
Skimming through the article, it seems like the extent of this is to require IAAS (Infrastructure) providers to verify the identity of those who are using their services to train AI. It's an attempt to stymie sanctioned or malicious actors from training AI, and especially from hopping between services or using aliases to continue training on their model.

It seems a bit benign and I don't understand the parallels others on this HN discussion are making. Is it that it's a slippery slope or perhaps I'm being naïve in regards to the scope?


Skimming the regulations, this does not seem right. All IAAS providers (which is everyone who allows customers to run custom code, so it includes any web host like Dreamhost) must verify the identity of foreigners who open an account. This would seemingly entail the service provider needing to verify everyone's identity, in order to figure out who is a foreigner and who is not.

In other words, if you want to run your own Wordpress, or Mastodon node, or your own custom CMS web site or group chat or IRC or bitcoin node, you would need to reveal your identity to the hosting service that you want. This does seem quite bad and could obviously be used to identify political dissidents.

On top of that, the IAAS must report to the US Commerce department about foreigners who are using services to train large AI models.


Aren't you basically revealing yourself anyway because you need to pay them?


AWS has my name and my credit card number. But they have never asked for a photocopy of my passport, my history of international travel, which nationalities I have and so on. Something tells me that for the goal of this law to be achieved, all those details would need to enter the database.


Amazon is certainly supposed to ensure that you are not a sanctioned person or a citizen of a sanctioned country. This was a concern decades ago when I was in shared web hosting... I don't know why it would have changed?


When has big tech had a good history of proactive compliance?


AWS has a denied party screening team and absolutely restricts access to services based on the BIS entity list and other sanctioned parties.


I've been in big tech for a while and oh wow is there a lot of proactive compliance.


Not necessarily (although that doesn't necessarily mean I think this is OK). Payment-card-based verification is a longstanding method of doing prima-facie verification like this. When you give your credit card, you give your billing address and typically your phone number -- if the postal code is a US address and the phone number is a US area code and everything else is consistent with that, that might be all the KYC required. If you appear to be a foreign national operating outside the US, they can flag that and require additional paperwork only then.

This proposed rule looks to me like it basically requires providers to come up with their own verification plans, which may then differ from provider to provider, so as to be "flexible and minimally burdensome to their business operations".

[note for the following: I am not a lawyer. The following is not legal advice. Do not fold, spindle or mutilate. Do not taunt Happy Fun Ball.]

The real danger, I think, with things like this is, there's an executive order that was issued, but it further specified a rulemaking process be conducted to determine the actual regulations that define compliance. The link in the title is to the proposed rule. There's nothing that says any amount of prior public input will necessarily influence the details of the final rule, or that the rule can't change in the future through another rulemaking process, and if it does the only way to challenge it is either to sue the agency on the grounds that it exceeded its discretion (e.g. by making rules that require unconstitutional things) or on the grounds that the enabling executive order is itself unconstitutional -- but these kinds of federal cases have a pretty high bar for what's called "standing" (the legal grounds to bring a particular lawsuit): you pretty much have to suffer concrete harm or be in obvious and imminent danger of suffering it to a grievous degree. (This is one reason you hear about "test cases" -- often somebody will agree to be the goat who is denied something, fined, or even arrested and convicted of a crime, so that standing to sue to overturn the law can be established.) Other times, if a lot of potential defendants already have standing, a particularly sympathetic defendant will be selected for the actual challenge. The US federal courts are also deferential to "agency discretion" by default, as a matter of doctrine.

What happens all too often with these things is, the initial rulemaking is pretty reasonable, and the public outrage (if there was any) dissipates. Then three years (or however long) on, the next rulemaking imposes onerous restrictions and strict criteria, and people suddenly (relatively speaking) wake up and find they're now in violation of federal regulations that they were in compliance with last week. (This is one reason public-interest groups are so critical -- they have the motivation and sustained attention to comb the Federal Register for announcements about upcoming rounds of rulemaking on various topics.)


