoLite2 databases. None of the IP addresses listed or contained within a listed network may be used for advertising or marketing purposes.*

If I had sent Maxmind a request for data removal, the last thing I would expect is that my IP address would be shared with any internet user who bothered to create a Maxmind account. Even if this page were removed, it might not be difficult to obtain the opted-out addresses by doing a diff between GeoIP2 free releases. Perhaps a search for narrow slivers of addresses removed that were previously in California?

Law of unintended consequences for CCPA? Bad implementation for CCPA compliance? What interesting things could be done with a publicly available list of opted-out IP addresses?

crazygringo, over 5 years ago
I'm glad this was posted here because I never would have heard about it otherwise, until one of my sites' monthly downloads would have broken.

But I still can't quite figure out if anything's changing technically except a new file location that requires an account to access, and new license terms -- or is there something else?

If someone requests a "do not sell" for their IP address that is in the middle of a range... is the range being split in 2, and skipping that address? Or are the ranges staying the same, and is there a separate "blacklist" of some kind that says, if the IP is any of these individual addresses, it's against the law to geolocate? And is that blacklist in the same file, or something to do with "we will... communicate all valid “Do Not Sell” requests to you as we receive them"?

Wish this post were both clearer, and that it had been announced at least a couple of months in advance, rather than less than 2 weeks before taking effect today. (Still, I can't complain too much -- it's free so I'm just glad the public databases exist at all.)

dsign, over 5 years ago
I'm not sure I understand how the logic of this works.

For those that don't know, GeoLite2 databases are for the most part prefix trees on IP address space, they *can* contain concrete IP addresses, but more often they just map an IP address range to some metadata. This is particularly true about GeoLite2, which is a very coarse database.

To me, this is equivalent to a database saying in which state is a given zip-code. How can that imply any kind of personal data?

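
Added example, not part of dsign's comment and not MaxMind's code or file format: an in-memory prefix tree over IP address bits, showing how a lookup returns the most specific entry, whether that is a coarse range or a single address. The networks are documentation ranges, the country codes are user-assigned placeholders, and the `PrefixTree` class and `SAMPLE` data are constructed for illustration.

```python
import ipaddress


class PrefixTree:
    """In-memory binary trie: one level per address bit, records on nodes."""

    def __init__(self):
        self.roots = {4: {}, 6: {}}  # separate tries for IPv4 and IPv6

    @staticmethod
    def _bits(value, width, count):
        # Yield the `count` most significant bits of a `width`-bit integer.
        for i in range(count):
            yield (value >> (width - 1 - i)) & 1

    def insert(self, cidr, record):
        net = ipaddress.ip_network(cidr)
        node = self.roots[net.version]
        for bit in self._bits(int(net.network_address), net.max_prefixlen, net.prefixlen):
            node = node.setdefault(bit, {})
        node["rec"] = record

    def lookup(self, ip):
        """Return (prefix_length, record) for the most specific match, or None."""
        addr = ipaddress.ip_address(ip)
        node = self.roots[addr.version]
        best = (0, node["rec"]) if "rec" in node else None
        bits = self._bits(int(addr), addr.max_prefixlen, addr.max_prefixlen)
        for depth, bit in enumerate(bits, start=1):
            node = node.get(bit)
            if node is None:
                break
            if "rec" in node:
                best = (depth, node["rec"])
        return best


# Constructed sample data: documentation ranges and user-assigned country codes.
SAMPLE = {
    "198.51.100.0/24": {"country": "XA"},    # coarse range
    "198.51.100.128/25": {"country": "XB"},  # more specific sub-range
    "198.51.100.200/32": {"country": "XC"},  # a single concrete address
    "2001:db8::/32": {"country": "XA"},
}
TREE = PrefixTree()
for cidr, rec in SAMPLE.items():
    TREE.insert(cidr, rec)

if __name__ == "__main__":
    for ip in ("198.51.100.5", "198.51.100.130", "198.51.100.200", "203.0.113.9"):
        print(ip, TREE.lookup(ip))
```
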
Eikon, over 5 years ago
Interestingly enough, some of the information maxmind is providing can be found in RIRs databases, such as RIPE for instance: ftp://ftp.ripe.net/ripe/dbase/split/, ARIN: https://ftp.arin.net/pub/rr/

This is the same information that can usually be accessed using the "whois ip_address" command.

I wonder how this is going to be handled as it's necessary that this information remains public for network operators.

Would ping / mtr / traceroute need to be banned on a per-ip basis too as these tools can be used to triangulate?

The whole thing feels like "please remove my address from maps, it's private data", well yes, ok...

stevenicr, over 5 years ago
Well this sucks.

I depend on these to keep thousands of users' IPs private. IPGeoBlock on many WordPress installs keeps a lot of bad bots (and humans) out - and there are already options baked into that plugin to query several online DBs with the user IP to find country code... Most of my sites that allow other users to login, I keep their data private by telling ipGeoBlock to download the DB onto our server, check that, and NOT query the other online services.

Sure would be nice if you could still provide GeoLite2 Country, GeoLite2 ASN

just remove all the USA ones :) - then I could have it query the downloaded DB, if it finds a result block them - and if no result then let them try to login..

So they are going to offer the DB if registered and agree to whatever so called terms.. we should be able to get someone in a country without a jurisdiction that considers USA agreements legal - to get the DB and put it online right?

having to sign up with maxmind alone is reducing privacy for me - I guess unintended consequences - but sheesh!

mpetroff, over 5 years ago
The Wayback Machine has copies of the last CC BY-SA 4.0 version:

https://web.archive.org/web/20191227182209/https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz

https://web.archive.org/web/20191227182412/https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.tar.gz

https://web.archive.org/web/20191227182527/https://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN.tar.gz

https://web.archive.org/web/20191227182816/https://geolite.maxmind.com/download/geoip/database/GeoLite2-City-CSV.zip

https://web.archive.org/web/20191227183011/https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip

https://web.archive.org/web/20191227183143/https://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN-CSV.zip

And the last copy of the download page before the download links were removed, for reference: https://web.archive.org/web/20191222130401/https://dev.maxmind.com/geoip/geoip2/geolite2/

evantahler, over 5 years ago
This is fascinating and I’m sure will have lots of far-reaching effects for the courts to chew on... For example, do I “own” the IP address that my ISP assigned me? Is it really my PII? If enough people ask to be removed, have I harmed the ISP's property? What about dynamic IPs? I like that I now have the power to opt-out... but will it last?

As a developer, thinking about this is a great mental exercise for switching my thinking from “use public datasets” to “use user opt-in data” - what would I have used IP->GEO info for before? Guessing a user’s language? I can use Accept headers. Guessing a user’s real location? Better to use the web/mobile GPS api and get explicit consent. I guess the internal maps we make from our server logs will get less accurate... fine?

anandchowdhary, over 5 years ago
OP here. My CI builds started breaking out of nowhere [1] because the public download URL of the Geolite2 database started giving 404s.

I came upon the GitHub issue opened by MaxMind on the package I was using [2] who recommended that every user should create an account and download the package, so I used Git LFS to manually add the package to the repo for now, until I can come up with a better CI-driven solution, because one of the rules is that you need to update the database as soon as a new one comes out, and stop using the older version within 30 days of update, and you might need to provide this in writing as well.

[1] https://travis-ci.org/staart/api/builds/630988787

[2] https://github.com/runk/node-geolite2/issues/17

[3] https://www.maxmind.com/en/geolite2/eula

tyingq, over 5 years ago
That's pretty interesting that an IP address is enough to trigger CCPA. I thought it had to specifically tie to identity versus something broader like zip codes and city names to be covered under CCPA.

I wonder if you would be okay geolocating just the first three octets.

hlieberman, over 5 years ago
This is deeply unfortunate. I know the folks at Maxmind fairly well, and they're good people. I'm quite sure this isn't what they wanted to do, and that they've pushed their lawyers to let them continue distributing this data as much as is possible, in a way that is as gentle as possible. I applaud them for their efforts; it is appreciated.

Unfortunately, it's also clear to me that this renders the Maxmind geoip databases non-free. I've filed bugs for the removal of the geoipupdate package from Debian main, and I believe the geoip-database maintainer has already terminated updates.

kwoff, over 5 years ago
This might not be a common experience nowadays (sigh), but I encountered this problem a few weeks ago in Perl. The long-used module at https://metacpan.org/pod/Geo::IP now mentions "the GeoIP Legacy file based database" and has a link to http://dev.maxmind.com/geoip/geolite which actually redirects to https://dev.maxmind.com/geoip/geoip2/geolite2/ . Interestingly, now that I look there again, it no longer refers (at the top of the page) to the January 2019 deprecation of the version 1 database, but now to "making significant changes to how you access free GeoLite2 databases starting December 30, 2019". (I now have to also review that for my workplace...)

Anyway, the new CPAN modules are under https://metacpan.org/pod/GeoIP2 and can be confusing. One confusing thing: despite a prominent Perl developer such as Dave Rolsky working (still?) at MaxMind, it says that the "module is deprecated and will only receive fixes for major bugs and security vulnerabilities".

For porting purposes, please note that the module you want to use is https://metacpan.org/pod/GeoIP2::Database::Reader . (They also mention https://metacpan.org/pod/MaxMind::DB::Reader which can make things unclear...) I didn't see any other info on the github page about Perl support. Also the interface is definitely more tedious and object-oriented in the worst way. I'm sure there are good reasons... And in my experience it's much slower if you use the pure-Perl interface (this is something you should read the MaxMind::DB::Reader perldoc for: it mentions installing a C library in "PURE PERL VERSUS XS").

Good luck

alias_neo, over 5 years ago
It's a shame this only made it into here after the restriction was already in place.

Out of interest, does anyone know how long a historic copy might be considered valid? How regularly do people update their "copy" generally?

unilynx, over 5 years ago
This provision in the EULA might be troublesome when dealing with backups:

*You shall cease use of and destroy (i) any old versions of the Services within thirty (30) days following the release of the updated GeoLite2 Databases*

I'm sure I can get customers to otherwise agree with the GeoLite2 terms when I install/get them to download the database, but how to get the GeoLite2 database out of their three-months-retained VM snapshots? I can ensure we 'cease use' of a restored database, but ensuring destruction is a problem...

(The GDPR explicitly acknowledges this problem and allows you to keep data in your backups if it's too burdensome to remove it as long as you've taken measures to reapply data deletions on restore)

bullen, over 5 years ago
The biggest problem with the new Maxmind data is that it requires many MB of dependencies: https://github.com/maxmind/MaxMind-DB-Reader-java/issues/48

WGeorge480, over 5 years ago
I do not work for any company that uses GeoLite2 but I do have a gaming server that I want to display the country of a player to the staff team. I signed up 3 days ago but no email received as of now. Should I contact maxmind and will I be able to get a license for such an intended use?

justinclift, over 5 years ago
Seems to *only* cope with fixed IP addresses, which only some places use.

For example, my IP address (not in the US) changes every ~18 hours or so and can come up in at least 30 different IP ranges that I've so far seen. (Used to make writing out SSH rules for remote access a pita, until automating it)

foota, over 5 years ago
How is IP to broad location even PII?