oshout 10 days ago

Skimming through the article, it seems like the extent of this is to require IAAS (Infrastructure) providers to verify the identity of those who are using their services to train AI. It's an attempt to stymie sanctioned or malicious actors from training AI and especially from hopping between services or using aliases to continue training on their model.

It seems a bit benign and I don't understand the parallels others on this HN discussion are making. Is it that it's a slippery slope or perhaps I'm being naïve in regards to the scope?

  • chlodwig 10 days ago

    Skimming the regulations, this does not seem right. All IAAS providers (which is everyone who allows customers to run custom code, so it includes any web host like Dreamhost) to verify the identity of foreigners who open an account. This would seemingly entail the service provider needing to verify everyone's identity, in order to figure out who is a foreigner and who is not.

    In other words, if you want to run your own Wordpress, or Mastodon node, or your own custom CMS web site or group chat or IRC or bitcoin node, you would need to reveal your identity to the hosting service that you want. This does seem quite bad and could obviously be used to identify political dissidents.

    On top of that, the IAAS must report to the US Commerce department about foreigners who are using services to train large AI models.

    • Raidion 10 days ago

      Aren't you basically revealing yourself anyway because you need to pay them?

      • dsign 10 days ago

        AWS has my name and my credit card number. But they have never asked for a photocopy of my passport, my history of international travel, which nationalities I have and so on. Something tells me that for the goal of this law to be achieved, all those details would need to enter the database.

        • dingnuts 10 days ago

          Amazon is certainly supposed to ensure that you are not a sanctioned person or a citizen of a sanctioned country. This was a concern decades ago when I was in shared web hosting.. don't know why it would have changed?

          • bcrl 10 days ago

            When has big tech had a good history of proactive compliance?

            • bostonpete 10 days ago

              AWS has a denied party screening team and absolutely restricts access to services based on the BIS entity list and other sanctioned parties.

            • brookst 10 days ago

              I've been in big tech for a while and oh wow is there a lot of proactive compliance.

        • kensey 10 days ago

          Not necessarily (although that doesn't necessarily mean I think this is OK). Payment-card-based verification is a longstanding method of doing prima-facie verification like this. When you give your credit card, you give your billing address and typically your phone number -- if the postal code is a US address and the phone number is a US area code and everything else is consistent with that, that might be all the KYC required. If you appear to be a foreign national operating outside the US, they can flag that and require additional paperwork only then.

          This proposed rule looks to me like it basically requires providers to come up with their own verification plans, which may then differ from provider to provider, so as to be "flexible and minimally burdensome to their business operations".

          [note for the following: I am not a lawyer. The following is not legal advice. Do not fold, spindle or mutilate. Do not taunt Happy Fun Ball.]

          The real danger, I think, with things like this is, there's an executive order that was issued, but it further specified a rulemaking process be conducted to determine the actual regulations that define compliance. The link in the title is to the proposed rule. There's nothing that says any amount of prior public input will necessarily influence the details of the final rule, or that rule can't change in the future through another rulemaking process, and if it does the only way to challenge it is either to sue the agency on the grounds that it exceeded its discretion (e.g. by making rules that require unconstitutional things) or that the enabling executive order is itself unconstitutional -- but these kinds of federal cases have a pretty high bar for what's called "standing" (the legal grounds to bring a particular lawsuit): you pretty much have to suffer concrete harm or be in obvious and imminent danger of suffering it to a grievous degree. (This is one reason you hear about "test cases" -- often somebody will agree to be the goat who is denied something, fined, or even arrested and convicted of a crime, so that standing to sue to overturn the law can be established.) Other times, if a lot of potential defendants already have standing, a particularly sympathetic defendant will be selected for the actual challenge. The US federal courts are also deferential to "agency discretion" by default, as a matter of doctrine.

          What happens all too often with these things is, the initial rulemaking is pretty reasonable, and the public outrage (if there was any) dissipates. Then three years (or however long) on, the next rulemaking imposes onerous restrictions and strict criteria, and people suddenly (relatively speaking) wake up and find they're now in violation of federal regulations that they were in compliance with last week. (This is one reason public-interest groups are so critical -- they have the motivation and sustained attention to comb the Federal Register for announcements about upcoming rounds of rulemaking on various topics.)

          • jofla_net 10 days ago

            Thanks, this was useful clarification.

        • wkat4242 10 days ago

          If you rent a VPS in supposedly privacy-conscious Germany they need photo id too :(

          Luckily there's other cheap options in Europe like in France.

          • Stagnant 10 days ago

            I don't think that is a legal requirement in Germany. At least Hetzner lets you rent a German VPS or dedicated server without ID. Though Hetzner may require you to submit an ID if you are flagged by their automated systems upon registration.

            • wkat4242 10 days ago

              It was actually Hetzner that didn't want to provision my VPS without Photo ID. I blanked out the SSN as our government tells us to do and they balked at that as well. After I showed them my government's website explaining how and why to do that they were OK with it but at that point the relationship was already soured and I started looking for alternatives.

              Maybe they changed it now but they were asses about it then. I thought it was a legal requirement, they basically said as much though I don't recall the exact details, it was before the pandemic.

              Eventually I just moved to Scaleway in France which is much nicer and cheaper and you can even talk to their support on slack.

              PS: I don't do anything nefarious on my servers but I just don't want my ID on file anywhere it's not needed.

      • chlodwig 10 days ago

        There are IaaS services out there that accept bitcoin, monero, or anonymous prepaid charge cards. They aren't an IaaS but Mullvad even accepts cash mailed to them in an envelope.

        • _tk_ 10 days ago

          Is it fair to assume, that one can engage in a business relationship with these services outside the US? I'm not sure I see the effect that you are implying. AWS, GCP, Azure don't accept crypto. Mullvad is as you point out not an IaaS provider.

          • chlodwig 10 days ago

            Namecheap, Vultr, BuyVm all operate in the U.S. and at times in the past (I don't know if they still do) have either accepted crypto or anonymous charge cards (available for cash at a convenience store), thus making it possible to get a dedicated server or VM totally anonymously. This new regulation would seem to prevent this.

            • _tk_ 10 days ago

              Interesting, I did not know this. The actual anonymity of crypto currencies aside, it's good to see these kind of businesses do still exist.

      • AnthonyMouse 10 days ago

        Some hosts accept alternate payment systems, like gift cards or cryptocurrency. You can also have someone else pay for it with a credit card or bank transfer without giving your name, which can be quite important in some cases. The new rules would presumably make that a crime.

        • jiggawatts 9 days ago

          “Say you host spammers and scammers without saying you host them.”

    • behringer 10 days ago

      Tbh this is fine by me. It's about time the US stop being the center of the world for internet infrastructure.

      • karmajunkie 10 days ago

        i’m reading through the contrarian takes here and thinking, “yeah i’m kind of ok with that?”

        this would make it much trickier for bad actors to get away with everything from online ai scams to swatting. i could live with that.

        • monksy 9 days ago

          It would not. They're financially motivated to do what they want. They will find a way around it. i.e. scamming the elderly to sign up for cloud services and proxying their KYC requirements.

          There are scammers who walk seniors to sign up through Coinbase, the KYC requirements, to order bitcoin.

      • webspinner 9 days ago

        It's fine to make me, a blind person have to upload a government ID. Cool dude.

        • behringer 9 days ago

          I think you need to re-read my comment.

    • webspinner 9 days ago

      Post a comment to the federal register.

    • Spooky23 10 days ago

      Good. It’s not 1999.

      There are so many malicious actors putting human life at risk in some scenarios it should be possible to figure out who owns what.

      Now, I would start with corporate ownership and focus on anonymous entities controlling things like Delaware and Nevada corporations. But that’s me.

      • webspinner 9 days ago

        You guys are stupid. That's exactly what they want to use it for is to train AI.

  • RAM-bunctious 10 days ago

    It's really not benign as far as I can see. There is an implication that its purpose is to allow providers to start writing reports on foreign users training LLMs (which, incidentally, I'm not condoning either), but in the process it requires every American IaaS to start implementing KYC folly.

    No one wants to send in selfies and their passport just to start a Digital Ocean droplet.

    • BenjiWiebe 10 days ago

      I'm curious if the spammers will find a way around this. I would actually like to be ID'd by a provider if that also meant they had no un-ID'd customers. I'd expect their IP range would start to get a pretty good reputation.

      • AnthonyMouse 10 days ago

        The spammers are criminals. They'll just use ID scans and info from data breaches of other companies. Requiring more companies to collect them makes it even worse because now there are more places to exfiltrate them and it makes it easier for criminals to commit identity theft against financial institutions etc.

        There are also non-"criminals" who are more than willing to use their actual ID for the sort of things that aren't strictly illegal but will still get your IP space on a bunch of block lists when they can make a buck doing it, so it wouldn't solve the problem even if it could actually identify all of the customers.

        • jofla_net 9 days ago

          And now more people will have their passports pinched as they'll be opening themselves up to more opportunities to have it stolen. It'll be great to get ready for that overseas trip, or while returning, to find out you need to now visit an embassy as a forged version of it is now in use.

    • webspinner 9 days ago

      It's absolutely folly! Foolishness by the department of commerce. What were they thinking?

  • justaman 10 days ago

    I think everyone has a sour taste left over from decades of half-baked laws written by politicians that don't understand the basics of the internet or technology in general.

    With that said, I also don't understand the issues people are having with this.

    • ranger_danger 10 days ago

      I wonder how they deal with the (hopefully) constant abuse reports aimed at them from providers who are tired of their shady customers doing shady things from their IPs.

    • logifail 10 days ago

      > With that said, I also don't understand the issues people are having with this.

      The regulation "requir[es] U.S. Infrastructure as a Service (IaaS) providers of IaaS products to verify the identity of their foreign customers"

      Q: How would one propose to determine if a customer is foreign or not?

      A checkbox, perhaps? <rolls eyes>

      No bad actor would possibly pretend to be a domestic customer, of course... <rolls eyes again>

      • refulgentis 10 days ago

        That's a strawman. <rolls eyes> It won't be a checkbox, of course... <rolls eyes again>

        • logifail 10 days ago

          > That's a strawman [..]

          OK, I'll bite. How exactly are [US] domestic users of services supposed to prove they don't need to prove their identity?

          EDIT: it reminds me of the Common Travel Area (between Ireland and the United Kingdom of Great Britain and Northern Ireland), which has some glorious inconsistencies. For instance that nationals of Ireland and the UK travelling between those two countries do not need a passport, except when you take an international flight and rock up at IE/UK border control it's fairly hard to prove you are a national who doesn't need to provide a passport without having ... a passport (or equivalent ID).

          • outop 10 days ago

            Have you travelled between the UK and Ireland? You most definitely do not need a passport and do not need "equivalent ID". You can travel (by boat) with a student card, driving license, photographic travel pass (ie over-60s pass, young person rail pass), or photographic id from your work.

            The check is very much "don't stop walking but hold your ID-looking thing in your hand so a nonchalant man can glance at it". You would attract very little attention with someone else's UK or Irish driving license, a bit more if you decided to test the waters with a weird form of ID.

            Children can travel with a birth certificate (no photo).

            You need more than this to get on an aeroplane, but that also applies to domestic flights in the UK.

            If you get the boat and show eg. a Romanian student card, they might ask you where your passport is, somewhat reasonably since you would have needed it to travel to the UK or to Ireland. They would accept an ID card probably and might let you in with legit looking non-government ID.

            That's the sea border. You can cross the land border between the Republic of Ireland and Northern Ireland without any form of ID at all, government-issued, photographic or otherwise. Lots of people do it every day by car or bus and it would not remotely occur to them to take ID with them.

            So the Romanian student would have no problem travelling between London and Dublin without showing anything since they could get a boat Glasgow- Belfast and then get a bus to Dublin.

            If this was your best example of governments lying and changing the rules, it's not a very good one (and is also kind of offensive to Irish and British people).

            • logifail 10 days ago

              > You need more than this to get on an aeroplane, but that also applies to domestic flights in the UK.

              Can you clarify what you mean by "more than this"?

              I've travelled on many domestic flights within the UK, and ID is not routinely checked.

              > If this was your best example of governments lying and changing the rules

              Ouch.

              The common travel area has its origins way back in 1923, the rules are clear, no-one is lying.

              It's just that it's hard to prove you are entitled to its benefits without having an ID document with you that - if you're entitled - it says you don't have to have with you...

              • outop 10 days ago

                When did you last travel on a UK domestic flight? You definitely need government issued ID.

                You are suggesting that having to show any photographic ID is the same as having to show a passport. That's obviously silly.

