[HN Gopher] We have 4 days to contest KYC being required by inte...
___________________________________________________________________
We have 4 days to contest KYC being required by internet services
Author : chadsix
Score : 419 points
Date : 2024-04-25 15:31 UTC (7 hours ago)
(HTM) web link (www.federalregister.gov)
(TXT) w3m dump (www.federalregister.gov)
| chadsix wrote:
| Submission Statement:
|
| We have exactly 4 days to leave comments to the Federal
| Government of the United States of America contesting the
| requirement of KYC by internet service providers.
|
| This law is not conducive to a free internet/society.
| plus wrote:
| I ask this 100% genuinely, since this isn't a subject I've ever
| given any mind to. Why should we oppose this? What are the
| potential negative outcomes if this goes through? Can you
| steelman the argument for why people support this, and explain
| why you find the arguments unconvincing?
| Takennickname wrote:
| Provides the prerequisites for an authoritarian regime when
| they inevitably coopt the internet
| IfOnlyYouKnew wrote:
| Well some authoritarian regime would otherwise just do it
| whenever it got started, and it would require maybe a week?
| mistrial9 wrote:
| why recreate this important argument with coffee? The Berkman
| Center at Harvard or one hundred other places has decades of
| written policy work and case studies on these topics ..
| plus wrote:
| I would also find a link to those arguments to be
| satisfactory.
| tomalpha wrote:
| I too would have asked the same question as GP, and also
| meant it genuinely. It feels like HN is a place where
| someone could summarise the (presumably strong) arguments
| against this? Or links to a good source as suggested by a
| sibling comment.
| CalRobert wrote:
| I think that the biggest argument in favour is that it would
| remove anonymity on the internet, at least from governments,
| and that could enable law enforcement to more easily find
| people committing real crimes. CSAM, scams, etc.
|
| I think the biggest argument against it is that this removes
| anonymity on the internet, at least from governments, and
| that would remove people's ability to freely voice their
| opinions without fears of repercussions (will the first
| amendment ever be modified? Will people who discuss what it's
| like to be an illegal immigrant/drug user/etc. be
| persecuted)? Also, it raises the question of what happens to
| users of VPN's, public internet, etc.
| ameister14 wrote:
| Does this actually remove anonymity on the internet?
|
| It seems to de-anonymize a set of IaaS customers, sure; but
| that's not nearly the same thing as removing anonymity
| completely. I've only just scanned this but it seems at
| first glance to mean that a foreign company can't
| anonymously spin up an AWS instance, that's all. Am I
| reading this incorrectly?
| generalizations wrote:
| It establishes the principle, so that later it can be
| expanded by degrees. The trick is to oppose the principle
| so that it can't be expanded later.
| kjkjadksj wrote:
| This can't be the only way to de-anonymize an internet
| user today
| RAM-bunctious wrote:
| A set? Only US customers are unaffected, i.e. 96% of the
| planet would no longer be able to use AWS (or anything
| similar based in the US, all the way down to simple web
| hosting or e-mail services) without going through KYC.
|
| There are so many things that can fall under the IaaS
| bracket. Think anything 'cloud'. Maybe that's not how
| they'll apply it, but legally they are free to do so.
| It's a huge reach.
| joh6nn wrote:
| The only way for US citizens to prove that they are such
| would be for them to also submit their IDs. So it affects
| everyone.
|
| Basically, it forces providers of a very wide variety of
| tech related services to collect identifying info on
| anyone who uses their services, and then store that info
| to either eventually be exposed in a breach, subpoenaed
| by the government, or sold to the highest bidder (might
| as well monetize it if you're forced to collect it)
| throwup238 wrote:
| _> ...directs the Secretary of Commerce (Secretary) to
| propose regulations requiring U.S. Infrastructure as a
| Service (IaaS) providers of IaaS products to verify the
| identity of their foreign customers..._ (from TFA)
|
| This is about IaaS not "internet services". It doesn't
| remove anonymity from internet users, just _foreign_
| customers renting cloud servers and other infrastructure.
| mikegreenberg wrote:
| It seems the definition of IaaS Products could very well
| extend to ISPs:
| https://www.federalregister.gov/d/2024-01580/p-46
|
| > This proposed definition adopts the E.O. 13984
| definition for "Infrastructure as a Service product",
| which is any product or service offered to a consumer,
| including complimentary or "trial" offerings, that
| provides processing, storage, _networks_, or other
| fundamental computing resources, and with which the
| consumer is able to deploy and run software that is not
| predefined, including operating systems and applications.
|
| How would an ISP not be misconstrued as a "managed
| network"? Deploy/run software could just as easily be
| running some protocol over the network connection?
|
| Sure, there are very few international ISPs which would
| be affected by this as physical infrastructure must be
| local to the user, but I wonder if this would be true
| always (e.g.: Starlink)
| pavon wrote:
| I can't see how an ISP (or VPN for that matter) would
| qualify for the second half "_and_ with which the
| consumer is able to deploy and run software that is not
| predefined, including operating systems and applications."
|
| This would apply to all hosting providers, which is bad
| enough.
| ramenbytes wrote:
| Internet connections can be used to SSH into a box to
| deploy and run software. IANAL, but I could see that
| catching ISP's and VPN's.
| mikegreenberg wrote:
| Some counterexamples:
|
| - TCP is a spec delivered by a software implementation
| program. Maybe you disagree that TCP is being "deployed"
| as opposed to "used"?
|
| - What about peer-to-peer hosted webpages? Certainly this
| is deployed software served over the internet connection?
|
| The devil is in the details... details which are not
| specified in the order. It wouldn't be hard to imagine a
| lawyer arguing the finer details of "deployed" and
| "software" and falling on a definition which results in a
| less "open" Internet.
|
| Also, I think the meaning of "that is not predefined"
| is not at all clear. Predefined at what point in time?
|
| IANAL.
| joh6nn wrote:
| how will US customers prove that they're not foreign
| customers?
| chadsix wrote:
| It is great that you ask a question, because we live in a
| world with the freedom to opine on things. What could be
| considered a massive issue to me may not be a massive issue
| to another; and if we feel the world will be better by
| debating our positions, we have the right to do so.
|
| Today, anonymity and pseudonymity exist and allow people to
| speak freely without risk of backlash for having a different
| opinion as often times the right opinion may differ with that
| of social consensus.
|
| If KYC is introduced, the ability to maintain freedom of
| speech, online, will likely diminish.
|
| This is of negative consequence to the people of the world.
|
| Further, with internet 'forever data', LLM NLP and so forth,
| character profiles are too easy to develop for people which
| can cause further harm as we begin segregating based on said
| profiles.
|
| I believe this KYC requirement can even extend to blockchain
| node operators and so forth as well.
|
| These are just a few reasons but there are many more.
| EGG_CREAM wrote:
| This doesn't seem to affect users of internet services,
| though. It's just IaaS, so things like AWS. With that
| limited scope, what is the adverse effect of KYC laws on
| freedom of speech?
| zamubafoo wrote:
| How much longer before IaaS platforms require their
| customers to also have similar KYC policies in their ToS
| to be able to shift liability downward in case anything
| goes down?
| carl_dr wrote:
| This law already includes platforms that resell IaaS. So
| about 4 days.
| chlodwig wrote:
| It affects all web hosts, so if you want to lease a
| server in order to install Wordpress or Mastodon you
| would need to submit your identification to the provider.
| rsync wrote:
| I think it effectively affects all web hosts... Certainly
| how we expect them to work in 2024...
|
| But remember that you can have a perfectly effective web
| host that simply accepts HTML uploads.
|
| Certainly a tremendous loss of convenience and features
| but speech itself could still be available under this
| regime...
| _tk_ wrote:
| I'm not in favor of this rule, but it seems to me you are
| conflating several issues into one without showing the
| effect of the rule. Can you explain how the rule that would
| be implemented causes these effects? I do not see the
| connection here.
| switch007 wrote:
| It's on the parties sponsoring and proposing the law to
| rigorously explain the benefits (and to discuss any
| negatives). Maybe go ask them?
| chlodwig wrote:
| This would make it illegal to anonymously run your own
| Wordpress install or Mattermost/groupchat server, you would
| have to reveal your identity to the web host. Do you trust
| the powers-that-be to never use this information to find and
| punish dissidents?
| yamazakiwi wrote:
| One example I've seen is a less-than-savory company make a
| purposefully confusing KYC process after purchase of their
| service/product to prevent users from realizing they're being
| scammed and are kept in KYC hell hoping to get verified when
| they never will. Time to start an ISP...
| drakythe wrote:
| This is not about Internet Service Providers. This is about
| Infrastructure as a Service providers, e.g. AWS, Linode, Azure,
| GoDaddy, etc.
|
| See https://www.federalregister.gov/d/2024-01580/p-46 for their
| definition.
|
| Misrepresenting what this is about is not helpful.
| spxneo wrote:
| I'm not sure I understand: are customers of
| AWS/Linode/Digitalocean now required to submit
| passport/drivers license to host a blog or website?
| CalRobert wrote:
| I suppose VPN's will become illegal next?
| webdoodle wrote:
| Those in authority don't want us sharing information with
| anyone they can't track. So many of the websites I use are
| already blocking VPN access, and it's only getting worse.
| Codifying it as law will just be the last step to protect the
| censors from prosecution for violating the 1st Amendment.
| systemvoltage wrote:
| Unconstitutional.
| freeone3000 wrote:
| Is it? How? Which bit of KYC for SaaS violates which right?
| kolanos wrote:
| Isn't this a clear violation of the 4th amendment?
|
| > "The right of the people to be secure in their persons,
| houses, papers, and effects, against unreasonable searches
| and seizures, shall not be violated, and no Warrants shall
| issue, but upon probable cause, supported by Oath or
| affirmation, and particularly describing the place to be
| searched, and the persons or things ...
|
| Note it says "the people" and not "citizens of the United
| States". Everyone has this protection within U.S. borders,
| SCOTUS has ruled to this effect.
|
| So the government forcing yet more private companies to do
| their unconstitutional bidding seems like something that
| should be opposed. I believe banks being required to collect
| KYC came about through The Patriot Act. If this trend
| continues, you'll need to verify your identity to use any
| service.
| freeone3000 wrote:
| That isn't just a trend, that's actually this proposed rule
| change!
|
| Banks collecting KYC actually started with the Banking
| Secrecy Act of 1970. This was tried in the Supreme Court
| case California Bankers Association v Schultz (1974). It
| holds that recordkeeping requirements do not constitute a
| privacy violation under the 4th amendment absent reporting
| requirements. Since this new rule (2024) applies only to
| foreign entities and OFAC controls provide penalties for
| domestic companies, there's no fifth amendment issue either
| (which is a shame imo, the 5th amendment argument in
| Bankers v Schultz seems incredibly shaky).
|
| There's no reporting requirements or new crime being
| created here; the intention is to ""aid"" IaaS providers in
| complying with OFAC requirements, and, when a warrant is
| issued, the actual identities of the customers to be known.
| pessimizer wrote:
| > If this trend continues, you'll need to verify your
| identity to use any service.
|
| Once we started to send "National Security Letters" to
| public libraries after PATRIOT to find out what people were
| reading, this future became an inevitability.
| greyface- wrote:
| https://en.wikipedia.org/wiki/Commerce_Clause
|
| If it imposed KYC on intra-state customers, or non-commercial
| services, then it would be a different story.
| Zak wrote:
| What provision of the constitution does it violate? Do you know
| of court precedents that support that claim?
|
| I'm not writing this to argue against your position, but to
| help people craft effective comments to submit in response to
| the proposed regulation. Federal agencies are not responsive to
| comments about people disliking a proposed rule, but are very
| responsive to concrete examples of why it might be legally
| problematic.
| kolanos wrote:
| The fourth amendment?
