Lovely things, subnets
[Here's something I wrote on a mailing list in response to a discussion about the restrictions Apple added to iTunes to require that computers receiving iTunes music streams be located on the same IP subnet.]
Lovely things, subnets. A lot of people have been trying to use IP addresses not only as evidence of geography but as evidence of "locality" or "proximity" (e.g., whether devices are in the same physical location or not). VPNs, tunnels, and bridging mean that neither IP addresses nor MAC addresses are actually any evidence of any of these things. Much of the Internet community has always assumed that this is as it should be; the Internet has long practiced layering and encapsulation and used new software to make old software work in network configurations the authors of the old software didn't envision.
The interesting result of this is that some DRM vendors are falling back on other tricks. One you hear a lot about is "IP TTL" (a part of the Internet Protocol specification where routers are supposed to subtract 1 from a header field, to prevent a misaddressed packet from floating around the Internet forever). That doesn't provide evidence either, though, because (1) IP headers like TTL are under the minute control of end-users wielding firewall software, and (2) "bridging" software doesn't subtract 1 from TTL in the first place because conceptually it is not acting as a router.
So the last resort of people trying to use TCP/IP and get evidence about locality or proximity has been to measure latency -- how long it takes for one device to communicate with another. Latency is harder to tamper with because there are physical limitations like the speed of light. For example, you can never get any message from New York to Paris in under 19.5 milliseconds because that is how long it takes light to go from one to the other. If you're using a satellite in geosynchronous orbit, there is a magic number around 250 milliseconds (depending on your latitude) because geosynchronous orbits can only occur at one particular altitude and it takes light about 250 milliseconds to cross that entire path. (Geosynchronous orbit is far away!) So some systems have been adopting rules about not sending some programming to devices that take more than a certain number of milliseconds to answer you when you say hello and ask them for acknowledgment, on the theory that devices that answer really quickly plausibly are on the same local network, whereas device that answer more slowly probably are not.
That scheme also is subject to some question, generally because the range of network latencies is so great that it's likely to produce very significant numbers of both false positives and false negatives. But I think that will take some more study and I know that DRM developers are doing some of that study (whereas DRM critics unfortunately seem not to be, unless you count this message, which I don't).
I think the difficulty in using Internet technologies to determine proximity speaks to many interesting things about Internet design and philosophy, things I would love to try to articulate sometime. I will say that we heard a lot in the boom about the death of distance and the erasure of place, but that DRM developers have been working hard (between region coding, location-awareness, geolocation, and proximity detection) to bring place and distance back to life. And physics is going to influence the extent to which distance can be measured or detected -- but in another sense there is going to be a cultural and a political conflict about location and who gets to use location to affect commerce and communication, and how. And I think we are in the middle of that conflict now.
