We have 4 days to contest KYC being required by internet services

1 year ago (federalregister.gov)

Skimming through the article, it seems like the extent of this is to require IAAS (Infrastructure) providers to verify the identity of those who are using their services to train AI. It's an attempt to stymie sanctioned or malicious actors, from training AI and especially from hopping between services or using aliases to continue training on their model.

It seems a bit benign and I don't understand the parallels others on this HN discussion are making. Is it that it's a slippery slope or perhaps I'm being naïve in regards to the scope?

  • Skimming the regulations, this does not seem right. All IAAS providers (which is everyone who allows customers to run custom code, so it includes any web host like Dreamhost) would have to verify the identity of foreigners who open an account. This would seemingly entail the service provider needing to verify everyone's identity, in order to figure out who is a foreigner and who is not.

    In other words, if you want to run your own Wordpress, or Mastodon node, or your own custom CMS web site or group chat or IRC or bitcoin node, you would need to reveal your identity to the hosting service that you want. This does seem quite bad and could obviously be used to identify political dissidents.

    On top of that, the IAAS must report to the US Commerce department about foreigners who are using services to train large AI models.

    • Good. It’s not 1999.

      There are so many malicious actors putting human life at risk in some scenarios it should be possible to figure out who owns what.

      Now, I would start with corporate ownership and focus on anonymous entities controlling things like Delaware and Nevada corporations. But that’s me.


  • It's really not benign as far as I can see. There is an implication that its purpose is to allow providers to start writing reports on foreign users training LLMs (which, incidentally, I'm not condoning either), but in the process it requires every American IaaS to start implementing KYC folly.

    No one wants to send in selfies and their passport just to start a Digital Ocean droplet.

    • I'm curious if the spammers will find a way around this. I would actually like to be ID'd by a provider if that also meant they had no un-ID'd customers. I'd expect their IP range would start to get a pretty good reputation.


    • It's absolutely folly! Foolishness by the department of commerce. What were they thinking?

  • I think everyone has a sour taste left over from decades of half-baked laws written by politicians that don't understand the basics of the internet or technology in general.

    With that said, I also don't understand the issues people are having with this.

    • I wonder how they deal with the (hopefully) constant abuse reports aimed at them from providers who are tired of their shady customers doing shady things from their IPs.


    • > With that said, I also don't understand the issues people are having with this.

      The regulation "requir[es] U.S. Infrastructure as a Service (IaaS) providers of IaaS products to verify the identity of their foreign customers"

      Q: How would one propose to determine if a customer is foreign or not?

      A checkbox, perhaps? <rolls eyes>

      No bad actor would possibly pretend to be a domestic customer, of course... <rolls eyes again>


    • You don't understand the issues I as a blind person have with it? OK I have to upload a government ID every time I want to use an internet service. That's stupid. It's also considered a general warrant, and I thought we did away with those long ago.

    • What laws are you talking about? The Internet has grown a lot that’s largely because we have smart politicians and strong institutions. I really think the regulation of the Internet has been amazingly good.


  • AI is mentioned, but the scope is significantly larger if you read the fulltext.

    • I'm going to need another intelligence to read the full text.

      "U.S. IaaS providers and foreign resellers of U.S. IaaS products must exercise reasonable due diligence to ascertain the true identity of any customer or beneficial owner of an Account who claims to be a U.S. person."

      So at a minimum, everyone's identity is verified by IaaS provider. If you claim to be a non-U.S. person, additional information is collected.

      They mention looking at comments from a previous proposal in 2021, "Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities" https://www.federalregister.gov/documents/2021/09/24/2021-20...

      Who counts as IaaS besides Amazon, Azure, and GCS?


    • Given that top GPUs are sanctioned, I'm sure preventing access to them remotely is a part of this. But just generally speaking, doing any malicious crap out of an EC2 instance is an easy way for a foreign actor in China/Russia/Iran to look more legit.