|
| > "The right of the people to be secure in their persons,
| houses, papers, and effects, against unreasonable searches
| and seizures, shall not be violated, and no Warrants shall
| issue, but upon probable cause, supported by Oath or
| affirmation, and particularly describing the place to be
| searched, and the persons or things ...
| EGG_CREAM wrote:
| How does verifying your identity in any way violate that,
| though? You have a physical address that you live at, and
| the government verifies that you are the person living at
| that address, and that is not violating the fourth
| amendment. This would be pretty similar to that.
| lcnPylGDnU4H9OF wrote:
| Of course the words are open to interpretation but
| "unreasonable searches" seem to encompass this sort of
| thing. Usually it's taken case by case and reasons would
| need to be given for every individual being searched.
| This is a blanket excuse to search every interaction
| without a reason.
| kolanos wrote:
| The fourth amendment requires probable cause of a crime
| prior to being forced to identify yourself. This rule is
| forcing companies to verify the identities of their
| customers on behalf of the government for vague national
| security reasons.
| ChikkaChiChi wrote:
| This does not appear to affect domestic customers.
| noodlesUK wrote:
| Then surely all the good actors have to do KYC, and all the bad
| actors can just pretend to be American entities.
|
| I don't agree with this on principle, but even just from a
| practical perspective it seems like they are leaving the door
| completely open by doing that. What's even the point?
| Izkata wrote:
| How would they know a customer is domestic or foreign without
| some level of identification on everyone?
| beaeglebeachh wrote:
| Bingo. They'll have to KYC everyone to avoid liability of
| missing a faking foreigner.
| charlie0 wrote:
| Yet.
| waihtis wrote:
| What an absolute nightmare. I would also be surprised if IaaS
| providers aren't in vehement opposition, I will instantly migrate
| all cloud resources away from AWS if they start requiring KYC
| docs. There's close to zero effort for doing so
| viknod wrote:
| Wow, what layer of abstraction do you have that allows for
| that? Even with typical IaC, Terraform, it's going to be a
| rewrite. If you're leveraging anything beyond load balancers,
| compute, and containers I don't see how that approaches zero.
| Some of the services could end up with you having to build/run
| your own to get any equivalence.
| k8svet wrote:
| Why is it so hard for some of this site to understand
| that some of us are principled when it comes to choosing
| technologies? Or you know, actually learned from past trauma
| and make choices to avoid getting burned in the future.
| Sxubas wrote:
| Not all of us are enlightened. Wouldn't you mind telling us
| what those technologies are?
| nadermx wrote:
| Ansible comes to mind. Used it to orchestrate hundreds of
| servers with migrations. Could also simply set up proxmox
| services beforehand if you're truly motivated, then just
| replicate the server to another instance.
| thedaly wrote:
| And all networking configuration and everything else is
| transferred with close to zero effort?
| zamalek wrote:
| You could roll your own SDN with the likes of wireguard.
| rabuse wrote:
| Exactly. At the startup I work for, we built from the old
| methods of bare metal, and integrate cloud services as
| needed. At any time though, if we are not satisfied with
| said service, we're able to jump ship without headache
| pretty easily. As simple as spinning up a new container
| cluster elsewhere, migrating data, and ramping down the
| old. The founders were very clear on never being entrenched
| into a singular provider.
| patricklorio wrote:
| I think this is about preventing sanctioned countries or
| individuals using US technology we don't want them to have
| access to (like China not having modern GPUs). That goal seems
| reasonable though there's always a fear that the law is way
| broader than the high level intent. Why would it be "an
| absolute nightmare" if it's so easy to migrate?
| waihtis wrote:
| I meant an absolute nightmare of a bill in general and for
| the IaaS providers. The US is winning the AI race because of
| their open ecosystem and capability to execute and these
| types of things hurt that bad.
| AdamH12113 wrote:
| For those who didn't know, KYC stands for "know your customer".
| It's a good idea to spell out abbreviations the first time
| they're used, especially since the abbreviation itself is not
| used in the linked article. It's also worth noting that the
| proposal is about US infrastructure as a service (IaaS) products
| specifically, not "internet services" in general.
| SOLAR_FIELDS wrote:
| Yeah this is a very industry standard term in banking and
| anyone in that industry is going to immediately know what you
| are talking about, but outside of that industry, chances are
| high that a layman will not
| gdcbe wrote:
| In the past that would be true. But given most blockchain
| platforms require it, I imagine it is more widely known in
| the tech-savvy hn-like realms?
|
| Then again I worked on blockchain tech around half a decade
| ago, so I might be knowledge biased here?
| rangerelf wrote:
| Definitely biased. I had no idea what KYC means. I don't
| think typing it out fully once at the beginning is too much
| to ask, is it?
| gdcbe wrote:
| No definitely not, I fully agree with you and others
| there. Just was a bit surprised by how many of you were
| there. But that's okay. Days where we learn are rich
| days. The richest of them all.
| reaperman wrote:
| In defense of the person who wrote the HN title, I've
| seen KYC discussed in front-page articles roughly weekly
| for the past several years straight. I've learned about
| as much of it as I care to know (and more, honestly) from
| HN comments on 1st and 2nd page posts in that time. In
| just the past year, I can see that there have been about
| 1,000 comments mentioning KYC, and about 21 1st/2nd page
| posts that are explicitly about KYC (nearly 2 per month).
| Honestly I don't expect all of HN to know what KYC is,
| but I did expect most HN readers to have a general idea
| of what it is and why it's a huge pain for a small % of
| people (but very large number, 1% of the USA is still >3
| million people).
|
| Once you're familiar with it, your brain/eyes key onto
| "KYC" much more strongly than "know your customer". I
| might have missed the latter, but "KYC" in the title
| grabbed my attention instantly and reading the title made
| my heart jump a bit, because generally KYC means a pain
| in my ass, and even moreso for friends here on visa.
|
| I have a Canadian friend visiting and staying with my
| girlfriend and I for a month or so. KYC causes actual
| headaches for her, to the point that she just decides not
| to get cellular service at all while she visits unless I
| get a pre-paid SIM under my name and hand it to her. When
| she pays for things like restaurants, I can't just
| Venmo/Paypal/Zelle/ApplePay her back on the spot, I have
| to withdraw cash at some point and coordinate giving it
| to her.
|
| The general concept of "KYC" makes sense for some
| situations, but actual implementations really fucking
| suck for a lot of people. It's very scary to me to see it
| be required for more and more categories of services
| because of the way it's currently implemented.
| cynusx wrote:
| Maybe less important than knowing what it stands for is
| knowing what the implications are for businesses.
|
| KYC is essentially about knowing who you are doing
| business with.
|
| For individuals that's relatively easy, just the name and
| identification is required but typically there is the
| need to verify that the identification actually belongs
| to the person signing up. In banking that's why you
| typically have some video call with a verification
| provider.
|
| For businesses it gets a lot more complex because it's
| not enough to know what business your client is, you also
| have to look through its corporate structure to figure
| out who the "ultimate beneficial owner" is. Essentially,
| who is actually controlling the business.
|
| Now it got a lot easier recently as many countries now
| require businesses to file who their ultimate beneficial
| owners (UBOs) are.
|
| The painful part is that it introduces friction in
| customer journeys as now you have to request the
| documentation.
|
| In the financial industry you also have to run checks on
| those UBO's so that they are not known terrorists or
| sanctioned individuals but it seems this regulation is
| just that IaaS providers need to know who actually
| operates a server. Presumably for forensic analysis after
| a cyber attack.
| AdamH12113 wrote:
| I posted my comment because the linked proposal itself
| never uses the abbreviation "KYC" and none of the early
| comments spelled it out, so if (like me) you didn't already
| know what it means a quick Ctrl-F wouldn't help.
|
| The proposal seems to use the term Customer Identification
| Program (CIP) instead, mentioning KYC (spelled out) only
| once, in the introduction:
|
| _> Section 1 of E.O. 13984 requires the Secretary to
| propose, for notice and comment, regulations that mandate
| that U.S. IaaS providers verify the identity of foreign
| persons that sign up for or maintain accounts that access
| or utilize U.S. IaaS providers' IaaS products or services
| (Accounts or Account)--that is, a know-your-customer
| program or Customer Identification Program (CIP)._
| thomastjeffery wrote:
| A very significant percentage of us (I suspect a large
| majority) haven't really bothered with blockchain tech.
| Blockchain tech doesn't solve any problems that most of us
| actually need solving.
| ZephyrBlu wrote:
| KYC is that poorly known? I would have expected most white-
| collar professionals to have at least heard of it.
| kube-system wrote:
| If someone knows about KYC because of their profession,
| they are quite literally the opposite of a layperson.
| gedy wrote:
| I thought it was a zipper manufacturer tbh
| pwenzel wrote:
| I assumed this had something to do with fried chicken
| jandrewrogers wrote:
| Unfortunately, KYC has been bleeding into far more commercial
| interactions over time. I now deal with KYC multiple times
| per year in unrelated contexts and I don't work in finance.
| It has become quite intrusive.
| erie wrote:
| Synthesia requires KYC: "Your avatar can be created only with
| your explicit consent, following a thorough KYC-like procedure.
| nightpool wrote:
| Google is your friend
| buildbuildbuild wrote:
| In practice this often means requiring a photo ID scan.
| hn_throwaway_99 wrote:
| It depends, but I'd say not usually. Many financial service
| applications, which have strict KYC requirements, just
| correlate different data sources to ensure everything matches
| up, and try to determine some level of risk about the
| client making the application (i.e. match applicant name with
| DOB with SSN with known addresses, etc.) FWIW, given the huge
| number of data breaches I'm not sure why that info is
| sufficient, but it usually is. It's only when some backend
| risk engine determines "This data doesn't match up, or this
| client looks sketchy" is a photo ID requested.
| AnimalMuppet wrote:
| In fairness, though, HN has a limit on title length, so I'm not
| sure it was all that possible in the headline here.
| andybak wrote:
| > We have 4 days to contest "Know Your Customer"
|
| would have been a better title. The missing information is
| more easily guessed from skimming the article than the
| mystery acronym.
| lumb63 wrote:
| It also looks like it only applies to foreign peoples? That
| said, I don't know how you select for only foreigners without
| collecting identity.
| freedomben wrote:
| Yeah that's a clever way to avoid having the rules struck
| down as unconstitutional. In practice though to avoid
| liability and possibly jail time, providers will have to
| assume that every customer is a foreigner until they "prove"
| their US citizenship (by uploading the same ID and other
| documentation required by foreigners).
| ssaannmmaann wrote:
| Resulting in AT&T 2.0 data breach. Already dealing with the
| consequences of our SSN#s being leaked in AT&T 1.0 breach.
| ranger_danger wrote:
| Can you name some of those consequences?
| willmadden wrote:
| KYC in the context of internet services stands for "violating
| the 4th Amendment".
| ryanisnan wrote:
| I don't disagree with your premise that KYC enables
| governments to violate the 4th amendment, but in general, for
| certain industries this is just generally a _really_ good
| idea. Banking is the first industry where I encountered KYC,
| and it strikes me as being obviously good there.
|
| Isn't effectively the majority of what the Snowden leaks
| covered essentially violating the 4th amendment?
| willmadden wrote:
| What is being proposed here will be used as a tool of fear
| by the government to suppress speech it doesn't like.
|
| Comparing what one individual did in the past to a formal
| government policy doxxing away people's 4th amendment
| rights is a strawman argument.
| ryanisnan wrote:
| I think we don't understand each other. I'm not giving a
| moral or legal judgement on what Snowden in particular
| did. I'm saying, the information he disclosed showed a
| vast and total violation of Americans' 4th amendment
| rights on behalf of the US government.
|
| This KYC requirement seems to me, at a glance, as being a
| small erosion of our digital privacy.