Thanks, this was useful clarification.


If you rent a VPS in supposedly privacy-conscious Germany they need photo id too :(

Luckily there's other cheap options in Europe like in France.


I don't think that is a legal requirement in Germany. At least Hetzner lets you rent a German VPS or dedicated server without ID. Though Hetzner may require you to submit an ID if you are flagged by their automated systems upon registration.


It was actually Hetzner that didn't want to provision my VPS without Photo ID. I blanked out the SSN as our government tells us to do and they balked at that as well. After I showed them my government's website explaining how and why to do that they were OK with it but at that point the relationship was already soured and I started looking for alternatives.

Maybe they changed it now, but they were asses about it then. I thought it was a legal requirement; they basically said as much, though I don't recall the exact details. It was before the pandemic.

Eventually I just moved to Scaleway in France, which is much nicer and cheaper, and you can even talk to their support on Slack.

PS: I don't do anything nefarious on my servers but I just don't want my ID on file anywhere it's not needed.


There are IaaS services out there that accept bitcoin, monero, or anonymous prepaid charge cards. They aren't an IaaS but Mullvad even accepts cash mailed to them in an envelope.


Is it fair to assume that one can engage in a business relationship with these services outside the US? I'm not sure I see the effect that you are implying. AWS, GCP, Azure don't accept crypto. Mullvad is, as you point out, not an IaaS provider.


Namecheap, Vultr, BuyVm all operate in the U.S. and at times in the past (I don't know if they still do) have either accepted crypto or anonymous charge cards (available for cash at a convenience store), thus making it possible to get a dedicated server or VM totally anonymously. This new regulation would seem to prevent this.


Interesting, I did not know this. The actual anonymity of cryptocurrencies aside, it's good to see these kinds of businesses do still exist.


Some hosts accept alternate payment systems, like gift cards or cryptocurrency. You can also have someone else pay for it with a credit card or bank transfer without giving your name, which can be quite important in some cases. The new rules would presumably make that a crime.


“Say you host spammers and scammers without saying you host them.”


Tbh this is fine by me. It's about time the US stop being the center of the world for internet infrastructure.


I'm reading through the contrarian takes here and thinking, "yeah, I'm kind of OK with that?"

This would make it much trickier for bad actors to get away with everything from online AI scams to swatting. I could live with that.


It would not. They're financially motivated to do what they want. They will find a way around it, e.g. scamming the elderly into signing up for cloud services and proxying their KYC requirements.

There are scammers who walk seniors through signing up with Coinbase, including the KYC requirements, to order bitcoin.


It's fine to make me, a blind person, have to upload a government ID. Cool, dude.


I think you need to re-read my comment.


Post a comment to the federal register.


Good. It’s not 1999.

There are so many malicious actors putting human life at risk in some scenarios it should be possible to figure out who owns what.

Now, I would start with corporate ownership and focus on anonymous entities controlling things like Delaware and Nevada corporations. But that’s me.


You guys are stupid. That's exactly what they want to use it for is to train AI.


It's really not benign as far as I can see. There is an implication that its purpose is to allow providers to start writing reports on foreign users training LLMs (which, incidentally, I'm not condoning either), but in the process it requires every American IaaS to start implementing KYC folly.

No one wants to send in selfies and their passport just to start a Digital Ocean droplet.


I'm curious if the spammers will find a way around this. I would actually like to be ID'd by a provider if that also meant they had no un-ID'd customers. I'd expect their IP range would start to get a pretty good reputation.


The spammers are criminals. They'll just use ID scans and info from data breaches of other companies. Requiring more companies to collect them makes it even worse because now there are more places to exfiltrate them and it makes it easier for criminals to commit identity theft against financial institutions etc.

