How an internet mapping glitch turned this Kansas farm into digital hell
An hour's drive from Wichita, in a little town called Potwin, there is a 360-acre piece of land with a very big problem.
The plot has been owned by the Vogelman family for more than 100 years, though the current owner, Joyce Taylor, née Vogelman, 82, now rents it out. The acreage is quiet and remote: a farm, a pasture, an old orchard, two barns, some hog shacks, and a two-story house. It's the kind of place you move to if you want to get away from it all. The nearest neighbor is a mile away, and the closest big town has just 13,000 people. It is real, rural America; in fact, it's a two-hour drive from the exact geographical center of the United States.
But instead of enjoying their place of respite, the people who live on Joyce Taylor's land find themselves in a technological horror story.
For the past decade, Taylor and her renters have been visited by all kinds of mysterious trouble. They've been accused of being identity thieves, spammers, scammers, and fraudsters. They've gotten visits from FBI agents, federal marshals, IRS collectors, ambulances searching for suicidal veterans, and police officers searching for runaway children. They've found people scrounging around in their barn. The renters have been doxxed, their names and addresses posted on the internet by vigilantes. Once, someone left a broken toilet in the driveway as a strange, indefinite threat.
All in all, the residents of the Taylor property have been treated like criminals for a decade. And until I called them recently, they had no idea why.
To understand what happened to the Taylor farm, you have to know a little bit about how digital cartography works in the modern era — in particular, a form of location service known as "IP mapping."
IP refers to an Internet Protocol address, which is a unique identifier assigned to a computer or a computer network. IP addresses play an essential role in computers talking to each other, and every internet-connected device needs one. When you visit a website, servers write down your device's IP address and keep it in their records. Sometimes, through some sophisticated sleuthing, you can find out more information about a specific IP address — for example, whether it's been associated with a malicious device, or where in the world it's located.
The trouble for the Taylor farm started in 2002, when a Massachusetts-based digital mapping company called MaxMind decided it wanted to provide "IP intelligence" to companies that wanted to know the geographic location of a computer in order to — for example — show its user relevant ads, or send a warning letter if the user was pirating music or movies.
There are lots of different ways a company like MaxMind can try to figure out where an IP address is located. It can "war-drive," sending cars around the U.S. looking for open Wi-Fi networks, getting those networks' IP addresses, and recording their physical locations. It can gather information via apps on smartphones that note the GPS coordinates of the phone. It can look at which company owns an IP address, and then make an assumption that the IP address is linked to that company's office.
But IP mapping isn't an exact science. At its most precise, an IP address can be mapped to a house. At its least precise, it can be mapped only to a country. In order to deal with that imprecision, MaxMind set default locations at the city and state levels for IP addresses that were roughly known. For IP addresses known only to be somewhere in the U.S., the locator would point to the center of the country.
As any geography nerd knows, the precise center of the United States is in northern Kansas, near the Nebraska border. Technically, the latitudinal and longitudinal coordinates of the center spot are 39°50'N, 98°35'W. In digital maps, that number is an ugly one: 39.8333333, -98.585522. So back in 2002, when MaxMind was first choosing the default point on its digital map for the center of the U.S., it decided to clean up the measurements and go with a simpler nearby latitude and longitude: 38°N, 97°W or 38.0000, -97.0000.
As a result, for the past 14 years, every time MaxMind's database has been queried about the location of an IP address in the United States it can't identify, it has spat out the default location of a spot two hours away from the geographic center of the country. This happens a lot: 5,000 companies rely on MaxMind's IP-mapping information, and in all, there are now more than 600 million IP addresses associated with that default coordinate. If any of those IP addresses is used by a scammer, or a computer thief, or a suicidal person contacting a help line, MaxMind's database places it at the same spot: 38.0000,-97.0000.
Which happens to be in the front yard of Joyce Taylor's house.
"The first call I got was from Connecticut," Taylor told me. "It was a man who was furious because his business internet was overwhelmed with emails. His customers couldn't use their email. He said it was the fault of the address at the farm. That's when I became aware that something was going on."
This was back in 2011. Taylor, who grew up on the farm and remembers the day, when she was 15, when the house first got an indoor bathroom, has a Gateway computer but doesn't use the internet often. "I use it to write letters and Sunday school lessons," she says. When I first called her, she refused to talk to me because she's had so many crazy callers over the years. "My parents had a golden reputation. My family has always been beloved in this community," she told me later. "We've never had enemies."