| freedomben wrote:
| You're not wrong, but there is an important big
| difference between this and the Snowden revelations: The
| Snowden stuff was illegal and was being done in secret,
| and once exposed they had to stop. It was considered bad
| and embarrassing. This would be _legal_, and will set a
| strong precedent.
| always2slow wrote:
| >Banking is the first industry where I encountered KYC, and
| it strikes me as being obviously good there.
|
| This is not obvious to me as my experience has been largely
| negative post-KYC/9-11 vs pre-KYC/9-11. I am a legal law
| abiding citizen [and voter!] and it's just added extra
| hassle on various occasions and then the background anxiety
| of knowing an institution with crappy security track
| records holds a photocopy of my ID. And yet all the things
| KYC was supposed to prevent still continue unabated: money
| laundering, terrorist financing, identity theft, and
| financial fraud.
|
| I'm curious to hear why you think it's obviously good and
| if you were using these services before KYC.
| willmadden wrote:
| The people who donated to the Canadian truckers' protest
| had their accounts frozen by the Trudeau regime because
| of KYC.
|
| The problem is that there are no checks and balances
| preventing banks from freezing assets because they want
| to or the government told them to.
|
| Banking needs to be a right, and unless someone is
| convicted of a crime involving the bank account's assets,
| banks and governments should not be able to freeze them.
| There can be exceptions for fraud like FTX where there
| will be a significant financial harm to other individuals
| if the assets aren't frozen, but what we have today is
| unchecked government financial terrorism against
| individuals they do not like, and now they want to extend
| that terrorism to speech.
| ryanisnan wrote:
| I am familiar with KYC from a banker's perspective (at
| least that of a close relative who was a bank manager).
|
| KYC helped them by deny-listing abusive clients between
| branches, or by allowing the bank to develop heuristics
| for things like allowing customers to bypass cheque
| clearing times.
|
| From an end-user perspective, I've had no hangups
| personally but I do share your grievances about yet-
| another-shoddy institution holding a photocopy of my ID.
| My bank truncates passwords when setting them, and when
| logging in, without telling the user. It boggles the
| mind.
| always2slow wrote:
| Thanks for replying I appreciate the insight, although as
| someone else mentioned the most obvious use (to me) for
| KYC is censorship / de-banking and I think that was its
| intended purpose all along because there's nothing about
| KYC that specifically enables the two things you
| mentioned that couldn't be done by a bank on its own.
| rangestransform wrote:
| KYC basically means that the job of collecting evidence to
| prosecute potential (read: non-existent yet) crimes has
| fallen to yourself and your bank/cloud provider/etc.,
| rather than forcing the government to collect evidence to
| prosecute a crime. Essentially an end-run around the 4th
| amendment and the whole idea of "innocent until proven
| guilty".
| oliv__ wrote:
| Thank God for the Constitution
| IfOnlyYouKnew wrote:
| This is about foreign customers only, so as an attempt to abolish
| the constitution, it is severely flawed in respecting it enough
| to keep its distance.
|
| I can't think of any US service I am using that doesn't already
| require KYC? None of the large providers will let you get far
| without a credit card, as far as I remember?
|
| Since the discussion here will consider itself mostly with
| upright revolutionaries being disenfranchised by such insult to
| their liberties, it is worth noting that when the revolutionaries
| are foreigners, the US often doesn't have the same incentive to
| disenfranchise them as it might have for domestic troublemakers.
|
| In fact the US has quite a track record of granting rights to
| foreigners in excess of what they find at home, and even when it
| concerns allies: requests by European courts and law enforcement
| are regularly rejected based on US norms when, for example,
| someone hosts their hate speech blog with a US-only provider.
| axus wrote:
| And FISA was only about surveilling non-US persons.
| IfOnlyYouKnew wrote:
| No. With a court order, FISA always allowed surveillance of
| "agents of foreign powers", even if they were US citizens:
| https://en.wikipedia.org/wiki/Foreign_Intelligence_Surveilla...
| loeg wrote:
| Providing a credit card is a far cry from KYC. But it also
| highlights that we probably don't need IAAS businesses to
| implement KYC as long as the payment providers already do.
| eks391 wrote:
| > I can't think of any US service I am using that doesn't
| already require KYC? None of the large providers will let you
| get far without a credit card, as far as I remember?
|
| There are several credit card vendors that do not require KYC
| that are easily available. I don't know of any banks that don't
| require KYC that you would use to pay those CC bills, but I
| wouldn't be surprised if they exist.
| oshout wrote:
| Skimming through the article, it seems like the extent of this is
| to require IAAS (Infrastructure) providers to verify the identity
| of those who are using their services to train AI. It's an
| attempt to stymie sanctioned or malicious actors, from training
| AI and especially from hopping between services or using aliases
| to continue training on their model.
|
| It seems a bit benign and I don't understand the parallels others
| on this HN discussion are making. Is it that it's a slippery
| slope or perhaps I'm being naive in regards to the scope?
| chadsix wrote:
| AI is mentioned, but the scope is significantly larger if you
| read the full text.
| kube-system wrote:
| Given that top GPUs are sanctioned, I'm sure preventing
| access to them remotely is a part of this. But just generally
| speaking, doing any malicious crap out of an EC2 instance is
| an easy way for a foreign actor in China/Russia/Iran to look
| more legit.
| lolinder wrote:
| It's still just for IaaS companies, though, right?
|
| Not that that makes this all okay, but it is a much more
| limited proposal than "internet services" makes it sound.
| chadsix wrote:
| Legally speaking, internet service providers are
| infrastructure providers.
| lolinder wrote:
| Do you have a basis for this claim or are you just
| throwing it out there to see if it catches on? The
| document linked refers to IaaS, which as an acronym
| definitely does _not_ include ISPs.
| erie wrote:
| Some AI services such as Synthesia
| https://www.synthesia.io > ethics " Your avatar can be
| created only with your explicit consent, following a
| thorough KYC-like procedure. Complete control: Our
| platform ensures you can decide"
| chadsix wrote:
| There are probably very few ISPs that can fall outside of
| this standard. For example if your provider provides
| e-mail, it's providing infrastructure. And yet, the slope
| can get much more slippery than this.
| zinekeller wrote:
| Please read EO 13894 before proceeding further. Is the
| user able to run custom software directly with a
| customary ISP (because that's in the definition)? I agree
| with EGreg that they can possibly twist this, but as
| written it's actually narrower than you think.
| EGreg wrote:
| In practice, as long as a definition can conceivably
| cover something, the DOJ or some agency will use it. Case
| in point from yesterday: money transmitter as applied to
| arresting the developers of a NON-CUSTODIAL wallet, as
| part of a wider war on crypto mixing:
|
| https://www.coindesk.com/policy/2024/04/24/samourai-wallet-f...
|
| This comes amid a war on end-to-end encryption, and so
| on. It's not like they are going to stop here.
| devonbleak wrote:
| Reading the definition
| https://www.federalregister.gov/d/2024-01580/p-46 and the
| paragraph following it, it's intentionally broad and I'd
| say it's not that much of a stretch to say ISPs provide
| services that match this.
| zinekeller wrote:
| Definitely not in this case (unless you're using Digital
| Ocean as a VPN end point or something). EO 13984 (which
| is cited as the enabling act) has a narrow definition:
|
| (e) The term ''Infrastructure as a Service Product''
| means any product or service offered to a consumer,
| including complimentary or ''trial'' offerings, that
| provides processing, storage, networks, or other
| fundamental computing resources, _and with which the
| consumer is able to deploy and run software that is not
| predefined, including operating systems and
| applications_. The consumer typically does not manage or
| control most of the underlying hardware but has control
| over the operating systems, storage, and any deployed
| applications. The term is inclusive of ''managed''
| products or services, in which the provider is
| responsible for some aspects of system configuration or
| maintenance, and ''unmanaged'' products or services, in
| which the provider is only responsible for ensuring that
| the product is available to the consumer. The term is
| also inclusive of ''virtualized'' products and services,
| in which the computing resources of a physical machine
| are split between virtualized computers accessible over
| the internet (e.g., ''virtual private servers''), and
| ''dedicated'' products or services in which the total
| computing resources of a physical machine are provided to
| a single person (e.g., ''bare-metal'' servers)
|
| (https://www.govinfo.gov/content/pkg/FR-2021-01-25/pdf/2021-0...)
| chlodwig wrote:
| IaaS is defined as a provider of computing resources that
| allows you to run software that is not predefined. So that
| would seem to include basically every web host. If you can
| install Wordpress or Mastodon on the servers they provide,
| they are an IaaS.
| axus wrote:
| I'm going to need another intelligence to read the full text.
|
| "U.S. IaaS providers and foreign resellers of U.S. IaaS
| products must exercise reasonable due diligence to ascertain
| the true identity of any customer or beneficial owner of an
| Account who claims to be a U.S. person."
|
| So at a minimum, everyone's identity is verified by IaaS
| provider. If you claim to be a non-U.S. person, additional
| information is collected.
|
| They mention looking at comments from a previous proposal in
| 2021, "Taking Additional Steps To Address the National
| Emergency With Respect to Significant Malicious Cyber-Enabled
| Activities"
| https://www.federalregister.gov/documents/2021/09/24/2021-20...
|
| Who counts as IaaS besides Amazon, Azure, and GCS?
| OgsyedIE wrote:
| Dreamhost, Wordpress, etc
| EGreg wrote:
| Literally every software that you can host.
|
| This effort will end anonymity on the internet. For
| everyone.
|
| Crypto was just the beginning. Next is end-to-end
| encryption. And it's going on worldwide, not just in USA:
|
| https://community.qbix.com/t/the-coming-war-on-end-to-end-en...
| nonameiguess wrote:
| This is not the industry-standard or NIST definitions of
| these terms. Something like Google Workspace Suite is
| Software as a Service. Something like Heroku (or
| Dreamhost or Wordpress) is Platform as a Service.
| Something like EC2 and S3 are Infrastructure as a
| Service. The distinction is renting out undifferentiated
| server space that a customer installs their own software
| onto. If you rent a VPS from Linode and install self-
| hosted Wordpress, that's IaaS. If you buy Wordpress's
| managed hosting, that's PaaS.
| chlodwig wrote:
| Well, it may not be the industry standard definition, but
| it is the definition used in the actual regulation:
|
| -------
|
| Infrastructure as a Service product or IaaS product means a
| product or service offered to a consumer, including
| complimentary or "trial" offerings, that provides processing,
| storage, networks, or other fundamental computing resources,
| and with which the consumer is able to deploy and run
| software that is not predefined, including operating systems
| and applications. The consumer typically does not manage or
| control most of the underlying hardware but has control over
| the operating systems, storage, and any deployed
| applications. The term is inclusive of "managed" products
| or services, in which the provider is responsible for
| some aspects of system configuration or maintenance, and
| "unmanaged" products or services, in which the provider
| is only responsible for ensuring that the product is
| available to the consumer. The term is also inclusive of
| "virtualized" products and services, in which the
| computing resources of a physical machine are split
| between virtualized computers accessible over the
| internet (e.g., "virtual private servers"), and "dedicated"
| products or services in which the total computing resources
| of a physical machine are provided to a single person
| (e.g., "bare-metal servers").
|
| ---
|
| So Dreamhost counts, any web host where you can run
| arbitrary PHP code would count. Wordpress.com -- where you
| cannot actually modify the PHP code yourself -- would not
| count as IaaS. But any web host that allows you to
| install applications on your own, or run any of your own
| code, would count as IaaS by this regulation.
| kube-system wrote:
| Wordpress clearly does not meet the definition of IaaS in
| the document.
