
Before going on a long 3-month trip to Asia last year, I installed WireGuard on my Raspberry Pi 1 (original model B from 2012) which was running at home in the US. I found PiVPN to be the easiest way to install WireGuard. I didn't know if I even needed a VPN but I was glad I had one, and I was able to use the internet as if I were at home. It was weird, but a lot of sites are blocked overseas, even though they shouldn't be. For example, I couldn't access Homedepot.com. I also couldn't make a payment to my Target card as the website refused the connection. Apparently a lot of US business sites refuse connections from overseas IPs because of too many hacking attempts, or they just don't want to deal with it. Anyway, I was glad I had set up a VPN before I left for the trip.

Also, the original Pi (2012) was able to run WireGuard well enough for light VPN use, although I didn't push it too much since I didn't use it for anything heavy like video streaming.



> Apparently a lot of US business sites refuse connections from overseas IPs because of too many hacking attempts, or they just don't want to deal with it.

Yes, and it's infuriating. For example, it was (and probably still is) impossible to access the NY MTA's OMNY portal from many, but curiously not all, European countries. The OMNY system itself works using foreign cards, but this makes it very annoying to download receipts for expense reports.

Another fun one was not being able to cancel some streaming service from outside of the US due to the service geoblocking their account management site as well. I actually had to use a VPN to cancel!

There are countless other examples.


> Apparently a lot of US business sites refuse connections from overseas IPs because (...) they just don't want to deal with it

I am French. What I find fascinating is that there are local US newspapers (that serve a tiny community) that went through the effort to geoblock the EU and put up a page along the lines of "we cannot be compliant with privacy laws in the EU so we must block you".

Why do they care at all? How is the EU law relevant to their small, local business?

Large companies are different - there could be some litigation against their footprint in the EU etc. - but for those who just live in the US (or anywhere outside the EU), going the extra mile to block because of non-compliance is really weird.


It's just a lot simpler to block than having to keep up with laws in other countries for businesses who don't even do business in those countries. It's not like it's hard or time consuming to implement, and it's cheaper than your other suggestion further down of consulting a lawyer every time one of these pops up, like "do I have to annoy my customers with these stupid cookie popups every time they visit?" Why should I have to spend a dime for something that is external to my company, has nothing to do with it, and have to constantly keep on top of it? We don't even sell our services there. Why should I even waste the bandwidth? Our firewalls are sure a lot less active, as well. Why should I waste time answering emails from people we don't sell to? It's better to just not get them. I guess my question to you is why do YOU care if they're accessible or not? If a (local) business really just wants to sell within their own (local) country (or even a smaller municipality such as state/county/city), is there something wrong with blocking out everything outside it and just not worrying about it?


> It's just a lot simpler to block than having to keep up with laws in other countries for businesses who don't even do business in those countries.

Exactly, except that it is just simpler to do nothing.

Do you (I assume you are not in any of the countries I gave as examples, nor travel there) worry about laws in, say, China when you state "Taiwan is an independent country", or Russia when you say "Russia invaded Ukraine", or North Korea when you say "NK is a tyranny", or France when you say "Retirement should be at 60 and not 64"? No. Because the local laws that forbid these statements are, well, local. Nobody cares outside of these countries. They could send you letters informing you that you did wrong and that you have to pay 1M USD, and you would just put that in the trash.

> I guess my question to you is why do YOU care if they're accessible or not? If a (local) business really just wants to sell within their own (local) country (or even a smaller municipality such as state/county/city), is there something wrong with blocking out everything outside it and just not worrying about it?

I do not care - it is just that I ended up serendipitously on a few of these places and was wondering why they care (I would not care about the cookie law in Zimbabwe or Patagonia if I had a web site).


Our hacking attempts dropped by approximately 85%, and we use less bandwidth. There are other benefits to blocking traffic from places where you don't do business.

> They could send you letters informing you that you did wrong and that you have to pay 1M USD, and you would just put that in the trash.

I think it's just better to not get those letters in the first place (any more than spam phone calls or texts) and have to waste time reading them, or having to possibly consult an attorney over them to see if they have merit. It's just not something I want to be bothered with, nor should I. It has nothing to do with the company, what we do or our customers.

> Do you (I assume you are not in any of the countries I gave as examples, nor travel there) worry about laws in, say, China when you state "Taiwan is an independent country", or Russia when you say "Russia invaded Ukraine", or North Korea when you say "NK is a tyranny", or France when you say "Retirement should be at 60 and not 64"?

We don't say anything like that on our company sites.


Ah, now I remember how I got to one of these pages. I wanted to have a look at the local newspaper of Tuttle, Oklahoma because of a funny (and sad for open source devs) event that happened there in 2006: https://www.theregister.com/2006/03/24/tuttle_centos/. It was blocked for GDPR reasons (at the time at least).


Most small local newspapers are owned by huge megacorps. GDPR EU laws and some others explicitly say that they can be enforced to entities outside the EU. I don't know if it has ever been enforced, except for large multinationals.

The US does do that kind of thing though. As a dev, break some law, step foot in the US for a conference, get arrested (ex: Sklyarov 2001 case, for breaking PDF encryption).

Although for most financial things, it's common in the US/CA to block non-local IPs. Heck, I was in Mexico and I couldn't log in to my provincial government tax portal. There are constant security issues with those sites.


> GDPR EU laws and some others explicitly say that they can be enforced to entities outside the EU

They can say whatever they want, but it would need to be a US court (in that case) who would do the litigation. Which they won't.

> The US does do that kind of thing though. As a dev, break some law, step foot in the US for a conference, get arrested

Yes, this is why I mentioned that my point is only for local businesses. Travel or business in the EU can/will be problematic.

> Heck, I was in Mexico and I couldn't log in to my provincial government tax portal. There are constant security issues with those sites.

Blocking for security is another thing. Maybe a good idea, maybe not - but that's another story.


> They can say whatever they want, but it would need to be a US court (in that case) who would do the litigation. Which they won't.

That's a pretty incomplete view of how jurisdiction works. You do probably need a US court ruling to enforce a claim against a US entity – but if that entity has any EU subsidiaries or assets, you can bet that European courts will come after those.

> Blocking for security is another thing. Maybe a good idea, maybe not - but that's another story.

As a customer/taxpayer that needs access to a service from abroad, I really don't care why I have to jump through hoops to cancel a subscription/order or pay my taxes owed.


> That's a pretty incomplete view of how jurisdiction works. You do probably need a US court ruling to enforce a claim against a US entity – but if that entity has any EU subsidiaries or assets, you can bet that European courts will come after those.

I am not sure you read my post in detail - I explicitly mentioned that I am talking about local services, without any international footprint. And I mentioned that in case of such a footprint - yes, they will be sought after.

This is also exactly what the US does to enforce their "extraterritoriality".


The business may be local but the owner or other management or employees may wish to keep all of their travel options wide open without fear of some obscure foreign law that might hold them individually responsible.

The golden days of global network accessibility are closing little by little.


They're maybe local services, but they're not local businesses. cf. my post :)

And they can be enforced not only via assets, but also via travel or various financial tools at their disposal. (It would be surprising, but for many businesses, it's not worth the hassle.)


I'm sure there are still some people willing to report the websites to the EU Commission; it's a guaranteed fine (less so a paycheque: I have no clue whether the company has to comply with paying it, unless later on they want to expand to the EU).


This is a fine that the EU can issue but why would the local business care?

If I were issued a fine by the US, China, India or Japan it would go directly to the trashbin. It is their law, and their problem, not mine.

Of course this means that I will not be able to do business there, if I travel I may be in trouble etc. But again - we are talking about small local newspapers (and similar businesses).


Yep, hence why I mentioned this would only be a problem if they ever want to do business with the EU.


Between the options of:

A. [re-]architect in GDPR compliance;

B. deal with incoming legal documents, which likely can't just be discarded;

C. block a country representing a tiny share of viewership,

option C seems to present the least hassle.


Option D: ask a local lawyer once (100 USD or so) and they will confirm that the business can trash such foreign requests and be done.

Not sure whether C or D would be more complicated long term (you need to manage the geolocation somehow, or outsource it and pay for the service).


Additionally, it shows traveling US-based customers that you care about them.


They care because no matter how small with travel and such these days there are potential risks if they're 'found' to be non-compliant. Simpler to say "no, we can't comply" than spend time/money/risk fighting about it later.

Not that I disagree with you on the 'it seems stupid' front. But that doesn't change the risk profile for the company.


I also did something similar, plus all my home automation which is 98% local-first|only. My trip was just 3 weeks, but on the first day of leaving, between one plane and another, my power company had a 4-hour extraordinary maintenance cut, my UPS didn't last long enough, and with that blackout the RPi SD card died, and I was locked out of my LAN for the whole trip.

Lesson learned: configure the UPS to communicate with the servers and shut them down in a controlled manner when batteries are dying.


May or may not work for your use case, but I have some scripts to prepare read-only Raspbian images here: https://github.com/nolanl/ropi

There are commands to enable/disable read-write mode, so you can still make changes and do upgrades.

I've had 0 problems with SD card death after I started using it.


Run Linux from an SSD; you can get a cheap one for less than $25 these days. The SATA to USB adapter will probably cost as much. No more SD issues.


I have a US-and-Canada based business and I ban customers from elsewhere in my T’s and C’s. Simply because I don’t know their laws.

I don’t outright block them because I myself travel, and some foreign laws apply to their citizens wherever they are.

I can completely see why you might want to ban overseas IP connections though, and I’ll probably do it soon.


Banning new signups/sales from overseas IPs can make sense for legal, tax, and shipping reasons – but please do provide some way for existing customers to access their subscriptions/orders/accounts from abroad. International travel is a thing.


I know! This is why I have it enabled - for me. I'm still worried about breaking some EU law without ever knowing it though.


Can’t access Home Depot from Germany either. I guess it’s HD blocking pesky foreigners.


If you don't do business in the EU, why accept traffic from there and possibly have to deal with GDPR issues?


Traffic source does not equal the geographical position of a person issuing the request. Geographical position of a person does not equal their legal status.

Blocking users on a two-level-deep assumption is wrong.


GDPR says it applies to companies outside the EU who are offering goods and services to people in the Union. One of the recitals explains that there is an intent component to this. The company had to envisage such offerings.

Even though blocking by traffic source is not always accurate, I’d expect that it would still greatly help show that the site did not envisage offering goods and services to people in the EU.


That's not how GDPR works but it is a common misconception and I can't really blame non-EU businesses for not taking the time to understand a foreign law when blocking is so easy.


What do you mean? That's pretty much how it works. You load up the Home Depot website and they, along with a bunch of 3rd parties that they partner with, will start collecting data about you and storing it. You can't do that to someone from the EU without getting permission, along with other restrictions.

For Home Depot to comply with GDPR, they would have to treat EU and non-EU users differently, or they could just block the EU. Since you're not trying to sell anything to EU users, blocking them makes things easier.


> For Home Depot to comply with GDPR, they would have to treat EU and non-EU users differently, or they could just block the EU.

Err, or treat everyone in a compliant way?

It's not like you don't already see this within the US anyway - particularly California.


I believe the California law came after the EU one. And it's still easier to just block EU traffic rather than spending several weeks implementing GDPR cookie popups.

And if you decide to treat everyone the same way, you likely end up with a higher bounce rate for the existing US customers. Hence, blocking.


GDPR doesn't care about where people are located right now. From the GDPR point of view you still have to treat EU residents in a special way, even if they're located in the US right now.

But the EU has less leverage if a company refuses to do business in the EU — that's true.

On the other hand, CCPA is still a thing.


> treat EU residents in a special way, even if they're located in the US right now.

This part of GDPR has always seemed completely impracticable/unenforceable to me. How would a non-EU company even know that one of their customers is an EU resident and only temporarily visiting? Most services in the US aren't asking for my passport, at least.

Practically, I'd assume that this will be interpreted by courts to only apply to companies "intentionally doing business with/commercially targeting EU residents", which is already the case for similar scenarios (e.g. that's how, to my understanding, German law requiring all sites to provide an imprint has been interpreted by courts).

In any case, I suppose we'll have to wait for precedent; I'm not aware of any at the moment.


No, it isn't. See Article 3, section 2 of the regulation. You need to offer goods or services to EU citizens for the law to be in effect. If Home Depot doesn't operate in Europe, doesn't market to Europeans, doesn't ship to Europe, and doesn't offer any services to Europeans, then they are not impacted by GDPR.


> You need to offer goods or services to EU citizens for the law to be in effect.

You need to not sell goods and services to EU citizens for the law to not be in effect.

Even if said citizens are in the US. You don't cease being an EU citizen when you're traveling.


The first part of section 2 says the data subjects need to be in the Union. A European moving to America and shopping at Home Depot doesn't (alone) require them to be GDPR compliant.


> 2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

> (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

> (b) the monitoring of their behaviour as far as their behaviour takes place within the Union

Did I quote the correct section? Doesn't collecting all the analytics fall under section (b)? I'm not a lawyer of course, but it seems pretty reasonable to me that if you have no interest in the EU market, blocking them is easier than figuring out if GDPR applies to you or not.

Or you could just not spy on your users of course, but I guess I'm too pessimistic to see that as an option a company would choose.


It took my team six months to get our company GDPR-compliant, and that included hiring three external consultants with extensive knowledge of GDPR and its implementation across the various EU countries we did business in. We were a short-term car rental company; we did not earn money with user tracking, advertising or selling user data. But we did process driver's licenses, user data, and trip data. We had to rewrite big parts of our car-tracking module because having it tied to the current driver (customer) automatically made it personal data, which can be requested on demand when the customer wants to. It also limited us on what we could log to our logging server and store in a database.

I can understand that an American company does not want to make such an investment when there is literally 0 added business value, as EU customers don't shop at that company.


Is GDPR that big of a difference now that California has its own strict data privacy laws?


Yes. Check below for a comprehensive list of differences.

https://www.cookieyes.com/blog/ccpa-vs-gdpr/


So if I order something on Home Depot, the shipment is delayed, and I want to check on that (or even just find the support phone number, some sites block all HTTP requests from foreign IPs!) while I'm traveling out of country, I just don't get to do that without a VPN due to GDPR?


Or they've just forgotten that the world outside ol' Merica exists, could be either one.


They are an American business that does not deal with other countries outside North America. Why would they care about the world outside of "ol' Merica?"


Well if they don't want the rest of the world's money, that's alright. Someone else will get it instead.


And they are fine with that just like large numbers of retail chains in Europe, Africa, Asia, South America, Australia, New Zealand, etc. which don't have a presence in the US or other countries outside their own or their own economic region. Home Depot does operate stores outside the US in Mexico and Canada.


Do you know what Home Depot is? They're a store, that you have to, like, go to.


Ah my bad. I thought it was like a depot, that you had at home. /s

If McDonalds and Aldi can work on multiple continents I'm sure it's not logistically impossible.


Standing up and maintaining a distribution network is non-trivial, especially for bulky goods that aren't practical for mail-order shipping. Home Depot doesn't contract out locally sourced production like your examples do.


I don't know first hand, nor am I speaking for my employer (who happens to be one of the two companies you mentioned), but if it was me, I would assume that if my company doesn't do business outside of the United States, then may as well deny traffic for services that wouldn't be available outside of the United States, since it is more often than not problematic traffic. This means sometimes legit traffic would be inconvenienced, as you were, and sorry about that, but it is a realistic scenario that the small amount of legit pain is worth the incredibly reduced risk footprint. Of course, baddies could get VPNs, too, but that's all part of the game.


My Canadian stepfather died. Family is not close and I’m in the US. The Canadian newspaper where his obit would be doesn’t allow connections from the US.

More than a “small amount of legit pain” was the result.


Was the site unavailable through archive.is?

Also, plenty of people live far away from family and have to deal with death (I’m in the same boat). It sucks, but I’m also curious why the obit was particularly important to you, because as far as I understand that’s typically just a small blurb in the newspaper? My family doesn’t do obits so I’m curious.

Not to minimize what you went through at all, but it’s interesting in today’s times how we expect so much immediacy. My immediate family escaped the USSR just before it collapsed, but my dad’s family was stuck in Russia and couldn’t leave even after it fell. My father had to deal with his brother, father, and mother dying within 5 years or so with no visits in between that time (a combination of finances + probably fear about traveling back). Comparatively, I personally have a much easier time in that I at least get to see my family once a year or so. Again, in no way a comparison, as dealing with loss and living far away from family is always hard. Just a reflection of how much technology has changed and made maintaining more closeness easier (e.g. video calling).


I am sorry for your loss, and I'm not trying to minimize your pain. This is the problem with data, it's unfeeling and cold. You and I are two customers of something companies with lots more than us, and a spreadsheet doesn't capture our pains when we feel them.


I'm sorry for your loss. Do they have a phone?


> I would assume that if my company doesn't do business outside of the United States

You forgot to consider "any of my company's existing US-resident customers temporarily traveling outside of the US".


> it is a realistic scenario that the small amount of legit pain is worth the incredibly reduced risk footprint.

Well, I guess it depends on the type of attacks one experiences, but hackers and spammers who target US-based businesses are not idiots; they know how to use VPNs and Tor and proxies. So on a technical level you get close to nothing security-wise. You reduce the number of bots and worms randomly accessing your servers, can stop some script kiddies who don't know better, and make life a bit harder for web scrapers (but not much) - and that's it.


Did you do anything to handle the event where, say, you lose connectivity and the system needs a reboot? Just curious about what would be the best way to handle that scenario.


While I didn't do this last time, in the future I would plug the Raspberry Pi into one of my smart power outlets (i.e. a Kasa Wi-Fi power outlet) connected via Home Assistant, so I can remotely restart it if the Raspberry Pi becomes unresponsive. I also have another Raspberry Pi (again, the original 2012 model), so I could add redundancy by running a second WireGuard VPN on it, too.


You can have a local watchdog process and reboot to a failsafe configuration on next boot. You can also set a timer to do this unconditionally when trying a new network configuration.
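One way to build the watchdog-plus-failsafe pattern described above for a home WireGuard gateway, as an added example that is not from the thread or any project mentioned in it. It assumes a `wg0` interface, a known-good copy of the config at `/etc/wireguard/wg0.conf.known-good`, and a peer tunnel address of `10.0.0.2` (all constructed values); the probe command, failure threshold and state file are overridable so the logic can be exercised without a network.

```bash
#!/bin/sh
# wg-watchdog: probe the WireGuard peer; after MAX_FAILURES consecutive
# misses, restore the known-good config and reboot. Intended to run from
# cron every few minutes (e.g. "*/5 * * * * /usr/local/sbin/wg-watchdog run").
# All paths and addresses below are assumptions for this example.

PROBE_HOST="${PROBE_HOST:-10.0.0.2}"                    # constructed peer address
PROBE_CMD="${PROBE_CMD:-ping -c 1 -W 3 $PROBE_HOST}"    # any command; 0 = peer alive
MAX_FAILURES="${MAX_FAILURES:-3}"                       # consecutive misses before recovery
STATE_FILE="${STATE_FILE:-/run/wg-watchdog.failures}"   # survives until reboot only
CONF="${CONF:-/etc/wireguard/wg0.conf}"
KNOWN_GOOD="${KNOWN_GOOD:-/etc/wireguard/wg0.conf.known-good}"

# probe_once: exit 0 when the probe command succeeds, 1 otherwise.
probe_once() {
  sh -c "$PROBE_CMD" >/dev/null 2>&1
}

# record_result <0|1>: 0 resets the consecutive-failure counter, anything
# else increments it. Prints the new count.
record_result() {
  count=$(cat "$STATE_FILE" 2>/dev/null || echo 0)
  count=${count:-0}
  if [ "$1" -eq 0 ]; then
    count=0
  else
    count=$((count + 1))
  fi
  printf '%s\n' "$count" > "$STATE_FILE"
  echo "$count"
}

# should_recover <count>: exit 0 once the threshold is reached.
should_recover() {
  [ "$1" -ge "$MAX_FAILURES" ]
}

# recover: put the known-good config back and reboot into it.
recover() {
  if [ -f "$KNOWN_GOOD" ]; then
    cp "$KNOWN_GOOD" "$CONF"
  fi
  rm -f "$STATE_FILE"
  logger -t wg-watchdog "peer unreachable; restoring known-good config and rebooting"
  reboot
}

# arm_revert_timer <minutes>: before trying a new config, schedule an
# unconditional reboot; cancel it with disarm_revert_timer once the new
# config is confirmed working. Uses systemd's shutdown(8) semantics.
arm_revert_timer() {
  cp "$CONF" "$KNOWN_GOOD" && shutdown -r "+$1" "wg-watchdog: reverting untested config"
}
disarm_revert_timer() {
  shutdown -c
}

main() {
  probe_once
  n=$(record_result "$?")
  if should_recover "$n"; then
    recover
  fi
}

# Run the check only when invoked with "run", so the file can also be sourced.
case "${1:-}" in
  run) main ;;
esac
```

Run `arm_revert_timer 10` before editing `wg0.conf` and `disarm_revert_timer` once you can reach the Pi over the new tunnel; if you cannot, the box reboots into the saved copy on its own.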