                No one has to prove that "they are entitled to not show a passport" by showing British or Irish ID. This is a fantasy.

                On the boat everyone, British, Irish or other, has to show ID of some kind. No one has to show a passport. At the land border no one has to show anything.

                • logifail 9 days ago

                  > When did you last travel on a UK domestic flight? You definitely need government issued ID

                  "a spokesperson for the CAA, said: “UK aviation security regulations do not require a passenger’s identity to be checked for security purposes prior to boarding a domestic flight, in the same way when travelling within the mainland on a train or bus. Any further requirement on behalf of the carrier to provide identification may be a condition of travel by the carrier itself.”"

                  https://www.independent.co.uk/travel/news-and-advice/british...

                  • outop 9 days ago

                    Did you read the headline of that article?

                    You need government ID to get on a domestic flight in the UK. You also need government ID to get on a flight from the UK to Ireland.

                    As with the sea border and the land border, this completely invalidates your claim about what ID is required to travel between the UK and the Republic of Ireland.

                    You don't appear to have travelled between the UK and the Republic of Ireland, ever, or to have flown domestically in the UK since 9/11. You stated above that "they do not check ID on UK domestic flights", not "the CAA does not require ID but all airlines do". The first statement is untrue. Not sure why you are making stuff up in support of an urban legend about the UK/Irish border.

                    Even if there was a difference between the ID required to board a flight from the UK to the RoI and the ID required to board a UK domestic flight (there isn't - both require govt ID, not necessarily a passport), the situation at the boat and at the land border completely disproves your original claim.

          • refulgentis 10 days ago

            KYC stands for Know Your Customer, and is a core regulation in banking. So we can pivot off that and work through what a bank does to verify your identity.

            I signed up for a Mercury bank account a few months back for my Delaware corporation without talking to anyone, so I'll use that as a template.

            I can't remember the exact steps, but tl;dr submit a passport photo / driver's license photo and a photo I take in the app itself. If it was a not-US passport, then they'd dig into a full verification, not just a quick manual check of "is that face the same as the passport/license, is the passport/license ID # valid, and are the photos edited"

            • AnthonyMouse 10 days ago

              You seem to be conceding the point that they would be forced to invade the privacy of their US customers in addition to just foreign ones.

              • refulgentis 10 days ago

                True, I guess I wouldn't call it invading privacy, that sounds a bit overwrought to me. Then banks invade my privacy, the DMV invades my privacy, etc. There's always tradeoffs, I respect people's concern about them, and I wish there was a gentler way to say it.

                • AnthonyMouse 10 days ago

                  > Then banks invade my privacy, the DMV invades my privacy, etc.

                  That is a reasonable and factually accurate statement.

                  > There's always tradeoffs, I respect people's concern about them, and I wish there was a gentler way to say it.

                  The tradeoff here is astonishingly bad. Studies have shown that AML/KYC have an effectiveness of less than a fraction of one percent. They continue to proliferate because their largest costs fall on the users rather than the companies, so they're the thing that large corporations suggest as a "solution" when they're being pressured to do something. Because people have the perception that it will do some good, even though that perception is inaccurate.

                  In reality what they do is provide a means to satisfy "something must be done" in a way that dumps the costs on marginalized users instead of politicians and corporations.

                  • refulgentis 9 days ago

                    I had to look up what "effective" means in this context, found a couple crypto blogs using it as a talking point citing a 2011 UN study, the study says less than <1% of money laundering proceeds are confiscated worldwide, nothing about the laws. Money laundering is defined as an estimate of any money from illegal activity, including tax evasion.

                    • AnthonyMouse 9 days ago

                      There has been more than one study and some of them more recent, e.g.:

                      https://www.tandfonline.com/doi/full/10.1080/25741292.2020.1...

                      AML laws are completely ineffective. People can write long papers about why, but the underlying reason is simple. Money is fungible.

                      If Alice is selling heroin to Bob and the government knows this, they don't need AML laws to arrest them. If they don't know this, even if all of the financial records were 100% transparent and tied to the name on their birth certificates, they still wouldn't know this, because Alice and Bob would just claim the payment is for software licensing or personal grooming services or whatever they want to make up, and neither the bank nor the government has any way to know otherwise until they independently prove the underlying crime. Worse, Alice and Bob don't even have to pay each other. Bob can just buy whatever Alice asks him to with his money and then give that to Alice in exchange for the contraband. Then there is no financial transaction linking them at all.

                      The entire concept of it simply doesn't work. It's all cost and no benefit.

                  • webspinner 9 days ago

                    Yeah like me. I will not be able to use the internet anymore, literally.

            • monksy 9 days ago

              > a photo I take in the app itself

              So what else did they pull off your phone? Location data, personal photos, personal files, wifi connections near by, microphone data, ongoing location data?

              • webspinner 9 days ago

                Exactly, they just want more mass surveillance.

              • refulgentis 9 days ago

                None of those, just asked for the photo

                • monksy 9 days ago

                  You said it was their app correctly?

                  Have you validated that they didn't take the other bits off your phone?

                  • refulgentis 9 days ago

                    Every modern smartphone has permissions on that stuff for years now. I don't self-peasantize with "but what if..."

    • webspinner 9 days ago

      You don't understand the issues me as a blind person has with it? OK I have to upload a government ID every time I want to use an internet service. That's stupid. It's also considered a general warrant, and I thought we did away with those long ago.

    • newaccount7hhhf 10 days ago

      What laws are you talking about? The Internet has grown a lot that’s largely because we have smart politicians and strong institutions. I really think the regulation of the Internet has been amazingly good.

      • Kye 10 days ago

        For example: CAN-SPAM. If I want to send emails to a list, I have to burn $90 of my scarce dollars every year just for a PO box for the address at the bottom on the off chance someone sends a letter to unsubscribe. Unless I want to put my home address in every email, which I don't, and no one should. Unsubscribe links and highly effective spam filters were already completely standard when the law was passed in 2003. It doesn't matter if the email you send doesn't actually require it because every mailing list provider requires it.

        • loeg 10 days ago

          Eh, unsubscribe links were definitely not universal in 2003 and they barely are today. But the situation has definitely improved in the last 20 years.

          • AnthonyMouse 10 days ago

            The point is the rules are daft. A sensible rule would require a functioning unsubscribe process in the email, which every piece of software would then automate as an unsubscribe link. The actual rule requires people to be able to unsubscribe via a postal mailing address, which is unreasonable and ridiculous.

            • webspinner 9 days ago

              Yeah, who wants to do that? I don't want to, no one wants to. It's a stupid law!

            • loeg 9 days ago

              I'm just saying, your earlier comment would have been better without the sentence: "Unsubscribe links and highly effective spam filters were already completely standard when the law was passed in 2003."

              • AnthonyMouse 8 days ago

                The person you're replying to is not the person you're quoting.

                But also, the people with unsubscribe links now but not in 2002 would still commonly send their messages from a consistent address, making it easy to block them if you wanted to, and making even primitive spam filters highly effective against them. Meanwhile the people who randomize their from address to prevent this are the people who still don't have a functioning unsubscribe link.

  • chadsix 10 days ago

    AI is mentioned, but the scope is significantly larger if you read the full text.

    • axus 10 days ago

      I'm going to need another intelligence to read the full text.

      "U.S. IaaS providers and foreign resellers of U.S. IaaS products must exercise reasonable due diligence to ascertain the true identity of any customer or beneficial owner of an Account who claims to be a U.S. person."

      So at a minimum, everyone's identity is verified by IaaS provider. If you claim to be a non-U.S. person, additional information is collected.

      They mention looking at comments from a previous proposal in 2021, "Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities" https://www.federalregister.gov/documents/2021/09/24/2021-20...

      Who counts as IaaS besides Amazon, Azure, and GCS?

      • OgsyedIE 10 days ago

        Dreamhost, Wordpress, etc

        • nonameiguess 10 days ago

          This is not the industry-standard or NIST definitions of these terms. Something like Google Workspace Suite is Software as a Service. Something like Heroku (or Dreamhost or Wordpress) is Platform as a Service. Something like EC2 and S3 are Infrastructure as a Service. The distinction is renting out undifferentiated server space that a customer installs their own software onto. If you rent a VPS from Linode and install self-hosted Wordpress, that's IaaS. If you buy Wordpress's managed hosting, that's PaaS.

          • chlodwig 10 days ago

            Well, it may not be the industry standard definition, but it is the definition used in the actual regulation:

            -------

            Infrastructure as a Service product or IaaS product means a product or service offered to a consumer, including complimentary or “trial” offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications. The consumer typically does not manage or control most of the underlying hardware but has control over the operating systems, storage, and any deployed applications. The term is inclusive of “managed” products or services, in which the provider is responsible for some aspects of system configuration or maintenance, and “unmanaged” products or services, in which the provider is only responsible for ensuring that the product is available to the consumer. The term is also inclusive of “virtualized” products and services, in which the computing resources of a physical machine are split between virtualized computers accessible over the internet (e.g., “virtual private servers”), and “dedicated” products or services in which the total computing resources of a physical machine are provided to a single person (e.g., “bare-metal servers”).

            ---

            So Dreamhost counts, any web host where you can run arbitrary PHP code would count. Wordpress.com -- where you cannot actually modify the PHP code yourself -- would not count as IaaS. But any web host that allows you to install applications on your own, or run any of your own code, would count as IaaS by this regulation.

        • kube-system 10 days ago

          Wordpress clearly does not meet the definition of IaaS in the document.

          > provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications

          • mysteria 10 days ago

            Services like Github Actions, Google Colab, and web-based IDEs likely meet this definition though as it lets users execute their own custom code on their cloud. So basically all developer stuff may require an ID check.

          • dannyobrien 10 days ago

            Can you not add plugins to Wordpress?

            • kube-system 10 days ago

              You cannot install Debian or Windows 11 on Wordpress.

              • pavon 10 days ago

                It applies to any "software that is not predefined". An OS is just a non-exhaustive example of one type of software that applies.

                • kube-system 10 days ago

                  The next sentence is:

                  > The consumer [...] has control over the operating systems, storage, and any deployed applications.

                  That was just a snippet of the full definition here:

                  https://www.federalregister.gov/d/2024-01580/p-46

                  • AnthonyMouse 10 days ago

                    There are two possibilities here.

                    First, the rule applies to WordPress and all that kind of thing, and then providers would have to KYC WordPress users. Which is a reason not to pass it.

                    Second, the rule is completely pointless, because it doesn't, and then anyone could create an AI training WordPress plugin that uses whatever arbitrarily fast hardware the server has and thereby easily bypass the rule. Which is a reason not to pass it.

                    • kube-system 10 days ago

                      That's silly, no Wordpress hosting has H100 GPUs hooked up to it.

                      If you skim the full context of this proposal and the topics it focuses on (dedicated servers, virtual servers, AI acceleration), and you've been paying attention to current geopolitics in these areas (top chips being sanctioned), it is completely obvious that the goal here is to prevent things like evading sanctions by renting hardware instead of buying it.

                      • AnthonyMouse 10 days ago

                        What stops them? You could have a WordPress plugin that uses Stable Diffusion to generate images, or encodes uploaded video, or provides an AI chatbot, and needs fast GPUs because there are a lot of users. Providers will supply anything the customer is willing to pay for. The expected AI plugins would be doing inference rather than training, but the user could use the same hardware for plugins that do something else.

                        • kube-system 10 days ago

                          > Providers will supply anything the customer is willing to pay for.

                          I suppose every company and every service should be in scope for KYC then. /s

                          But the reality is that Wordpress hosts are not in the business of renting people dedicated servers the price of a nice house. And if they were asked to do so, it wouldn't be a simple automated request without scrutiny.

                          • AnthonyMouse 10 days ago

                            In 2010 it wouldn't have been an automated request. Now there is plenty of demand for it to do inference and some providers are likely to start offering it if they don't already. You're also assuming the providers are interested in preventing foreigners from using their systems for AI training, rather than being interested in making as much money as possible without violating the letter of the law.

                            The latter is one of the reasons rules like this are simultaneously so expensive and ineffective. Provider A decides to KYC everybody because they're big and risk averse, so the rules inconvenience millions of innocent people. Provider B wants to make money selling GPUs to foreigners, so they implicitly choose a structure that allows that to happen if the rules contain any loopholes whatsoever. (This ignoring that foreign customers could just switch to foreign hosts and cost US companies business for no reason.)

                            And if the premise is the level of resources being consumed rather than the type of service then why don't the rules exempt anyone spending less than e.g. $50,000/month? That would be almost everyone while still not being anyone buying enough compute to do major AI training. It still wouldn't work but at least it would have much less overhead.