|
| > provides processing, storage, networks, or other
| fundamental computing resources, and with which the
| consumer is able to deploy and run software that is not
| predefined, including operating systems and applications
| dannyobrien wrote:
| Can you not add plugins to Wordpress?
| kube-system wrote:
| You cannot install Debian or Windows 11 on Wordpress.
| pavon wrote:
| It applies to any "software that is not predefined". An
| OS is just a non-exhaustive example of one type of
| software that applies.
| kube-system wrote:
| The next sentence is:
|
| > The consumer [...] has control over the operating
| systems, storage, and any deployed applications.
|
| That was just a snippet of the full definition here:
|
| https://www.federalregister.gov/d/2024-01580/p-46
| AnthonyMouse wrote:
| There are two possibilities here.
|
| First, the rule applies to WordPress and all that kind of
| thing, and then providers would have to KYC WordPress
| users. Which is a reason not to pass it.
|
| Second, the rule is completely pointless, because it
| doesn't, and then anyone could create an AI training
| WordPress plugin that uses whatever arbitrarily fast
| hardware the server has and thereby easily bypass the
| rule. Which is a reason not to pass it.
| kube-system wrote:
| That's silly, no Wordpress hosting has H100 GPUs hooked
| up to it.
|
| If you skim the full context of this proposal and the
| topics it focuses on (dedicated servers, virtual servers,
| AI acceleration), and you've been paying attention to
| current geopolitics in these areas (top chips being
| sanctioned), it is completely obvious that the goal here is
| to prevent things like evading sanctions by renting
| hardware instead of buying it.
| AnthonyMouse wrote:
| What stops them? You could have a WordPress plugin that
| uses Stable Diffusion to generate images, or encodes
| uploaded video, or provides an AI chatbot, and needs fast
| GPUs because there are a lot of users. Providers will
| supply anything the customer is willing to pay for. The
| expected AI plugins would be doing inference rather than
| training, but the user could use the same hardware for
| plugins that do something else.
| kube-system wrote:
| > Providers will supply anything the customer is willing
| to pay for.
|
| I suppose every company and every service should be in
| scope for KYC then. /s
|
| But the reality is that Wordpress hosts are not in the
| business of renting people dedicated servers the price of
| a nice house. And if they were asked to do so, it
| wouldn't be a simple automated request without scrutiny.
| AnthonyMouse wrote:
| In 2010 it wouldn't have been an automated request. Now
| there is plenty of demand for it to do inference and some
| providers are likely to start offering it if they don't
| already. You're also assuming the providers are
| interested in preventing foreigners from using their
| systems for AI training, rather than being interested in
| making as much money as possible without violating the
| letter of the law.
|
| The latter is one of the reasons rules like this are
| simultaneously so expensive and ineffective. Provider A
| decides to KYC everybody because they're big and risk
| averse, so the rules inconvenience millions of innocent
| people. Provider B wants to make money selling GPUs to
| foreigners, so they implicitly choose a structure that
| allows that to happen if the rules contain any loopholes
| whatsoever. (This ignoring that foreign customers could
| just switch to foreign hosts and cost US companies
| business for no reason.)
|
| And if the premise is the level of resources being
| consumed rather than the type of service then why don't
| the rules exempt anyone spending less than e.g.
| $50,000/month? That would be almost everyone while still
| _not_ being anyone buying enough compute to do major AI
| training. It still wouldn't work but at least it would
| have much less overhead.
| kube-system wrote:
| I don't think anyone is under the presumption that these
| requirements are bulletproof. The point is to just target
| one big glaring loophole.
|
| > $50,000/month? That would be almost everyone
|
| It might be almost every individual developer. But that
| isn't really a huge cloud spend at all for an
| organization.
|
| https://www.cloudzero.com/wp-content/uploads/2023/10/flexera...
|
| But speaking of loopholes, what do you think bad actors
| would do if you told them that they weren't subject to
| KYC under a certain dollar amount? lol
| AnthonyMouse wrote:
| > It might be almost every individual developer. But that
| isn't really a huge cloud spend at all for an
| organization.
|
| That's kind of the point. It excludes all of the
| individuals and small businesses and makes it unambiguous
| that it doesn't apply to someone paying $10/month for a
| VPS to use as a VPN endpoint for privacy.
|
| > But speaking of loopholes, what do you think bad actors
| would do if you told them that they weren't subject to
| KYC under a certain dollar amount?
|
| In some hypothetical world where the rules were actually
| effective? Spend $49,000 and then create a new account,
| which would be highly suspicious and still cause them to
| get caught.
|
| In practice? Use a cooperative provider (Wells Fargo as a
| hosting company), or one in another country, the same as
| they would do regardless.
| axus wrote:
| The whole SUV category of vehicles was spawned as a
| workaround for the 1975 Energy Policy and Conservation
| Act of 1975. Demand blocked by laws leads to weird
| mutations.
|
| I'm thinking that this will simply promote cloud
| providers that operate outside America, sort of like
| Binance and FTX were "forced to exit" the US market. Not
| a bad result.
| sokoloff wrote:
| I think it's most reasonable to read that as "includes
| [all of these examples]" not "excludes if it can't [any
| of these examples]"
|
| AWS Lambda would clearly (IMO) be in-scope as IaaS by
| this definition, as an example, even though I can't
| install another OS.
| kube-system wrote:
| AWS Lambda qualifies because it is part of AWS and an AWS
| account gives you access to EC2 which _definitely_
| qualifies.
| Izkata wrote:
| "and applications", not just operating systems.
| mysteria wrote:
| Services like GitHub Actions, Google Colab, and web-based
| IDEs likely meet this definition though as it lets
| users execute their own custom code on their cloud. So
| basically all developer stuff may require an ID check.
| kube-system wrote:
| That was just part of the definition that I quoted.
|
| In the full context, it is quite clear it is targeting
| things like EC2, dedicated hosting, etc.
|
| https://www.federalregister.gov/d/2024-01580/p-46
|
| I don't think it's reasonable to read this as if MS Excel
| qualifies as an IaaS.
| whywhywhywhy wrote:
| Does Scratch count?
| unethical_ban wrote:
| edit: Vultr info is wrong. They don't have anonymous use
| anymore.
|
| Vultr, for example.
|
| There are high-quality IaaS providers that accept bitcoin
| for payment, allowing someone to host a server on their
| platform without revealing their identity.
| rattlesnakedave wrote:
| Vultr requires a card linked for ID verification even if
| paying for BTC. Or at least they did in the past when I
| tried.
| unethical_ban wrote:
| Interesting. I can't even create an account with a
| privacy address (passmail.net forwarding). Wankers.
|
| You are correct. "Account must be funded by credit card
| or PayPal before making a Bitcoin deposit." No more
| anonymity on Vultr.
| justaman wrote:
| I think everyone has a sour taste left over from decades of
| half-baked laws written by politicians that don't understand
| the basics of the internet or technology in general.
|
| With that said, I also don't understand the issues people are
| having with this.
| newaccount7hhhf wrote:
| What laws are you talking about? The Internet has grown a lot;
| that's largely because we have smart politicians and strong
| institutions. I really think the regulation of the Internet
| has been amazingly good.
| Kye wrote:
| For example: CAN-SPAM. If I want to send emails to a list,
| I have to burn $90 of my scarce dollars every year just for
| a PO box for the address at the bottom on the off chance
| someone sends a letter to unsubscribe. Unless I want to put
| my home address in every email, which I don't, and no one
| should. Unsubscribe links and highly effective spam filters
| were already completely standard when the law was passed in
| 2003. It doesn't matter if the email you send doesn't
| actually require it because every mailing list provider
| requires it.
| loeg wrote:
| Eh, unsubscribe links were definitely not universal in
| 2003 and they barely are today. But the situation has
| definitely improved in the last 20 years.
| AnthonyMouse wrote:
| The point is the rules are daft. A sensible rule would
| require a functioning unsubscribe process in the email,
| which every piece of software would then automate as an
| unsubscribe link. The actual rule requires people to be
| able to unsubscribe via a _postal mailing address_,
| which is unreasonable and ridiculous.
| loeg wrote:
| I'm just saying, your earlier comment would have been
| better without the sentence: "Unsubscribe links and
| highly effective spam filters were already completely
| standard when the law was passed in 2003."
| jovial_cavalier wrote:
| https://en.wikipedia.org/wiki/Stop_Online_Piracy_Act
|
| https://en.wikipedia.org/wiki/PROTECT_IP_Act
|
| https://en.wikipedia.org/wiki/Anti-Counterfeiting_Trade_Agre...
|
| https://en.wikipedia.org/wiki/Digital_Millennium_Copyright_A...
|
| https://en.wikipedia.org/wiki/Patriot_Act
|
| https://en.wikipedia.org/wiki/PRISM
| logifail wrote:
| > With that said, I also don't understand the issues people
| are having with this.
|
| The regulation "requir[es] U.S. Infrastructure as a Service
| (IaaS) providers of IaaS products to verify the identity of
| their foreign customers"
|
| Q: How would one propose to determine if a customer is
| foreign or not?
|
| A checkbox, perhaps? <rolls eyes>
|
| No bad actor would possibly pretend to be a domestic
| customer, of course... <rolls eyes again>
| refulgentis wrote:
| That's a strawman. <rolls eyes> It won't be a checkbox, of
| course... <rolls eyes again>
| logifail wrote:
| > That's a strawman [..]
|
| OK, I'll bite. How exactly are [US] domestic users of
| services supposed to prove they don't need to prove their
| identity?
|
| EDIT: it reminds me of the Common Travel Area (between
| Ireland and the United Kingdom of Great Britain and
| Northern Ireland), which has some glorious
| inconsistencies. For instance that nationals of Ireland
| and the UK travelling between those two countries do not
| need a passport, except when you take an international
| flight and rock up at IE/UK border control it's fairly
| hard to prove you are a national who doesn't need to
| provide a passport without having ... a passport (or
| equivalent ID).
| refulgentis wrote:
| KYC stands for Know Your Customer, and is a core
| regulation in banking. So we can pivot off that and work
| through what a bank does to verify your identity.
|
| I signed up for a Mercury bank account a few months back
| for my Delaware corporation without talking to anyone, so
| I'll use that as a template.
|
| I can't remember the exact steps, but tl;dr submit a
| passport photo / driver's license photo and a photo I
| take in the app itself. If it was a not-US passport, then
| they'd dig into a full verification, not just a quick
| manual check of "is that face the same as the
| passport/license, is the passport/license ID # valid, and
| are the photos edited"
| AnthonyMouse wrote:
| You seem to be conceding the point that they would be
| forced to invade the privacy of their US customers in
| addition to just foreign ones.
| refulgentis wrote:
| True, I guess I wouldn't call it invading privacy, that
| sounds a bit overwrought to me. Then banks invade my
| privacy, the DMV invades my privacy, etc. There's always
| tradeoffs, I respect people's concern about them, and I
| wish there was a gentler way to say it.
| AnthonyMouse wrote:
| > Then banks invade my privacy, the DMV invades my
| privacy, etc.
|
| That is a reasonable and factually accurate statement.
|
| > There's always tradeoffs, I respect people's concern
| about them, and I wish there was a gentler way to say it.
|
| The tradeoff here is astonishingly bad. Studies have
| shown that AML/KYC have an effectiveness of less than a
| fraction of one percent. They continue to proliferate
| because their largest costs fall on the _users_ rather
| than the _companies_, so they're the thing that large
| corporations suggest as a "solution" when they're being
| pressured to do something. Because people have the
| perception that it will do some good, even though that
| perception is inaccurate.
|
| In reality what they do is provide a means to satisfy
| "something must be done" in a way that dumps the costs on
| marginalized users instead of politicians and
| corporations.
| outop wrote:
| Have you travelled between the UK and Ireland? You most
| definitely do not need a passport and do not need
| "equivalent ID". You can travel (by boat) with a student
| card, driving license, photographic travel pass (ie
| over-60s pass, young person rail pass), or photographic
| id from your work.