    • It's still just for IaaS companies, though, right?

      Not that that makes this all okay, but it is a much more limited proposal than "internet services" makes it sound.


  • This won't work. Foreign nations have enough skill and resources to pass KYC as a citizen (steal someone's documents, pay a homeless person for verification, etc.). And as I understand, the US doesn't have a central citizen database so it is difficult to verify a document.

  • From the executive order (Executive Order 14110) it seems to affect only massive compute infrastructure:

    > (i) any model that was trained using a quantity of computing power greater than 10^26 integer or floating-point operations, or using primarily biological sequence data and using a quantity of computing power greater than 10^23 integer or floating-point operations; and

    > (ii) any computing cluster that has a set of machines physically co-located in a single datacenter, transitively connected by data center networking of over 100 Gbit/s, and having a theoretical maximum computing capacity of 10^20 integer or floating-point operations per second for training AI.

    Keep in mind that most consumer graphics cards are in the _teraflops_ range, which is 10^12. It's hard to imagine this affecting the average person, it seems that they are specifying KYC for people using clusters with thousands or tens of thousands of cards.

  • > Is it that it's a slippery slope or perhaps I'm being naïve in regards to the scope?

    This. Also, it won't stop malicious actors. Setting up an LLC to mask your true identity is cheap and easy. Not to mention that providing a fake identity or pretending you are not a "foreign person" is also cheap and easy.

  • > seems like the extent of this is to require IAAS (Infrastructure) providers to verify the identity of those who are using their services to train AI.

    Only foreigners.

    > It's an attempt to stymie sanctioned or malicious actors, from training AI and especially from hopping between services or using aliases to continue training on their model.

    Unlikely, since it exempts non-foreign malicious actors.

  • On top of that, it is to identify FOREIGN users

    >>"require U.S. IaaS providers to verify the identity of foreign users of U.S. IaaS products, ... which calls for the Department to require U.S. IaaS providers to ensure that their foreign resellers verify the identity of foreign users. E.O. 14110 also provides the Department with authority to require U.S. IaaS providers submit a report to the Department whenever a foreign person transacts with them to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity."

    We damn well SHOULD be identifying foreign users of our services, particularly those which have high-powered potential to cause harm.

    This knee-jerk [govt identifying anybody is bad] response prevalent here deeply undermines the cause of actually maintaining privacy. There are actually very bad actors out there, and if we fail to identify and contain them, things will be far worse. The reality is that some measures must be taken — let's focus on containing the real threats, not cry foul at every shadow of a hint that we might approach a slippery slope.

  • > It seems a bit benign

    This seems, to me, an utterly malignant attack on anonymity, which is a protected constitutional right. It's the idea that every internet packet needs to be tied back to some verified identity. We're in frog-boiling territory with this garbage.

    • There is no absolute right to anonymity in the US constitution.

      (The courts have "recognized relatively strong First Amendment presumptions on behalf of purveyors of anonymous speech, especially for those that are statements of opinions rather than obvious falsehoods, while recognizing that government sometimes has the right to identify such speakers when they have used their platforms to harass, engage in slander or sexual predation, make true threats, or allow foreign governments to influence U.S. elections")


    • > It's the idea that every internet packet needs to be tied back to some verified identity

      There's been multiple attempts to do this. Via KOSA and a few others lately in our Congress. PR friendly candidates like Duckworth have been trying to walk this through the system.

  • The more information they keep, the more they will expose it in data breaches, or sell/share it with others.

  • [flagged]

    • > You're calling a collection and storage of your personal information as "benign"?!

      All major cloud services already collect this information. I filled in the bare minimum on AWS, and they've got my full name, address, phone number, email, and credit card details.


    • > propose regulations requiring U.S. Infrastructure as a Service (IaaS) providers of IaaS products to verify the identity of their foreign customers,

      Sounds like solid policy to me.