                            • kube-system 10 days ago

                              I don't think anyone is under the presumption that these requirements are bulletproof. The point is to just target one big glaring loophole.

                              > $50,000/month? That would be almost everyone

                              It might be almost every individual developer. But that isn't really a huge cloud spend at all for an organization.

                              https://www.cloudzero.com/wp-content/uploads/2023/10/flexera...

                              But speaking of loopholes, what do you think bad actors would do if you told them that they weren't subject to KYC under a certain dollar amount? lol

                              • AnthonyMouse 10 days ago

                                > It might be almost every individual developer. But that isn't really a huge cloud spend at all for an organization.

                                That's kind of the point. It excludes all of the individuals and small businesses and makes it unambiguous that it doesn't apply to someone paying $10/month for a VPS to use as a VPN endpoint for privacy.

                                > But speaking of loopholes, what do you think bad actors would do if you told them that they weren't subject to KYC under a certain dollar amount?

                                In some hypothetical world where the rules were actually effective? Spend $49,000 and then create a new account, which would be highly suspicious and still cause them to get caught.

                                In practice? Use a cooperative provider (Wells Fargo as a hosting company), or one in another country, the same as they would do regardless.

                          • axus 10 days ago

                            The whole SUV category of vehicles was spawned as a workaround for the 1975 Energy Policy and Conservation Act of 1975. Demand blocked by laws leads to weird mutations.

                            I'm thinking that this will simply promote cloud providers that operate outside America, sort of like Binance and FTX were "forced to exit" the US market. Not a bad result.

              • Izkata 10 days ago

                "and applications", not just operating systems.

              • sokoloff 10 days ago

                I think it’s most reasonable to read that as “includes [all of these examples]” not “excludes if it can’t [any of these examples]”

                AWS Lambda would clearly (IMO) be in-scope as IaaS by this definition, as an example, even though I can’t install another OS.

                • kube-system 10 days ago

                  AWS Lambda qualifies because it is part of AWS and an AWS account gives you access to EC2 which definitely qualifies.

      • unethical_ban 10 days ago

        edit: Vultr info is wrong. They don't have anonymous use anymore.

        Vultr, for example.

        There are high-quality IaaS providers that accept bitcoin for payment, allowing someone to host a server on their platform without revealing their identity.

        • rattlesnakedave 10 days ago

          Vultr requires a card linked for ID verification even if paying for BTC. Or at least they did in the past when I tried.

          • unethical_ban 10 days ago

            Interesting. I can't even create an account with a privacy address (passmail.net forwarding). Wankers.

            You are correct. "Account must be funded by credit card or PayPal before making a Bitcoin deposit." No more anonymity on Vultr.

      • webspinner 9 days ago

        In their definition, everything does, HN included.

    • kube-system 10 days ago

      Given that top GPUs are sanctioned, I'm sure preventing access to them remotely is a part of this. But just generally speaking, doing any malicious crap out of an EC2 instance is an easy way for a foreign actor in China/Russia/Iran to look more legit.

      • Repulsion9513 9 days ago

        As if they won't just use a stolen identity. And like usual the victim will never even find out because it won't show up on their credit report.

        • kube-system 9 days ago

          Of course, people who want to circumvent laws will always attempt to do so. That doesn't mean all legal mitigations are useless.

          • Repulsion9513 7 days ago

            Indeed it does not.

            But that also doesn't mean this legal mitigation is either useful or worthwhile.

    • lolinder 10 days ago

      It's still just for IaaS companies, though, right?

      Not that that makes this all okay, but it is a much more limited proposal than "internet services" makes it sound.

      • chlodwig 10 days ago

        IaaS is defined as a provider of computing resources that allows you to run software that is not predefined. So that would seem to include basically every web host. If you can install Wordpress or Mastodon on the servers they provide, they are an IaaS.

      • chadsix 10 days ago

        Legally speaking, internet service providers are infrastructure providers.

        • zinekeller 10 days ago

          Definitely not in this case (unless you're using Digital Ocean as a VPN end point or something). EO 13984 (which is cited as the enabling act) has a narrow definition:

          (e) The term “Infrastructure as a Service Product” means any product or service offered to a consumer, including complimentary or “trial” offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications. The consumer typically does not manage or control most of the underlying hardware but has control over the operating systems, storage, and any deployed applications. The term is inclusive of “managed” products or services, in which the provider is responsible for some aspects of system configuration or maintenance, and “unmanaged” products or services, in which the provider is only responsible for ensuring that the product is available to the consumer. The term is also inclusive of “virtualized” products and services, in which the computing resources of a physical machine are split between virtualized computers accessible over the internet (e.g., “virtual private servers”), and “dedicated” products or services in which the total computing resources of a physical machine are provided to a single person (e.g., “bare-metal” servers)

          (https://www.govinfo.gov/content/pkg/FR-2021-01-25/pdf/2021-0...)

          • webspinner 9 days ago

            That's not a narrow definition.

        • lolinder 10 days ago

          Do you have a basis for this claim or are you just throwing it out there to see if it catches on? The document linked refers to IaaS, which as an acronym definitely does not include ISPs.

          • EGreg 10 days ago

            In practice, as long as a definition can conceivably cover something, the DOJ or some agency will use it. Case in point from yesterday: money transmitter as applied to arresting the developers of a NON-CUSTODIAL wallet, as part of a wider war on crypto mixing:

            https://www.coindesk.com/policy/2024/04/24/samourai-wallet-f...

            This comes amid a war on end-to-end encryption, and so on. It's not like they are going to stop here.

          • erie 10 days ago

            Some AI services such as Synthesia https://www.synthesia.io › ethics "Your avatar can be created only with your explicit consent, following a thorough KYC-like procedure. Complete control: Our platform ensures you can decide"

          • chadsix 10 days ago

            There are probably very few ISPs that can fall outside of this standard. For example if your provider provides e-mail, it's providing infrastructure. And yet, the slope can get much more slippery than this.

            • zinekeller 10 days ago

              Please read EO 13894 before proceeding further. Is the user able to run custom software directly with a customary ISP (because that's in the definition)? I agree with EGreg that they can possibly twist this, but as written it's actually narrower than you think.

  • codedokode 10 days ago

    This won't work. Foreign nations have enough skill and resources to pass KYC as a citizen (steal someone's documents, pay a homeless person for verification etc). And as I understand, US doesn't have a central citizen database so it is difficult to verify a document.

    • White_Wolf 10 days ago

      It's funny they don't need ID to vote but they'll need one for a VPS.

      EDIT: I know it's about IaaS.

    • AnthonyMouse 10 days ago

      That isn't even the first reason it won't work.

      Computing is a global commodity. There are providers in other countries. They would just use one of those.

  • f38zf5vdt 10 days ago

    From the executive order (Executive Order 14110) it seems to affect only massive compute infrastructure:

    > (i) any model that was trained using a quantity of computing power greater than 10^26 integer or floating-point operations, or using primarily biological sequence data and using a quantity of computing power greater than 10^23 integer or floating-point operations; and

    > (ii) any computing cluster that has a set of machines physically co-located in a single datacenter, transitively connected by data center networking of over 100 Gbit/s, and having a theoretical maximum computing capacity of 10^20 integer or floating-point operations per second for training AI.

    Keep in mind that most consumer graphics cards are in the _teraflops_ range, which is 10^12. It's hard to imagine this affecting the average person, it seems that they are specifying KYC for people using clusters with thousands or tens of thousands of cards.

    • pavon 10 days ago

      No, that is just one part of it. The proposed rules are intended to cover both EO13984, which addresses foreign entities using US IaaS for Cyber attacks, and EO14110 which addresses foreign entities using AI hardware.

      They require all IaaS[1] to determine if customers are US persons, and if not to collect and retain certain identifying information[2], and provide annual reports describing their processes[3]. It grants the Secretary of Commerce extra-judicial power to force any IaaS to stop doing business with any foreign customer, or place restrictions on their use[4]. This section lists things that the Secretary should consider in doing so, but doesn't have any hard requirements. Finally, it requires the IaaS to report certain foreign use of AI[5].

      [1]§7.301 https://www.federalregister.gov/d/2024-01580/p-189

      [2]§7.302 https://www.federalregister.gov/d/2024-01580/p-219

      [3]§7.304 https://www.federalregister.gov/d/2024-01580/p-266

      [4]§7.307 https://www.federalregister.gov/d/2024-01580/p-377

      [5]§7.308 https://www.federalregister.gov/d/2024-01580/p-403

      • jiggawatts 9 days ago

        > It grants the Secretary of Commerce extra-judicial power to force any IaaS to stop doing business with any foreign customer

        This can backfire, as foreign customers of public clouds may switch to local providers, which erodes the US near-monopoly on cloud services. Ironically this can reduce the visibility and control the US government has over foreign nation states.

        E.g.: most of the Australian government is hosted in either Azure or AWS. That kind of thing might stop if extrajudicial power is granted to pull the plug on any customer at any time.

        • mr_toad 9 days ago

          If they’re inspecting what people are running on GPU instances to report that information back to the US government it’s going to give a lot of people pause for thought. It’s basically violating guarantees that many businesses have with cloud providers.

    • Dylan16807 10 days ago

      > Keep in mind that most consumer graphics cards are in the _teraflops_ range, which is 10^12.

      Something like 40 of them, or 100-300 if you're looking at FP16. So well over 2^14.

      And that's per second, give it your idle cycles for four months and that's 10^7 seconds.

      It gets pretty close to 10^23.

  • olalonde 10 days ago

    > Is it that it's a slippery slope or perhaps I'm being naïve in regards to the scope?

    This. Also, it won't stop malicious actors. Setting up an LLC to mask your true identity is cheap and easy. Not to mention that providing a fake identity or pretending you are not a "foreign person" is also cheap and easy.

    • webspinner 9 days ago

      I'll certainly get one, or two, if this goes through.

  • chrisjj 10 days ago

    > seems like the extent of this is to require IAAS (Infrastructure) providers to verify the identity of those who are using their services to train AI.

    Only foreigners.

    > It's an attempt to stymie sanctioned or malicious actors, from training AI and especially from hopping between services or using aliases to continue training on their model.

    Unlikely, since it exempts non-foreign malicious actors

  • toss1 10 days ago

    On top of that, it is to identify FOREIGN users

    >>"require U.S. IaaS providers to verify the identity of foreign users of U.S. IaaS products, ... which calls for the Department to require U.S. IaaS providers to ensure that their foreign resellers verify the identity of foreign users. E.O. 14110 also provides the Department with authority to require U.S. IaaS providers submit a report to the Department whenever a foreign person transacts with them to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity."

    We damn well SHOULD be identifying foreign users of our services, particularly those which have high-powered potential to cause harm.

    This knee-jerk [govt identifying anybody is bad] response prevalent here deeply undermines the cause of actually maintaining privacy. There are actually very bad actors out there, and if we fail to identify and contain them, things will be far worse. The reality is that some measures must be taken — let's focus on containing the real threats, not cry foul at every shadow of a hint that we might approach a slippery slope.

  • NoMoreNicksLeft 10 days ago

    > It seems a bit benign

    This seems, to me, an utterly malignant attack on anonymity, which is a protected constitutional right. It's the idea that every internet packet needs to be tied back to some verified identity. We're in frog-boiling territory with this garbage.

    • spiralpolitik 10 days ago

      There is no absolute right to anonymity in the US constitution.

      (The courts have "recognized relatively strong First Amendment presumptions on behalf of purveyors of anonymous speech, especially for those that are statements of opinions rather than obvious falsehoods, while recognizing that government sometimes has the right to identify such speakers when they have used their platforms to harass, engage in slander or sexual predation, make true threats, or allow foreign governments to influence U.S. elections")

      • AnthonyMouse 10 days ago

        How is one supposed to exercise their right to anonymously express political opinions if anonymity is prohibited by law?

        • krapp 10 days ago

          There is no right to anonymously express political opinions.

          There is a right to express political opinions, but anonymity is a privilege, not a right.

          • AnthonyMouse 10 days ago
            • krapp 10 days ago

              I see controversy and a lot of dissent among Justices, but no decisions that explicitly declare a Constitutional right to anonymity.

              And the modern Court explicitly declared that a Constitutional right to privacy does not exist, and one cannot have anonymity without privacy, so no.

              • AnthonyMouse 10 days ago

                > I see controversy and a lot of dissent among Justices,

                Precedent is set by the majority, not the dissent.

                > but no decisions that explicitly declare a Constitutional right to anonymity.

                Weird then that there are several decisions striking down laws that violate the right to anonymous speech?

                > And the modern Court explicitly declared that a Constitutional right to privacy does not exist, and one cannot have anonymity without privacy

                One cannot refuse to turn over one's papers and effects in the absence of probable cause without privacy either.

