All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
US Gov't wants invasive know-your-customer regulations for cloud providers
The U.S. Department of Commerce is pushing to require the IaaS industry to verify customer identities with bank-grade KYC:
The proposed rule would institute a CIP requirement for U.S. IaaS providers akin to the “know your customer” requirements applicable to banks, introducing a complex compliance protocol that will require resources and lead time.
( That's from the summary at NatLawReview, worth reading )
From the rule text, this would affect:
any product or service offered to a consumer, including complimentary or “trial” offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications
So basically any host offering virtual machines, dedicated machines, code platform as a service, etc would need to collect and verify identity information.
The information to be required includes name, address, phone number, etc. The rule doesn't prevent companies from using that KYC information for marketing or resale purposes.
The rule, though targeted at non-US customers, would also require US customers to comply:
The proposed rule seems to suggest that providers should assume all potential customers and beneficial owners are non-U.S. persons until the aforementioned identifying information is collected and assessed.
Customers outside US, or customers the provider thinks are suspicious, may require additional documentation (such as driver license scans, etc.)
This would cause regulatory burden for companies offering cloud hosting to comply with, and impact any customers who wants to use US hosting anonymously. With the verification, it would be very difficult to use an anonymous identity with US cloud providers.
The new regulations would be backed by the full force of law, and failure to comply could result in civil & criminal penalties.
My Thoughts
It is unlikely, in my opinion, that invasive KYC verification would actually do much to thwart cyber-crime. Bad actors could just host outside the US, or buy a stolen identity for cheap on the dark web. Meanwhile, the vast majority of good customers are penalized with having to fork over personal information which may just get leaked or intentionally sold. (If you've ever gotten your e-mail or phone number sold to one of those business spam lists, you know it's basically impossible to get off them).
They are requiring bank-grade KYC, but not providing even the bare minimum of bank-grade privacy protections. (Gramm-Leach-Bliley Act is not much, but it is at least something.)
Personally, I use a gov't ACP address & pen name due to some past personal safety issues in my life and I don't give out my home address to companies anymore. It is usually a fight with companies that do KYC to get them to accept my public-facing addresses because their systems are often coded to reject PO Boxes and CMRA's. KYC makes it hard to protect myself, so I hate seeing other branches of the gov't pushing for it.
Read & File a Formal Comment
There is only a week left to file a formal comment with US Department of Commerce with your opinion. You may read the full text of the rule and submit your comment here. Many of the submitted comments so far have been favoring the rule, so if you don't want it to be pushed through, now is the time to participate and submit your opinion.
Comments
So everything they already collect, but likely integrated with a third party identity/KYC service.
Ouch! So we are at that point already?
I fully agree with OP in that it won't do much in relation to the intended purpose and while companies might not care much (maybe they have strict signup procedures already or whatever) they seriously should. If this becomes a requirement and there'll be actual demands for copies of IDs (or really whatever type of formal KYC) such companies can be very sure that a lot of their customers are going to move to a place where they won't have the risk/hassle of sending sensitive documents over the net.
Edit: The Executive order of January 19, 2021, "Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities" directs... - National emergency... which emergency (from 2021...) is that exactly? Are they serious??
"But but but Russia does it too..." Angrystrom and Arkasshole (patents pending)
Commented under my full legal name so they know it isn't a foreigner 😊 my quickly wrote comment with likely lots of spelling and grammar issues:
These rules do little, if anything, to stop actual bad actors and just harm and annoy the average person who wants to make a web page quick and easy. Bad actors already do not follow the rules and making additional rules that are easily bypassed is a waste of everyone's time and resources. What is stopping the bad actors from using residential IPs of machines they have hacked in the US? What is to stop them from paying with cryptocurrency that is untraceable? If the rebute to the above is that it is suspicious so verify them then you are sweeping countless American citizens into this law. Additionally, since US customers will almost certainly be swept up in this issue this rule may violate several aspects of the First Amendment that must allow a US citizen to publish speech anonymously. If a US citizen wants to publish a web page full of criticism against the government from another U.S. Citizen who wants to stay anonymous through proxies but then the US government forces a business to record all their details does that not violate several principles of free speech protected in other instances? Can a journalist be forced to reveal their source? Can a news organization be banned from publishing anonymous tips they received via email or mail that could have very well come from a foreign individual ? Can a book or movie company be prohibited from publishing certain media based on their ability to verify that the person who wrote it is a US citizen? If any of the above is no meaning the government can't simply broadly limit the speech because its origin is anonymous. it must beg the question, can a company be banned from publishing an individual's speech online if it's anonymous?
