Last week prediction/betting platform Polymarket was in the news for a Justice Department raid, arising out of Polymarket allegedly accepting trades from US-based traders. Suppose we stipulate that Polymarket betting is illegal for US users, and Polymarket must keep US users out, to the very best of its ability, to avoid liability under US law. How exactly would it do so?
This question is familiar for me because my first service as a litigation expert, in February 2000, covered a surprisingly similar subject. There, Canadian video streamer iCraveTV wanted (or purported to want) its service to be available to Canadians but specifically not to Americans. I say “purported” because iCraveTV didn’t try very hard, and Americans could access the video easily — as I showed in two declarations as well as oral testimony. In a 2001 regulatory comment, I pointed out that when there’s something valuable on the Internet that motivated users want to access, users have multiple methods to get the desired access. My bottom line was if some body of material is so sensitive that a significant country rightly and properly disallows it, by far the easiest approach is to keep that content off the Internet altogether — as, to be sure, an injunction did to iCraveTV.
For Polymarket, the situation is somewhat different. It seems many people agree that Polymarket is properly allowed in other countries, yet properly disallowed in the US. Fine: reasonable people, and reasonable countries, can disagree. So, the engineering requirement is a system that robustly separates US users from international users — a geofence. Importantly, the geofence must be strong enough that even motivated US users can’t climb over. “Bob the Builder” fans, rejoice: Can we build it? Yes we can!
Here’s how I’d approach robust geofencing in a scenario like Polymarket, where users register and provide substantial information.
1. Block all users whose network connection indicates a location in the United States. Check a user’s IP address via standard geolocation services. Easy enough.
2. Block users based on their registered physical addresses. In any registration form that requests a street address, or any correspondence or other procedure that requests a street address, a US address is a clear indication of a US affiliation. Gold standard here is to check that the address is truthful — not just that it exists, but that a person can receive a one-time PIN sent by mail to this address.
3. Block users based on their phone number. A US phone number similarly indicates a US affiliation. Check that the user really has this number via a one-time PIN sent by voice or SMS.
4. Block users based on payment mechanisms linked to their account. Some might expect all Polymarket users to pay with a privacy-protecting payment mechanism such as crypto. But in fact Polymarket supports debit and credit cards as well as bank transfer. A payment instrument associated with a US financial institution indicates a US affiliation.
5. Block users based on geolocation in a desktop web browser. Web pages can request a user’s geolocation using the W3C geolocation API. Most web browsers ask their users if they want to share location. If a user does share, and if the location says US, proceed no further. It may seem implausible that users would voluntarily disclose, but one mistaken click could reveal — and a diligent site should at least try. Maybe a site should require a user to grant geolocation permission in order to proceed — everyone has to be somewhere, and Polymarket could demand that users reveal. On this theory, a failed geolocation API request would itself prevent login.
6. Block users based on geolocation in a mobile app. In a mobile app, it’s much easier to seek a user’s geolocation — a common permission that users are accustomed to granting. It might seem illogical for a user on a desktop device to have to switch to mobile just to confirm geolocation, but many sites require a switch to mobile for some aspect of security such as a secure photo upload, so this isn’t out of the question. As usual, users can override device geolocation, but this requires increasing technical skill.
7. Detect proxy servers and VPNs. A savvy user can use a proxy sever or virtual private network to bounce traffic through a server in a different country, then browse “from” there, with the server relaying requests and responses back and forth. At first this might seem unworkable for a service like Polymarket: How would they know which IP addresses are used by proxies and VPNs? But actually they have multiple reasonable paths:
- The natural starting point is to ask the largest proxy and VPN makers to share their lists of IP addresses. They may refuse, but the mere act of asking shows an attempt.
- Test the largest proxy networks and VPNs to find representative IP address ranges (or pay a specialist to do so). Hands-on testing also creates an opportunity to check whether there’s something unusual about their traffic (such as reverse DNS or a distinctive protocol-level header) that actually gives them away. (In my testing, this happens surprisingly often.)
- Look for implausible patterns in user IP address logins. If a user is purportedly in Frankfurt at 8:00 and Seoul at 8:30, maybe the user is actually in neither place — and is actually bouncing back and forth via proxy or VPN.
- Use these learnings to find others. If a user is logging in from an IP address widely used by other users who bounce back and forth, the user is probably on a proxy or VPN.
The logical final step is to require affirmative proof of nexus with a country where Polymarket’s service is lawful. When creating an account with Wise, I was impressed by their multiple methods of verification — photo ID, proof address, even uploading a picture showing face and ID together. These must hinder users’ account creation — every step and every click cause users to drop off. Despite that cost, such methods provide particularly strong proof of a user’s nationality. And if Wise can do it in their highly-regulated sector (money transmission), it’s hard to see why Polymarket should have lower standards.
I take no position on the wisdom of laws disallowing Polymarket and kin. And reasonable people may disagree about which of the tactics above should be required — how much a site like Polymarket can be required to inconvenience some of its users, in order to keep US users out. Fair questions! But to the basic adversarial question, I answer decidedly in the affirmative: A motivated site operator can keep out most US users, and can make sure that even those who sneak through end up feeling uncomfortable.
A separate challenge is the prospect of a site going through the motions rather than making a good-faith effort (not to mention investing in genuine innovation in this area). Certainly sites have every reason to tread lightly: Every user means growth, and every user contributes positive expected profit. So turning away more users means correspondingly weaker economic results. These factors create a direct economic incentive to look the other way. Meanwhile, a high-functioning compliance team would need real resources including talented engineers and data scientists. If I were evaluating whether a site truly did everything possible, I’d want to see real resources invested, multiple methods tried and compared, and multiple imperfect methods used in combination in order to increase overall effectiveness.