Then it would need a GPS-backed proof to allow more location changes while preventing abuse. There's always an intended use case and corner cases which could be handled via support ticket, thus passing through human judgement.

If there is a secure app on your phone, then how can you have multiple accounts?

Well, one answer might be that someone could spin up emulators

Or reverse engineer whatever app you have.

Or reset their phone? (or would you restrict it somehow to one account per physical phone? What happens if it gets sold or given away?)

Having worked in fraud detection a bit, it's _really_ hard to prevent people from making multiple accounts. Short of requiring ID based verification, and even then.

And then you have to still not go overboard and keep the onboarding low friction enough that people will be willing to go through it

Your points are all true. But we must not forget that security is like onion layers. The fact that something can't be made military-grade hack-proof doesn't mean we should leave it wide open for the whole world to abuse.

GPS is a one-way system, how could that ever be proof? You'd need to send people devices with some DRM on it so that they can't modify the code it runs and the check it performs (we all know how well DRM works anyway, or how desirable it is)

GPS could confirm that you are indeed where you claim you are. In the unlikely case you want to change your location for the Nth time.

But I, as the attacker, would just modify the value right?

It's not that the device transmits signals into space and the satellite operator, a trusted third party, would relay to the server where the user was computed to be. Instead, it's the user self-reporting the computed value from GPS satellites' signals

If you decompiled the app, then yes, you could spoof GPS. Still, a well behaved backend would stop you in your tracks.

The user is not self-reporting, the app is.

Again, just because something can't be 100% bulletproof it doesn't mean it needs to stay wide open.

That's a fair argument in general, though in this case I would both say that

- the risk of somehow abusing self-reported city-level location data is very low

- the effort involved in bypassing the proposed security measure is so exceedingly little, anyone who is passingly motivated to abuse it will also simply do that

As someone who works in the digital risk business, I fully subscribe to managing risk and that (as you say) 100% security is usually not a realistic option. Weighing risks against benefits is key, though

I'm less concerned about the abuse of a single self-reported city-level location data. What worries me here is a world-wide-open directory of people (any people) and their locations and interests and social links. It's a target group right there served on a silver platter to _anyone_ on the internet. Sorry, but, no thanks.