What an absolute nightmare. I would also be surprised if IaaS providers aren't in vehement opposition; I will instantly migrate all cloud resources away from AWS if they start requiring KYC docs. There's close to zero effort for doing so.

  • Wow, what layer of abstraction do you have that allows for that? Even with typical IaC, Terraform, it's going to be a rewrite. If you're leveraging anything beyond load balancers, compute, and containers I don't see how that approaches zero. Some of the services could end up with you having to build/run your own to get any equivalence.

    • Why is it so hard for some of this site to understand that some of us are principled when it comes to choosing technologies? Or, you know, actually learned from past trauma and make choices to avoid getting burned in the future.


  • I think this is about preventing sanctioned countries or individuals using US technology we don't want them to have access to (like China not having modern GPUs). That goal seems reasonable though there's always a fear that the law is way broader than the high level intent. Why would it be "an absolute nightmare" if it's so easy to migrate?

    • That's the stated goal. The actual goal is more likely complete knowledge of any person using IaaS service whether domestic or foreign and what they're up to.


    • I meant an absolute nightmare of a bill in general and for the IaaS providers. The US is winning the AI race because of their open ecosystem and capability to execute and these types of things hurt that bad.

I work on KYC systems at a medium/large sized financial institution. The trend of adding KYC requirements to more and more online services is troubling.

KYC adds a huge burden to anyone trying to offer a service. Implementing KYC imposes significant burdens on service providers due to the complexity of identifying users across different countries and understanding varied regional regulations. You end up outsourcing your KYC to another company. But most KYC vendors don't support all the countries you want to support, so you either end up limiting your service to the service area of your KYC vendor. Or you end up integrating multiple vendors together, which is challenging since vendors generally prefer exclusivity.

If you didn't have an engineering team working on KYC before, you will now. You will likely need to add to or expand your compliance team. Your company will shift either slightly or significantly from being an engineering or product driven company to being a compliance driven company.

KYC raises barriers and entrenches incumbents. Look at financial institutions and porn.

KYC is generally not evidence based policy either [1, 2]. Bad actors get around your KYC requirements, and your KYC system ends up being a hurdle for innocent users. A lot of KYC systems rely on data aggregators (aka the people who buy your personal data), and if you aren't "in the system" either because you are young, poor, or privacy conscious, you are faced with suspicion.

My experience is that anti-fraud systems tend to weed out bad actors better than KYC systems that are mandated in a governmental top down manner.

1) https://www.economist.com/finance-and-economics/2021/04/12/t...

2) https://www.tandfonline.com/doi/full/10.1080/25741292.2020.1...

  • I know I'll be done with the internet completely if this rule goes through. I will not want to upload government IDs with inaccessible systems.

For those who didn't know, KYC stands for "know your customer". It's a good idea to spell out abbreviations the first time they're used, especially since the abbreviation itself is not used in the linked article. It's also worth noting that the proposal is about US infrastructure as a service (IaaS) products specifically, not "internet services" in general.

  • In fairness, though, HN has a limit on title length, so I'm not sure it was all that possible in the headline here.

    • > We have 4 days to contest "Know Your Customer"

      would have been a better title. The missing information is more easily guessed from skimming the article than the mystery acronym.

  • It also looks like it only applies to foreign peoples? That said, I don’t know how you select for only foreigners without collecting identity.

    • Yeah that's a clever way to avoid having the rules struck down as unconstitutional. In practice though to avoid liability and possibly jail time, providers will have to assume that every customer is a foreigner until they "prove" their US citizenship (by uploading the same ID and other documentation required by foreigners).


    • The US government has shown over and over that these dragnet types of regulations are used to gobble up any information the TLAs want and hand wave it away as meta or "incidental" information "found in pursuit of foreign {$INVESTIGATION}"

  • In practice this often means requiring a photo ID scan.