|
| The check is very much "don't stop walking but hold your
| ID-looking thing in your hand so a nonchalant man can
| glance at it". You would attract very little attention
| with someone else's UK or Irish driving license, a bit
| more if you decided to test the waters with a weird form
| of ID.
|
| Children can travel with a birth certificate (no photo).
|
| You need more than this _to get on an aeroplane_, but
| that also applies to domestic flights in the UK.
|
| If you get the boat and show eg. a Romanian student card,
| they might ask you where your passport is, somewhat
| reasonably since you would have needed it to travel to
| the UK or to Ireland. They would accept an ID card
| probably and might let you in with legit looking non-
| government ID.
|
| That's the sea border. You can cross the land border
| between the Republic of Ireland and Northern Ireland
| without any form of ID at all, government-issued,
| photographic or otherwise. Lots of people do it every day
| by car or bus and it would not remotely occur to them to
| take ID with them.
|
| So the Romanian student would have no problem travelling
| between London and Dublin without showing anything since
| they could get a boat Glasgow-Belfast and then get a bus
| to Dublin.
|
| If this was your best example of governments lying and
| changing the rules, it's not a very good one (and is also
| kind of offensive to Irish and British people).
| logifail wrote:
| > You need more than this to get on an aeroplane, but
| that also applies to domestic flights in the UK.
|
| Can you clarify what you mean by "more than this"?
|
| I've travelled on many domestic flights within the UK,
| and ID is not routinely checked.
|
| > If this was your best example of governments lying and
| changing the rules
|
| Ouch.
|
| The common travel area has its origins way back in 1923,
| the rules are clear, no-one is lying.
|
| It's just that it's hard to prove you are entitled to its
| benefits without having an ID document with you that - if
| you're entitled - it says you don't have to have with
| you...
| outop wrote:
| When did you last travel on a UK domestic flight? You
| definitely need government issued ID.
|
| You are suggesting that having to show _any photographic
| ID_ is the same as having to show _a passport_. That's
| obviously silly.
|
| No one has to prove that "they are entitled to not show a
| passport" by showing British or Irish ID. This is a
| fantasy.
|
| On the boat everyone, British, Irish or other, has to
| show ID of some kind. No one has to show a passport. At
| the land border no one has to show anything.
| ranger_danger wrote:
| I wonder how they deal with the (hopefully) constant abuse
| reports aimed at them from providers who are tired of their
| shady customers doing shady things from their IPs.
| f38zf5vdt wrote:
| From the executive order (Executive Order 14110) it seems to
| affect only massive compute infrastructure:
|
| > (i) any model that was trained using a quantity of computing
| power greater than 10^26 integer or floating-point operations,
| or using primarily biological sequence data and using a
| quantity of computing power greater than 10^23 integer or
| floating-point operations; and
|
| > (ii) any computing cluster that has a set of machines
| physically co-located in a single datacenter, transitively
| connected by data center networking of over 100 Gbit/s, and
| having a theoretical maximum computing capacity of 10^20
| integer or floating-point operations per second for training
| AI.
|
| Keep in mind that most consumer graphics cards are in the
| _teraflops_ range, which is 10^12. It's hard to imagine this
| affecting the average person, it seems that they are specifying
| KYC for people using clusters with thousands or tens of
| thousands of cards.
| Dylan16807 wrote:
| > Keep in mind that most consumer graphics cards are in the
| _teraflops_ range, which is 10^12.
|
| Something like 40 of them, or 100-300 if you're looking at
| FP16. So well over 2^14.
|
| And that's per second, give it your idle cycles for four
| months and that's 10^7 seconds.
|
| It gets pretty close to 10^23.
| pavon wrote:
| No, that is just one part of it. The proposed rules are
| intended to cover both EO13984, which addresses foreign
| entities using US IaaS for Cyber attacks, and EO14110 which
| addresses foreign entities using AI hardware.
|
| They require _all_ IaaS[1] to determine if customers are US
| persons, and if not to collect and retain certain identifying
| information[2], and provide annual reports describing their
| processes[3]. It grants the Secretary of Commerce extra-
| judicial power to force any IaaS to stop doing business with
| any foreign customer, or place restrictions on their use[4].
| This section lists things that the Secretary should consider
| in doing so, but doesn't have any hard requirements.
| Finally, it requires the IaaS to report certain foreign use
| of AI[5].
|
| [1] §7.301 https://www.federalregister.gov/d/2024-01580/p-189
|
| [2] §7.302 https://www.federalregister.gov/d/2024-01580/p-219
|
| [3] §7.304 https://www.federalregister.gov/d/2024-01580/p-266
|
| [4] §7.307 https://www.federalregister.gov/d/2024-01580/p-377
|
| [5] §7.308 https://www.federalregister.gov/d/2024-01580/p-403
| jiggawatts wrote:
| > It grants the Secretary of Commerce extra-judicial power
| to force any IaaS to stop doing business with any foreign
| customer
|
| This can backfire, as foreign customers of public clouds
| may switch to local providers, which erodes the US near-
| monopoly on cloud services. Ironically this can reduce the
| visibility and control the US government has over foreign
| nation states.
|
| E.g.: most of the Australian government is hosted in either
| Azure or AWS. That kind of thing might stop if
| _extrajudicial_ power is granted to pull the plug on any
| customer at any time.
| chlodwig wrote:
| Skimming the regulations, this does not seem right. All IAAS
| providers (which is everyone who allows customers to run custom
| code, so it includes any web host like Dreamhost) to verify the
| identity of foreigners who open an account. This would
| seemingly entail the service provider needing to verify
| everyone's identity, in order to figure out who is a foreigner
| and who is not.
|
| In other words, if you want to run your own Wordpress, or
| Mastodon node, or your own custom CMS web site or group chat or
| IRC or bitcoin node, you would need to reveal your identity to
| the hosting service that you want. This does seem quite bad and
| could obviously be used to identify political dissidents.
|
| On top of that, the IAAS must report to the US Commerce
| department about foreigners who are using services to train
| large AI models.
| Raidion wrote:
| Aren't you basically revealing yourself anyway because you
| need to pay them?
| chlodwig wrote:
| There are IaaS services out there that accept bitcoin,
| monero, or anonymous prepaid charge cards. They aren't an
| IaaS but Mullvad even accepts cash mailed to them in an
| envelope.
| _tk_ wrote:
| Is it fair to assume, that one can engage in a business
| relationship with these services outside the US? I'm not
| sure I see the effect that you are implying. AWS, GCP,
| Azure don't accept crypto. Mullvad is as you point out
| not an IaaS provider.
| chlodwig wrote:
| Namecheap, Vultr, BuyVm all operate in the U.S. and at
| times in the past (I don't know if they still do) have
| either accepted crypto or anonymous charge cards
| (available for cash at a convenience store), thus making
| it possible to get a dedicated server or VM totally
| anonymously. This new regulation would seem to prevent
| this.
| _tk_ wrote:
| Interesting, I did not know this. The actual anonymity of
| crypto currencies aside, it's good to see these kind of
| businesses do still exist.
| dsign wrote:
| AWS has my name and my credit card number. But they have
| never asked for a photocopy of my passport, my history of
| international travel, which nationalities I have and so on.
| Something tells me that for the goal of this law to be
| achieved, all those details would need to enter the
| database.
| dingnuts wrote:
| Amazon is certainly supposed to ensure that you are not a
| sanctioned person or a citizen of a sanctioned country.
| This was a concern decades ago when I was in shared web
| hosting.. don't know why it would have changed?
| bcrl wrote:
| When has big tech had a good history of proactive
| compliance?
| bostonpete wrote:
| AWS has a denied party screening team and absolutely
| restricts access to services based on the BIS entity list
| and other sanctioned parties.
| brookst wrote:
| I've been in big tech for a while and oh wow is there a
| lot of proactive compliance.
| kensey wrote:
| Not necessarily (although that doesn't necessarily mean I
| think this is OK). Payment-card-based verification is a
| longstanding method of doing prima-facie verification
| like this. When you give your credit card, you give your
| billing address and typically your phone number -- if the
| postal code is a US address and the phone number is a US
| area code and everything else is consistent with that,
| that might be all the KYC required. If you appear to be a
| foreign national operating outside the US, they can flag
| that and require additional paperwork only then.
|
| This proposed rule looks to me like it basically requires
| providers to come up with their _own_ verification plans,
| which may then differ from provider to provider, so as to
| be "flexible and minimally burdensome to their business
| operations".
|
| [note for the following: I am not a lawyer. The following
| is not legal advice. Do not fold, spindle or mutilate.
| Do not taunt Happy Fun Ball.]
|
| The real danger, I think, with things like this is,
| there's an executive order that was issued, but it
| further specified a rulemaking process be conducted to
| determine the actual regulations that define compliance.
| The link in the title is to the proposed rule. There's
| nothing that says any amount of prior public input will
| necessarily influence the details of the final rule, or
| that rule can't change in the future through another
| rulemaking process, and if it does the only way to
| challenge it is either to sue the agency on the grounds
| that it exceeded its discretion (e.g. by making rules
| that require unconstitutional things) or that the
| enabling executive order is itself unconstitutional --
| but these kinds of federal cases have a pretty high bar
| for what's called "standing" (the legal grounds to bring
| a particular lawsuit): you pretty much have to suffer
| concrete harm or be in obvious and imminent danger of
| suffering it to a grievous degree. (This is one reason
| you hear about "test cases" -- often somebody will agree
| to be the goat who is denied something, fined, or even
| arrested and convicted of a crime, so that standing to
| sue to overturn the law can be established.) Other times,
| if a lot of potential defendants already have standing, a
| particularly sympathetic defendant will be selected for
| the actual challenge. The US federal courts are also
| deferential to "agency discretion" by default, as a
| matter of doctrine.
|
| What happens all too often with these things is, the
| initial rulemaking is pretty reasonable, and the public
| outrage (if there was any) dissipates. Then three years
| (or however long) on, the _next_ rulemaking imposes
| onerous restrictions and strict criteria, and people
| suddenly (relatively speaking) wake up and find they're
| now in violation of federal regulations that they were in
| compliance with last week. (This is one reason public-
| interest groups are so critical -- they have the
| motivation and sustained attention to comb the Federal
| Register for announcements about upcoming rounds of
| rulemaking on various topics.)
| jofla_net wrote:
| Thanks, this was useful clarification.
| wkat4242 wrote:
| If you rent a VPS in supposedly privacy-conscious Germany
| they need photo id too :(
|
| Luckily there's other cheap options in Europe like in
| France.
| Stagnant wrote:
| I don't think that is a legal requirement in Germany. At
| least Hetzner lets you rent a German VPS or dedicated
| server without ID. Though Hetzner may require you to
| submit an ID if you are flagged by their automated
| systems upon registration.
| wkat4242 wrote:
| It was actually Hetzner that didn't want to provision my
| VPS without Photo ID. I blanked out the SSN as our
| government tells us to do and they balked at that as
| well. After I showed them my government's website
| explaining how and why to do that they were OK with it
| but at that point the relationship was already soured and
| I started looking for alternatives.
|
| Maybe they changed it now but they were asses about it
| then. I thought it was a legal requirement, they
| basically said as much though I don't recall the exact
| details, it was before the pandemic.
|
| Eventually I just moved to Scaleway in France which is
| much nicer and cheaper and you can even talk to their
| support on slack.
|
| PS: I don't do anything nefarious on my servers but I
| just don't want my ID on file anywhere it's not needed.
| AnthonyMouse wrote:
| Some hosts accept alternate payment systems, like gift
| cards or cryptocurrency. You can also have someone else pay
| for it with a credit card or bank transfer without giving
| _your_ name, which can be quite important in some cases.
