In May 2011, James and Theresa Arnold moved into a century-old home in rural Kansas with their two sons. They rented the home because it was near their son's school and Theresa's mother's nursing home. The house was on 360 acres an hour's drive from civilization, which the Arnolds loved because they are very private people.
But the isolated paradise turned out to have one very big problem. The week the family moved in, two sheriff's deputies showed up looking for a stolen truck. This was the first of many unexpected and unwanted visits they would receive. According to a federal complaint filed Friday (available below), they "were repeatedly awakened from their sleep or disturbed from their daily activities by local, state or federal officials looking for a runaway child or a missing person, or evidence of a computer fraud, or call of an attempted suicide."
James Arnold was accused of "holding girls at the residence for the purpose of making pornographic films." The Arnold family was accused by police and Internet vigilantes of hacking people's email, stealing identities, committing tax fraud, harassing people, and stealing bitcoin. Once, someone left a broken toilet in their driveway as a strange, indefinite threat.
This went on for five years and they had no idea why until a few months ago when I wrote a story about the home they were renting: "How an internet mapping glitch turned a random Kansas farm into a digital hell."
Along with security researcher Dave Maynor, I discovered that the GPS coordinates that corresponded with the home's front yard had been chosen as the default center of the United States by MaxMind, an IP address mapping company based in Massachusetts that's used by thousands of businesses to determine the locations of smartphones and computers to, for example, geolocate ads.
When MaxMind isn't exactly sure where an IP address is, it will return an approximate physical address. If it knows only that an IP address is in the United States, it returns the default address associated with the Arnold's Kansas home. At the time I published the story, there were over 600 million IP addresses associated with the property, making it look like there were millions of devices located there, some of them evidently being used by people up to very bad things.
"At that time, we picked a latitude and longitude that was in the center of the country, and it didn’t occur to us that people would use the database to attempt to locate people down to a household level," MaxMind co-founder Thomas Mather told me earlier this year. As with Pokémon Go, the company didn't realize its digital map of the country would have consequences for the people located at the real-world coordinates.
When I wrote the first story, I spoke with Joyce Taylor, the 82-year-old owner of the property, who also suffered from the digital fall-out. Her renters, the Arnolds, did not talk with me, because as their lawyer Randall Rathbun explains, "they are very private people."
In their lawsuit, the Arnolds say that MaxMind's conduct "placed them in a false light and invaded their privacy," resulting in "great emotional distress, fear for their safety, and humiliation." The damages amount to at least $75,000. Rathbun estimates that it will take at least a year for the case to go to trial.
MaxMind did not respond to a request for comment. But after my story, they changed the default location for the U.S. in their database. It is now conveniently located in a nearby lake.