Closed Bug 1724570 Opened 4 years ago Closed 4 years ago

How does Normandy handle users with activated VPNs?

Categories

(Firefox :: Normandy Server, enhancement)

Product:
Firefox
Component:
Normandy Server
Type:
enhancement

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: metasieben, Unassigned)

Details

So over on reddit a user posted this…
https://www.reddit.com/r/firefox/comments/ozbo7n/firefox_default_search_engine_automatically/

Apparently they were using a VPN with an endpoint in Sweden, somehow
they got enrolled in this study: bug-1715474-rollout-yandex-sponsored-tile-rollout-release-89-100

From the Normandy docs I gather that:

normandy.county
ISO 3166-1 alpha-2 country code for the country that the user is located in.
This is determined via IP-based geolocation.

My guess would be, that the geolocation-db erroneously assigned them an russian address?

Since the number of people using VPNs is increasing, how does Normandy
handle these clients?

Normandy handles user location based on the network path that is used to make the request to the server. That is, as the path goes from the user to the server, the last IP address that Normandy has not been configured to recognize is used to determine user location. As pointed out, this can result in users that are using a VPN getting assigned to unexpected countries.

The study is question, bug-1715474-rollout-yandex-sponsored-tile-rollout-release-89-100 is recipe 1158, and targets Belaurus (BY), Kazakhstan (KZ), Russia (RU), and Turkey (TR).

This technique is common across many services, including outside of Mozilla. I would suggest that if a user does not want to be seen as using a connection a particular country, they should be more careful about what VPN endpoints they use. VPN addresses are often misclassified, due to their ephemeral nature. To see how a particular client is identified, you can visit https://classify-client.services.mozilla.com/. The country listed there is the same that Normandy will use to locate the user.

Also, I replied to the user directly on Reddis, to try and get more information and determine if this is a bigger bug than it might seem. Because this is a rollout and not a experiment, there is no easy way to opt out of it.

Thanks for your answer here and on reddit and for taking the time to explain it.

Let's hope flukes like these don't occur that often.

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.