| The new rules would presumably make that a crime.
| jiggawatts wrote:
| "Say you host spammers and scammers without saying you
| host them."
| behringer wrote:
| Tbh this is fine by me. It's about time the US stop being the
| center of the world for internet infrastructure.
| karmajunkie wrote:
| i'm reading through the contrarian takes here and thinking,
| "yeah i'm kind of ok with that?"
|
| this would make it much trickier for bad actors to get away
| with everything from online ai scams to swatting. i could
| live with that.
| Spooky23 wrote:
| Good. It's not 1999.
|
| There are so many malicious actors putting human life at risk
| in some scenarios it should be possible to figure out who
| owns what.
|
| Now, I would start with corporate ownership and focus on
| anonymous entities controlling things like Delaware and
| Nevada corporations. But that's me.
| RAM-bunctious wrote:
| It's really not benign as far as I can see. There is an
| implication that its purpose is to allow providers to start
| writing reports on foreign users training LLMs (which,
| incidentally, I'm not condoning either), but in the process it
| requires every American IaaS to start implementing KYC
| folly.
|
| No one wants to send in selfies and their passport just to
| start a Digital Ocean droplet.
| BenjiWiebe wrote:
| I'm curious if the spammers will find a way around this. I
| would actually like to be ID'd by a provider if that also
| meant they had no un-ID'd customers. I'd expect their IP
| range would start to get a pretty good reputation.
| AnthonyMouse wrote:
| The spammers are criminals. They'll just use ID scans and
| info from data breaches of other companies. Requiring more
| companies to collect them makes it even worse because now
| there are more places to exfiltrate them and it makes it
| easier for criminals to commit identity theft against
| financial institutions etc.
|
| There are also non-"criminals" who are more than willing to
| use their actual ID for the sort of things that aren't
| strictly illegal but will still get your IP space on a
| bunch of block lists when they can make a buck doing it, so
| it wouldn't solve the problem even if it could actually
| identify all of the customers.
| NoMoreNicksLeft wrote:
| > It seems a bit benign
|
| This seems, to me, an utterly malignant attack on anonymity,
| which is a protected constitutional right. It's the idea that
| every internet packet needs to be tied back to some verified
| identity. We're in frog-boiling territory with this garbage.
| spiralpolitik wrote:
| There is no absolute right to anonymity in the US
| constitution.
|
| (The courts have "recognized relatively strong First
| Amendment presumptions on behalf of purveyors of anonymous
| speech, especially for those that are statements of opinions
| rather than obvious falsehoods, while recognizing that
| government sometimes has the right to identify such speakers
| when they have used their platforms to harass, engage in
| slander or sexual predation, make true threats, or allow
| foreign governments to influence U.S. elections")
| AnthonyMouse wrote:
| How is one supposed to exercise their right to anonymously
| express political opinions if anonymity is prohibited by
| law?
| krapp wrote:
| There is no right to anonymously express political
| opinions.
|
| There is a right to express political opinions, but
| anonymity is a privilege, not a right.
| AnthonyMouse wrote:
| Then how do you explain these?
|
| https://cs.stanford.edu/people/eroberts/cs181/projects/an
| ony...
| krapp wrote:
| I see controversy and a lot of dissent among Justices,
| but no decisions that explicitly declare a Constitutional
| right to anonymity.
|
| And the modern Court explicitly declared that a
| Constitutional right to _privacy_ does not exist, and one
| cannot have anonymity without privacy, so no.
| AnthonyMouse wrote:
| > I see controversy and a lot of dissent among Justices,
|
| Precedent is set by the majority, not the dissent.
|
| > but no decisions that explicitly declare a
| Constitutional right to anonymity.
|
| Weird then that there are several decisions striking down
| laws that violate the right to anonymous speech?
|
| > And the modern Court explicitly declared that a
| Constitutional right to _privacy_ does not exist, and one
| cannot have anonymity without privacy
|
| One cannot refuse to turn over one's papers and effects
| in the absence of probable cause without privacy either.
|
| Consider the possibility that there could be a right to
| anonymous speech without a right to anonymous practice of
| medicine. A universal right to privacy would require
| both. Just because it isn't both doesn't mean it's
| neither.
| krapp wrote:
| >One cannot refuse to turn over one's papers and effects
| in the absence of probable cause without privacy either.
|
| Yes. I believe a right to privacy once existed, but it
| was nullified as it formed the basis of the case for Roe
| V. Wade. As a result even the Fourth Amendment is
| weakened because it must be interpreted in the light of a
| right to privacy no longer existing.
|
| What I'm trying to put forth is that the assumptions
| you're working under are no longer valid and we've thrown
| the baby out with the bathwater.
| AnthonyMouse wrote:
| > I believe a right to privacy once existed, but it was
| nullified as it formed the basis of the case for Roe V.
| Wade.
|
| It was kind of the other way around. There is clearly no
| explicit right to abortion in the constitution, so to
| find one it would have to be implicit, but the Court in
| _Roe_ wanted to find one, so they made one up. The
| reasoning was something like, the constitution implies
| there is a general right to privacy and laws against
| abortion violate it. The people who liked the result were
| then stuck trying to defend its inconsistent reasoning
| for 50 years, because the same logic would cause all
| kinds of other laws to be a violation of the same right.
| Obvious example would be drug prohibition; government
| invading your privacy by trying to control what you put
| into your own body. Same logic as _Roe_.
|
| But _Roe_ was never actually extended to any of that
| stuff, so overturning it didn't re-enable drug
| prohibition after it was struck down, since it was
| (inconsistently) never struck down to begin with.
|
| The cases having to do with anonymous speech are
| independent and use entirely different logic. The general
| idea is that people are deterred from speaking (chilling
| effects) if people can associate what they have to say
| with a physical person who can then be harassed for
| expressing an unpopular opinion. It doesn't have any of
| the same problems because there is no First Amendment
| right to morphine, which they could ban outright under
| the same justification as they ban heroin, so having to
| show your ID to get morphine isn't deterring you from
| exercising your right to free speech.
| NoMoreNicksLeft wrote:
| The converse would have to be true then, that the
| government has the legitimate power to intimidate people
| to not express their opinion. This does not seem like a
| legitimate power for government to have, but now I need
| to be careful whether I express it at all.
| krapp wrote:
| Laws against slander, libel, intimidation, conspiracy,
| perjury, etc are based upon the government's power to
| intimidate people from expressing opinions. It is a
| felony in the US to express the opinion that the
| President should be killed. Speech in the US has never
| been a free for all.
| AnthonyMouse wrote:
| Those are not opinions, they're provably false statements
| or threats. Conspiracy is essentially committing a crime
| as a group rather than an individual, and the statements
| are the evidence of the crime rather than the crime in
| itself.
|
| The closest the government comes to prohibiting an
| _opinion_ is copyright, but even then you can restate the
| opinion in your own words, and when an exact quote is
| necessary to make your point it's fair use specifically
| because it would otherwise violate free speech.
| monksy wrote:
| > . It's the idea that every internet packet needs to be tied
| back to some verified identity
|
| There's been multiple attempts to do this. Via KOSA and a few
| others lately in our Congress. PR friendly candidates like
| Duckworth have been trying to walk this through the system.
| chrisjj wrote:
| > seems like the extent of this is to require IAAS
| (Infrastructure) providers to verify the identity of those who
| are using their services to train AI.
|
| Only foreigners.
|
| > It's an attempt to stymie sanctioned or malicious actors,
| from training AI and especially from hopping between services
| or using aliases to continue training on their model.
|
| Unlikely, since it exempts non-foreign malicious actors
| codedokode wrote:
| This won't work. Foreign nations have enough skill and
| resources to pass KYC as a citizen (steal someone's documents,
| pay a homeless for verification etc). And as I understand, US
| doesn't have a central citizen database so it is difficult to
| verify a document.
| White_Wolf wrote:
| It's funny they don't need ID to vote but they'll need one
| for a VPS.
|
| EDIT: I know it's about IaaS.
| AnthonyMouse wrote:
| That isn't even the first reason it won't work.
|
| Computing is a global commodity. There are providers in other
| countries. They would just use one of those.
| atentaten wrote:
| It's not meant to work.
| toss1 wrote:
| On top of that, it is to identify _FOREIGN_ users
|
| >>"require U.S. IaaS providers to verify the identity of
| foreign users of U.S. IaaS products, ... which calls for the
| Department to require U.S. IaaS providers to ensure that their
| foreign resellers verify the identity of foreign users. E.O.
| 14110 also provides the Department with authority to require
| U.S. IaaS providers submit a report to the Department whenever
| a foreign person transacts with them to train a large AI model
| with potential capabilities that could be used in malicious
| cyber-enabled activity."
|
| We damn well _SHOULD_ be identifying foreign users of our
| services, particularly those which have high-powered potential
| to cause harm.
|
| This knee-jerk [govt identifying anybody is bad] response
| prevalent here deeply undermines the cause of actually
| maintaining privacy. There are actually very bad actors out
| there, and if we fail to identify and contain them, things will
| be far worse. The reality is that some measures must be taken
| -- let's focus on containing the real threats, not cry foul at
| every shadow of a hint that we might approach a slippery slope.
| olalonde wrote:
| > Is it that it's a slippery slope or perhaps I'm being naive
| in regards to the scope?
|
| This. Also, it won't stop malicious actors. Setting up a LLC to
| mask your true identity is cheap and easy. Not to mention that
| providing a fake identity or pretending you are not a "foreign
| person" is also cheap and easy.
| Izkata wrote:
| For those of us who don't know what this is, an explanation is a
| bit down the page:
|
| > To address these threats, the President issued E.O. 13984,
| "Taking Additional Steps To Address the National Emergency With
| Respect to Significant Malicious Cyber-Enabled Activities," which
| provides the Department with authority to require U.S. IaaS
| providers to verify the identity of foreign users of U.S. IaaS
| products, to issue standards and procedures that the Department
| may use to make a finding to exempt IaaS providers from such a
| requirement, to impose recordkeeping obligations with respect to
| foreign users of U.S. IaaS products, and to limit certain foreign
| actors' access to U.S. IaaS products in appropriate
| circumstances. The President subsequently issued E.O. 14110,
| "Safe, Secure, and Trustworthy Development and Use of Artificial
| Intelligence," which calls for the Department to require U.S.
| IaaS providers to ensure that their foreign resellers verify the
| identity of foreign users. E.O. 14110 also provides the
| Department with authority to require U.S. IaaS providers submit a
| report to the Department whenever a foreign person transacts with
| them to train a large AI model with potential capabilities that
| could be used in malicious cyber-enabled activity.
| blackeyeblitzar wrote:
| What can we do to actually contest it? I see this website lets
| you submit a "formal comment". But is that enough? Who is in
| charge of the decision and who else can be pressured to stop it
| (certain legislators)?
| martingalex2 wrote:
| This is a good overview
| https://www.akingump.com/en/insights/alerts/commerce-issues-...
| perihelions wrote:
| - _"To Address the National Emergency"_
|
| A fast-moving emergency that can't be fixed by normal
| constitutional lawmaking processes, and must resort,
| exceptionally, to executive-branch emergency decrees--for
| expedience. Nevermind the executive order it's drawing authority
| from was written three years ago. It was a fast-moving emergency
| then, too, I suppose.
|
| https://www.federalregister.gov/documents/2021/01/25/2021-01...
| (_"Taking Additional Steps To Address the National Emergency_
| [sic] _With Respect to Significant Malicious Cyber-Enabled
| Activities"_ (2021))
| greyface- wrote:
| Fun fact: we've got active national emergencies dating back to
| 1979!
| https://en.wikipedia.org/wiki/List_of_national_emergencies_i...
