We have 4 days to contest KYC being required by internet services

Skimming through the article, it seems like the extent of this is to require IAAS (Infrastructure) providers to verify the identity of those who are using their services to train AI. It&#x27;s an attempt to stymie sanctioned or malicious actors, from training AI and especially from hopping between services or using aliases to continue training on their model.<p>It seems a bit benign and I don&#x27;t understand the parallels others on this HN discussion are making. Is it that it&#x27;s a slippery slope or perhaps I&#x27;m being naïve in regards to the scope?

What an absolute nightmare. I would also be surprised if iaas providers arent in vehement opposition, i will instantly migrate all cloud resources away from AWS if they start requiring KYC docs. Theres close to zero effort for doing so

I work on KYC systems at a medium&#x2F;large sized financial institution. The trend of adding KYC requirements to more and more online services is troubling.<p>KYC adds a huge burden to anyone trying to offer a service. Implementing KYC imposes significant burdens on service providers due to the complexity of identifying users across different countries and understanding varied regional regulations. You end up outsourcing your KYC to another company. But most KYC vendors don&#x27;t support all the countries you want to support, so you either end up limiting your service to the service area of your KYC vendor. Or you end up integrating multiple vendors together, which is challenging since vendors generally prefer exclusivity.<p>If you didn&#x27;t have an engineering team working on KYC before, you will now. You will likely need to add to or expand your compliance team. Your company will shift either slightly or significantly from being an engineering or product driven company to being a compliance driven company.<p>KYC raises barriers and entrenches incumbents. Look at financial institutions and porn.<p>KYC is generally not evidence based policy either [1, 2]. Bad actors get around your KYC requirements, and your KYC system ends up being a hurdle for innocent users. A lot of KYC systems rely on data aggregators (aka the people who buy your personal data), and if you aren&#x27;t &quot;in the system&quot; either because you are young, poor, or privacy conscious, you are faced with suspicion.<p>My experience is that anti-fraud systems tend to weed out bad actors better than KYC systems that are mandated in a governmental top down manner.<p>1) <a href="https:&#x2F;&#x2F;www.economist.com&#x2F;finance-and-economics&#x2F;2021&#x2F;04&#x2F;12&#x2F;the-war-against-money-laundering-is-being-lost" rel="nofollow">https:&#x2F;&#x2F;www.economist.com&#x2F;finance-and-economics&#x2F;2021&#x2F;04&#x2F;12&#x2F;t...</a><p>2) <a href="https:&#x2F;&#x2F;www.tandfonline.com&#x2F;doi&#x2F;full&#x2F;10.1080&#x2F;25741292.2020.1725366" rel="nofollow">https:&#x2F;&#x2F;www.tandfonline.com&#x2F;doi&#x2F;full&#x2F;10.1080&#x2F;25741292.2020.1...</a>

For those who didn&#x27;t know, KYC stands for &quot;know your customer&quot;. It&#x27;s a good idea to spell out abbreviations the first time they&#x27;re used, especially since the abbreviation itself is not used in the linked article. It&#x27;s also worth noting that the proposal is about US infrastructure as a service (IaaS) products specifically, not &quot;internet services&quot; in general.

Submission Statement:<p>We have exactly 4 days to leave comments to the Federal Government of the United States of America contesting the requirement of KYC by internet service providers.<p>This law is not conducive to a free internet&#x2F;society.

The talking point we should be using is: if banks know their customers, we don’t have to.<p>The trail of knowing ones customers always leads to payments and finance.<p>If we are accepting payment for our services with standard bank card transactions or wire transfers, etc., then the knowing of the customer can be centralized at the banks.

Simple ID scans are already on their way out.<p>&quot;Liveness checks&quot; where we have to turn on our webcam and let some stranger make a full biometric model of our head to use basic internet infrastructure is the dystopia we deserve, and it&#x27;s the one we&#x27;re gonna get.<p>I hope the &quot;AI&quot; was worth it. Let&#x27;s see if you can fix this problem you created.

For those of us who don&#x27;t know what this is, an explanation is a bit down the page:<p>&gt; To address these threats, the President issued E.O. 13984, “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities,” which provides the Department with authority to require U.S. IaaS providers to verify the identity of foreign users of U.S. IaaS products, to issue standards and procedures that the Department may use to make a finding to exempt IaaS providers from such a requirement, to impose recordkeeping obligations with respect to foreign users of U.S. IaaS products, and to limit certain foreign actors&#x27; access to U.S. IaaS products in appropriate circumstances. The President subsequently issued E.O. 14110, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence,” which calls for the Department to require U.S. IaaS providers to ensure that their foreign resellers verify the identity of foreign users. E.O. 14110 also provides the Department with authority to require U.S. IaaS providers submit a report to the Department whenever a foreign person transacts with them to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity.

