Ask HN: Would you send a photo holding your drivers license to rent a VPS?
54 points by c64d81744074dfa 11 days ago | 64 comments
I wanted to try out OVHcloud and signed up and paid for a small, cheap VPS. Then I get this email:

  Please provide full-color photos of the following using the OVHcloudShare app (see instructions below):
    - A government-issued photo ID
    - A picture of the credit card used in the transaction including:
          1. The name matching the listed name in the Manager account, AND
          2. The last 4 digits of the card number
    - A photo of yourself holding the government-issued Photo ID provided above.
I absolutely will not do this - it's incredibly invasive and this is just a hosting service, not a bank. And it's a terrible idea. If every company starts doing this the security implications are far worse than whatever problem they're trying to solve.

Am I crazy? Is this just the way the world works now because of KYC or credit card scams or something? Or is it a European thing? (This is a French company and I'm in the USA.)

KYC is already required at banks and they have the most complete - and global - view of all transaction flows.

Therefore we should insist that KYC be solely performed by banks - no other firms should be required to perform it.

Given the extraordinary privileges that banks enjoy, this would be a reasonable contribution to society - especially given that they are doing it anyway.


> we should insist that KYC be solely performed by banks

That sounds like a great way of preventing anyone who doesn’t have a bank account from being able to use services at all.

There are ~1.7 Billion people in the world that are unbanked.

Even in the US alone there are around 55 million unbanked adults. (2018 numbers)

I think we should push for the opposite. Less KYC all around.


KYC is actually a clever trick by the government to pass the buck to the banks to verify if transactions are illegal or not. The main reason is that when you are dealing with the government, you are innocent until proven guilty. Using the banks to money launder? It’s up to the government to prove it and bring charges or it’s business as usual for you.

With banks having that power, you’re guilty until you prove innocence. Haven’t committed any crimes? Doesn’t matter, you’re banned by default and after you provide ID, we’ll let you bank. Oh and if for any reason, we can ban you and you have no recourse. We won’t tell you the reason either. It’s a great way for the government to not actually go after the money launderers and give the keys of doing business to a select few.


Are you similarly against KYC rules when it comes to people trying to exchange scrap bundles of copper wire they "found lying around" into cash?

There's always room for reform, but it's not as if the concept of due-diligence was invented just recently for banking alone.


> Are you similarly against KYC rules when it comes to people trying to exchange scrap bundles of copper wire they "found lying around" into cash?

I'm against them if they're opaquely administered by private entities, yes. That's guaranteed to be abused. The problem isn't having rules, the problem is having no due process and no oversight or recourse.


It seems to me you don't want less-legislation as much as different-legislation.

In a "hands off" scenario where the only factor for companies becomes "avoid losing a civil lawsuit for Failing To Do Enough to stop a criminal you assisted", they will still create an opaque system with no due-process/oversight/recourse. They will do that by default, because it's cheaper.


> In a "hands off" scenario where the only factor for companies becomes "avoid losing a civil lawsuit for Failing To Do Enough to stop a criminal you assisted", they will still create an opaque system with no due-process/oversight/recourse. They will do that by default, because it's cheaper.

I can understand the theoretical argument that they would. But in reality they didn't prior to the (relatively) recent AML laws, and other entities not subject to those laws largely don't.


Are you similarly for KYC rules when it comes to people making DMCA and other legal claims?

It seems like KYC is always applied in situations that hurt the individual person and protect the incorporated person. Never the other way.


I'm not sure what you mean. The DMCA is a big piece of crap, but it does have penalties if someone files a DMCA claim regarding content they know isn't theirs to manage.

Alas, it does not extend to penalizing the (duly-authorized) filers who make claims they know are frivolous bullshit, but that's a 'nother can of worms.


One of the biggest problems with the DMCA is that it is unaccountable for those submitting legal claims anonymously. They should have to identify themselves to submit a legal claim of ownership.

> https://taxpolicy.org.uk/2024/02/17/the-invisible-campaign-t... To remove something from Google's search they copy the text, they create a fake website / company with a URL with the copied text, then submit a DMCA claim saying theirs is the original. Google automatically rubber-stamp approves it and the URL/text they want removed from the search index is removed.

There's a simple and easy solution: there should be "know your customer" for claimants for laws requiring companies to follow up on legal claims like DMCA reports. KYC is obviously socially accepted and easily implemented since it's being required for so many other things. The whole basis of an adversarial legal system is that you need two legal persons on either side. This is a context in which you have to wonder why it isn't already like that.


Have those penalties ever been widely implemented? My understanding is most wrong claims just result in the person making the claim saying "whoops sorry my bad" and nothing happens.

I don't think KYC laws keep people un-banked. According to the Federal Reserve only about 5% of adult Americans don't have a bank account. KYC is relatively easy to comply with, about the same as getting a library card. But if a person has a history of writing bad checks or running up overdrafts they can't get a bank account. And some percentage of Americans don't trust banks and remain un-banked by choice.

Source for your claim of 55 million unbanked American adults? That's 21% of the 2020 US adult population, and four times higher than what the Fed reports. If America had 55 million potential customers banks would be tripping over each other opening new accounts at McDonalds.


> I don't think KYC laws keep people un-banked.

That’s not what I’m saying.

What I mean is, if only banks do KYC then all payments will be required to go through banks.

That will be a disaster for the unbanked.

And instead of pushing for KYC being performed by banks only, we should push for less KYC in the first place.


This is how it’s done in the Netherlands. You sign up for a bank account and they check your ID, your proof of residency, they do a video selfie, etc. It was impossible for me to get a Dutch bank account (as an American) until after I signed my apartment lease which was a bit of a catch-22 but not insurmountable.

But once that is all set up they have a system called DigiD that is wonderful. Anytime your identification needs to be verified it’s done through your bank. I signed up for renters insurance, they did a little OAuth thing with the bank, the bank asked which details I was willing to share (the insurance company asked for just last name, DOB, and address) and I agreed. It took seconds.


Is this sarcasm? Most banks don't write software, and the third-party software isn't that great. I don't want my bank involved in this at all.

I think my point was unclear ...

What I am saying is, there is no reason for other firms to perform KYC because it is totally redundant. The banks already have to do it and they have a better view of the transaction flow anyway.

Any KYC that your ISP might do would be both redundant and inferior to what your bank is already doing.

It is a waste of resources - and a drag on smaller businesses - to do this work twice.


I pay for a vps with a credit card, isn't this essentially the banking system doing the same thing?

No. That's payment, not KYC (identity verification).

AFAIK there's a new law requiring KYC for IaaS providers serving the US. I'm assuming it covers their butts as well regarding malicious activity, they don't want to host a DoS attack, CP site, or similar. You might be hard pressed to find a hosting provider in the US that doesn't ask for these things.

It's only a recent proposal in the US, not law, if you're talking about what I think you are:

https://torrentfreak.com/u-s-know-your-customer-proposal-wil...

>>> Late January, the U.S. Department of Commerce published a notice of proposed rulemaking for establishing new requirements for Infrastructure as a Service providers (IaaS) . The proposal boils down to a 'Know Your Customer' regime for companies operating cloud services...


This is probably what you're thinking of [0]. The comments period is closed, but as far as I know it hasn't actually become a rule yet, and regardless:

* The rule would only apply to people living outside the US, so if you pay with a credit card with a billing address in the US from an IP in the US they probably wouldn't need to KYC you.

* KYC != "send me a photo of you holding your driver's license". I can open a bank account by just typing in my name, address, birthday, and SSN. That's enough KYC for a bank, it would be more than enough for a hosting provider even if that proposed rule became law.

What this company is asking for is beyond the pale even by full finance KYC standards. The most likely explanation is that an automated fraud detection system got set off and OP was selected for a much more rigorous review than they typically do.

[0] https://news.ycombinator.com/item?id=40158752


That is what I'm thinking of, thanks for the context

I’ve never seen this, maybe I'm missing context? Amazon/Google/etc don’t require pictures of ID and CC?

agreed, I don't recall any large cloud or VPS provider asking for an ID.. maybe a French thing?

Source? OVH has had this for years.

Blur everything but your name and photo and then unblur pieces of it until they accept it. Also make sure to watermark it with repeating 10px red text saying “only for purposes of ID verification with OVH.”
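The watermarking suggested above, as an added example that is not code from the thread, from OVH or from any verification vendor: it tiles a dense, diagonal, semi-transparent red text across a scan so the image cannot be reused for a different purpose without visibly carrying the restriction. It assumes Pillow is installed (`pip install pillow`); the file paths, recipient name and date in the watermark text are placeholders to replace with your own.

```python
"""Overlay a repeating, purpose-limiting watermark on a scan of an ID document.

Added example, not code from the thread or from OVH. Assumes Pillow is
installed (pip install pillow); the paths and watermark text are placeholders.
"""
from PIL import Image, ImageDraw, ImageFont


def watermark_id_scan(src: Image.Image, text: str, step: int = 60,
                      angle: int = 30, opacity: int = 120) -> Image.Image:
    """Return a copy of `src` tiled with diagonal, semi-transparent red `text`.

    The tiling is dense so the text cannot be cropped or painted out without
    also destroying the parts of the document the recipient needs to read.
    """
    base = src.convert("RGBA")
    w, h = base.size
    # Draw on a square layer at least as large as the image's diagonal so the
    # rotated tiling still covers every corner after the centre crop below.
    side = int((w * w + h * h) ** 0.5) + 2 * step
    layer = Image.new("RGBA", (side, side), (0, 0, 0, 0))
    draw = ImageDraw.Draw(layer)
    font = ImageFont.load_default()  # Pillow's bundled font, roughly 10 px tall
    text_w = int(draw.textlength(text, font=font))
    for y in range(0, side, step):
        for x in range(0, side, text_w + step):
            draw.text((x, y), text, fill=(255, 0, 0, opacity), font=font)
    layer = layer.rotate(angle)
    left, top = (side - w) // 2, (side - h) // 2
    layer = layer.crop((left, top, left + w, top + h))
    return Image.alpha_composite(base, layer)


def count_marked_pixels(img: Image.Image, green_below: int = 150) -> int:
    """Count pixels whose green channel was pulled down by the red overlay.

    A cheap self-check that the watermark actually landed on the image.
    """
    return sum(1 for _, g, _, _ in img.convert("RGBA").getdata() if g < green_below)


def make_sample_scan(size=(400, 250)) -> Image.Image:
    """Constructed stand-in for a scanned card: a plain light-grey rectangle."""
    return Image.new("RGB", size, (220, 220, 220))


def watermark_file(src_path: str, dst_path: str, text: str) -> int:
    """Watermark the image at `src_path`, save it as PNG to `dst_path`,
    and return how many pixels carry the mark."""
    out = watermark_id_scan(Image.open(src_path), text)
    out.save(dst_path, format="PNG")
    return count_marked_pixels(out)


if __name__ == "__main__":
    # Placeholder recipient and date: name the actual counterparty and purpose.
    marked = count_marked_pixels(
        watermark_id_scan(make_sample_scan(),
                          "ID verification for EXAMPLE-HOST only, 2024-01-01"))
    print(f"{marked} pixels carry the watermark")
```

Keep the opacity low enough that the fields the reviewer must read stay legible, and put the recipient and date in the text rather than a generic phrase, so a copy that turns up elsewhere is tied to one transaction. Note that the reply below says some providers reject edited images outright, so this only helps where the recipient accepts it.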

Places that require this level of identification will generally insist on no watermark or edits. If this is the make-or-break for you, you will end up not proceeding and having given away your ID for naught.

Not in a thousand years.

Here are some vendors that care more about privacy https://kycnot.me/?t=service&q=vps

There are lots of VPS providers, why not just choose one that meets your expectations for privacy, security, etc?

The power of the market is when customers refuse to go along with unacceptable demands.


Well, for me being in the EU with eIDAS docs I have just one response: implement eIDAS and I'll give you a certified ID out of my public docs, nothing else. If you want a proof of my identity you'll get the best proof. Otherwise you just want to scam me or you live in another world.

eIDAS could be simply described as "a smart-card in any document" (so far some EU states have started with identity cards, some with driving licences as well, nothing different from classic/modern e-passports) you can use with a reader and a PIN to identify yourself. The main usage so far is almost only for public administration services, but some examples of private use are discussed and used ante-litteram, for instance as a proof of majority for buying cigarettes from vending machines; some discuss the option of a public SSO identifying a citizen who allows SOME of it (detailed on the redirect page) to be sent to a private party. Nothing exists AFAIK outside the public sector but it is starting to spread. The public became the guarantor of the citizen's identity.

Outside the EU various countries have some form of e-IDs so... It's just about time to streamline them ALSO for contract signing instead of absurd SMS-based signatures on third parties.


I'm pretty sure someone is selling all this private data on the deep web right now. It's not OVH you have to worry about.

The cat is out of the bag. There's no way back.


Of course, you’re not crazy. The more the number of people who just give in, the larger and more widespread this problem becomes.

IMO, this is one of the ways governments get more ideas — to encourage companies or have them collect a lot of data so that they (the government agencies) can legally (or even illegally) demand them for mass surveillance and their expeditions. It’s like a fire hose that won’t stop.


Original poster here. I heard back from OVH that this was their automatic fraud detection system kicking in, and after manual review they removed this requirement. Apparently I made a mistake entering my CC info. Doh...

Now I feel like I jumped the gun posting, but I also feel relieved. In any case, thanks for all the support.


I have not had to do that and might not want to. But nothing on a US driver's license is private information anyway. Banks, credit reporting agencies, car dealerships, landlords, police, etc. all have access to your license info and much more. So I wouldn't call it "incredibly invasive."

Easy to blame the hosting company, or the government, but it's the bad actors and fraudsters and scammers who drive these kinds of rules. I'd rather have to show a hosting provider my ID than have all of their IPs blocked out of the blue one day because they rented a VPS to a scammer or botnet, maybe using my name and credit card number to do it.


> it's the bad actors and fraudsters and scammers who drive these kinds of rules.

Your logic is used by bad teachers in kindergarten to justify group sanction because of a single person's misconduct. I have never seen a bad actor driving rules against his own actions (exceptions exist).

In a society, there will be bad actors. No matter what you do. You can decrease the likelihood of it happening, or mitigate the impact, e.g. by setting rules. Costs for executing these rules should be weighed against the benefits.

If a driver's license is public information, why would they ask for it? If it indeed is public, they don't need to ask for it, because sending it doesn't hold value. If it is not public information, they have to ask for it, and then the fact that you are able to send it to them holds value. Them having the ability to send that information again, can be perceived as, or is, invasive.


> Your logic is used by bad teachers in kindergarten to justify group sanction because of a single person's misconduct.

The rules we're talking about -- know your customer -- don't come from my logic. They got implemented specifically to fight terrorism and funding terrorism and money laundering (originally part of the Patriot Act, 2001). So yes, everyone got sanctioned because of the "misconduct" of a few people. Whether we agree with that approach or not governments often do exactly that kind of thing. It's the nature of governments and laws to apply rules to everyone at once, and frequently everyone gets "sanctioned" by laws that got written because of a few bad actors. I think about that every time I have to go through security to board a plane.

> I have never seen a bad actor driving rules against his own actions (exceptions exist).

I didn't write that the bad actors make the rules. Their actions lead to the rules, e.g. the rules get driven by the bad actors.

> You can decrease the likelihood of it happening, or mitigate the impact, e.g. by setting rules.

Rules tend to work both ways. Laws against drunk driving, to take just one example, seek to both decrease the likelihood of drunk drivers, and to mitigate the impact through enforcement and punishment, and through legal liability. KYC laws seek to do the same thing: prevent money laundering in the first place, and enable enforcement and punishment.

> Costs for executing these rules should be weighed against the benefits.

We could debate how the world should work all day long, but I'll stick with how it actually works.

> If a driver's license is public information, why would they ask for it?

I didn't write that licenses are public information. I wrote "nothing on a US driver's license is private information." See the difference? The opposite of "private" is not "public." Lots of people and businesses have access to that information. My photo and address may as well be public, anyone with a computer can find those. Driver's licenses are issued by states, with your implied consent to give all of that information and let them print it on a card. The invasion, if you want to call it that, happened when you voluntarily obtained the license. As you might expect, the US has laws around privacy of driver's license information:

https://en.wikipedia.org/wiki/Driver%27s_Privacy_Protection_...

So while not exactly public, that information isn't really private, either. Note provision 3 of the Driver's Privacy Act: "For use in the normal course of business by a legitimate business or its agents, employees, or contractors, but only to ... verify the accuracy of personal information." So a VPS provider or any other business needing or wanting to verify a person's identity can ask to see a license as a form of identification. You don't have to show it to them, but they don't have to take your business either.

My license has this information, none of which I think of as particularly private:

- State of issue

- Date of issue and expiration

- License number assigned by the state

- Photo of my face

- My full legal name from my birth certificate (a public record)

- My address at the time I obtained the license

- My date of birth

- My height, weight, hair, and eye color

- My signature

- What kinds of vehicles I can legally operate

Anyone could find out almost all of that with Google. People put more private personal information in their Facebook and LinkedIn profiles.

> If it indeed is public, they don't need to ask for it, because sending it doesn't hold value.

Do you understand the difference between looking up someone's license information in a database, and doing what bar bouncers and banks and apparently French hosting companies do -- asking to see the license in your hands alongside your face? Do you think passports would work if you could just write down your passport number and tell the immigration agents to look it up, because they potentially can do that? The license has value as identification when someone can visually compare it to the person it belongs to, see that the person is in possession of the identification, and confirm at least some of the information on the license -- already vetted in some way by the state -- matches information the person gave. It's a kind of physical two-factor authentication.

> Them having the ability to send that information again, can be perceived as, or is, invasive.

Collecting driver's licenses and then "sending that information again" would violate the law I cited above. If I gave a photo of my license to a hosting company and could then prove they gave or sold that to some other company without my consent, I would have a cause of action in court.


Hosting providers get an obscene amount of fraudulent sign-up attempts, including attempts where they try to assume the identity of the person they have acquired the passport scan/photo of.

I don't like it, but it's very understandable.


I once saw a scammer upload Jason Bourne’s passport to try and validate their VPS account at the provider I worked for lol

Not the actor but Bourne's passport from the movie? Interesting.

Three ways of looking at this:

1. Maybe something about you is triggering their fraud system for step-up verification.

2. They might experience a lot of fraudulent (scammer) users, which is a net negative for anyone who hosts there because ISPs might blacklist that hosting provider's IPs.

3. Maybe they are super serious and KYC all onboarding because they only want super-vetted customers, because it benefits everyone to have a “clean network” (basically the opposite of #2).

Given OVH's super low pricing, my guess is #2.


I think KILT DIDs look to hold the tech answer to this type of problem. https://www.bitdigest.io/posts/taking-control-secure-identit...

I think Hetzner is doing this as well now. I’m assuming they’re required to.

Yes, I recently signed up and they asked for a photo id. Just a photo id, not this ridiculous request.

I ran into this with Hetzner recently, but instead of ID, they also accepted a pre-payment of 20€ (to be used as credit for further purchases).

It's a fraud detection thing.

Get in touch with their support directly. They did this to me but I contacted them and complained, and they approved it without the need for this.


A second passport is an increasingly common answer to these attacks

Like... a fake one, or someone else's?

I'm with OVH and I've not had to do this.

In thinking about this, I think the email is fake and this is an attempt at scamming you.

Go for Hetzner. I am using it and it is great.

Don’t do it

10 years ago I registered a dot-ru and let’s just say the requirements were quite overreaching LOL. I’m embarrassed to admit to the documentation I provided to make it happen. My identity has probably been sold a thousand times by now ¯\_(ツ)_/¯

Why OVH? I've had awful experience using their services... Vultr, Linode, UpCloud, Hetzner are far better options... none of them require this nonsense.

Hetzner has asked some HN'ers for passport scans [0], and in my case, they asked me to consent to a video scan of my face, with some ersatz machine vision [1]. Their loss.

[0] https://hn.algolia.com/?query=hetzner%20passport&type=commen...

[1] https://www.idenfy.com/identity-verification-service/


Hetzner requires me to provide a photographed government ID.

the reason they're doing this is because of credit card fraud. the attacker takes a stolen credit card, signs up for their service, and then runs up a huge bill. when the credit card owner discovers this, they do a chargeback, which means the hosting provider is out the money. do this enough times and the hosting provider gets kicked off their credit card processor and can't take payments anymore.

so yeah, it sucks, especially for privacy aficionados. there are places online that will take your untraceable Monero (XMR) for hosting, but they end up getting used to anonymously host CSAM until the feds take that and hopefully the people creating that down as well.


The issue OP has here isn't that they want anonymity, it's that the demands that this particular hosting provider is making are bizarre.

This is not the norm yet for hosting providers, and you don't have to pay with Monero to avoid having to send a photo of the credit card you used to pay for a service. Just pick almost any other hosting provider and they'll happily accept your credit card via an online checkout flow and be done with it until they get an abuse report.


A decade ago at the provider I worked at we’d routinely ask for id verification like this for accounts that tripped our fraud signal system.

it's not bizarre and totally makes sense from the perspective of the hosting company being used for nefarious purposes and not wanting to get shut down. tragedy of the commons and all.

Yes.

Ultimately the internet is a lawless extremely low trust place, because it isn't limited by borders, so there is no effective law enforcement over a significant fraction of the people on it. Hosting providers bear a fair bit of the brunt of this because they're a staging ground for doing actually evil things.

I want to work with high trust places. I don't want an IP address that was just being used to hack people. I don't want to have to jump through hoops that verify I'm not doing evil things before doing things. I want to be offered things that can't be offered to people who are abusing trust, like generous free trials.

Verifying I'm an actual person in a place where they can pursue me through a functional legal system and functional law enforcement agencies is a step that allows the trust level to be stepped up slightly from "literally none". That's a good thing IMHO.

And I already have no privacy when I'm paying with a credit card under my real name. There's no actual cost here to me.

That said, I'd be very careful I was actually sending that information to a reputable hosting company, because the internet is a lawless place and there are definitely people who would try and pretend to be your hosting company.


> I want to work with high trust places. I don't want an IP address that was just being used to hack people

Then don't use OVH :)


Maybe, I don't have any real opinions on them, but wherever they are this is a step in the right direction with regards to that.

> I want to work with high trust places.

OK, so get off the Internet. Don't fuck it up for the rest of us.