| highcountess wrote:
| Geez ... those are some long emerging occurrences.
| rtkwe wrote:
| They're mostly sanctions regimes though it looks like which
| the Executive can largely implement on its own (under
| current constitutional interpretations). It probably included
| other things that have since been ended and the sanctions are
| the only thing really left.
| sschueller wrote:
| So national security trumps democracy and freedom? What do you
| have left to protect when you give it all up? Might as well
| just elect a king and be done with it.
| ryandrake wrote:
| Don't worry--we seem to be actively working on this one, too.
| unboxingelf wrote:
| Why elect a king when you already have a private group of
| bankers running the show
| robocat wrote:
| Systems run the show, not people.
|
| "What important truth do very few people agree with you
| on?": I believe that nobody is running the show. The
| systems we have created are more complex than we
| understand. I think a few people individually understand a
| few aspects of the different systems (we are not at the
| complete mercy to these systems).
|
| I also believe that we have a psychological need to know our
| social hierarchies therefore we create stories about who we
| think is in control. That need creates conspiracy theories!
| That need creates narratives that certain people are
| running the world (but when you look closely at those people
| they are not running things - they don't understand how
| everything works even though they put much effort into
| trying to).
| greenavocado wrote:
| Banking is the foundation of all so-called systems. Take
| away the financing and nothing gets done.
| plasticchris wrote:
| A point very eloquently made by Rick and Morty
| robocat wrote:
| People's desires are the foundation of all so-called
| systems. Take away the people and nothing gets done.
|
| Or were atoms the foundation? Or thinking? Or maths? Or
| law? Or take away black holes and nothing gets done?
|
| Ranking interdependent systems is nonsense. Reductionism
| and false arguments don't help much either.
| greenavocado wrote:
| You can make people do just about anything for money.
| Nothing else even comes close except ideology in a
| distant second place.
| robocat wrote:
| Are you trying to argue that money is more important than
| banking? But that banking was the most important thing?
| Your logic eludes me.
|
| Or maybe you have a manipulative world view? What is more
| important - money or power? If you have power do you need
| money? Is power equivalent to money?
|
| "Money" is a means of exchange, and in some contexts it
| is a status signal.
|
| Money is a measure, not an ends in itself. People want
| the money to do something with: the something is faaaar
| more important than money. Find me a person with money,
| and I will easily find ten things they would prefer.
|
| Anecdotally:
|
| My friends don't value money above other things. Other
| friends could easily take nearly all my money if they
| chose to (I put myself into very submissive situations).
| I don't work because I don't need more money.
|
| Perhaps I live in a different world than you.
|
| The people I know all have complex desires, and few of my
| friends are concentrating on making money (and the
| smartest friends I know don't make money their central
| goal). I do have a couple of friends who try to make
| money and they seem to do it quite well without too much
| difficulty.
|
| Have you tried to offer money to people? If it is so
| critical then people would take it. My experience is that
| a few do but many don't. I've offered large amounts to
| acquaintances that haven't taken it (perhaps with or
| without hooks).
|
| (Slight edits for clarity).
| greenavocado wrote:
| Yes, I pay people to do work on difficult and annoying
| computer systems. Nobody would want to do this job for
| free.
| MaxfordAndSons wrote:
| I agree with this. I think this misunderstanding is the root
| cause of, well a lot of shit, but particularly the
| increase in belief in conspiracy theories by members of
| the public. Most people lack a conceptual understanding
| of emergent behavior in complex systems, and instead rely
| on linear narrativization to understand the world (which
| by the way is not an insult to the public's intelligence,
| it's just the way our brains work unless you make a
| concerted effort to step outside of that default). And if
| you aren't considering multivariate, emergent behavior as
| a possible explanation for unpredictable and inscrutable
| world events, the next and really only reasonable
| explanation is intricate conspiracies by powerful agents.
| packetlost wrote:
| I mean, a monarchy is also a system, but I also recognize
| that's not what you're talking about.
|
| I'm inclined to agree, though I do think there's a
| disproportionate amount of influence in some groups. I
| also worry that the true danger of an artificial super-
| intelligence is not in a SkyNet-like scenario, but a more
| subtle and slower influence over global societies via
| trade and economics. It already more or less runs the
| world in abstract, so a _thing_ that can understand all
| the complexities and manipulate them with capital has the
| potential to be very dangerous.
| smsm42 wrote:
| And lose the profits on electoral show every 2 years? Do you
| know how much money can one make on an election? That'd be
| silly to give up all that.
| oaiey wrote:
| You elect an executive branch to protect you. Sometimes that
| includes executive orders. And if these survive the check and
| balances, maybe it is for the greater good.
|
| If you do not want that, the country has to work on a
| functional Parliament and switch away from a presidential
| system.
| _DeadFred_ wrote:
| This level of lack of understanding the basics of our
| system of government is why we used to have civics classes.
|
| If someone is using infomercial level
| logic/details/understanding to get you riled up, step one
| is to step back and get a better understanding, not to grab
| a pitchfork and get bitter.
|
| A post highlighting that the government is soliciting
| comments shows we don't actually have a king that can do
| whatever they want. You personally can comment on this
| proposal, and if you have a compelling argument, can stop
| it or in the future force your comment to be addressed.
| Remember the standard is that the Federal government's
| actions can not be arbitrary and capricious.
| oaiey wrote:
| I am not a US resident. I take here a pragmatic
| perspective. Laws, the level of bureaucracy etc is a
| choice we do in our societies.
|
| > Remember the standard is that the Federal government's
| actions can not be arbitrary and capricious.
|
| That assumes that everything is regulated by law
| (unrealistic) and that you have a working parliament
| (currently not the case in the US). Imagine Russia is
| invading Canada. Would you prefer a US president with the
| power of declaring war or the parliament starting to
| debate over it. A war has 100x more consequence than this
| KYC thingy here.
| anjel wrote:
| It's long been this way. Even in the 1950s there were fed
| justices commenting that if a nuclear bomb were to be stolen,
| its retrieval would be a reasonable predicate justifying
| suspension of the bill of rights until the warhead's
| retrieval.
| plasticchris wrote:
| Ironically enough, we'd already lost one by then:
| https://nationalinterest.org/blog/reboot/us-military-
| missing...
| greenavocado wrote:
| Freedom has been on a steady decline since the establishment
| of the Federal Reserve in 1913 when established banking
| dynasties seized control over the currency of the country.
| The symbolic destruction of the constitution occurred on
| 9/11/2001 when the modern police state went into full force.
| tadfisher wrote:
| We established the Fed (and later, the FDIC) because people
| were sick and tired of bankers controlling monetary policy
| and wiping out their life savings. How the Fed turned into
| the ancap Boogeyman is the real destructive force in our
| society.
| gottorf wrote:
| > We established the Fed (and later, the FDIC) because
| people were sick and tired of bankers controlling
| monetary policy and wiping out their life savings
|
| The Great Depression, the savings and loan crisis, and
| the GFC all happened after the establishment of the
| Federal Reserve. Sure, I guess you could claim that all
| of those would have been worse without the Fed, but
| reasonable minds can differ on that without being an
| "ancap".
| greenavocado wrote:
| "We" didn't establish anything. An elite few met at The
| Meeting at Jekyll Island to discuss the matter and the
| public had zero say in it. Just like we continue to have
| no say in government today. Bills are rammed through
| congress and the president's desk and they just rubber
| stamp everything put out by the deep state or they risk
| getting CP'd by the intelligence apparatus. The main
| group of opposition to the Fed was 9/11'd in the sinking
| of the "unsinkable" Titanic because internal defenses
| against sinking were deliberately sabotaged just like the
| power went out for "maintenance" in the Twin Towers for
| 24 hours before 9/11 when anybody was allowed in to go
| anywhere inside whereas the building security was tightly
| controlled since the day it opened without fail up to
| that point.
| beaeglebeachh wrote:
| And not long after we got the great depression, and more
| recently the destruction of the housing market by pinning
| interest rates near zero bidding property into infinity
| and then jacking rates up to disenfranchise the youth
| while everyone else sits on negative real rates mortgages
| for 30 years that they'll only give up for a king's
| ransom.
|
| The only thing worse than a bunch of private bankers
| controlling monetary policy, is a central bank
| controlling monetary policy.
| willmadden wrote:
| There's an argument to be made that we would be far better
| off with a benevolent monarchy than whatever this is.
| krapp wrote:
| There is no such thing as a benevolent monarchy, if that
| monarchy exists as anything more than a figurehead. No
| position of absolute and uncheckable power, least of all
| derived from a claim of divine right or racial purity, can
| be considered benevolent.
|
| Yes, an argument can be made. And such an argument can and
| should be quickly discarded with a glance at the last
| thousand years or so of human history. We tried it. Rolling
| the dice that the next king or tsar or emperor to own the
| people will at least treat them kindly. And we decided that
| being owned by a government in which we have no franchise
| is a bad idea. A very bad idea.
| smsm42 wrote:
| If we ever could find a Superman who would agree to be a
| benevolent monarch, sure. The only problem is that Superman
| is actually a work of fiction (and even a fictional one
| would refuse the role) and real people have, let's say, not
| so stellar record of being benevolent. It's one of those
| nice ideal arguments that works very well as long as you
| are allowed to assume magical entities that can't actually
| exist in the real world.
| TY812 wrote:
| Dynastic monarchies have one advantage over liberal
| democracies: If you want your bloodline to stay in power,
| you are incentivised to leave the country off better than
| you inherited it - if you act out too much, there's a good
| chance your offspring will follow you not on the throne,
| but on the guillotine. This immediately makes 'fuck you, I
| got mine' style politics unfeasible.
| logicchains wrote:
| In a monarchy at least there's a chance of getting a good
| ruler by the genetic lottery. In a political system almost
| inevitably the people who get to the top are the best liars
| and manipulators, not good people.
| smsm42 wrote:
| We're in a permanent emergency now. Which is no surprise - if a
| mere voluntary act of declaring emergency lets the government
| do what they otherwise can't - why not declare it over and
| over?
|
| Check this out:
| https://en.wikipedia.org/wiki/List_of_national_emergencies_i...
|
| In the US we have 42 (!) ongoing national emergencies. The
| oldest dating back to 1979. I think most of US-based HN readers
| never lived in non-emergency US.
| sakjur wrote:
| That'd be September 1978 - November 1979 and before then
| during the roaring twenties if I read this right.
|
| Maybe POTUS should declare an emergency to reduce the number
| of emergencies?
| smsm42 wrote:
| Looks like that's exactly how they got a full non-emergency
| year: https://en.wikipedia.org/wiki/Report_of_the_Special_C
| ommitte...
|
| Of course, it didn't last long - as soon as the focus moved
| on, emergencies started popping back up.
| oaiey wrote:
| They are declared in an emergency (most of them are sanctions
| to freeze money and freedoms of foreigners). That does not
| mean you live in an emergency. That they are still active
| means only that the Parliament was too lazy or too blocked to
| put them in a law.
| smsm42 wrote:
| Legally, it means exactly that - the government wasn't
| allowed to do X, but they said the magic word "emergency",
| and now they are allowed to do X as much as they want,
| until they decide they are done. Of course, this means they
| were always allowed to do X, it's just that the public will
| eat it more easily if instead of saying "the government can
| take your freedoms anytime" they'd say "the government
| can't take your freedom ever - except if there's a real
| dangerous emergency". Functionally, those are exactly the
| same, but the latter sounds much more "reasonable".
| oaiey wrote:
| What you describe is the abuse of the power. In the list
| of US emergencies 80% are sanctions (which qualify as
| emergencies I would say bc they would not work), 15% real
| emergencies and then there are the ones which start to be
| controversial. All what I am saying is: it is a tool for
| a government. Governments do things wrong. They
| wrongfully arrest, invade countries, collaterally murder,
| take bribes, etc. That is daily happening. And the courts
| and Parliament have the job to fix, prevent or correct
| that.