&gt; (e) The term “Infrastructure as a Service Product” means any product or service offered to a consumer, including complimentary or “trial” offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications. The consumer typically does not manage or control most of the underlying hardware but has control over the operating systems, storage, and any deployed applications. The term is inclusive of “managed” products or services, in which the provider is responsible for some aspects of system configuration or maintenance, and “unmanaged” products or services, in which the provider is only responsible for ensuring that the product is available to the consumer. The term is also inclusive of “virtualized” products and services, in which the computing resources of a physical machine are split between virtualized computers accessible over the internet (e.g., “virtual private servers”), and “dedicated” products or services in which the total computing resources of a physical machine are provided to a single person (e.g., “bare-metal” servers);

This is a good overview <a href="https:&#x2F;&#x2F;www.akingump.com&#x2F;en&#x2F;insights&#x2F;alerts&#x2F;commerce-issues-proposed-rule-on-malicious-cyber-enabled-activities-and-artificial-intelligence" rel="nofollow">https:&#x2F;&#x2F;www.akingump.com&#x2F;en&#x2F;insights&#x2F;alerts&#x2F;commerce-issues-...</a>

I read the document a bit, it seems like this is essentially saying that services like AWS need to know the identity of their customer if they suspect they are a foreign entity.<p>I don&#x27;t think this would cover VPNs or internet access, mainly just people spending lots of $$ on compute. Is that correct? If so it seems reasonable. If a non US group is spending lots of money using US technology to develop an AI model I do think that falls under foreign trade and should be documented.

There&#x27;s a surprising amount of debate in this thread on the rights and wrongs of this topic.<p>As a matter of simple efficiency, what I suggest to you all is that you imagine this was being rolled out by the British government.<p>Because then you&#x27;d all be certain what it meant and what was necessary.

Can anyone glean from this wall of text what documents Uncle Sam is going to expect me, a dirty and potentially smelly foreigner, to submit in order to keep my AWS account?

I suppose VPN&#x27;s will become illegal next?

As if KYC for bank accounts was an astounding success on international crime, corruption and terrorism financing.

This will pass regardless of comments and KYC will only get more strict from here on out. What other end result could there have been when the combined gov-corp-tech behemoth is incredibly data-hungry, obsessed with draconian surveillance, and about to be deluged with malicious AI across the internet? It starts with &quot;suspected&quot; foreign actors and ends with everyone needing to prove their humanity for every little thing on the web. This is why we can&#x27;t have nice things..

This does not appear to affect domestic customers.

This is about foreign customers only, so as an attempt to abolish the constitution, it is severely flawed in respecting it enough to keep its distance.<p>I can&#x27;t think of any US service I am using that doesn&#x27;t already require KYC? None of the large providers will let you get far without a credit card, as far as I remember?<p>Since the discussion here will consider itself mostly with upright revolutionaries being disenfranchised by such insult to their liberties, it is worth noting that when the revolutionaries are foreigners, the US often doesn&#x27;t have the same incentive to disenfranchise them as it might have for domestic troublemakers.<p>In fact the US has quite a track record of granting rights to foreigners in excess of what they find at home, and even when it concerns allies: request by European courts and law enforcement are regularly rejected based on US norms when, for example, someone hosts their hat speech blog with an US-only provider.

&gt; verify the identity of their foreign customers<p>Makes you wonder how they are going to first determine which are foriegn...

This seems like the key section people should read through and where they should focus their submitted comments:<p><a href="https:&#x2F;&#x2F;www.federalregister.gov&#x2F;d&#x2F;2024-01580&#x2F;p-70" rel="nofollow">https:&#x2F;&#x2F;www.federalregister.gov&#x2F;d&#x2F;2024-01580&#x2F;p-70</a>

What can we do to actually contest it? I see this website lets you submit a “formal comment”. But is that enough? Who is in charge of the decision and who else can be pressured to stop it (certain legislators)?

So this is just to make it easier to ban non-US citizens from using US IaaS (or track them).<p>Just don&#x27;t use American IaaS in the first place. It&#x27;s not like computers are available only in the US.

A number of threads seem to assume that KYC (or identity check) implies that your biometrics or gov ID data is collected&#x2F;stored by the provider, but it does not have to be.<p>The identity check is typically done by a trusted 3rd party that can delete the data right after the identity check (and can be required to do so).<p>So you basically end up guaranteeing that the name, address and D.O.B that you provided to the IaaS provider is actually correct, nothing more and nothing less.

are they going to start requiring an ID to buy a GPU too

What can I do as a broke guy to stop this? Write a comment? Will it be read or considered?

