
Comment by oshout

1 year ago

Skimming through the article, it seems like the extent of this is to require IAAS (Infrastructure) providers to verify the identity of those who are using their services to train AI. It's an attempt to stymie sanctioned or malicious actors from training AI and especially from hopping between services or using aliases to continue training on their model.

It seems a bit benign and I don't understand the parallels others on this HN discussion are making. Is it that it's a slippery slope, or perhaps I'm being naïve with regard to the scope?

Skimming the regulations, this does not seem right. It requires all IAAS providers (which is everyone who allows customers to run custom code, so it includes any web host like Dreamhost) to verify the identity of foreigners who open an account. This would seemingly entail the service provider needing to verify everyone's identity, in order to figure out who is a foreigner and who is not.

In other words, if you want to run your own WordPress, or Mastodon node, or your own custom CMS web site or group chat or IRC or bitcoin node, you would need to reveal your identity to the hosting service that you want. This does seem quite bad and could obviously be used to identify political dissidents.

On top of that, the IAAS must report to the US Commerce department about foreigners who are using services to train large AI models.

  • Aren't you basically revealing yourself anyway because you need to pay them?

    • AWS has my name and my credit card number. But they have never asked for a photocopy of my passport, my history of international travel, which nationalities I have and so on. Something tells me that for the goal of this law to be achieved, all those details would need to enter the database.

      10 replies →

    • There are IaaS services out there that accept bitcoin, monero, or anonymous prepaid charge cards. They aren't an IaaS but Mullvad even accepts cash mailed to them in an envelope.

      3 replies →

    • Some hosts accept alternate payment systems, like gift cards or cryptocurrency. You can also have someone else pay for it with a credit card or bank transfer without giving your name, which can be quite important in some cases. The new rules would presumably make that a crime.

      1 reply →

  • Tbh this is fine by me. It's about time the US stopped being the center of the world for internet infrastructure.

    • I’m reading through the contrarian takes here and thinking, “yeah, I’m kind of OK with that?”

      This would make it much trickier for bad actors to get away with everything from online AI scams to swatting. I could live with that.

      1 reply →

  • Good. It’s not 1999.

    There are so many malicious actors putting human life at risk that, in some scenarios, it should be possible to figure out who owns what.

    Now, I would start with corporate ownership and focus on anonymous entities controlling things like Delaware and Nevada corporations. But that’s me.

It's really not benign as far as I can see. There is an implication that its purpose is to allow providers to start writing reports on foreign users training LLMs (which, incidentally, I'm not condoning either), but in the process it requires every American IaaS to start implementing KYC folly.

No one wants to send in selfies and their passport just to start a DigitalOcean droplet.

  • I'm curious if the spammers will find a way around this. I would actually like to be ID'd by a provider if that also meant they had no un-ID'd customers. I'd expect their IP range would start to get a pretty good reputation.

    • The spammers are criminals. They'll just use ID scans and info from data breaches of other companies. Requiring more companies to collect them makes it even worse because now there are more places to exfiltrate them and it makes it easier for criminals to commit identity theft against financial institutions etc.

      There are also non-"criminals" who are more than willing to use their actual ID for the sort of things that aren't strictly illegal but will still get your IP space on a bunch of block lists when they can make a buck doing it, so it wouldn't solve the problem even if it could actually identify all of the customers.

      1 reply →

  • It's absolutely folly! Foolishness by the department of commerce. What were they thinking?

I think everyone has a sour taste left over from decades of half-baked laws written by politicians who don't understand the basics of the internet or technology in general.

With that said, I also don't understand the issues people are having with this.

AI is mentioned, but the scope is significantly larger if you read the full text.

  • I'm going to need another intelligence to read the full text.

    "U.S. IaaS providers and foreign resellers of U.S. IaaS products must exercise reasonable due diligence to ascertain the true identity of any customer or beneficial owner of an Account who claims to be a U.S. person."

    So at a minimum, everyone's identity is verified by the IaaS provider. If you claim to be a non-U.S. person, additional information is collected.

    They mention looking at comments from a previous proposal in 2021, "Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities" https://www.federalregister.gov/documents/2021/09/24/2021-20...

    Who counts as IaaS besides Amazon, Azure, and GCS?

  • Given that top GPUs are sanctioned, I'm sure preventing access to them remotely is a part of this. But just generally speaking, doing any malicious crap out of an EC2 instance is an easy way for a foreign actor in China/Russia/Iran to look more legit.

  • It's still just for IaaS companies, though, right?

    Not that that makes this all okay, but it is a much more limited proposal than "internet services" makes it sound.

    • IaaS is defined as a provider of computing resources that allows you to run software that is not predefined. So that would seem to include basically every web host. If you can install WordPress or Mastodon on the servers they provide, they are an IaaS.

This won't work. Foreign nations have enough skill and resources to pass KYC as a citizen (steal someone's documents, pay a homeless person for verification, etc.). And as I understand it, the US doesn't have a central citizen database, so it is difficult to verify a document.