                Consider the possibility that there could be a right to anonymous speech without a right to anonymous practice of medicine. A universal right to privacy would require both. Just because it isn't both doesn't mean it's neither.

                • krapp 10 days ago

                  > One cannot refuse to turn over one's papers and effects in the absence of probable cause without privacy either.

                  Yes. I believe a right to privacy once existed, but it was nullified as it formed the basis of the case for Roe v. Wade. As a result even the Fourth Amendment is weakened because it must be interpreted in the light of a right to privacy no longer existing.

                  What I'm trying to put forth is that the assumptions you're working under are no longer valid and we've thrown the baby out with the bathwater.

                  • AnthonyMouse 10 days ago

                    > I believe a right to privacy once existed, but it was nullified as it formed the basis of the case for Roe v. Wade.

                    It was kind of the other way around. There is clearly no explicit right to abortion in the constitution, so to find one it would have to be implicit, but the Court in Roe wanted to find one, so they made one up. The reasoning was something like, the constitution implies there is a general right to privacy and laws against abortion violate it. The people who liked the result were then stuck trying to defend its inconsistent reasoning for 50 years, because the same logic would cause all kinds of other laws to be a violation of the same right. Obvious example would be drug prohibition; government invading your privacy by trying to control what you put into your own body. Same logic as Roe.

                    But Roe was never actually extended to any of that stuff, so overturning it didn't re-enable drug prohibition after it was struck down, since it was (inconsistently) never struck down to begin with.

                    The cases having to do with anonymous speech are independent and use entirely different logic. The general idea is that people are deterred from speaking (chilling effects) if people can associate what they have to say with a physical person who can then be harassed for expressing an unpopular opinion. It doesn't have any of the same problems because there is no First Amendment right to morphine, which they could ban outright under the same justification as they ban heroin, so having to show your ID to get morphine isn't deterring you from exercising your right to free speech.

          • NoMoreNicksLeft 10 days ago

            The converse would have to be true then, that the government has the legitimate power to intimidate people to not express their opinion. This does not seem like a legitimate power for government to have, but now I need to be careful whether I express it at all.

            • krapp 10 days ago

              Laws against slander, libel, intimidation, conspiracy, perjury, etc are based upon the government's power to intimidate people from expressing opinions. It is a felony in the US to express the opinion that the President should be killed. Speech in the US has never been a free for all.

              • AnthonyMouse 10 days ago

                Those are not opinions, they're provably false statements or threats. Conspiracy is essentially committing a crime as a group rather than an individual, and the statements are the evidence of the crime rather than the crime in itself.

                The closest the government comes to prohibiting an opinion is copyright, but even then you can restate the opinion in your own words, and when an exact quote is necessary to make your point it's fair use specifically because it would otherwise violate free speech.

    • monksy 10 days ago

      > It's the idea that every internet packet needs to be tied back to some verified identity

      There's been multiple attempts to do this. Via KOSA and a few others lately in our Congress. PR friendly candidates like Duckworth have been trying to walk this through the system.

  • m463 5 days ago

    the more information they keep, the more they will expose it in data breaches, or sell/share it with others.

  • monksy 10 days ago

    [flagged]

    • kube-system 10 days ago

      > You're calling a collection and storage of your personal information as "benign"?!

      All major cloud services already collect this information. I filled in the bare minimum on AWS, and they've got my full name, address, phone number, email, and credit card details.

      • monksy 10 days ago

        They collect biometric data (selfie) plus a copy of your driver's license? That's a big part of KYC/AML.

        That's a huge difference from address, email, CC number.

        • lolinder 10 days ago

          You should really read patio11's article on KYC [0]. A relevant paragraph:

          > Many people believe that the law requires a bank to see your government-issued ID in person to open a bank account. Again, this is incorrect; the law very rarely requires any particular action. The most prescriptive the US gets is that the sort of KYC information required about a customer include their true identity, including a name (not, incidentally, their “true” name because governments actually have some glimmer of understanding that that is not a thing which exists), a residential address, their date of birth, and an identifying number.

          [0] https://www.bitsaboutmoney.com/archive/kyc-and-aml-beyond-th...

          • monksy 10 days ago

            Looks like his argument is that randomized and client to client based rules are better. To some extent I agree.

            However, it's inconsistent and we have a government that is punitive, which is why I see that these KYC approaches are reactive to that. There are no punitive measures for violating privacy concerns and storing/profiting from this data.

            In practice, to buy crypto, you have to give a disreputable private entity (crypto exchanges have a terrible history of not being scummy.. is cryptobase good? only time will tell) very sensitive documents.

        • whiplash451 10 days ago

          Your biometrics and gov ID data don't have to be collected or stored by the provider.

          They can be used during the identity check and deleted right after, without ever entering the provider's infrastructure (assuming they are using a trusted 3rd party).

          • monksy 10 days ago

            > They can be used during the identity check and deleted right after, without ever entering the provider's infrastructure

            You trust them to delete it right after? What about the human reviewers in other countries that are working at home taking pictures of their laptops with your id on it?

            > trusted 3rd party

            You trust that 3rd party's intent and word? It's pretty weird to bring another company to steal your data and details.

        • kube-system 10 days ago

          At a quick reading, it doesn't sound like those are requirements. It also doesn't look like any documentation is technically required. One of the methods permitted is "Verification through non-documentary methods".

          • monksy 10 days ago

            Do you mind expanding on what "non-documentary methods" means?

            • kube-system 10 days ago

              It is all defined in TFA:

              https://www.federalregister.gov/documents/2024/01/29/2024-01...

              The TL;DR is that it can be whatever the provider wants, as long as it:

              * includes name, address, email, phone number, IP address, and payment information,

              * is written down,

              * gives them a "reasonable belief that it knows the true identity of each customer"

              * and "a sound basis to verify the true identity of their customer and beneficial owners and reflect reasonable due diligence efforts".

              • monksy 10 days ago

                > * gives them a "reasonable belief that it knows the true identity of each customer"

                > * and "a sound basis to verify the true identity of their customer and beneficial owners and reflect reasonable due diligence efforts".

                I'm reading into that in a conservative manner where it's "internally justified" that going the full privacy abusive route is justified. "Reasonable due diligence" is respective to the organization that could be punished, not a public sense.

                Given that it's on the company's discretion of diligent checks, I can completely see that their more aggressive requirements of: "your biometrics, copies of your official documents, 20 years of criminal background checks, a polygraph, approval by the Democratic National Party for appropriate speech, history of pornography consumption" being the standard.

                We're not getting a solution from the government that's a secure "is this person a US citizen?"/"Valid for IaaS service?" data point. The business is receiving all of the data to ask that question and are not trustable entities.

                • kube-system 10 days ago

                  If the business is not a "trustable entity", then why are you using them for hosting?

                  • monksy 10 days ago

                    You have no choice.

                    Going down the argument of "don't use anyone you don't trust" brings up the argument of.. well why are you paying Experian?

                    Where I'm getting to this is: We often times don't have a choice, that choice that looks like we have it is untrustable in the future, and we're being aggressively pushed into a situation where you have people of questionable interests. This rule/law encourages them to collect it, but there's no aggressive lifestyle ending punishments for crossing the line.

                    • kube-system 10 days ago

                      ??? There's nobody forcing you to have an account at a cloud provider. There are many other choices.

                      If you really do not trust someone else to operate a computer on your behalf, you can operate one yourself.

    • CodeWriter23 10 days ago

      > propose regulations requiring U.S. Infrastructure as a Service (IaaS) providers of IaaS products to verify the identity of their foreign customers,

      Sounds like solid policy to me.

      • monksy 10 days ago

        And how do you know that one customer is a foreign one and one is not?

        • kube-system 10 days ago

          That is outlined in §7.302

          The TL;DR is that they must collect name, address, email, phone number, IP address, and payment information and use that information for "verifying the identity of each foreign customer to the extent it enables the U.S. IaaS provider or foreign reseller of U.S. IaaS products to form a reasonable belief that it knows the true identity of each customer."

          AWS already has all of this information on my account.

          • monksy 10 days ago

            How does an email correspond to your location?

            My email goes through Switzerland and I have a domain address that ends in ".de" am I a US resident, German, or Swiss?

            • kube-system 10 days ago

              It doesn't correspond to location any more than "name" does. But it is useful, in conjunction with other things, for determining identity, which is what those requirements are about.

waihtis 10 days ago

What an absolute nightmare. I would also be surprised if IaaS providers aren't in vehement opposition. I will instantly migrate all cloud resources away from AWS if they start requiring KYC docs. There's close to zero effort for doing so.

  • viknod 10 days ago

    Wow, what layer of abstraction do you have that allows for that? Even with typical IaC, Terraform, it's going to be a rewrite. If you're leveraging anything beyond load balancers, compute, and containers I don't see how that approaches zero. Some of the services could end up with you having to build/run your own to get any equivalence.

    • k8svet 10 days ago

      Why is it so hard for some of this site to understand that some of us are principled when it comes to choosing technologies? Or you know, actually learned from past trauma and make choices to avoid getting burned in the future.

      • Sxubas 10 days ago

        Not all of us are enlightened. Wouldn't you mind telling us what those technologies are?

        • nadermx 10 days ago

          Ansible comes to mind. Used it to orchestrate hundreds of servers with migrations. Could also simply set up proxmox services beforehand if you're truly motivated, then just replicate the server to another instance.

          • thedaly 10 days ago

            And all networking configuration and everything else is transferred with close to zero effort?

            • zamalek 10 days ago

              You could roll your own SDN with the likes of wireguard.

          • Sleepful 8 days ago

            Hello, may I interest you in NixOS? All your config, in one place, build it again and you got a copy. :)

        • jflwyasdf 9 days ago

          Their username says it all: https://landscape.cncf.io/

          • k8svet 9 days ago

            Since the "vet" maybe didn't give it away, 95% of the cncf landscape is a trashfire joke of hodge podgey vc funded golang crap.

            This site is so damn funny. I reply to a burner account in a day old thread, and then my comment is downmodded less than 60 seconds later. Points to some shockingly pathetic behavior, dang maybe you could check the IP on that alt account, might be interesting.

      • rabuse 10 days ago

        Exactly. At the startup I work for, we built from the old methods of bare metal, and integrate cloud services as needed. At any time though, if we are not satisfied with said service, we're able to jump ship without headache pretty easily. As simple as spinning up a new container cluster elsewhere, migrating data, and ramping down the old. The founders were very clear on never being entrenched into a singular provider.

      • bongodongobob 9 days ago

        Probably because most employees don't get to pick and choose the tech stacks? You're either being incredibly obtuse or I'm missing your point.

        • k8svet 9 days ago

          Uh, I'm not implying or saying anything about who has the power. My comment is kinda hard to read in any other way than directed at the people who chose to intimately tie their product up with a proprietary price-gouging, lock-in platform.

          Idk, I guess if I take the less charitable read of your comment, ... if you're sitting here blaming your circumstances for not knowing anything other than how to spin up overpriced Amazon services idk what to tell you.

  • patricklorio 10 days ago

    I think this is about preventing sanctioned countries or individuals using US technology we don't want them to have access to (like China not having modern GPUs). That goal seems reasonable though there's always a fear that the law is way broader than the high level intent. Why would it be "an absolute nightmare" if it's so easy to migrate?

    • EasyMark 9 days ago

      That's the stated goal. The actual goal is more likely complete knowledge of any person using IaaS service whether domestic or foreign and what they're up to.

    • waihtis 10 days ago

      I meant an absolute nightmare of a bill in general and for the IaaS providers. The US is winning the AI race because of their open ecosystem and capability to execute and these types of things hurt that bad.

MmmKayWhySee 10 days ago

I work on KYC systems at a medium/large sized financial institution. The trend of adding KYC requirements to more and more online services is troubling.

KYC adds a huge burden to anyone trying to offer a service. Implementing KYC imposes significant burdens on service providers due to the complexity of identifying users across different countries and understanding varied regional regulations. You end up outsourcing your KYC to another company. But most KYC vendors don't support all the countries you want to support, so you either end up limiting your service to the service area of your KYC vendor. Or you end up integrating multiple vendors together, which is challenging since vendors generally prefer exclusivity.

If you didn't have an engineering team working on KYC before, you will now. You will likely need to add to or expand your compliance team. Your company will shift either slightly or significantly from being an engineering or product driven company to being a compliance driven company.

KYC raises barriers and entrenches incumbents. Look at financial institutions and porn.