    • It depends, but I'd say not usually. Many financial service applications, which have strict KYC requirements, just correlate different data sources to ensure everything matches up, and try to determine some level of risk about the client making the application (i.e. match applicant name with DOB with SSN with known addresses, etc.). FWIW, given the huge number of data breaches I'm not sure why that info is sufficient, but it usually is. It's only when some backend risk engine determines "This data doesn't match up, or this client looks sketchy" that a photo ID is requested.

  • KYC in the context of internet services stands for "violating the 4th Amendment".

    • I don't disagree with your premise that KYC enables governments to violate the 4th amendment, but in general, for certain industries this is just generally a really good idea. Banking is the first industry where I encountered KYC, and it strikes me as being obviously good there.

      Isn't effectively the majority of what the Snowden leaks covered essentially violating the 4th amendment?


    • Yes! If they put it into the entire internet infrastructure, it's considered a general warrant. Hmm... I thought we did away with those in 1789.

  • Synthesia requires KYC: "Your avatar can be created only with your explicit consent, following a thorough KYC-like procedure."

  • Yeah this is a very industry standard term in banking and anyone in that industry is going to immediately know what you are talking about, but outside of that industry, chances are high that a layman will not.

    • Unfortunately, KYC has been bleeding into far more commercial interactions over time. I now deal with KYC multiple times per year in unrelated contexts and I don't work in finance. It has become quite intrusive.

    • In the past that would be true. But given most blockchain platforms require it, I imagine it is more widely known in the tech-savvy HN-like realms?

      Then again I worked on blockchain tech around half a decade ago, so I might be knowledge biased here?


Submission Statement:

We have exactly 4 days to leave comments to the Federal Government of the United States of America contesting the requirement of KYC by internet service providers.

This law is not conducive to a free internet/society.

  • I ask this 100% genuinely, since this isn't a subject I've ever given any mind to. Why should we oppose this? What are the potential negative outcomes if this goes through? Can you steelman the argument for why people support this, and explain why you find the arguments unconvincing?

    • I think that the biggest argument in favour is that it would remove anonymity on the internet, at least from governments, and that could enable law enforcement to more easily find people committing real crimes. CSAM, scams, etc.

      I think the biggest argument against it is that this removes anonymity on the internet, at least from governments, and that would remove people's ability to freely voice their opinions without fears of repercussions (will the first amendment ever be modified? Will people who discuss what it's like to be an illegal immigrant/drug user/etc. be persecuted)? Also, it raises the question of what happens to users of VPN's, public internet, etc.


    • It is great that you ask a question, because we live in a world with the freedom to opine on things. What could be considered a massive issue to me may not be a massive issue to another; and if we feel the world will be better by debating our positions, we have the right to do so.

      Today, anonymity and pseudonymity exist and allow people to speak freely without risk of backlash for having a different opinion as often times the right opinion may differ with that of social consensus.

      If KYC is introduced, the ability to maintain freedom of speech, online, will likely diminish.

      This is of negative consequence to the people of the world.

      Further, with internet 'forever data', LLM NLP and so forth, character profiles are too easy to develop for people which can cause further harm as we begin segregating based on said profiles.

      I believe this KYC requirement can even extend to blockchain node operators and so forth as well.

      These are just a few reasons but there are many more.


    • One example I've seen is a less-than-savory company make a purposefully confusing KYC process after purchase of their service/product to prevent users from realizing they're being scammed and are kept in KYC hell hoping to get verified when they never will. Time to start an ISP...

    • This would make it illegal to anonymously run your own Wordpress install or Mattermost/groupchat server, you would have to reveal your identity to the web host. Do you trust the powers-that-be to never use this information to find and punish dissidents?

    • I know for me I'll have to stop using the internet. I can't take any chances. I can't upload government Ids everywhere I go, especially if the systems are not accessible with screen readers.

    • It's on the parties sponsoring and proposing the law to rigorously explain the benefits (and to discuss any negatives). Maybe go ask them?

    • Why recreate this important argument with coffee? The Berkman Center at Harvard or one hundred other places have decades of written policy work and case studies on these topics.


