Not OP but there are many methods, with more available as you gain more execution privileges. On the “no privileges” end, you have things like accept-language and ping times (which can be coupled with known location of exit node to get an extremely rough “ping to exit” time.. not very useful but at least another data point). Then you have linkage to other devices, e.g. same account logs into site with and without VPN. Or if you have any inputs from the user (search history), maybe they make some typos or Autocorrect that leaks metadata about their native language. On the “some privileges” point of the spectrum, if you’ve got JavaScript execution, you can learn a _lot_ about the region of the user. And on the “many privileges” side, where you’ve got native code execution in a mobile app or similar, it’s game over.
For literature on this kind of thing, look into “PETS” (privacy enhancing technology) research. Incidentally, Tor spends a lot of time plugging these holes in their browser…
Tbh, all these sound like obvious noob mistakes. If I'd be trying to fake coming from NY then of course I don't use my russian-language browser or run Javascript code in a non-sandboxed environment that leaks where I am. The login and auto-complete channels don't really work either because all those things use HTTPS/SSL/TLS/... nowadays and you are rarely the endpoint. If you are and they still do this then again, they don't really know what they are doing.
It doesn't need a highly skilled+funded state actor to avoid those mistakes.
Not OP but there are many methods, with more available as you gain more execution privileges. On the “no privileges” end, you have things like accept-language and ping times (which can be coupled with known location of exit node to get an extremely rough “ping to exit” time.. not very useful but at least another data point). Then you have linkage to other devices, e.g. same account logs into site with and without VPN. Or if you have any inputs from the user (search history), maybe they make some typos or Autocorrect that leaks metadata about their native language. On the “some privileges” point of the spectrum, if you’ve got JavaScript execution, you can learn a _lot_ about the region of the user. And on the “many privileges” side, where you’ve got native code execution in a mobile app or similar, it’s game over.
For literature on this kind of thing, look into “PETS” (privacy enhancing technology) research. Incidentally, Tor spends a lot of time plugging these holes in their browser…
Tbh, all these sound like obvious noob mistakes. If I'd be trying to fake coming from NY then of course I don't use my russian-language browser or run Javascript code in a non-sandboxed environment that leaks where I am. The login and auto-complete channels don't really work either because all those things use HTTPS/SSL/TLS/... nowadays and you are rarely the endpoint. If you are and they still do this then again, they don't really know what they are doing.
It doesn't need a highly skilled+funded state actor to avoid those mistakes.
How can you learn about a user’s region with JavaScript?