Comment by dsign
1 year ago
AWS has my name and my credit card number. But they have never asked for a photocopy of my passport, my history of international travel, which nationalities I have and so on. Something tells me that for the goal of this law to be achieved, all those details would need to enter the database.
Amazon is certainly supposed to ensure that you are not a sanctioned person or a citizen of a sanctioned country. This was a concern decades ago when I was in shared web hosting.. don't know why it would have changed?
When has big tech had a good history of proactive compliance?
AWS has a denied party screening team and absolutely restricts access to services based on the BIS entity list and other sanctioned parties.
I've been in big tech for a while and oh wow is there a lot of proactive compliance.
Not necessarily (although that doesn't necessarily mean I think this is OK). Payment-card-based verification is a longstanding method of doing prima-facie verification like this. When you give your credit card, you give your billing address and typically your phone number -- if the postal code is a US address and the phone number is a US area code and everything else is consistent with that, that might be all the KYC required. If you appear to be a foreign national operating outside the US, they can flag that and require additional paperwork only then.
This proposed rule looks to me like it basically requires providers to come up with their own verification plans, which may then differ from provider to provider, so as to be "flexible and minimally burdensome to their business operations".
[note for the following: I am not a lawyer. The following is not legal advice. Do not fold, spindle or multilate. Do not taunt Happy Fun Ball.]
The real danger, I think, with things like this is, there's an executive order that was issued, but it further specified a rulemaking process be conducted to determine the actual regulations that define compliance. The link in the title is to the proposed rule. There's nothing that says any amount of prior public input will necessarily influence the details of the final rule, or that rule can't change in the future through another rulemaking process, and if it does the only way to challenge it is either to sue the agency on the grounds that it exceeded its discretion (e.g. by making rules that require unconstitutional things) or that the enabling executive order is itself unconstitutional -- but these kinds of federal cases have a pretty high bar for what's called "standing" (the legal grounds to bring a particular lawsuit): you pretty much have to suffer concrete harm or be in obvious and imminent danger of suffering it to a grievous degree. (This is one reason you hear about "test cases" -- often somebody will agree to be the goat who is denied something, fined, or even arrested and convicted of a crime, so that standing to sue to overturn the law can be established.) Other times, if a lot of potential defendants already have standing, a particularly sympathetic defendant will be selected for the actual challenge. The US federal courts are also deferential to "agency discretion" by default, as a matter of doctrine.
What happens all too often with these things is, the initial rulemaking is pretty reasonable, and the public outrage (if there was any) dissipates. Then three years (or however long) on, the next rulemaking imposes onerous restrictions and strict criteria, and people suddenly (relatively speaking) wake up and find they're now in violation of federal regulations that they were in compliance with last week. (This is one reason public-interest groups are so critical -- they have the motivation and sustained attention to comb the Federal Register for announcements about upcoming rounds of rulemaking on various topics.)
Thanks, this was useful clarification.
[flagged]
If you rent a VPS in supposedly privacy-conscious Germany they need photo id too :(
Luckily there's other cheap options in Europe like in France.
I don't think that is a legal requirement in Germany. At least Hetzner lets you rent a German VPS or dedicated server without ID. Though Hetzner may require you to submit an ID if you are flagged by their automated systems upon registration.
It was actually Hetzner that didn't want to provision my VPS without Photo ID. I blanked out the SSN as our government tells us to do and they balked at that as well. After I showed them my government's website explaining how and why to do that they were OK with it but at that point the relationship was already soured and I started looking for alternatives.
Maybe they changed it now but they were asses about it then. I thought it was a legal requirement, they basically said as much though I don't recall the exact details, it was before the pandemic.
Eventually I just moved to Scaleway in France which is much nicer and cheaper and you can even talk to their support on slack.
PS: I don't do anything nefarious on my servers but I just don't want my ID on file anywhere it's not needed.