KYC is generally not evidence based policy either [1, 2]. Bad actors get around your KYC requirements, and your KYC system ends up being a hurdle for innocent users. A lot of KYC systems rely on data aggregators (aka the people who buy your personal data), and if you aren't "in the system" either because you are young, poor, or privacy conscious, you are faced with suspicion.

My experience is that anti-fraud systems tend to weed out bad actors better than KYC systems that are mandated in a governmental top down manner.

1) https://www.economist.com/finance-and-economics/2021/04/12/t...

2) https://www.tandfonline.com/doi/full/10.1080/25741292.2020.1...

  • webspinner 9 days ago

    I know I'll be done with the internet completely if this rule goes through. I will not want to upload government IDs with inaccessible systems.

AdamH12113 10 days ago

For those who didn't know, KYC stands for "know your customer". It's a good idea to spell out abbreviations the first time they're used, especially since the abbreviation itself is not used in the linked article. It's also worth noting that the proposal is about US infrastructure as a service (IaaS) products specifically, not "internet services" in general.

  • AnimalMuppet 10 days ago

    In fairness, though, HN has a limit on title length, so I'm not sure it was all that possible in the headline here.

    • andybak 10 days ago

      > We have 4 days to contest "Know Your Customer"

      would have been a better title. The missing information is more easily guessed from skimming the article than the mystery acronym.

  • lumb63 10 days ago

    It also looks like it only applies to foreign peoples? That said, I don’t know how you select for only foreigners without collecting identity.

    • freedomben 10 days ago

      Yeah that's a clever way to avoid having the rules struck down as unconstitutional. In practice though to avoid liability and possibly jail time, providers will have to assume that every customer is a foreigner until they "prove" their US citizenship (by uploading the same ID and other documentation required by foreigners).

      • ssaannmmaann 10 days ago

        Resulting in AT&T 2.0 data breach. Already dealing with the consequences of our SSN#s being leaked in AT&T 1.0 breach.

        • ranger_danger 10 days ago

          Can you name some of those consequences?

      • webspinner 9 days ago

        It seems unconstitutional to me. That's just me though.

        • freedomben 9 days ago

          It does to me as well, but unfortunately our opinions don't matter. Only the opinions of the nine Supreme Court justices do.

    • EasyMark 9 days ago

      The US government has shown over and over that these dragnet types of regulations are used to gobble up any information the TLAs want and hand wave it away as meta or "incidental" information "found in pursuit of foreign {$INVESTIGATION}"

  • buildbuildbuild 10 days ago

    In practice this often means requiring a photo ID scan.

    • hn_throwaway_99 10 days ago

      It depends, but I'd say not usually. Many financial service applications, which have strict KYC requirements, just correlate different data sources to ensure everything matches up, and try to determine some level of risk about the client making the application (i.e. match applicant name with DOB with SSN with known addresses, etc.). FWIW, given the huge number of data breaches I'm not sure why that info is sufficient, but it usually is. It's only when some backend risk engine determines "This data doesn't match up, or this client looks sketchy" that a photo ID is requested.

  • willmadden 10 days ago

    KYC in the context of internet services stands for "violating the 4th Amendment".

    • ryanisnan 10 days ago

      I don't disagree with your premise that KYC enables governments to violate the 4th amendment, but in general, for certain industries this is just generally a really good idea. Banking is the first industry where I encountered KYC, and it strikes me as being obviously good there.

      Isn't effectively the majority of what the Snowden leaks covered essentially violating the 4th amendment?

      • always2slow 10 days ago

        >Banking is the first industry where I encountered KYC, and it strikes me as being obviously good there.

        This is not obvious to me as my experience has been largely negative post-KYC/9-11 vs pre-KYC/9-11. I am a legal law abiding citizen [and voter!] and it's just added extra hassle on various occasions and then the background anxiety of knowing an institution with crappy security track records hold a photocopy of my ID. And yet all the things KYC was supposed to prevent still continue unabated: money laundering, terrorist financing, identity theft, and financial fraud.

        I'm curious to hear why you think it's obviously good and if you were using these services before KYC.

        • willmadden 10 days ago

          The people who donated to the Canadian truckers' protest had their accounts frozen by the Trudeau regime because of KYC.

          The problem is that there are no checks and balances preventing banks from freezing assets because they want to or the government told them to.

          Banking needs to be a right, and unless someone is convicted of a crime involving the bank account's assets, banks and governments should not be able to freeze them. There can be exceptions for fraud like FTX where there will be a significant financial harm to other individuals if the assets aren't frozen, but what we have today is unchecked government financial terrorism against individuals they do not like, and now they want to extend that terrorism to speech.

        • ryanisnan 10 days ago

          I am familiar with KYC from a banker's perspective (at least that of a close relative who was a bank manager).

          KYC helped them by deny-listing abusive clients between branches, or by allowing the bank to develop heuristics for things like allowing customers to bypass cheque clearing times.

          From an end-user perspective, I've had no hangups personally but I do share your grievances about yet-another-shoddy institution holding a photocopy of my ID. My bank truncates passwords when setting them, and when logging in, without telling the user. It boggles the mind.

          • always2slow 10 days ago

            Thanks for replying, I appreciate the insight, although as someone else mentioned the most obvious use (to me) for KYC is censorship / de-banking and I think that was its intended purpose all along because there's nothing about KYC that specifically enables the two things you mentioned that couldn't be done by a bank on its own.

          • Repulsion9513 9 days ago

            The bank can choose to require such identification of their customers for their own business purposes independent of any regulation requiring them to do so.

      • rangestransform 10 days ago

        KYC basically means that the job of collecting evidence to prosecute potential (read: non-existent yet) crimes has fallen to yourself and your bank/cloud provider/etc., rather than forcing the government to collect evidence to prosecute a crime. Essentially an end-run around the 4th amendment and the whole idea of "innocent until proven guilty".

        • webspinner 9 days ago

          That's similar to what I said in my comment to the department. "Under the fourth amendment, this would be an unconstitutional general warrant. I thought we did away with those long ago. It does not describe the particular things to be seized."

      • willmadden 10 days ago

        What is being proposed here will be used as a tool of fear by the government to suppress speech it doesn't like.

        Comparing what one individual did in the past to a formal government policy doxxing away peoples' 4th amendment rights is a strawman argument.

        • ryanisnan 10 days ago

          I think we don't understand each other. I'm not giving a moral or legal judgement on what Snowden in particular did. I'm saying, the information he disclosed showed a vast and total violation of Americans' 4th amendment rights on behalf of the US government.

          This KYC requirement seems to me, at a glance, as being a small erosion of our digital privacy.

          • freedomben 10 days ago

            You're not wrong, but there is an important big difference between this and the Snowden revelations: The Snowden stuff was illegal and was being done in secret, and once exposed they had to stop. It was considered bad and embarrassing. This would be legal, and will set a strong precedent.

            • Repulsion9513 9 days ago

              > The Snowden stuff was illegal

              I would say "unconstitutional" (it was on its face legal), but yup.

              > and was being done in secret

              Do open secrets count? We all knew they were spying.

              > and once exposed they had to stop

              BAHAHAHAHAHAHAHAHAHAHA

            • webspinner 9 days ago

              They still haven't stopped.

    • webspinner 9 days ago

      Yes! If they put it into the entire internet infrastructure, it's considered a general warrant. Hmm... I thought we did away with those in 1789.

    • oliv__ 10 days ago

      Thank God for the Constitution

  • erie 10 days ago

    Synthesia requires KYC: "Your avatar can be created only with your explicit consent, following a thorough KYC-like procedure."

  • SOLAR_FIELDS 10 days ago

    Yeah this is a very industry standard term in banking and anyone in that industry is going to immediately know what you are talking about, but outside of that industry, chances are high that a layman will not

    • jandrewrogers 10 days ago

      Unfortunately, KYC has been bleeding into far more commercial interactions over time. I now deal with KYC multiple times per year in unrelated contexts and I don't work in finance. It has become quite intrusive.

    • gdcbe 10 days ago

      In the past that would be true. But given most blockchain platforms require it, I imagine it is more widely known in the tech-savvy hn-like realms?

      Then again I worked on blockchain tech around half a decade ago, so I might be knowledge biased here?

      • rangerelf 10 days ago

        Definitely biased. I had no idea what KYC means. I don't think typing it out fully once at the beginning is too much to ask, is it?

        • reaperman 10 days ago

          In defense of the person who wrote the HN title, I’ve seen KYC discussed in front-page articles roughly weekly for the past several years straight. I’ve learned about as much of it as I care to know (and more, honestly) from HN comments on 1st and 2nd page posts in that time. In just the past year, I can see that there have been about 1,000 comments mentioning KYC, and about 21 1st/2nd page posts that are explicitly about KYC (nearly 2 per month). Honestly I don't expect all of HN to know what KYC is, but I did expect most HN readers to have a general idea of what it is and why it's a huge pain for a small % of people (but very large number, 1% of the USA is still >3 million people).

          Once you're familiar with it, your brain/eyes key onto "KYC" much more strongly than "know your customer". I might have missed the latter, but "KYC" in the title grabbed my attention instantly and reading the title made my heart jump a bit, because generally KYC means a pain in my ass, and even more so for friends here on visa.

          I have a Canadian friend visiting and staying with my girlfriend and I for a month or so. KYC causes actual headaches for her, to the point that she just decides not to get cellular service at all while she visits unless I get a pre-paid SIM under my name and hand it to her. When she pays for things like restaurants, I can't just Venmo/Paypal/Zelle/ApplePay her back on the spot, I have to withdraw cash at some point and coordinate giving it to her.

          The general concept of "KYC" makes sense for some situations, but actual implementations really fucking suck for a lot of people. It's very scary to me to see it be required for more and more categories of services because of the way it's currently implemented.

          • andybak 9 days ago

            I've heard of it and I roughly know what it is.

            But remembering the meaning of an acronym while scanning front page post titles without much context? No. My brain is pretty ruthless at evicting TLAs that are reasonably distant from my core areas of interest.

        • cynusx 10 days ago

          Maybe less important than knowing what it stands for is knowing what the implications are for businesses.

          KYC is essentially about knowing who you are doing business with.

          For individuals that's relatively easy, just the name and identification is required but typically there is the need to verify that the identification actually belongs to the person signing up. In banking that's why you typically have some video call with a verification provider.

          For businesses it gets a lot more complex because it's not enough to know what business your client is, you also have to look through its corporate structure to figure out who the "ultimate beneficial owner" is. Essentially, who is actually controlling the business.

          Now it got a lot easier recently as many countries now require businesses to file who their ultimate beneficial owners (UBOs) are.

          The painful part is that it introduces friction in customer journeys as now you have to request the documentation.

          In the financial industry you also have to run checks on those UBOs so that they are not known terrorists or sanctioned individuals, but it seems this regulation is just that IaaS providers need to know who actually operates a server. Presumably for forensic analysis after a cyber attack.

        • gdcbe 10 days ago

          No definitely not, I fully agree with you and others there. Just was a bit surprised by how many of you were there. But that’s okay. Days where we learn are rich days. The richest of them all.

      • AdamH12113 10 days ago

        I posted my comment because the linked proposal itself never uses the abbreviation "KYC" and none of the early comments spelled it out, so if (like me) you didn't already know what it means a quick Ctrl-F wouldn't help.

        The proposal seems to use the term Customer Identification Program (CIP) instead, mentioning KYC (spelled out) only once, in the introduction:

        > Section 1 of E.O. 13984 requires the Secretary to propose, for notice and comment, regulations that mandate that U.S. IaaS providers verify the identity of foreign persons that sign up for or maintain accounts that access or utilize U.S. IaaS providers' IaaS products or services (Accounts or Account)—that is, a know-your-customer program or Customer Identification Program (CIP).

      • thomastjeffery 10 days ago

        A very significant percentage of us (I suspect a large majority) haven't really bothered with blockchain tech. Blockchain tech doesn't solve any problems that most of us actually need solving.

    • ZephyrBlu 10 days ago

      KYC is that poorly known? I would have expected most white-collar professionals to have at least heard of it.

      • kube-system 10 days ago

        If someone knows about KYC because of their profession, they are quite literally the opposite of a layperson.

      • gedy 10 days ago

        I thought it was a zipper manufacturer tbh

    • webspinner 9 days ago

      I've studied crypto currency. I know exactly what KYC means.

    • pwenzel 10 days ago

      [flagged]

      • mr_toad 9 days ago

        Except it’s goose that they’re cooking.

chadsix 10 days ago

Submission Statement:

We have exactly 4 days to leave comments to the Federal Government of the United States of America contesting the requirement of KYC by internet service providers.

This law is not conducive to a free internet/society.

