[itake]

> just forcing people to use VPNs

Does this really even work? The law isn't "if the user's ip address appears to be from this state, then you must require id".

Properly enforcing georestrictions like this costs money and destroys businesses, but that is kinda the point.

[azernik]

It provides plausible deniability. "We did our best, judge"

[moate]

It's not even plausible deniability, it's literally "how are we supposed to know what location people are in other than ISP?" That's the de facto determinate of location online. The government hasn't taken the position that a bar checking driver's licenses to confirm someone's age provides "plausible deniability", but rather that they're doing their part to comply with the law, even if some users are going to use fake IDs to cheat the system.

[itake]

1/ block data center connections / require users to connect via a residential IP, not cell phone.

2/ request GPS location from the device.

3/ request WiFi location from the device.

4/ require billing address to be out of state. (States collect sales tax based on billing address, not where the service or product is bought. So I think this is fair.)

[dspillett]

No, but they have deniability. “We checked, and they weren't in your state as far as we can tall”.

Slightly aside, if you filter like this for any reason it is safer to check that the request is NOT coming from some other location – that way your main failure mode is accidentally screening someone in a state you don't need to, not accidentally letting someone in that you could face legal action for, though this is a harder check to make.

The blocked people that use VPNs may well appear to be coming from a non-US location too which probably makes the denial slightly safer.

[svnt]

I’m sorry but business success aside, how else do you propose to do it? Require them to go outside and take a panoramic video including their face that somehow also captures third-party information about the date and time and then feed it into geoguessr?

[itake]

Couple thoughts:

1/ if the company can’t meet the regulations, it can’t exist.

2/ if there is wiggle room of “as long as you tried your best, then it’s ok”, then requesting gps location, nearby wifi nodes, and banning traffic from data centers, then that would be better.

[harimau777]

I think the problem is that laws that are trying to force morality on people.

[ryandrake]

The general problem is that web site X doesn't know if user Y lives in state Z. And most of the realistic ways to allow them to know this are huge PII disasters waiting to happen. This has nothing to do with morality. If states wanted to ban HN, it would be just as ridiculous. Using IP address is about as pointless as using your mobile phone's area code.

[numpad0]

No, the problem is unchecked moral panicking. IP geoblocking is mitigation.

[Digory]

All laws force morality on people.