I’ve been asked several times if it is possible to restrict access to users by geographical location using federated access. This is normally from a Service Provider who wants to restrict access to a resource to people physically present somewhere in the UK. My begrudging answer is, yes, there are ways of doing this. eduPerson has a locality field that could be populated, or you could ask for postcodes to query against. Of course this doesn’t ensure that the person is physically within the UK, only that the IdP believes that the person in question is normally resident in the UK.
To ensure that people are physically within a specific location, IP checking is normally relied upon. This in itself is not a particularly reliable process – machines in the UK often have IP addresses that would be flagged as belonging to another country and proxy servers and VPN access will get around all of these issues.
My main reaction however would have to be WHY, oh WHY would you want to try and do this? As you can see from the above, it is a fairly difficult thing to achieve, so you are immediately placing an expectation on your customer that they are likely to fail to meet. I also don’t understand why restricting access just to the UK would be perceived as more secure. Downloaded information could easily be passed beyond the boundaries of the UK in a instant because of that interweb thingamy 
I can almost I guess understand why BBC iPlayer would only be available in the UK because of license payer issues, but as a license player I think I should be able to access iPlayer when I’m in other countries, especially so I don’t miss the final episode of The Apprentice! The right is not a geographical one – it is actual a personal one based on my license fee payment.
In a world of ubiquitous electronic access, I think it is foolish to try and restrict access by location (and yes, I’m afraid that for me this includes ‘on site only’ access). Location is often inaccurately identified as the restricting element for access – but when properly analysed, you can nearly always find a better way of managing such a process. Does a publisher, for example, actual mean that they would be uncomfortable with students permanently resident overseas using a resource, rather than it can only be used in the UK?
I think it is such a shame that we are still dealing with these issues, and that it automatically cuts the publisher off from developing their resources for use on iPhones and netbooks and in other truly mobile locations due to what I see as an inaccurate interpretation of security. Lets hope we can move on!
2 comments
Comments feed for this article
Trackback link
http://access.jiscinvolve.org/wp/location-location-location/trackback/
August 1, 2009 at 6:40 am
David Harrison
Thoughtful and persuasive posting. Somewhere in the back of my mind there is something to do with IPv6 that should be brought into this thread as well, but my geekiness disappeared many years ago
. Suffice to say that China and India are racing into the IPv6 space because they can control it and because they can control the traffic at their national boundaries.
However, I would just add that when you see the geographic distribution of IPv4 Class A addresses, you see the domination of the internet by the US (and US companies) it’s no wonder that a publisher will take a “anywhere outside of the US that we don’t control” point of view.
So we have an address space (virtual location) problem as well as a pure geographic location problem.
August 10, 2009 at 2:31 pm
Ian Cooper
My experience of why (oh why) publishers would want to do this is simply (!!) because they only have rights to distribute the content within the territory they’re enquiring about.
In the case of the BBC and iPlayer they probably only have a license to redistribute materials geographically within the UK. Why would they go to the expense of covering other countries where other broadcasters would have better distribution channels?
You’re right, of course, that in the 21st century these things don’t make a lot of sense a lot of the time, but until we can get content owners into this century in their own ways of thinking we’re probably not going to be able to avoid such strange licenses. So we need to engage with the publishers and understand why they would want to license the materials in that way in the first place. And if they’re not the primary rights holder then I guess the 22nd century isn’t that far off…