The talking point we should be using is: if banks know their customers, we don’t have to.

The trail of knowing one's customers always leads to payments and finance.

If we are accepting payment for our services with standard bank card transactions or wire transfers, etc., then the knowing of the customer can be centralized at the banks.

  • Also, the banks have proven themselves fairly inept at it.

    The problem is that KYC, being a cost centre with no upside other than "it's imposed on us by law", immediately turns into a box-checking exercise.

    The industry will barf up some terrible "compliance in a box" solution, everyone will use it, it will eventually get databreached, and the people who brought us Bulletproof Hosting back in the Viagra Spam era will come back with Bulletproof Rack Full Of Quadros.

  • Exactly. What is the point of repeating KYC across every industry? I work on the KYC team of a banking/finance company. It takes a significant amount of resources.

    Unless we create global governing initiatives similar to FATF for IaaS products, American IaaS offerings will become less competitive.

Simple ID scans are already on their way out.

"Liveness checks" where we have to turn on our webcam and let some stranger make a full biometric model of our head to use basic internet infrastructure is the dystopia we deserve, and it's the one we're gonna get.

I hope the "AI" was worth it. Let's see if you can fix this problem you created.

  • Already happening at the IRS. There's a reason government was so reticent in regulating facial recognition in any meaningful way: The government database of everyone's faces, purchased and cobbled together from private partners, isn't complete enough yet.

    This has nothing to do with AI, but an out-of-control executive branch and intelligence agencies. AI is just another tool that will make it cheaper.

For those of us who don't know what this is, an explanation is a bit down the page:

> To address these threats, the President issued E.O. 13984, “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities,” which provides the Department with authority to require U.S. IaaS providers to verify the identity of foreign users of U.S. IaaS products, to issue standards and procedures that the Department may use to make a finding to exempt IaaS providers from such a requirement, to impose recordkeeping obligations with respect to foreign users of U.S. IaaS products, and to limit certain foreign actors' access to U.S. IaaS products in appropriate circumstances. The President subsequently issued E.O. 14110, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence,” which calls for the Department to require U.S. IaaS providers to ensure that their foreign resellers verify the identity of foreign users. E.O. 14110 also provides the Department with authority to require U.S. IaaS providers submit a report to the Department whenever a foreign person transacts with them to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity.

> (e) The term “Infrastructure as a Service Product” means any product or service offered to a consumer, including complimentary or “trial” offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications. The consumer typically does not manage or control most of the underlying hardware but has control over the operating systems, storage, and any deployed applications. The term is inclusive of “managed” products or services, in which the provider is responsible for some aspects of system configuration or maintenance, and “unmanaged” products or services, in which the provider is only responsible for ensuring that the product is available to the consumer. The term is also inclusive of “virtualized” products and services, in which the computing resources of a physical machine are split between virtualized computers accessible over the internet (e.g., “virtual private servers”), and “dedicated” products or services in which the total computing resources of a physical machine are provided to a single person (e.g., “bare-metal” servers);

I read the document a bit, it seems like this is essentially saying that services like AWS need to know the identity of their customer if they suspect they are a foreign entity.

I don't think this would cover VPNs or internet access, mainly just people spending lots of $$ on compute. Is that correct? If so it seems reasonable. If a non US group is spending lots of money using US technology to develop an AI model I do think that falls under foreign trade and should be documented.

There's a surprising amount of debate in this thread on the rights and wrongs of this topic.

As a matter of simple efficiency, what I suggest to you all is that you imagine this was being rolled out by the British government.

Because then you'd all be certain what it meant and what was necessary.

  • I can’t tell if you’re being sarcastic or not. I didn’t think the UK even provided IaaS services.

    On the other hand it seems like half the business of The City is providing cover for dodgy foreign companies, which would be perfect for people trying to get around these laws.