  • plus 10 days ago

    I ask this 100% genuinely, since this isn't a subject I've ever given any mind to. Why should we oppose this? What are the potential negative outcomes if this goes through? Can you steelman the argument for why people support this, and explain why you find the arguments unconvincing?

    • CalRobert 10 days ago

      I think that the biggest argument in favour is that it would remove anonymity on the internet, at least from governments, and that could enable law enforcement to more easily find people committing real crimes. CSAM, scams, etc.

      I think the biggest argument against it is that this removes anonymity on the internet, at least from governments, and that would remove people's ability to freely voice their opinions without fears of repercussions (will the first amendment ever be modified? Will people who discuss what it's like to be an illegal immigrant/drug user/etc. be persecuted)? Also, it raises the question of what happens to users of VPN's, public internet, etc.

      • ameister14 10 days ago

        Does this actually remove anonymity on the internet?

        It seems to de-anonymize a set of IaaS customers, sure; but that's not nearly the same thing as removing anonymity completely. I've only just scanned this but it seems at first glance to mean that a foreign company can't anonymously spin up an AWS instance, that's all. Am I reading this incorrectly?

        • generalizations 10 days ago

          It establishes the principle, so that later it can be expanded by degrees. The trick is to oppose the principle so that it can't be expanded later.

          • kjkjadksj 10 days ago

            This can’t be the only way to de anonymize an internet user today

        • RAM-bunctious 10 days ago

          A set? Only US customers are unaffected, i.e. 96% of the planet would no longer be able to use AWS (or anything similar based in the US, all the way down to simple web hosting or e-mail services) without going through KYC.

          There are so many things that can fall under the IaaS bracket. Think anything 'cloud'. Maybe that's not how they'll apply it, but legally they are free to do so. It's a huge reach.

        • joh6nn 10 days ago

          The only way for US citizens to prove that they are such would be for them to also submit their IDs. So it affects everyone.

          Basically, it forces providers of a very wide variety of tech related services to collect identifying info on anyone who uses their services, and then store that info to either eventually be exposed in a breach, subpoenaed by the government, or sold to the highest bidder (might as well monetize it if you're forced to collect it).

        • monksy 9 days ago

          This certainly makes it more hostile for an unsavory advocacy group to create a webpage and use the internet to organize a group to fight an anti-democratic bill.

      • throwup238 10 days ago

        > …directs the Secretary of Commerce (Secretary) to propose regulations requiring U.S. Infrastructure as a Service (IaaS) providers of IaaS products to verify the identity of their foreign customers… (from TFA)

        This is about IaaS not “internet services”. It doesn’t remove anonymity from internet users, just foreign customers renting cloud servers and other infrastructure.

        • mikegreenberg 10 days ago

          It seems the definition of IaaS Products could very well extend to ISPs: https://www.federalregister.gov/d/2024-01580/p-46

          > This proposed definition adopts the E.O. 13984 definition for “Infrastructure as a Service product”, which is any product or service offered to a consumer, including complimentary or “trial” offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications.

          How would an ISP not be misconstrued as a "managed network"? Deploy/run software could just as easily be running some protocol over the network connection?

          Sure, there are very few international ISPs which would be affected by this as physical infrastructure must be local to the user, but I wonder if this would be true always (e.g.: Starlink)

          • pavon 10 days ago

            I can't see how an ISP (or VPN for that matter) would qualify for the second half "and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications."

            This would apply to all hosting providers, which is bad enough.

            • mikegreenberg 10 days ago

              Some counterexamples:

              - TCP is a spec delivered by a software implementation program. Maybe you disagree that TCP is being "deployed" as opposed to "used"?

              - What about peer-to-peer hosted webpages? Certainly this is deployed software served over the internet connection?

              The devil is in the details... details which are not specified in the order. It wouldn't be hard to imagine a lawyer arguing the finer details of "deployed" and "software" and falling on a definition which results in a less "open" Internet.

              Also, I think the meaning of "that is not predefined" is not at all clear. Predefined at what point in time?

              IANAL.

            • ramenbytes 10 days ago

              Internet connections can be used to SSH into a box to deploy and run software. IANAL, but I could see that catching ISPs and VPNs.

        • joh6nn 10 days ago

          How will US customers prove that they're not foreign customers?

    • chadsix 10 days ago

      It is great that you ask a question, because we live in a world with the freedom to opine on things. What could be considered a massive issue to me may not be a massive issue to another; and if we feel the world will be better by debating our positions, we have the right to do so.

      Today, anonymity and pseudonymity exist and allow people to speak freely without risk of backlash for having a different opinion as often times the right opinion may differ with that of social consensus.

      If KYC is introduced, the ability to maintain freedom of speech, online, will likely diminish.

      This is of negative consequence to the people of the world.

      Further, with internet 'forever data', LLM NLP and so forth, character profiles are too easy to develop for people which can cause further harm as we begin segregating based on said profiles.

      I believe this KYC requirement can even extend to blockchain node operators and so forth as well.

      These are just a few reasons but there are many more.

      • _tk_ 10 days ago

        I'm not in favor of this rule, but it seems to me you are conflating several issues into one without showing the effect of the rule. Can you explain how the rule that would be implemented causes these effects? I do not see the connection here.

      • EGG_CREAM 10 days ago

        This doesn't seem to affect users of internet services, though. It's just IaaS, so things like AWS. With that limited scope, what is the adverse effect of KYC laws on freedom of speech?

        • chlodwig 10 days ago

          It affects all web hosts, so if you want to lease a server in order to install Wordpress or Mastodon you would need to submit your identification to the provider.

          • rsync 10 days ago

            I think it effectively affects all web hosts… Certainly how we expect them to work in 2024…

            But remember that you can have a perfectly effective web host that simply accepts HTML uploads.

            Certainly a tremendous loss of convenience and features but speech itself could still be available under this regime…

        • zamubafoo 10 days ago

          How much longer before IaaS platforms require their customers to also have similar KYC policies in their ToS to be able to shift liability downward in case anything goes down?

          • carl_dr 10 days ago

            This law already includes platforms that resell IaaS. So about 4 days.

    • yamazakiwi 10 days ago

      One example I've seen is a less-than-savory company making a purposefully confusing KYC process after purchase of their service/product to prevent users from realizing they're being scammed and are kept in KYC hell hoping to get verified when they never will. Time to start an ISP...

    • Takennickname 10 days ago

      Provides the prerequisites for an authoritarian regime when they inevitably co-opt the internet.

      • IfOnlyYouKnew 10 days ago

        Well some authoritarian regime would otherwise just do it whenever it got started, and it would require maybe a week?

    • chlodwig 10 days ago

      This would make it illegal to anonymously run your own Wordpress install or Mattermost/groupchat server, you would have to reveal your identity to the web host. Do you trust the powers-that-be to never use this information to find and punish dissidents?

    • webspinner 9 days ago

      I know for me I'll have to stop using the internet. I can't take any chances. I can't upload government IDs everywhere I go, especially if the systems are not accessible with screen readers.

    • switch007 10 days ago

      It's on the parties sponsoring and proposing the law to rigorously explain the benefits (and to discuss any negatives). Maybe go ask them?

    • mistrial9 10 days ago

      Why recreate this important argument with coffee? The Berkman Center at Harvard or one hundred other places have decades of written policy work and case studies on these topics...

      • plus 10 days ago

        I would also find a link to those arguments to be satisfactory.

      • tomalpha 10 days ago

        I too would have asked the same question as GP, and also meant it genuinely. It feels like HN is a place where someone could summarise the (presumably strong) arguments against this? Or links to a good source as suggested by a sibling comment.

  • drakythe 10 days ago

    This is not about Internet Service Providers. This is about Infrastructure as a Service providers, e.g. AWS, Linode, Azure, GoDaddy, etc.

    See https://www.federalregister.gov/d/2024-01580/p-46 for their definition.

    Misrepresenting what this is about is not helpful.

    • spxneo 10 days ago

      I'm not sure I understand: are customers of AWS/Linode/DigitalOcean now required to submit passport/driver's license to host a blog or website?

      • Sleepful 8 days ago

        This is my question too. IDGI. If I am a foreigner how do they verify that my ID is real? Just because it looks "real enough"?

        This discriminates people from other countries from having tech resources, possibly increasing poverty by limiting opportunities, at the same time it exposes people to have their data leaked. I don't see how this is a good idea.

rsync 10 days ago

The talking point we should be using is: if banks know their customers, we don’t have to.

The trail of knowing one's customers always leads to payments and finance.

If we are accepting payment for our services with standard bank card transactions or wire transfers, etc., then the knowing of the customer can be centralized at the banks.

  • hakfoo 9 days ago

    Also, the banks have proven themselves fairly inept at it.

    The problem is that KYC, being a cost centre with no upside other than "it's imposed on us by law", immediately turns into a box-checking exercise.

    The industry will barf up some terrible "compliance in a box" solution, everyone will use it, it will eventually get databreached, and the people who brought us Bulletproof Hosting back in the Viagra Spam era will come back with Bulletproof Rack Full Of Quadros.

  • MmmKayWhySee 10 days ago

    Exactly. What is the point of repeating KYC across every industry? I work on the KYC team of a banking/finance company. It takes a significant amount of resources.

    Unless we create global governing initiatives similar to FATF for IaaS products, American IaaS offerings will become less competitive.

LivenessModel 10 days ago

Simple ID scans are already on their way out.

"Liveness checks" where we have to turn on our webcam and let some stranger make a full biometric model of our head to use basic internet infrastructure is the dystopia we deserve, and it's the one we're gonna get.

I hope the "AI" was worth it. Let's see if you can fix this problem you created.

  • pessimizer 10 days ago

    Already happening at the IRS. There's a reason government was so reticent in regulating facial recognition in any meaningful way: The government database of everyone's faces, purchased and cobbled together from private partners, isn't complete enough yet.

    This has nothing to do with AI, but an out-of-control executive branch and intelligence agencies. AI is just another tool that will make it cheaper.

Izkata 10 days ago

For those of us who don't know what this is, an explanation is a bit down the page:

> To address these threats, the President issued E.O. 13984, “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities,” which provides the Department with authority to require U.S. IaaS providers to verify the identity of foreign users of U.S. IaaS products, to issue standards and procedures that the Department may use to make a finding to exempt IaaS providers from such a requirement, to impose recordkeeping obligations with respect to foreign users of U.S. IaaS products, and to limit certain foreign actors' access to U.S. IaaS products in appropriate circumstances. The President subsequently issued E.O. 14110, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence,” which calls for the Department to require U.S. IaaS providers to ensure that their foreign resellers verify the identity of foreign users. E.O. 14110 also provides the Department with authority to require U.S. IaaS providers submit a report to the Department whenever a foreign person transacts with them to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity.

djoldman 10 days ago

> (e) The term “Infrastructure as a Service Product” means any product or service offered to a consumer, including complimentary or “trial” offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications. The consumer typically does not manage or control most of the underlying hardware but has control over the operating systems, storage, and any deployed applications. The term is inclusive of “managed” products or services, in which the provider is responsible for some aspects of system configuration or maintenance, and “unmanaged” products or services, in which the provider is only responsible for ensuring that the product is available to the consumer. The term is also inclusive of “virtualized” products and services, in which the computing resources of a physical machine are split between virtualized computers accessible over the internet (e.g., “virtual private servers”), and “dedicated” products or services in which the total computing resources of a physical machine are provided to a single person (e.g., “bare-metal” servers);

patricklorio 10 days ago

I read the document a bit, it seems like this is essentially saying that services like AWS need to know the identity of their customer if they suspect they are a foreign entity.

I don't think this would cover VPNs or internet access, mainly just people spending lots of $$ on compute. Is that correct? If so it seems reasonable. If a non US group is spending lots of money using US technology to develop an AI model I do think that falls under foreign trade and should be documented.

throw5345346 10 days ago

There's a surprising amount of debate in this thread on the rights and wrongs of this topic.

As a matter of simple efficiency, what I suggest to you all is that you imagine this was being rolled out by the British government.

Because then you'd all be certain what it meant and what was necessary.

  • mr_toad 9 days ago

    I can’t tell if you’re being sarcastic or not. I didn’t think the UK even provided IaaS services.

    On the other hand it seems like half the business of The City is providing cover for dodgy foreign companies, which would be perfect for people trying to get around these laws.

zarzavat 10 days ago

Can anyone glean from this wall of text what documents Uncle Sam is going to expect me, a dirty and potentially smelly foreigner, to submit in order to keep my AWS account?

CalRobert 10 days ago

I suppose VPNs will become illegal next?

