I wanted to try out OVHcloud and signed up and paid for a small, cheap VPS. Then I get this email:<p><pre><code> Please provide full-color photos of the following using the OVHcloudShare app (see instructions below):
- A government-issued photo ID
- A picture of the credit card used in the transaction including:
1. The name matching the listed name in the Manager account, AND
2. The last 4 digits of the card number
- A photo of yourself holding the government-issued Photo ID provided above.
</code></pre>
I absolutely will not do this - it's incredibly invasive and this is just a hosting service, not a bank. And it's a terrible idea. If every company starts doing this the security implications are far worse than whatever problem they're trying to solve.<p>Am I crazy? Is this just the way the world works now because of KYC or credit card scams or something? Or is it a European thing? (This is a French company and I'm in the USA.)
KYC is already required at banks and they have the most complete - and global - view of <i>all transaction flows</i>.<p>Therefore we should insist that KYC be solely performed by banks - no other firms should be required to perform it.<p>Given the extraordinary privileges that banks enjoy, this would be a reasonable contribution to society - especially given that they are <i>doing it anyway</i>.
AFAIK there's a new law requiring KYC for IaaS providers serving the US. I'm assuming it covers their butts as well regarding malicious activity, they don't want to host a DoS attack, CP site, or similar. You might be hard pressed to find a hosting provider in the US that doesn't ask for these things.
Blur everything but your name and photo and then unblur pieces of it until they accept it. Also make sure to watermark it with repeating 10px red text saying “only for purposes of ID verification with OVH.”
Here are some vendors that care more about privacy <a href="https://kycnot.me/?t=service&q=vps" rel="nofollow">https://kycnot.me/?t=service&q=vps</a>
There are lots of VPS providers, why not just choose one that meets your expectations for privacy, security, etc?<p>The power of the market is when customers refuse to go along with unacceptable demands.
Well, for me being in UE with eIDAS docs I have just a response: implement eIDAS and I'll give you a certified ID out of my public docs, nothing else. If you want a proof of my identity you'll get the best proof. Otherwise you just want to scam me or you live in another world.<p>eIDAS could be simply described as "a smart-card in any documents" (so far some UE state have started with identity cards, some with drive permit as well, nothing different than classic/modern e-passports) you can use with a reader and a PIN to identify yourself. The main usage so far is almost only for public administration services but some example of private use are discussed and used ante-litteram for instance as a proof of majority for buying cigarettes on vending machines, some discuss the option of a public SSO identifying a citizen who allow send SOME (detailed in the redirect page) to a private party. Nothing exists AFAIK outside the public but it start to spread. The public became the guarantor of the citizen's identity.<p>Outside EU various countries have some form of e-IDs so... It's just about time to steamline them ALSO for contract signing instead of absurd SMS-based signature on third parties.
I'm pretty sure someone is selling all this private data in the deep web right now. It's not OVH you have to sorry about.<p>The cat is out of the bag. There's no way back.
Of course, you’re not crazy. The more the number of people who just give in, the larger and more widespread this problem becomes.<p>IMO, this is one of the ways governments get more ideas — to encourage companies or have them collect a lot of data so that they (the government agencies) can legally (or even illegally) demand them for mass surveillance and their expeditions. It’s like a fire hose that won’t stop.
Original poster here. I heard back from OVH that this was their automatic fraud detection system kicking in, and after manual review they removed this requirement. Apparently I made a mistake entering my CC info. Doh...<p>Now I feel like I jumped the gun posting, but I also feel relieved. In any case, thanks for all the support.
I have not had to do that and might not want to. But nothing on a US driver's license is private information anyway. Banks, credit reporting agencies, car dealerships, landlords, police, etc. all have access to your license info and much more. So I wouldn't call it "incredibly invasive."<p>Easy to blame the hosting company, or the government, but it's the bad actors and fraudsters and scammers who drive these kinds of rules. I'd rather have to show a hosting provider my ID than have all of their IPs blocked out of the blue one day because they rented a VPS to a scammer or botnet, maybe using my name and credit card number to do it.
Hosting providers get an obscene amount of fraudulent sign-up attempts, including attempts where they try to assume the identity of the person they have acquired the passport scan/photo of.<p>I don't like it, but it's very understandable.
Three ways of looking at this:<p>1. Maybe something about you is triggering their fraud system for step-up verification.<p>2. They might experience a lot of fraudulent (scammer) users, which is a net-negative for anyone who host there because ISP might black list that hosting providers IPs.<p>3. Maybe they are super serious and KYC all onboarding because they only what super vetted customers because that benefits everyone to have a “clean network” (basically the opposite of #2).<p>Given OVH super low pricing, my guess is #2.
I think KILT DIDs look to hold the tech answer to this type of problem.
<a href="https://www.bitdigest.io/posts/taking-control-secure-identity-management-with-kilt" rel="nofollow">https://www.bitdigest.io/posts/taking-control-secure-identit...</a>
It's a fraud detection thing.<p>Get in touch with their support directly. They did this to me but I contacted them and complained and said they approved it without the need for this.
10 years ago I registered a dot-ru and let’s just say the requirements were quite overreaching LOL. I’m embarrassed to admit to the documentation I provided to make it happen. My identity has probably been sold a thousand times by now ¯\_(ツ)_/¯
Why OVH? I've had awful experience using their services... Vultr, Linode, UpCloud, Hetzner are far better options... none of them require this nonsense.
the reason they're doing this is because of credit card fraud. the attacker takes a stolen credit card, signs up for their service, and then runs up a huge bill. when the credit card owner discovers this, they do a chargeback, which means the hosting provider is out the money. do this enough times and the hosting provider gets kicked off their credit card processor and can't take payments anymore.<p>so yeah, it sucks, especially for privacy aficionados. there are places online that will take your untraceable Moreno (XMR) for hosting, but they end up getting used to anonymously host CSAM until the feds take that and hopefully the people creating that down as well.
Yes.<p>Ultimately the internet is a lawless extremely low trust place, because it isn't limited by borders, so there is no effective law enforcement over a significant fraction of the people on it. Hosting providers bear a fair bit of the brunt of this because they're a staging ground for doing actually evil things.<p>I want to work with high trust places. I don't want an IP address that was just being used to hack people. I don't want to have to jump through hoops that verify I'm not doing evil things before doing things. I want to be offered things that can't be offered to people who are abusing trust, like generous free trials.<p>Verifying I'm an actual person in a place where they can pursue me through a functional legal system and functional law enforcement agencies is a step that allows the trust level to be stepped up slightly from "literally none". That's a good thing IMHO.<p>And I already have no privacy when I'm paying with a credit card under my real name. There's no actual cost here to me.<p>That said, I'd be very careful I was actually sending that information to a reputable hosting company, because the internet is a lawless place and there are definitely people who would try and pretend to be your hosting company.