There are many ways. The most common are: If the users tell you they're from North Korea, you can tell that they're from North Korea. Also, if they connect from a North Korean IP, you can tell that they're from North Korea.
> And what sensitive information could they access? It’s defacto public.
The request likely had nothing to do with "sensitive information", but instead, sanctions.
> How would you be able to tell?
There are many ways. The most common are: If the users tell you they're from North Korea, you can tell that they're from North Korea. Also, if they connect from a North Korean IP, you can tell that they're from North Korea.
> And what sensitive information could they access? It’s defacto public.
The request likely had nothing to do with "sensitive information", but instead, sanctions.