|
| It is not easy to run your life, company or government
| org without doing once in a while something wrong. It is
| how you behave afterwards and overall which matters.
| smsm42 wrote:
| Well, yes it is - but it's completely legal abuse and the
| society seems to be willing to tolerate it (and much
| worse abuses, evidently - like total warrantless
| surveillance absent any proof it's actually useful for
| anything except partisan political squabbles). I wish the
| courts and the parliament would be willing to do
| something about it, but they aren't, and they aren't,
| because most of the society seems to be fine with it.
| Sad.
| megous wrote:
| So this is just to make it easier to ban non-US citizens from
| using US IaaS (or track them).
|
| Just don't use American IaaS in the first place. It's not like
| computers are available only in the US.
| patricklorio wrote:
| Computers outside of the US sure, but the latest chips used for
| AI training have export controls so not so much.
| djoldman wrote:
| > (e) The term "Infrastructure as a Service Product" means any
| product or service offered to a consumer, including complimentary
| or "trial" offerings, that provides processing, storage,
| networks, or other fundamental computing resources, and with
| which the consumer is able to deploy and run software that is not
| predefined, including operating systems and applications. The
| consumer typically does not manage or control most of the
| underlying hardware but has control over the operating systems,
| storage, and any deployed applications. The term is inclusive of
| "managed" products or services, in which the provider is
| responsible for some aspects of system configuration or
| maintenance, and "unmanaged" products or services, in which the
| provider is only responsible for ensuring that the product is
| available to the consumer. The term is also inclusive of
| "virtualized" products and services, in which the computing
| resources of a physical machine are split between virtualized
| computers accessible over the internet (e.g., "virtual private
| servers"), and "dedicated" products or services in which the
| total computing resources of a physical machine are provided to a
| single person (e.g., "bare-metal" servers);
| spiralpolitik wrote:
| I would argue that for most use cases Internet Services are
| already collecting sufficient KYC data that it won't make a
| difference. Try signing up for anything infrastructure related
| without providing a credit card and/or billing address and/or
| cell phone number and see how far you get.
|
| That said the system is only as strong as the weakest link in the
| chain, and while getting a credit card/cell phone number in the
| US requires a certain standard of identity verification, the same
| might not be true for other countries (or in cases of deliberate
| fraud). I think that is what the legislation seems to be
| targeting.
|
| That doesn't mean it is good legislation or won't have unforeseen
| side effects.
| jofla_net wrote:
| This totally depends on what is collected, if the requirements
| are some form of national id submission, ie. licenses or
| passports, then it opens all handlers up to tremendous abuse
| possibilities. Or at the very least paints a big sign on their
| backs that they handle mass quantities of official government
| forms of biometric id, something I think would do much more
| harm than good in the long run as each company would need to be
| bulletproof to avoid.
| patricklorio wrote:
| I read the document a bit, it seems like this is essentially
| saying that services like AWS need to know the identity of their
| customer if they suspect they are a foreign entity.
|
| I don't think this would cover VPNs or internet access, mainly
| just people spending lots of $$ on compute. Is that correct? If
| so it seems reasonable. If a non US group is spending lots of
| money using US technology to develop an AI model I do think that
| falls under foreign trade and should be documented.
| boppo1 wrote:
| What can I do as a broke guy to stop this? Write a comment? Will
| it be read or considered?
| greenavocado wrote:
| There is literally nothing you can do. The intelligence
| agencies are building the top of the funnel for the gulags to
| host us in the near future.
| chrisjj wrote:
| > verify the identity of their foreign customers
|
| Makes you wonder how they are going to first determine which are
| foreign...
| 2OEH8eoCRo0 wrote:
| Thanks. Just commented in support.
| rsync wrote:
| The talking point we should be using is: if banks know their
| customers, we don't have to.
|
| The trail of knowing one's customers always leads to payments and
| finance.
|
| If we are accepting payment for our services with standard bank
| card transactions or wire transfers, etc., then the knowing of
| the customer can be centralized at the banks.
| MmmKayWhySee wrote:
| Exactly. What is the point of repeating KYC across every
| industry? I work on the KYC team of a banking/finance company.
| It takes a significant amount of resources.
|
| Unless we create global governing initiatives similar to FATF
| for IaaS products, American IaaS offerings will become less
| competitive.
| hirako2000 wrote:
| And who pays for it. Yet another compliance procedure to add to
| the stack.
|
| I propose that any new regulation gets financed by the
| regulators. And retroactively get all regulations to have their
| cost covered by the government.
|
| Who pays the auditors. Who pays Accountants, who paid for data
| protections schemes, who pays for random sanctions making
| countless companies suddenly lose large part of their business.
| Regulations are great, it should be at the government charge
| though, so that we can continue to do business, prevent market
| entry costs which promotes monopolies/oligopolies, encourage
| compliance.
| wumeow wrote:
| This seems like the key section people should read through and
| where they should focus their submitted comments:
|
| https://www.federalregister.gov/d/2024-01580/p-70
| justin66 wrote:
| Is this more onerous than verifying the name of the person or
| company you're serving does not appear on the OFAC list?
|
| This is generally not difficult for anyone concerned, unless they
| happen to share a name with somebody on that list.
| LivenessModel wrote:
| Simple ID scans are already on their way out.
|
| "Liveness checks" where we have to turn on our webcam and let
| some stranger make a full biometric model of our head to use
| basic internet infrastructure is the dystopia we deserve, and
| it's the one we're gonna get.
|
| I hope the "AI" was worth it. Let's see if you can fix this
| problem you created.
| pessimizer wrote:
| Already happening at the IRS. There's a reason government was
| so reticent in regulating facial recognition in any meaningful
| way: The government database of everyone's faces, purchased and
| cobbled together from private _partners_, isn't complete
| enough yet.
|
| This has nothing to do with AI, but an out-of-control executive
| branch and intelligence agencies. AI is just another tool that
| will make it cheaper.
| rangestransform wrote:
| are they going to start requiring an ID to buy a GPU too
| elzbardico wrote:
| As if KYC for bank accounts was an astounding success on
| international crime, corruption and terrorism financing.
| andybak wrote:
| If you're going to editorialize the title, could you possibly tell
| us what KYC stands for?
| kiernanmcgowan wrote:
| Know Your Customer - it's a term describing how organizations
| like banks want to know what you're doing so they can avoid
| enabling criminal activity.
| oaiey wrote:
| Controversial point: if you run an Internet presence of any kind,
| this is like a property of land on which you run business. The
| property needs also a legal owner. For real businesses, this is
| normal. It is unregulated IT who does not understand this and is
| still in the wild West.
|
| Obviously, modern data processing creates the rightful fear of
| surveillance. What we lack is a culture of privacy. In other
| countries if the state or anyone else wants to access the land
| registry or any other: good luck without a lawful reason.
| whiplash451 wrote:
| A number of threads seem to assume that KYC (or identity check)
| implies that your biometrics or gov ID data is collected/stored
| by the provider, but it does not have to be.
|
| The identity check is typically done by a trusted 3rd party that
| can delete the data right after the identity check (and can be
| required to do so).
|
| So you basically end up guaranteeing that the name, address and
| D.O.B that you provided to the IaaS provider is actually correct,
| nothing more and nothing less.
| chmod600 wrote:
| Idea: let's make it so all emergency powers have to be re-
| authorized every week by Congress at midnight on Friday with a
| 90% quorum of physically-present representatives.
|
| If "emergency" action is needed because Congress is too slow,
| then let's make sure they are working through the process to
| create real law. Or if they aren't, I guess it wasn't an
| emergency, and there's no reason for administrative law to "fill
| in" using a non-democratic process.
| throwway120385 wrote:
| Great! I'm looking forward to seeing this requirement applied
| to also dissolve the judicial branch entirely so that Congress
| is entirely responsible for both enforcement and adjudication of
| the law. Let's work together to end separation of powers.
| chmod600 wrote:
| You seem to be suggesting that Congress making law is
| intruding on the power of an agency to make Administrative
| law? The latter is not (supposed to be) an actual branch of
| government. Congress has full power to rewrite all the
| administrative law as they see fit.
| throw5345346 wrote:
| There's a surprising amount of debate in this thread on the
| rights and wrongs of this topic.
|
| As a matter of simple efficiency, what I suggest to you all is
| that you imagine this was being rolled out by the British
| government.
|
| Because then you'd all be certain what it meant and what was
| necessary.
| martinbaun wrote:
| This seems like a slippery slope.
| gwbas1c wrote:
| > We have 4 days to contest KYC being required by internet
| services
|
| The acronym "KYC" doesn't appear in the linked article. What is
| this even about?
| eks391 wrote:
| Know Your Customer. It's when you are asked for legal docs so a
| business can verify your identity. Like what banks do
| zarzavat wrote:
| Can anyone glean from this wall of text what documents Uncle Sam
| is going to expect me, a dirty and potentially smelly foreigner,
| to submit in order to keep my AWS account?
| CatWChainsaw wrote:
| This will pass regardless of comments and KYC will only get more
| strict from here on out. What other end result could there have
| been when the combined gov-corp-tech behemoth is incredibly data-
| hungry, obsessed with draconian surveillance, and about to be
| deluged with malicious AI across the internet? It starts with
| "suspected" foreign actors and ends with everyone needing to
| prove their humanity for every little thing on the web. This is
| why we can't have nice things..
| greenavocado wrote:
| Next thing you know if you make one comment about Israel or
| certain coincidences you will be debanked, cut off from all
| Internet services, unable to make payments, blacklisted from
| all employers, your payment accounts frozen, ultimately
| resulting in eviction for non-payment, then shortly thereafter
| homeless, hungry, dead, or in prison.
|
| That's the logical end-game of all this in case you don't have
| the foresight to see where this road leads.
| CatWChainsaw wrote:
| Even foresight isn't enough to avoid it if you don't have the
| fortitude to avoid paths of least resistance, or the ability
| to oppose entrenched power structures.
| xbar wrote:
| If I host a site that is vulnerable to XSS, is it inadvertent
| IaaS?
| MmmKayWhySee wrote:
| I work on KYC systems at a medium/large sized financial
| institution. The trend of adding KYC requirements to more and
| more online services is troubling.
|
| KYC adds a huge burden to anyone trying to offer a service.
| Implementing KYC imposes significant burdens on service providers
| due to the complexity of identifying users across different
| countries and understanding varied regional regulations. You end
| up outsourcing your KYC to another company. But most KYC vendors
| don't support all the countries you want to support, so you
| either end up limiting your service to the service area of your
| KYC vendor. Or you end up integrating multiple vendors together,
| which is challenging since vendors generally prefer exclusivity.
|
| If you didn't have an engineering team working on KYC before, you
| will now. You will likely need to add to or expand your
| compliance team. Your company will shift either slightly or
| significantly from being an engineering or product driven company
| to being a compliance driven company.
|
| KYC raises barriers and entrenches incumbents. Look at financial
| institutions and porn.
|
| KYC is generally not evidence based policy either [1, 2]. Bad
| actors get around your KYC requirements, and your KYC system ends
| up being a hurdle for innocent users. A lot of KYC systems rely
| on data aggregators (aka the people who buy your personal data),
| and if you aren't "in the system" either because you are young,
| poor, or privacy conscious, you are faced with suspicion.
|
| My experience is that anti-fraud systems tend to weed out bad
| actors better than KYC systems that are mandated in a
| governmental top down manner.
|
| 1) https://www.economist.com/finance-and-economics/2021/04/12/t...
|
| 2) https://www.tandfonline.com/doi/full/10.1080/25741292.2020.1...
___________________________________________________________________
(page generated 2024-04-25 23:01 UTC)