Can anyone glean from this wall of text what documents Uncle Sam is going to expect me, a dirty and potentially smelly foreigner, to submit in order to keep my AWS account?

I suppose VPN's will become illegal next?

  • Those in authority don't want us sharing information with anyone they can't track. So many of the websites I use are already blocking VPN access, and it's only getting worse. Codifying it as law will just be the last step to protect the censors from prosecution for violating the 1st Amendment.

As if KYC for bank accounts was an astounding success on international crime, corruption and terrorism financing.

  • No it wasn't. The terrorists and cartels just got their aunts to register accounts.

This will pass regardless of comments and KYC will only get more strict from here on out. What other end result could there have been when the combined gov-corp-tech behemoth is incredibly data-hungry, obsessed with draconian surveillance, and about to be deluged with malicious AI across the internet? It starts with "suspected" foreign actors and ends with everyone needing to prove their humanity for every little thing on the web. This is why we can't have nice things.

  • Next thing you know if you make one comment about Israel or certain coincidences you will be debanked, cut off from all Internet services, unable to make payments, blacklisted from all employers, your payment accounts frozen, ultimately resulting in eviction for non-payment, then shortly thereafter homeless, hungry, dead, or in prison.

    That's the logical end-game of all this in case you don't have the foresight to see where this road leads.

    • Even foresight isn't enough to avoid it if you don't have the fortitude to avoid paths of least resistance, or the ability to oppose entrenched power structures.

This does not appear to affect domestic customers.

  • How would they know a customer is domestic or foreign without some level of identification on everyone?

  • Then surely all the good actors have to do KYC, and all the bad actors can just pretend to be American entities.

    I don't agree with this on principle, but even just from a practical perspective it seems like they are leaving the door completely open by doing that. What's even the point?

This is about foreign customers only, so as an attempt to abolish the constitution, it is severely flawed in respecting it enough to keep its distance.

I can't think of any US service I am using that doesn't already require KYC? None of the large providers will let you get far without a credit card, as far as I remember?

Since the discussion here will concern itself mostly with upright revolutionaries being disenfranchised by such insult to their liberties, it is worth noting that when the revolutionaries are foreigners, the US often doesn't have the same incentive to disenfranchise them as it might have for domestic troublemakers.

In fact the US has quite a track record of granting rights to foreigners in excess of what they find at home, and even when it concerns allies: requests by European courts and law enforcement are regularly rejected based on US norms when, for example, someone hosts their hate speech blog with a US-only provider.

  • > I can't think of any US service I am using that doesn't already require KYC? None of the large providers will let you get far without a credit card, as far as I remember?

    There are several credit card vendors that do not require KYC that are easily available. I don't know of any banks that don't require KYC that you would use to pay those CC bills, but I wouldn't be surprised if they exist.

  • Providing a credit card is a far cry from KYC. But it also highlights that we probably don't need IAAS businesses to implement KYC as long as the payment providers already do.

> verify the identity of their foreign customers

Makes you wonder how they are going to first determine which are foreign...

What can we do to actually contest it? I see this website lets you submit a “formal comment”. But is that enough? Who is in charge of the decision and who else can be pressured to stop it (certain legislators)?

So this is just to make it easier to ban non-US citizens from using US IaaS (or track them).

Just don't use American IaaS in the first place. It's not like computers are available only in the US.

  • Computers outside of the US sure, but the latest chips used for AI training have export controls so not so much.

A number of threads seem to assume that KYC (or identity check) implies that your biometrics or gov ID data is collected/stored by the provider, but it does not have to be.

The identity check is typically done by a trusted 3rd party that can delete the data right after the identity check (and can be required to do so).

So you basically end up guaranteeing that the name, address and D.O.B that you provided to the IaaS provider is actually correct, nothing more and nothing less.

  • To be frank, I'd be more comfortable with this sort of thing more if there was a full-fat government-based ID platform. Some sort of SSO-style "Sign on with identity.gov" button, where it tells you clearly exactly what information is granted to the vendor, which should be pretty much "nation of citizenship" and nothing else, before you click through.

