I want to put up a site for speakers of a particular language who are not in Europe, and I don't want to be liable for anything or have to read up on laws in case one or two people connect from there. Is there any simple way (a regular expression, perhaps?) for a Node.js/Express application to block all European IPs without having to make a request per connection to a third-party service?
- Google could be your friend here, search for geo-location – Mikkel Dec 26 '18 at 04:36
- @Mikkel Did that for half an hour. I only see third-party API solutions. I found this (https://github.com/yourtion/node-ip2region#readme) project that seems to use an offline database of sorts, but the program seems to output in a language that I don't understand. – Robert C. Holland Dec 26 '18 at 04:42
- Regardless of what you do, you can prevent but you cannot guarantee, hence some users using VPN connections. – Maytham Fahmi Dec 26 '18 at 04:47
- Why would you want to block specifically Europe (Do you mean European Union btw)? How come you are worried about European law but not Indian/Chinese/Australian? – visibleman Dec 26 '18 at 04:48
- Yes, because of European Union laws. I was not aware that there were similar laws in India/China/Australia. I guess I will need to block them too. – Robert C. Holland Dec 26 '18 at 04:50
- No one knows, because you didn't state specifically what type of laws you worry about. – visibleman Dec 26 '18 at 04:51
- I am not sure either. I think it is the GDPR laws. The idea is that I don't want to have to care since almost none of the users would be from the European Union since it is a rare language specific site. I just don't want to be liable for one or two users that may decide to use it from those places. – Robert C. Holland Dec 26 '18 at 04:53
- @maytham-ɯɐɥʇʎɐɯ I am 95% sure my target country doesn't have any similar restricting law. And I am in the US, which is lenient enough. – Robert C. Holland Dec 26 '18 at 04:56
- GDPR only matters if you store personally identifiable information. – Mike 'Pomax' Kamermans Dec 26 '18 at 05:25
- @Mike'Pomax'Kamermans I don't want to get a lawyer to figure out what EU means by personally identifiable. – Robert C. Holland Dec 26 '18 at 05:27
- You don't need a lawyer. The internet fell over itself to figure this out over a year ago, just read up [any number of quality posts on it](https://medium.com/wattx-stories/gdpr-what-your-company-should-know-and-do-starting-now-f62d70f72d7e). Takes you less time than posting a question on SO and then waiting for answers that don't really fix your problem (because EU visitors on a VPN are _still_ EU visitors. The GDPR is about _people_, not IP connections, so if you store user data, even if you block IPs, you have the GDPR to contend with) – Mike 'Pomax' Kamermans Dec 26 '18 at 05:34
- It's questionable whether the GDPR is at all enforceable if you don't live in an EU country, don't do business in the EU, and don't even advertise the website to EU citizens. – eschwartz Dec 26 '18 at 07:23
2 Answers
Easiest way would be to use a free IP location API (http://ip-api.com/) to find the user's location then restrict access using a variable.
```js
// loc: region reported by the IP lookup; region: the region to block
if (loc === region) {
  redirect = true;
}
```
Without calling on an API, the only other way is to simply ask which country they're from; however, they might not be too truthful about that.

- I am trying to avoid third-party services that I have to call every request. Interestingly, the site you linked to gets blocked by the uBlock Origin extension as a spyware/ad tracking service, so not sure how much to trust it. I guess asking users where they are from is a solution, I probably won't be liable if they lie. – Robert C. Holland Dec 26 '18 at 04:46
- The issue is that IP addresses get moved around constantly, so you'll need access to an up-to-date database; the other options are just different forms of geo-location. Btw I just found that API through a Google search, probably best to research one to use. – Justin Bugeja Dec 26 '18 at 05:00
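An added example (not from the question or either answer) of the offline approach raised in the comments above: load a local table of CIDR ranges once at startup and check each request in memory, with no per-request third-party call. The ranges are constructed placeholders (RFC 5737 documentation networks), and `buildRanges`, `isBlocked` and `geoBlock` are hypothetical names.

```javascript
// Constructed sample table: RFC 5737 documentation ranges stand in for the
// per-country CIDR list you would export from an offline GeoIP database.
const SAMPLE_BLOCKED_CIDRS = ['192.0.2.0/24', '198.51.100.0/25', '203.0.113.64/26'];

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if not valid IPv4.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Turn CIDR strings into [start, end] integer ranges sorted by start.
function buildRanges(cidrs) {
  return cidrs.map((cidr) => {
    const [base, bitsStr] = cidr.split('/');
    const start = ipv4ToInt(base);
    if (start === null || !/^\d{1,2}$/.test(bitsStr) || Number(bitsStr) > 32) {
      throw new Error(`bad CIDR: ${cidr}`);
    }
    const size = 2 ** (32 - Number(bitsStr));
    const first = Math.floor(start / size) * size; // clear host bits
    return [first, first + size - 1];
  }).sort((a, b) => a[0] - b[0]);
}

// Binary search; assumes ranges do not overlap (merge them when exporting).
function isBlocked(ranges, ip) {
  const addr = ipv4ToInt(String(ip).replace(/^::ffff:/i, '')); // IPv4-mapped IPv6
  if (addr === null) return false; // plain IPv6 or unparseable: not covered by this table
  let lo = 0, hi = ranges.length - 1;
  while (lo <= hi) {
    const mid = (lo + hi) >> 1;
    if (addr < ranges[mid][0]) hi = mid - 1;
    else if (addr > ranges[mid][1]) lo = mid + 1;
    else return true;
  }
  return false;
}

// Express-style middleware; req.ip is the real client only if `trust proxy` matches your setup.
function geoBlock(ranges) {
  return (req, res, next) =>
    isBlocked(ranges, req.ip) ? res.status(403).send('Not available in your region') : next();
}
```

In an Express app this would be mounted with `app.use(geoBlock(buildRanges(cidrs)))`; the table is IPv4-only and has to be refreshed as address allocations change.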
Not an answer
Since it seems this is in regards to GDPR, I thought I'd link some information.
I am not a lawyer, and this is not a legal site so do with the info what you want.
https://www.gdpreu.org/the-regulation/who-must-comply/
This outlines non-exhaustive examples for deciding whether there is sufficient evidence that a firm is within the GDPR’s scope:
May be insufficient evidence
- The firm’s website is accessible to EU residents
- The firm’s email or other contact details are accessible to EU residents
- The firm is located in a non-EU state that speaks the same language as an EU state
May be sufficient evidence
- The firm markets its goods and services in the same language as that which is generally used in an EU member state
- The firm lists prices in EU member state currencies (the Euro, British pound sterling, Swiss franc, etc.)
- The firm cites EU customers or users
This recital therefore provides a safe harbor to firms that do not market goods or services to the EU, by calling out that they do not need to undertake potentially expensive processes to block EU IP addresses from accessing their websites or reject emails sent by EU mail servers.
It further suggests a nuanced interpretation when it comes to marketing language. One possibility is that languages commonly used outside of EU states such as English or Spanish will not be by themselves deemed sufficient evidence of intent to offer goods and services to EU residents, whereas languages more local to EU member states, such as Bulgarian or Estonian, may be sufficient alone.