Is this more onerous than verifying the name of the person or company you&#x27;re serving does not appear on the OFAC list?<p>This is generally not difficult for anyone concerned, unless they happen to share a name with somebody on that list.

If you&#x27;re going to editoralize the title, could you possibly tell us what KYC stands for?

This seems like a slippery slope.

If I host a site that is vulnerable to XSS, is it inadvertant Iaas?

.This is what I wrote into the federal register. Please do not allow KYC for the entire internet. This is in fact a miserable failure of an idea. You want to hand our data to AI companies, huh? I do not want to have anything to do with that, or you, if you don&#x27;t come up with better data privacy regulations. Under the fourth amendment, this would be an unconstitutional general warrant. I thought we did away with those long ago. It does not describe the particular things to be seized. KYC is a ridiculous idea in the first place. It is not designed for the entire internet infrastructure. All the department is doing, is enabling more mass surveillance. By trying to shoehorn KYC into the internet infrastructure, you will make the internet less convenient to use for blind people like me. I rely on it in my every day life. If you decide to make the worst mistake ever, I will have to stop using the internet in favor of my privacy.

Controversial point: if you run a Internet presence of any kind, this is like a property of land on which you run business. The property needs also a legal owner. For real businesses, this is normal. It is unregulated IT who does not understand this and is still in the wild West.<p>Obviously, modern data processing creates the rightful fear of surveillance. What we lack is a culture of privacy. In other countries if the state or anyone else wants to access the land registry or any other: good luck without a lawful reason.

&gt; We have 4 days to contest KYC being required by internet services<p>The acronym &quot;KYC&quot; doesn&#x27;t appear in the linked article. What is this even about?

Thanks. Just commented in support.

&quot;I&#x27;m from the government, and I&#x27;m here to help&quot;

- <i>&quot;To Address the National Emergency&quot;</i><p>A fast-moving emergency that can&#x27;t be fixed by normal constitutional lawmaking processes, and must resort, exceptionally, to executive-branch emergency decrees—for expedience. Nevermind the executive order it&#x27;s drawing authority from was written three years ago. It was a fast-moving emergency then, too, I suppose.<p><a href="https:&#x2F;&#x2F;www.federalregister.gov&#x2F;documents&#x2F;2021&#x2F;01&#x2F;25&#x2F;2021-01714&#x2F;taking-additional-steps-to-address-the-national-emergency-with-respect-to-significant-malicious" rel="nofollow">https:&#x2F;&#x2F;www.federalregister.gov&#x2F;documents&#x2F;2021&#x2F;01&#x2F;25&#x2F;2021-01...</a> (<i>&quot;Taking Additional Steps To Address the National Emergency</i> [sic] <i>With Respect to Significant Malicious Cyber-Enabled Activities&quot;</i> (2021))

Idea: let&#x27;s make it so all emergency powers have to be re-authorized every week by Congress at midnight on Friday with a 90% quorum of physically-present representatives.<p>If &quot;emergency&quot; action is needed because Congress is too slow, then let&#x27;s make sure they are working through the process to create real law. Or if they aren&#x27;t, I guess it wasn&#x27;t an emergency, and there&#x27;s no reason for administrative law to &quot;fill in&quot; using a non-democratic process.

if you are all just going to vote for Biden again anyway, stop complaining

Unconstitutional.

And who pays for it. Yet another compliance procedure to add to the stack.<p>I propose that any new regulation gets financed by the the regulators . And retro actively get all regulations to have their cost covered by the government.<p>Who pays the auditors. Who pays Accountants, who paid for data protections schemes, who pays for random sanctions making countless companies suddenly lose large part of their business . Regulations are great, it should be at the government charge though, so that we can continue to do business, prevent market entry costs which promotes monopolies&#x2F;oligopolies, encourage compliance.

I would argue that for most use cases Internet Services are already collecting sufficient KYC data that it won&#x27;t make a difference. Try signing up for anything infrastructure related without providing a credit card and&#x2F;or billing address and&#x2F;or cell phone number and see how far you get.<p>That said the system is only as strong as the weakest link in the chain, and while getting a credit card&#x2F;cell phone number in the US requires a certain standard of identity verification, the same might not be true for other countries (or in cases of deliberate fraud). I think that is what the legislation seems to be targeting.<p>That doesn&#x27;t mean it is good legislation or won&#x27;t have unforeseen side effects.