    I trust a "trusted third party" far, far less. Inevitably it's a data hoarder like our credit-bureau overlords, which has commercial motivations to ask for more data than needed, and hold it longer than necessary, and will likely suffer only a slap on the wrist when they inevitably data-breach.

    We really needed a coherent plan for national and digital ID 20 years ago, but as they say, the second best time would be now.

What can I do as a broke guy to stop this? Write a comment? Will it be read or considered?

  • There is literally nothing you can do. The intelligence agencies are building the top of the funnel for the gulags to host us in the near future.

  • It will be read and considered - you can safely assume that it will affect your social credit score accordingly.

Is this more onerous than verifying the name of the person or company you're serving does not appear on the OFAC list?

This is generally not difficult for anyone concerned, unless they happen to share a name with somebody on that list.

If you're going to editorialize the title, could you possibly tell us what KYC stands for?

  • Know Your Customer - it’s a term describing how organizations like banks want to know what you’re doing so they can avoid enabling criminal activity.

If I host a site that is vulnerable to XSS, is it inadvertent IaaS?

This is what I wrote into the federal register. Please do not allow KYC for the entire internet. This is in fact a miserable failure of an idea. You want to hand our data to AI companies, huh? I do not want to have anything to do with that, or you, if you don't come up with better data privacy regulations. Under the fourth amendment, this would be an unconstitutional general warrant. I thought we did away with those long ago. It does not describe the particular things to be seized. KYC is a ridiculous idea in the first place. It is not designed for the entire internet infrastructure. All the department is doing is enabling more mass surveillance. By trying to shoehorn KYC into the internet infrastructure, you will make the internet less convenient to use for blind people like me. I rely on it in my everyday life. If you decide to make the worst mistake ever, I will have to stop using the internet in favor of my privacy.

Controversial point: if you run an Internet presence of any kind, this is like a property of land on which you run business. The property needs also a legal owner. For real businesses, this is normal. It is unregulated IT who does not understand this and is still in the wild West.

Obviously, modern data processing creates the rightful fear of surveillance. What we lack is a culture of privacy. In other countries if the state or anyone else wants to access the land registry or any other: good luck without a lawful reason.

> We have 4 days to contest KYC being required by internet services

The acronym "KYC" doesn't appear in the linked article. What is this even about?

  • Know Your Customer. It's when you are asked for legal docs so a business can verify your identity. Like what banks do.

- "To Address the National Emergency"

A fast-moving emergency that can't be fixed by normal constitutional lawmaking processes, and must resort, exceptionally, to executive-branch emergency decrees—for expedience. Never mind the executive order it's drawing authority from was written three years ago. It was a fast-moving emergency then, too, I suppose.

https://www.federalregister.gov/documents/2021/01/25/2021-01... ("Taking Additional Steps To Address the National Emergency [sic] With Respect to Significant Malicious Cyber-Enabled Activities" (2021))

  • We're in a permanent emergency now. Which is no surprise - if a mere voluntary act of declaring emergency lets the government do what they otherwise can't - why not declare it over and over?

    Check this out: https://en.wikipedia.org/wiki/List_of_national_emergencies_i...

    In the US we have 42 (!) ongoing national emergencies. The oldest dating back to 1979. I think most of US-based HN readers never lived in non-emergency US.

    • That’d be September 1978 – November 1979 and before then during the roaring twenties if I read this right.

      Maybe POTUS should declare an emergency to reduce the number of emergencies?


    • They are declared in an emergency (most of them are sanctions to freeze money and freedoms of foreigners). That does not mean you live in an emergency. That they are still active means only that the Parliament was too lazy or too blocked to put them in a law.


  • Fun fact: we've got active national emergencies dating back to 1979! https://en.wikipedia.org/wiki/List_of_national_emergencies_i...