  • webdoodle 10 days ago

    Those in authority don't want us sharing information with anyone they can't track. So many of the websites I use are already blocking VPN access, and it's only getting worse. Codifying it as law will just be the last step to protect the censors from prosecution for violating the 1st Amendment.

elzbardico 10 days ago

As if KYC for bank accounts was an astounding success on international crime, corruption and terrorism financing.

  • monksy 9 days ago

    No it wasn't. The terrorism and cartels just got their aunts to register accounts.

CatWChainsaw 10 days ago

This will pass regardless of comments and KYC will only get more strict from here on out. What other end result could there have been when the combined gov-corp-tech behemoth is incredibly data-hungry, obsessed with draconian surveillance, and about to be deluged with malicious AI across the internet? It starts with "suspected" foreign actors and ends with everyone needing to prove their humanity for every little thing on the web. This is why we can't have nice things..

  • greenavocado 10 days ago

    Next thing you know if you make one comment about Israel or certain coincidences you will be debanked, cut off from all Internet services, unable to make payments, blacklisted from all employers, your payment accounts frozen, ultimately resulting in eviction for non-payment, then shortly thereafter homeless, hungry, dead, or in prison.

    That's the logical end-game of all this in case you don't have the foresight to see where this road leads.

    • CatWChainsaw 10 days ago

      Even foresight isn't enough to avoid it if you don't have the fortitude to avoid paths of least resistance, or the ability to oppose entrenched power structures.

ChikkaChiChi 10 days ago

This does not appear to affect domestic customers.

  • Izkata 10 days ago

    How would they know a customer is domestic or foreign without some level of identification on everyone?

    • beaeglebeachh 10 days ago

      Bingo. They'll have to KYC everyone to avoid liability of missing a faking foreigner.

  • noodlesUK 10 days ago

    Then surely all the good actors have to do KYC, and all the bad actors can just pretend to be American entities.

    I don't agree with this on principle, but even just from a practical perspective it seems like they are leaving the door completely open by doing that. What's even the point?

IfOnlyYouKnew 10 days ago

This is about foreign customers only, so as an attempt to abolish the constitution, it is severely flawed in respecting it enough to keep its distance.

I can't think of any US service I am using that doesn't already require KYC? None of the large providers will let you get far without a credit card, as far as I remember?

Since the discussion here will consider itself mostly with upright revolutionaries being disenfranchised by such insult to their liberties, it is worth noting that when the revolutionaries are foreigners, the US often doesn't have the same incentive to disenfranchise them as it might have for domestic troublemakers.

In fact the US has quite a track record of granting rights to foreigners in excess of what they find at home, and even when it concerns allies: requests by European courts and law enforcement are regularly rejected based on US norms when, for example, someone hosts their hate speech blog with a US-only provider.

  • eks391 10 days ago

    > I can't think of any US service I am using that doesn't already require KYC? None of the large providers will let you get far without a credit card, as far as I remember?

    There are several credit card vendors that do not require KYC that are easily available. I don't know of any banks that don't require KYC that you would use to pay those CC bills, but I wouldn't be surprised if they exist.

  • loeg 10 days ago

    Providing a credit card is a far cry from KYC. But it also highlights that we probably don't need IAAS businesses to implement KYC as long as the payment providers already do.

chrisjj 10 days ago

> verify the identity of their foreign customers

Makes you wonder how they are going to first determine which are foreign...

blackeyeblitzar 10 days ago

What can we do to actually contest it? I see this website lets you submit a “formal comment”. But is that enough? Who is in charge of the decision and who else can be pressured to stop it (certain legislators)?

megous 10 days ago

So this is just to make it easier to ban non-US citizens from using US IaaS (or track them).

Just don't use American IaaS in the first place. It's not like computers are available only in the US.

  • patricklorio 10 days ago

    Computers outside of the US sure, but the latest chips used for AI training have export controls so not so much.

whiplash451 10 days ago

A number of threads seem to assume that KYC (or identity check) implies that your biometrics or gov ID data is collected/stored by the provider, but it does not have to be.

The identity check is typically done by a trusted 3rd party that can delete the data right after the identity check (and can be required to do so).

So you basically end up guaranteeing that the name, address and D.O.B that you provided to the IaaS provider is actually correct, nothing more and nothing less.

  • hakfoo 9 days ago

    To be frank, I'd be more comfortable with this sort of thing if there was a full-fat government-based ID platform. Some sort of SSO-style "Sign on with identity.gov" button, where it tells you clearly exactly what information is granted to the vendor, which should be pretty much "nation of citizenship" and nothing else, before you click through.

    I trust a "trusted third party" far, far less. Inevitably it's a data hoarder like our credit-bureau overlords, which has commercial motivations to ask for more data than needed, and hold it longer than necessary, and will likely suffer only a slap on the wrist when they inevitably data-breach.

    We really needed a coherent plan for national and digital ID 20 years ago, but as they say, the second best time would be now.

rangestransform 10 days ago

Are they going to start requiring an ID to buy a GPU too?

boppo1 10 days ago

What can I do as a broke guy to stop this? Write a comment? Will it be read or considered?

  • greenavocado 10 days ago

    There is literally nothing you can do. The intelligence agencies are building the top of the funnel for the gulags to host us in the near future.

  • int_19h 9 days ago

    It will be read and considered - you can safely assume that it will affect your social credit score accordingly.

justin66 10 days ago

Is this more onerous than verifying the name of the person or company you're serving does not appear on the OFAC list?

This is generally not difficult for anyone concerned, unless they happen to share a name with somebody on that list.

andybak 10 days ago

If you're going to editorialize the title, could you possibly tell us what KYC stands for?

  • kiernanmcgowan 10 days ago

    Know Your Customer - it’s a term describing how organizations like banks want to know what you’re doing so they can avoid enabling criminal activity.

martinbaun 10 days ago

This seems like a slippery slope.

xbar 10 days ago

If I host a site that is vulnerable to XSS, is it inadvertent IaaS?

webspinner 9 days ago

This is what I wrote into the federal register. Please do not allow KYC for the entire internet. This is in fact a miserable failure of an idea. You want to hand our data to AI companies, huh? I do not want to have anything to do with that, or you, if you don't come up with better data privacy regulations. Under the fourth amendment, this would be an unconstitutional general warrant. I thought we did away with those long ago. It does not describe the particular things to be seized. KYC is a ridiculous idea in the first place. It is not designed for the entire internet infrastructure. All the department is doing, is enabling more mass surveillance. By trying to shoehorn KYC into the internet infrastructure, you will make the internet less convenient to use for blind people like me. I rely on it in my every day life. If you decide to make the worst mistake ever, I will have to stop using the internet in favor of my privacy.

oaiey 10 days ago

Controversial point: if you run an Internet presence of any kind, this is like a property of land on which you run business. The property needs also a legal owner. For real businesses, this is normal. It is unregulated IT who does not understand this and is still in the wild West.

Obviously, modern data processing creates the rightful fear of surveillance. What we lack is a culture of privacy. In other countries if the state or anyone else wants to access the land registry or any other: good luck without a lawful reason.

gwbas1c 10 days ago

> We have 4 days to contest KYC being required by internet services

The acronym "KYC" doesn't appear in the linked article. What is this even about?

  • eks391 10 days ago

    Know Your Customer. It's when you are asked for legal docs so a business can verify your identity. Like what banks do.

2OEH8eoCRo0 10 days ago

Thanks. Just commented in support.

anarchy_matt 9 days ago

"I'm from the government, and I'm here to help"

perihelions 10 days ago

- "To Address the National Emergency"

A fast-moving emergency that can't be fixed by normal constitutional lawmaking processes, and must resort, exceptionally, to executive-branch emergency decrees—for expedience. Never mind the executive order it's drawing authority from was written three years ago. It was a fast-moving emergency then, too, I suppose.

https://www.federalregister.gov/documents/2021/01/25/2021-01... ("Taking Additional Steps To Address the National Emergency [sic] With Respect to Significant Malicious Cyber-Enabled Activities" (2021))

  • smsm42 10 days ago

    We're in a permanent emergency now. Which is no surprise - if a mere voluntary act of declaring emergency lets the government do what they otherwise can't - why not declare it over and over?

    Check this out: https://en.wikipedia.org/wiki/List_of_national_emergencies_i...

    In the US we have 42 (!) ongoing national emergencies. The oldest dating back to 1979. I think most of US-based HN readers never lived in non-emergency US.

    • sakjur 10 days ago

      That’d be September 1978 – November 1979 and before then during the roaring twenties if I read this right.

      Maybe POTUS should declare an emergency to reduce the number of emergencies?

    • oaiey 10 days ago

      They are declared in an emergency (most of them are sanctions to freeze money and freedoms of foreigners). That does not mean you live in an emergency. That they are still active means only that the Parliament was too lazy or too blocked to put them in a law.

      • smsm42 10 days ago

        Legally, it means exactly that - the government wasn't allowed to do X, but they said the magic word "emergency", and now they are allowed to do X as much as they want, until they decide they are done. Of course, this means they were always allowed to do X, it's just that the public will eat it more easily if instead of saying "the government can take your freedoms anytime" they'd say "the government can't take your freedom ever - except if there's a real dangerous emergency". Functionally, those are exactly the same, but the latter sounds much more "reasonable".

        • oaiey 10 days ago

          What you describe is the abuse of the power. In the list of US emergencies 80% are sanctions (which qualify as emergencies I would say bc they would not work), 15% real emergencies and then there are the ones which start to be controversial. All what I am saying is: it is a tool for a government. Governments do things wrong. They wrongfully arrest, invade countries, collaterally murder, take bribes, etc. That is daily happening. And the courts and Parliament have the job to fix, prevent or correct that.

          It is not easy to run your life, company or government org without doing once in a while something wrong. It is how you behave afterwards and overall which matters.

          • smsm42 10 days ago

            Well, yes it is - but it's completely legal abuse and the society seems to be willing to tolerate it (and much worse abuses, evidently - like total warrantless surveillance absent any proof it's actually useful for anything except partisan political squabbles). I wish the courts and the parliament would be willing to do something about it, but they aren't, and they aren't, because most of the society seems to be fine with it. Sad.

  • greyface- 10 days ago

    Fun fact: we've got active national emergencies dating back to 1979! https://en.wikipedia.org/wiki/List_of_national_emergencies_i...

    • rtkwe 10 days ago

      They're mostly sanctions regimes though it looks like which the Executive can largely implement on its own (under current constitutional interpretations). It probably included other things that have since been ended and the sanctions are the only thing really left.

    • highcountess 10 days ago

      Geez … those are some long emerging occurrences.

  • sschueller 10 days ago

    So national security trumps democracy and freedom? What do you have left to protect when you give it all up? Might as well just elect a king and be done with it.

    • greenavocado 10 days ago

      Freedom has been on a steady decline since the establishment of the Federal Reserve in 1913 when established banking dynasties seized control over the currency of the country. The symbolic destruction of the constitution occurred on 9/11/2001 when the modern police state went into full force.

      • tadfisher 10 days ago

        We established the Fed (and later, the FDIC) because people were sick and tired of bankers controlling monetary policy and wiping out their life savings. How the Fed turned into the ancap Boogeyman is the real destructive force in our society.

        • gottorf 10 days ago

          > We established the Fed (and later, the FDIC) because people were sick and tired of bankers controlling monetary policy and wiping out their life savings

          The Great Depression, the savings and loan crisis, and the GFC all happened after the establishment of the Federal Reserve. Sure, I guess you could claim that all of those would have been worse without the Fed, but reasonable minds can differ on that without being an "ancap".

          • tadfisher 9 days ago

            Your examples would be better if they weren't all securities bubbles.

        • beaeglebeachh 10 days ago

          And not long after we got the great depression, and more recently the destruction of the housing market by pinning interest rates near zero bidding property into infinity and then jacking rates up to disenfranchise the youth while everyone else sits on negative real rates mortgages for 30 years that they'll only give up for a king's ransom.

          The only thing worse than a bunch of private bankers controlling monetary policy, is a central bank controlling monetary policy.

          • tadfisher 9 days ago

            Interest rates, inflation. Pick one. I'd rather the Fed print the money than banking execs with no oversight; the banking execs would prefer the highest interest rate the market will bear, and the Fed has every incentive to keep them as low.

        • greenavocado 10 days ago

          "We" didn't establish anything. An elite few met at The Meeting at Jekyll Island to discuss the matter and the public had zero say in it. Just like we continue to have no say in government today. Bills are rammed through congress and the president's desk and they just rubber stamp everything put out by the deep state or they risk getting CP'd by the intelligence apparatus. The main group of opposition to the Fed was 9/11'd in the sinking of the "unsinkable" Titanic because internal defenses against sinking were deliberately sabotaged just like the power went out for "maintenance" in the Twin Towers for 24 hours before 9/11 when anybody was allowed in to go anywhere inside whereas the building security was tightly controlled since the day it opened without fail up to that point.