From the executive order (Executive Order 14110) it seems to affect only massive compute infrastructure:

> (i) any model that was trained using a quantity of computing power greater than 10^26 integer or floating-point operations, or using primarily biological sequence data and using a quantity of computing power greater than 10^23 integer or floating-point operations; and

> (ii) any computing cluster that has a set of machines physically co-located in a single datacenter, transitively connected by data center networking of over 100 Gbit/s, and having a theoretical maximum computing capacity of 10^20 integer or floating-point operations per second for training AI.

Keep in mind that most consumer graphics cards are in the _teraflops_ range, which is 10^12. It's hard to imagine this affecting the average person; it seems that they are specifying KYC for people using clusters with thousands or tens of thousands of cards.

  • No, that is just one part of it. The proposed rules are intended to cover both EO13984, which addresses foreign entities using US IaaS for cyber attacks, and EO14110, which addresses foreign entities using AI hardware.

    They require all IaaS[1] to determine if customers are US persons, and if not to collect and retain certain identifying information[2], and provide annual reports describing their processes[3]. It grants the Secretary of Commerce extra-judicial power to force any IaaS to stop doing business with any foreign customer, or place restrictions on their use[4]. This section lists things that the Secretary should consider in doing so, but doesn't have any hard requirements. Finally, it requires the IaaS to report certain foreign use of AI[5].

    [1] §7.301 https://www.federalregister.gov/d/2024-01580/p-189

    [2] §7.302 https://www.federalregister.gov/d/2024-01580/p-219

    [3] §7.304 https://www.federalregister.gov/d/2024-01580/p-266

    [4] §7.307 https://www.federalregister.gov/d/2024-01580/p-377

    [5] §7.308 https://www.federalregister.gov/d/2024-01580/p-403

    • > It grants the Secretary of Commerce extra-judicial power to force any IaaS to stop doing business with any foreign customer

      This can backfire, as foreign customers of public clouds may switch to local providers, which erodes the US near-monopoly on cloud services. Ironically this can reduce the visibility and control the US government has over foreign nation states.

      E.g., most of the Australian government is hosted in either Azure or AWS. That kind of thing might stop if extrajudicial power is granted to pull the plug on any customer at any time.

      1 reply →

  • > Keep in mind that most consumer graphics cards are in the _teraflops_ range, which is 10^12.

    Something like 40 of them, or 100-300 if you're looking at FP16. So well over 2^14.

    And that's per second, give it your idle cycles for four months and that's 10^7 seconds.

    It gets pretty close to 10^23.

> Is it that it's a slippery slope or perhaps I'm being naïve in regards to the scope?

This. Also, it won't stop malicious actors. Setting up an LLC to mask your true identity is cheap and easy. Not to mention that providing a fake identity or pretending you are not a "foreign person" is also cheap and easy.

> seems like the extent of this is to require IAAS (Infrastructure) providers to verify the identity of those who are using their services to train AI.

Only foreigners.

> It's an attempt to stymie sanctioned or malicious actors, from training AI and especially from hopping between services or using aliases to continue training on their model.

Unlikely, since it exempts non-foreign malicious actors.

On top of that, it is to identify FOREIGN users

>>"require U.S. IaaS providers to verify the identity of foreign users of U.S. IaaS products, ... which calls for the Department to require U.S. IaaS providers to ensure that their foreign resellers verify the identity of foreign users. E.O. 14110 also provides the Department with authority to require U.S. IaaS providers submit a report to the Department whenever a foreign person transacts with them to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity."

We damn well SHOULD be identifying foreign users of our services, particularly those which have high-powered potential to cause harm.

This knee-jerk [govt identifying anybody is bad] response prevalent here deeply undermines the cause of actually maintaining privacy. There are actually very bad actors out there, and if we fail to identify and contain them, things will be far worse. The reality is that some measures must be taken — let's focus on containing the real threats, not cry foul at every shadow of a hint that we might approach a slippery slope.

> It seems a bit benign

This seems, to me, an utterly malignant attack on anonymity, which is a protected constitutional right. It's the idea that every internet packet needs to be tied back to some verified identity. We're in frog-boiling territory with this garbage.

  • There is no absolute right to anonymity in the US constitution.

    (The courts have "recognized relatively strong First Amendment presumptions on behalf of purveyors of anonymous speech, especially for those that are statements of opinions rather than obvious falsehoods, while recognizing that government sometimes has the right to identify such speakers when they have used their platforms to harass, engage in slander or sexual predation, make true threats, or allow foreign governments to influence U.S. elections")

  • > It's the idea that every internet packet needs to be tied back to some verified identity

    There have been multiple attempts to do this, via KOSA and a few others lately in our Congress. PR-friendly candidates like Duckworth have been trying to walk this through the system.

The more information they keep, the more they will expose it in data breaches, or sell/share it with others.

[flagged]

  • > You're calling a collection and storage of your personal information as "benign"?!

    All major cloud services already collect this information. I filled in the bare minimum on AWS, and they've got my full name, address, phone number, email, and credit card details.

    • They collect biometric data (selfie) plus a copy of your driver's license? That's a big part of KYC/AML.

      That's a huge difference from address, email, CC number.

      12 replies →

  • > propose regulations requiring U.S. Infrastructure as a Service (IaaS) providers of IaaS products to verify the identity of their foreign customers,

    Sounds like solid policy to me.