But over the next several months, the calls and visits intensified. When law enforcement agents asked companies like Google and Facebook for the IP addresses used by suspected criminals and then mapped them using tools that relied on the MaxMind database, the locator pointed to the Taylor house. Amateur sleuths who spotted IP addresses used by visitors to their websites or on message forums were so convinced that the Taylor house was the source of their various problems that they created reports about it on Facebook, YouTube, Reddit, the Ripoff Report, and Google Plus. (Even today, if you Google the house's address, it returns a series of websites detailing nefarious activities.)
The harassment continued to the point where the local sheriff had to intervene. He placed a sign at the end of the driveway warning people to stay away from the house and to call him with questions.
"That poor woman has been harassed for years," Butler County Sheriff Kelly Herzet told me. Herzet said that his department's job has become to protect the Taylor house from other law enforcement agencies. "Our deputies have been told this is an ongoing issue and the people who live there are nice, nonsuicidal people."
Last year, I discovered a young couple in Atlanta that suffered from a similar, but less severe, issue: Since the couple moved into their home a year ago, dozens of strangers have visited looking for lost and stolen smartphones. The visitors are led there by Find My Phone apps that say the phones are located inside the house. (They aren't.) While helping the couple try to figure out their mystery, I teamed up with the podcast Reply All and a security researcher named Dave Maynor. When Maynor visited the house to investigate, he discovered that it was one of the only houses in the neighborhood with a router and Wi-Fi. The couple lived in a digital desert, and because of the way some location-mapping programs seek out permanent networks in the area to act as an anchor, lots of IP addresses were getting attached to the house.
After I published that story, I began wondering if there were other homes in the country like it. I asked Maynor if there was a way to find out, and he said he could build a program that would crawl through a public MaxMind database of mapped IP addresses to see if there were physical locations that appeared repeatedly. Within a couple of days, he sent me a spreadsheet with thousands of home addresses along with the number of IP addresses attached to them. The Taylor home was at the very top of the list; the 600 million IP addresses attached to the home were an order of magnitude higher than at any other location. (The Atlanta home was No. 865 on the list.)
I told Thomas Mather, a co-founder of MaxMind, about Joyce Taylor's story. I asked him if he knew anything about the default coordinates that were placing unidentified IP addresses on the Taylor property. Mather told me via email that "the default location in Kansas was chosen over 10 years ago when the company was started."
"At that time, we picked a latitude and longitude that was in the center of the country, and it didn't occur to us that people would use the database to attempt to locate people down to a household level," he wrote. "We have always advertised the database as determining the location down to a city or ZIP code level. To my knowledge, we have never claimed that our database could be used to locate a household."
But people do use it that way. Five thousand companies draw information from MaxMind's database. And most casual internet users don't know anything about IP-mapping defaults — they just know that when a website tells them that their scammer lives in Potwin, Kansas, they get in the car and go.
Mather told me that he hadn't realized until I emailed him that his IP mapping had caused problems for Taylor and her tenants. But he sounded sympathetic.
"Until you reached out to us, we were unaware that there were issues with how we selected these lat/lons," Mather wrote to me in an email. "We do take this issue seriously and are working to resolve it as quickly as possible."
The physical mapping of computer addresses is one of the many aspects of the internet infrastructure that is almost completely unregulated. It is a task performed by private companies, and not just MaxMind. No one is officially in charge, and so there was no obvious party that Joyce Taylor could go to in order to find out why this was happening, or to get the problem fixed.
There are lots more of these phantom-IP houses. When Maynor sent me that list of thousands of locations in the MaxMind database that have an aberrantly high number of IP addresses associated with them, a colleague and I called dozens of them. Many residents had remained blissfully unaware that they were living in an IP flood zone; they'd never had strangers show up on their doorstep. Apparently, the IP addresses attached to their homes hadn't yet been used for anything nefarious. Yet.
One important lesson of my sleuthing is that IP addresses, which get used as digital evidence in criminal trials and to secure search warrants, are not always reliable. Like Social Security numbers, they comprise a numerical system built for one purpose and now used for something completely different. Social Security numbers were designed to keep track of people's lifetime earnings, but they're now the security token used to lock down a person's entire identity. IP addresses were meant to allow computers to talk to each other, but they've been repurposed to reveal details about the people behind those computers. The words "security" and "address" in their titles promise more than they can deliver.
Now that I've made MaxMind aware of the consequences of the default locations it's chosen, Mather says the company is picking new default locations, in the middle of bodies of water rather than near people's homes. I asked Mather how soon all of the companies that use its IP-mapping database will update the information in their own databases. "I'd say the typical customer updates the data every week, but that can vary," said Mather. "Some customers only update every few months."
MaxMind refreshed its database the following week. The Taylor farm will, hopefully, be a quiet place again sometime soon.