          • tadfisher 9 days ago

            I'll, uhh, let your comment speak for itself. Good luck in your future endeavors.

    • oaiey 10 days ago

      You elect an executive branch to protect you. Sometimes that includes executive orders. And if these survive the checks and balances, maybe it is for the greater good.

      If you do not want that, the country has to work on a functional Parliament and switch away from a presidential system.

      • _DeadFred_ 10 days ago

        This level of lack of understanding the basics of our system of government is why we used to have civics classes.

        If someone is using infomercial level logic/details/understanding to get you riled up, step one is to step back and get a better understanding, not to grab a pitchfork and get bitter.

        A post highlighting that the government is soliciting comments shows we don't actually have a king that can do whatever they want. You personally can comment on this proposal, and if you have a compelling argument, can stop it or in the future force your comment to be addressed. Remember the standard is that the Federal government's actions can not be arbitrary and capricious.

        • oaiey 10 days ago

          I am not a US resident. I take here a pragmatic perspective. Laws, the level of bureaucracy etc is a choice we do in our societies.

          > Remember the standard is that the Federal government's actions can not be arbitrary and capricious.

          That assumes that everything is regulated by law (unrealistic) and that you have a working parliament (currently not the case in the US). Imagine Russia is invading Canada. Would you prefer a US president with the power of declaring war or the parliament starting to debate over it. A war has 100x more consequence than this KYC thingy here.

    • unboxingelf 10 days ago

      Why elect a king when you already have a private group of bankers running the show

      • robocat 10 days ago

        Systems run the show, not people.

        "What important truth do very few people agree with you on?": I believe that nobody is running the show. The systems we have created are more complex than we understand. I think a few people individually understand a few aspects of the different systems (we are not at the complete mercy to these systems).

        I also believe that we have a psychological need to know our social hierarchies therefore we create stories about who we think is in control. That need creates conspiracy theories! That need creates narratives that certain people are running the world (but when you look closely at those people they are not running things - they don't understand how everything works even though they put much effort into trying to).

        • greenavocado 10 days ago

          Banking is the foundation of all so-called systems. Take away the financing and nothing gets done.

          • robocat 10 days ago

            People's desires are the foundation of all so-called systems. Take away the people and nothing gets done.

            Or were atoms the foundation? Or thinking? Or maths? Or law? Or take away black holes and nothing gets done?

            Ranking interdependent systems is nonsense. Reductionism and false arguments don't help much either.

            • greenavocado 10 days ago

              You can make people do just about anything for money. Nothing else even comes close except ideology in a distant second place.

              • robocat 10 days ago

                Are you trying to argue that money is more important than banking? But that banking was the most important thing? Your logic eludes me.

                Or maybe you have a manipulative world view? What is more important - money or power? If you have power do you need money? Is power equivalent to money?

                "Money" is a means of exchange, and in some contexts it is a status signal.

                Money is a measure, not an ends in itself. People want the money to do something with: the something is faaaar more important than money. Find me a person with money, and I will easily find ten things they would prefer.

                Anecdotally:

                My friends don't value money above other things. Other friends could easily take nearly all my money if they chose to (I put myself into very submissive situations). I don't work because I don't need more money.

                Perhaps I live in a different world than you.

                The people I know all have complex desires, and few of my friends are concentrating on making money (and the smartest friends I know don't make money their central goal). I do have a couple of friends who try to make money and they seem to do it quite well without too much difficulty.

                Have you tried to offer money to people? If it is so critical then people would take it. My experience is that a few do but many don't. I've offered large amounts to acquaintances that haven't taken it (perhaps with or without hooks).

                (Slight edits for clarity).

                • greenavocado 10 days ago

                  Yes, I pay people to do work on difficult and annoying computer systems. Nobody would want to do this job for free.

                  • robocat 9 days ago

                    Yes, roger that, wealth is irrelevant to money - a concept plenty of people grok with time.

                    Your logic appears poor to me: perhaps that is why you employ logicians - money is your solution? Money doesn't write software, people do. People's motivations are crazy complex: which causes good or bad software to be created.

                    > Nobody

                    Somebody: My guest today was working for $0 on two systems (one maintenance, one he is developing). Both were difficult and annoying computer systems with a complex userbase. He didn't seem to really want to do the job: yet he was doing it for free (well, actually it was costing him)! Why does he need money if he gets his needs met by friends and acquaintances. His only payment appears to be friendship and good company and his internal satisfaction (for varied reasons). I don't understand his motivations but yesterday he had said that offering him money would strongly demotivate him. Illogical?

                    Perhaps your philosophical world view has little overlap with mine. I have retired early so that is a signal that my world view is different from most people's. I haven't recently needed to buy development time so maybe my opinions are stale.

          • plasticchris 10 days ago

            A point very eloquently made by Rick and Morty

        • MaxfordAndSons 10 days ago

          I agree with this. I think this misunderstanding is the root cause of, well a lot of shit, but particularly the increase in belief in conspiracy theories by members of the public. Most people lack a conceptual understanding of emergent behavior in complex systems, and instead rely on linear narrativization to understand the world (which by the way is not an insult to the public's intelligence, it's just the way our brains work unless you make a concerted effort to step outside of that default). And if you aren't considering multivariate, emergent behavior as a possible explanation for unpredictable and inscrutable world events, the next and really only reasonable explanation is intricate conspiracies by powerful agents.

        • packetlost 10 days ago

          I mean, a monarchy is also a system, but I also recognize that's not what you're talking about.

          I'm inclined to agree, though I do think there's a disproportionate amount of influence in some groups. I also worry that the true danger of an artificial super-intelligence is not in a SkyNet-like scenario, but a more subtle and slower influence over global societies via trade and economics. It already more or less runs the world in abstract, so a thing that can understand all the complexities and manipulate them with capital has the potential to be very dangerous.

    • ryandrake 10 days ago

      Don't worry--we seem to be actively working on this one, too.

    • smsm42 10 days ago

      And lose the profits on electoral show every 2 years? Do you know how much money can one make on an election? That'd be silly to give up all that.

    • willmadden 10 days ago

      There's an argument to be made that we would be far better off with a benevolent monarchy than whatever this is.

      • krapp 10 days ago

        There is no such thing as a benevolent monarchy, if that monarchy exists as anything more than a figurehead. No position of absolute and uncheckable power, least of all derived from a claim of divine right or racial purity, can be considered benevolent.

        Yes, an argument can be made. And such an argument can and should be quickly discarded with a glance at the last thousand years or so of human history. We tried it. Rolling the dice that the next king or tsar or emperor to own the people will at least treat them kindly. And we decided that being owned by a government in which we have no franchise is a bad idea. A very bad idea.

      • TY812 10 days ago

        Dynastic monarchies have one advantage over liberal democracies: If you want your bloodline to stay in power, you are incentivised to leave the country off better than you inherited it - if you act out too much, there's a good chance your offspring will follow you not on the throne, but on the guillotine. This immediately makes 'fuck you, I got mine' style politics unfeasible.

      • smsm42 10 days ago

        If we ever could find a Superman who would agree to be a benevolent monarch, sure. The only problem is that Superman is actually a work of fiction (and even a fictional one would refuse the role) and real people have, let's say, not so stellar record of being benevolent. It's one of those nice ideal arguments that works very well as long as you are allowed to assume magical entities that can't actually exist in the real world.

      • logicchains 10 days ago

        In a monarchy at least there's a chance of getting a good ruler by the genetic lottery. In a political system almost inevitably the people who get to the top are the best liars and manipulators, not good people.

chmod600 10 days ago

Idea: let's make it so all emergency powers have to be re-authorized every week by Congress at midnight on Friday with a 90% quorum of physically-present representatives.

If "emergency" action is needed because Congress is too slow, then let's make sure they are working through the process to create real law. Or if they aren't, I guess it wasn't an emergency, and there's no reason for administrative law to "fill in" using a non-democratic process.

  • throwway120385 10 days ago

    Great! I'm looking forward to seeing this requirement applied to also dissolve the judicial branch entirely so that Congress is entirely responsible for both enforcement and adjudication of the law. Let's work together to end separation of powers.

    • chmod600 10 days ago

      You seem to be suggesting that Congress making law is intruding on the power of an agency to make Administrative law? The latter is not (supposed to be) an actual branch of government. Congress has full power to rewrite all the administrative law as they see fit.

oldpersonintx 10 days ago

if you are all just going to vote for Biden again anyway, stop complaining

  • DonHopkins 9 days ago

    You're suffering from Biden Derangement Syndrome.

systemvoltage 10 days ago

Unconstitutional.

  • Zak 10 days ago

    What provision of the constitution does it violate? Do you know of court precedents that support that claim?

    I'm not writing this to argue against your position, but to help people craft effective comments to submit in response to the proposed regulation. Federal agencies are not responsive to comments about people disliking a proposed rule, but are very responsive to concrete examples of why it might be legally problematic.

    • kolanos 10 days ago

      The fourth amendment?

      > “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things ...

      • EGG_CREAM 10 days ago

        How does verifying your identity in any way violate that, though? You have a physical address that you live at, and the government verifies that you are the person living at that address, and that is not violating the fourth amendment. This would be pretty similar to that.

        • lcnPylGDnU4H9OF 10 days ago

          Of course the words are open to interpretation but "unreasonable searches" seem to encompass this sort of thing. Usually it's taken case by case and reasons would need to be given for every individual being searched. This is a blanket excuse to search every interaction without a reason.

        • kolanos 10 days ago

          The fourth amendment requires probable cause of a crime prior to being forced to identify yourself. This rule is forcing companies to verify the identities of their customers on behalf of the government for vague national security reasons.

  • freeone3000 10 days ago

    Is it? How? Which bit of KYC for SaaS violates which right?

    • kolanos 10 days ago

      Isn't this a clear violation of the 4th amendment?

      > “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things ...

      Note it says "the people" and not "citizens of the United States". Everyone has this protection within U.S. borders, SCOTUS has ruled to this effect.

      So the government forcing yet more private companies to do their unconstitutional bidding seems like something that should be opposed. I believe banks being required to collect KYC came about through The Patriot Act. If this trend continues, you'll need to verify your identity to use any service.

      • freeone3000 10 days ago

        That isn’t just a trend, that’s actually this proposed rule change!

        Banks collecting KYC actually started with the Banking Secrecy Act of 1970. This was tried in the Supreme Court case California Bankers Association v Schultz (1974). It holds that recordkeeping requirements do not constitute a privacy violation under the 4th amendment absent reporting requirements. Since this new rule (2024) applies only to foreign entities and OFAC controls provide penalties for domestic companies, there’s no fifth amendment issue either (which is a shame imo, the 5th amendment argument in Bankers v Schultz seems incredibly shaky).

        There’s no reporting requirements or new crime being created here; the intention is to “”aid”” IaaS providers in complying with OFAC requirements, and, when a warrant is issued, the actual identities of the customers to be known.

      • pessimizer 10 days ago

        > If this trend continues, you'll need to verify your identity to use any service.

        Once we started to send "National Security Letters" to public libraries after PATRIOT to find out what people were reading, this future became an inevitability.

hirako2000 10 days ago

And who pays for it. Yet another compliance procedure to add to the stack.

I propose that any new regulation gets financed by the regulators. And retroactively get all regulations to have their cost covered by the government.

Who pays the auditors. Who pays accountants, who paid for data protection schemes, who pays for random sanctions making countless companies suddenly lose a large part of their business. Regulations are great, it should be at the government charge though, so that we can continue to do business, prevent market entry costs which promotes monopolies/oligopolies, encourage compliance.

spiralpolitik 10 days ago

I would argue that for most use cases Internet Services are already collecting sufficient KYC data that it won't make a difference. Try signing up for anything infrastructure related without providing a credit card and/or billing address and/or cell phone number and see how far you get.

That said the system is only as strong as the weakest link in the chain, and while getting a credit card/cell phone number in the US requires a certain standard of identity verification, the same might not be true for other countries (or in cases of deliberate fraud). I think that is what the legislation seems to be targeting.

That doesn't mean it is good legislation or won't have unforeseen side effects.

  • jofla_net 10 days ago

    This totally depends on what is collected, if the requirements are some form of national id submission, i.e. licenses or passports, then it opens all handlers up to tremendous abuse possibilities. Or at the very least paints a big sign on their backs that they handle mass quantities of official government forms of biometric id, something I think would do much more harm than good in the long run as each company would need to be bulletproof to avoid.