Sounds no different than the states doing to porn sites.
Maybe but courts have long held that one can require age restrictions on porn since they generally serve no political, educational, or art value. The question is can the state regulate a service that can serve content that often does provide political, educational, or artistic value made by a US citizen?
This is awful and like OP said it doesn't actually stop bad actors because so many already use servers hosted outside of the US and... wait until one of these cloud providers or hosting providers get hacked and so many people data gets leaked. So many people were affected by the AT&T data breach not too long ago.
Just thinking about it... in my case, the US providers that I am currently using are OVH US and Hetzner and they already have my information.
Also would this apply if a hosting provider is located outside US but only has servers in US?
damn... Time to incorporate again somewhere else i guess.
Sounds like the US wants a GFW.
Similar laws already exist in many countries. The USA and "Western" countries have always claimed that protecting privacy, freedom of speech, and other human rights are their main goals, and that this is the way they distinguish "clean", democratic countries from others - authoritative, dictatorial, etc.
However, in fact, the USA's January 6 case and the Canadian Freedom Convoy incident perfectly illustrate that their own citizens' human rights are not protected by the government. This was what Snowden said over ten years ago.
I am skeptical about this approach to solving the problem because, as more personal data is stored in information systems, more data is leaked, stolen, and used for criminal and illegal activities.I don't have any idea how this problem can be solved, but I believe that it is exactly not by collecting more and more personal information.
Unfortunately, most politicians and "siloviks" (the FBI, KGB, etc.) use the traditional way to solve social problems and believe that if they know who a person is sleeping with, this will help stop criminal activity.
Depends on the provider. Most do, because they want to "stop fraud". Oh well... It's bad that the US plans this though since many high quality hosts are there, other than occasional from countrys which seemingly only have jenkkis who are similarly unknowing in anything other than their Motherland like most amurcians. Rant end.
As an American, the US needs more regulations when it comes to the hosting industry.
Hosts need to start being held accountable for intentionally looking the other way. We have foreigners like @Francisco coming here to open anonymous LLCs in Wyoming and take advantage of our laws to fatten their own pockets and make the world worse in the process.
Other guys like @MannDude who advertise "not knowing their customer" attract the exact type of shitters you would expect. Phishing, copyright infringement, hate speech.
Real businesses don't give a single fuck about showing KYC because they don't do anything illegal.
Actually the bigger threat is foreigners like @Francisco and @MannDude who sell to Europeans but don’t collect and remit VAT as required per law. This is a threat to Europe’s economic security - time for the EU to declare war on VAT evaders!
Shit, did I start these stupid derails?
🤓🤓🤓🤓🤓
"Legal" doesn't equal moral, and even if the law and the government were perfect, laws and governments change. The rights to privacy and anonymity are our ONLY bulwarks against complete totalitarian control. Absolutely, there are bad apples who take advantage of anonymous services, and that isn't right. But the cost of stamping them by introducing ridiculous KYC requirements out would also effectively stamp out the rights to freedom of thought and freedom of speech, while doing little to actually stop the bad actors. (Scammers are generally a low-level threat, so even if their identity is known, they are rarely prosecuted.)
And as for the ad hominems against @Francisco and @MannDude, I have to ask 1) how has Francisco "made the world worse"? BuyVM, Namecrane, Frantech...all offer quality service for incredibly affordable prices. My only critique is that his products are often out-of-stock, but that's from my consumer POV; it's actually a responsible business decision on his end, since it's better to maintain his good service and keep his stock in order, than to try and expand and compromise quality in the process. And 2) yeah, some of MannDude's customers are phishers, scammers, extremists, etc., but shitty racist forums like Stormfront are hosted on mainstream services like Cloudflare, and most scammers go for the lowest hanging fruits, AKA cheap hosting, which is basically never anonymous.