    • They're mostly sanctions regimes though it looks like which the Executive can largely implement on its own (under current constitutional interpretations). It probably included other things that have since been ended and the sanctions are the only thing really left.

  • So national security trumps democracy and freedom? What do you have left to protect when you give it all up? Might as well just elect a king and be done with it.

    • Freedom has been on a steady decline since the establishment of the Federal Reserve in 1913 when established banking dynasties seized control over the currency of the country. The symbolic destruction of the constitution occurred on 9/11/2001 when the modern police state went into full force.


    • You elect an executive branch to protect you. Sometimes that includes executive orders. And if these survive the checks and balances, maybe it is for the greater good.

      If you do not want that, the country has to work on a functional Parliament and switch away from a presidential system.


    • It's long been this way. Even in the 1950s there were fed justices commenting that if a nuclear bomb were to be stolen, its retrieval would be a reasonable predicate justifying suspension of the bill of rights until the warhead's retrieval.


    • And lose the profits on electoral show every 2 years? Do you know how much money one can make on an election? That'd be silly to give up all that.

Idea: let's make it so all emergency powers have to be re-authorized every week by Congress at midnight on Friday with a 90% quorum of physically-present representatives.

If "emergency" action is needed because Congress is too slow, then let's make sure they are working through the process to create real law. Or if they aren't, I guess it wasn't an emergency, and there's no reason for administrative law to "fill in" using a non-democratic process.

  • Great! I'm looking forward to seeing this requirement applied to also dissolve the judicial branch entirely so that Congress is entirely responsible for both enforcement and adjudication of the law. Let's work together to end separation of powers.

    • You seem to be suggesting that Congress making law is intruding on the power of an agency to make Administrative law? The latter is not (supposed to be) an actual branch of government. Congress has full power to rewrite all the administrative law as they see fit.

Unconstitutional.

  • What provision of the constitution does it violate? Do you know of court precedents that support that claim?

    I'm not writing this to argue against your position, but to help people craft effective comments to submit in response to the proposed regulation. Federal agencies are not responsive to comments about people disliking a proposed rule, but are very responsive to concrete examples of why it might be legally problematic.

    • The fourth amendment?

      > “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things ...


  • Is it? How? Which bit of KYC for SaaS violates which right?

    • Isn't this a clear violation of the 4th amendment?

      > “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things ...

      Note it says "the people" and not "citizens of the United States". Everyone has this protection within U.S. borders, SCOTUS has ruled to this effect.

      So the government forcing yet more private companies to do their unconstitutional bidding seems like something that should be opposed. I believe banks being required to collect KYC came about through The Patriot Act. If this trend continues, you'll need to verify your identity to use any service.


And who pays for it. Yet another compliance procedure to add to the stack.

I propose that any new regulation gets financed by the regulators. And retroactively get all regulations to have their cost covered by the government.

Who pays the auditors. Who pays Accountants, who paid for data protections schemes, who pays for random sanctions making countless companies suddenly lose large part of their business. Regulations are great, it should be at the government charge though, so that we can continue to do business, prevent market entry costs which promotes monopolies/oligopolies, encourage compliance.

I would argue that for most use cases Internet Services are already collecting sufficient KYC data that it won't make a difference. Try signing up for anything infrastructure related without providing a credit card and/or billing address and/or cell phone number and see how far you get.

That said the system is only as strong as the weakest link in the chain, and while getting a credit card/cell phone number in the US requires a certain standard of identity verification, the same might not be true for other countries (or in cases of deliberate fraud). I think that is what the legislation seems to be targeting.

That doesn't mean it is good legislation or won't have unforeseen side effects.

  • This totally depends on what is collected, if the requirements are some form of national id submission, ie. licenses or passports, then it opens all handlers up to tremendous abuse possibilities. Or at the very least paints a big sign on their backs that they handle mass quantities of official government forms of biometric id, something I think would do much more harm than good in the long run as each company would need to be bulletproof to avoid.