Check Stormfront's hosting:
https://hosting-checker.net/websites/www.stormfront.org
Many scammers use Namecheap, Godaddy, Cloudflare, etc. and other mainstream hosting providers (also worth noting that even supposedly anonymous providers like Shinjiru only accept BTC for crypto, not a truly anonymous coin like XMR or bitcoin cash, meaning that the identities of particularly egregious scammers could still be traced in theory):
https://www.cybercrimeinfocenter.org/top-20-hosting-providers-by-phishing-domains
Like I said before: KYC doesn't stop bad actors from acting, and you can't expect hateful people to disappear just because you ask for a phone number, either. Your point about hate speech also begs me to ask: how do you define hate speech? My definition might look entirely different, and the gray area that exists between our two points of view is where the necessity for anonymous, non-KYC services and platforms emerges. Because if you think that hate speech specifically "incites violent actions against a certain demographic", and I think that hate speech is something that just "makes someone of a certain demographic feel bad", then if either of us got into power alongside a bloc of likeminded people, either of us could decide that the other's opinions about what constitutes "hate speech" must be made illegal, and its perpetrators, fined, imprisoned, or otherwise punished. A website contesting that legislative decision would thus jeopardize its creator's safety, and you wouldn't want that to be you, would you?
Yes definitely it is the beginning
It is not about the incorporation of a company, it is about having the USA as a hosting location
99% of the legit customers will not do kyc for privacy reasons ( maybe the remaining 1% will keep using the USA as a location ) and criminals will do fake kyc ( where the burden is on hosts how to verify those ). For criminals, they will just use any other country and keep doing what they are doing, but most of the USA hosts will Deadpool doing KYC of the remaining customers.
I would recommend importing GFW from China so that the US gov could save the cost and make more profit
I cannot agree more. Privacy is a right and of course as privacy provider we do deal with a lot of shit. But honestly it is worth it. Just knowing that we are able to give normal people a right to get service without giving away private information which can be leaked, hacked, sold etc.. It feels like we are actually trying to make a difference.
Kyc don't stop abuse, bad actors will always find a way to do bad stuffs.
Ironically most abuse we received are forwarded from cloudflare, people rotate vps behind cloudflare. Which is one of the most reputable company but providing services for the worst people.
It's both.
Edit: sorry somehow I made two comments. Instead of puting everything in one.
This is also an important point--anonymity isn't just about hiding one's identity from a tyrannical government; it's also about preventing the information from being made available to data brokers, hackers, etc. It's really shocking how lackadaisical companies can be about ensuring the security of their customers' info. The best (and only bulletproof) way to prevent data leaks is simply to not solicit the data in the first place. This, in my opinion, is a much better industry standard than "collect everyone's info for their own safety!"
if govt force you via law, that will be only way
Like in Russia.
What? They never did a KYC, not even for a .ru domain, neither did any Chinese provider if outside of China.
They don't even ask for your address.
On this thread, I see a bunch of foreigners and kids like @BruhGamer12 with anime girl profile pictures asking for internships. It's hardly worth a response, but I'll bite.
I don't mind providing my ID for a VPS at all if it's going to stop the next school shooting etc. from happening. The United States government needs to do more immediately (less thoughts and prayers) in an increasingly divided and radicalized country.
The idea of making criminals easier to identify won't help prevent crimes is simply not true, you're welcome to feel otherwise.
And when guys like Francisco or Curtis choose to host another hate speech forum for money, they are contributing to this. Accepting money to look the other way to things like hate speech and copyright infringement is simply not something I would allow myself to do ethically.
These people have choices every day. These businesses have an ethical responsibility for everything they platform, and saying it's not your place to judge is 100% a cop-opt.
You need to know your customer. This is especially true in the hosting industry.
Outside China may be but there are strong requirements for the hosting, domains, sites in China as I know.
America ' Land OF The Free'
yes it is both, I missed one word " not only " which would have changed the meaning
The newest regulation is stricter for services provided in Russia. However, the law is divided into two main parts: unverified customers and verified customers. Verified customers can access government resources in Russia, while unverified ones cannot. The law is still being drafted, so it may change to a more or less strict version in the future.
Seems that i have a really good compass to flame just the persons, which actually deserve it, after all
I'm quite amazed by myself.