There are also non-"criminals" who are more than willing to use their actual ID for the sort of things that aren't strictly illegal but will still get your IP space on a bunch of block lists when they can make a buck doing it, so it wouldn't solve the problem even if it could actually identify all of the customers.


And now more people will have their passports pinched, as they'll be opening themselves up to more opportunities to have them stolen. It'll be great to get ready for that overseas trip, or while returning, to find out you now need to visit an embassy because a forged version of it is in use.


It's absolutely folly! Foolishness by the department of commerce. What were they thinking?


I think everyone has a sour taste left over from decades of half-baked laws written by politicians that don't understand the basics of the internet or technology in general.

With that said, I also don't understand the issues people are having with this.


I wonder how they deal with the (hopefully) constant abuse reports aimed at them from providers who are tired of their shady customers doing shady things from their IPs.


They wouldn't.


> With that said, I also don't understand the issues people are having with this.

The regulation "requir[es] U.S. Infrastructure as a Service (IaaS) providers of IaaS products to verify the identity of their foreign customers"

Q: How would one propose to determine if a customer is foreign or not?

A checkbox, perhaps? <rolls eyes>

No bad actor would possibly pretend to be a domestic customer, of course... <rolls eyes again>


That's a strawman. <rolls eyes> It won't be a checkbox, of course... <rolls eyes again>


> That's a strawman [..]

OK, I'll bite. How exactly are [US] domestic users of services supposed to prove they don't need to prove their identity?

EDIT: it reminds me of the Common Travel Area (between Ireland and the United Kingdom of Great Britain and Northern Ireland), which has some glorious inconsistencies. For instance, nationals of Ireland and the UK travelling between those two countries do not need a passport, except when you take an international flight and rock up at IE/UK border control it's fairly hard to prove you are a national who doesn't need to provide a passport without having ... a passport (or equivalent ID).


Have you travelled between the UK and Ireland? You most definitely do not need a passport and do not need "equivalent ID". You can travel (by boat) with a student card, driving licence, photographic travel pass (i.e. over-60s pass, young person's rail pass), or photographic ID from your work.

The check is very much "don't stop walking but hold your ID-looking thing in your hand so a nonchalant man can glance at it". You would attract very little attention with someone else's UK or Irish driving license, a bit more if you decided to test the waters with a weird form of ID.

Children can travel with a birth certificate (no photo).

You need more than this to get on an aeroplane, but that also applies to domestic flights in the UK.

If you get the boat and show eg. a Romanian student card, they might ask you where your passport is, somewhat reasonably since you would have needed it to travel to the UK or to Ireland. They would accept an ID card probably and might let you in with legit looking non-government ID.

That's the sea border. You can cross the land border between the Republic of Ireland and Northern Ireland without any form of ID at all, government-issued, photographic or otherwise. Lots of people do it every day by car or bus and it would not remotely occur to them to take ID with them.

So the Romanian student would have no problem travelling between London and Dublin without showing anything, since they could get a boat Glasgow-Belfast and then get a bus to Dublin.

If this was your best example of governments lying and changing the rules, it's not a very good one (and is also kind of offensive to Irish and British people).


> You need more than this to get on an aeroplane, but that also applies to domestic flights in the UK.

Can you clarify what you mean by "more than this"?

I've travelled on many domestic flights within the UK, and ID is not routinely checked.

> If this was your best example of governments lying and changing the rules

Ouch.

The Common Travel Area has its origins way back in 1923; the rules are clear; no one is lying.

It's just that it's hard to prove you are entitled to its benefits without having an ID document with you that, if you're entitled, it says you don't have to have with you...


When did you last travel on a UK domestic flight? You definitely need government issued ID.

You are suggesting that having to show any photographic ID is the same as having to show a passport. That's obviously silly.

No one has to prove that "they are entitled to not show a passport" by showing British or Irish ID. This is a fantasy.

On the boat everyone, British, Irish or other, has to show ID of some kind. No one has to show a passport. At the land border no one has to show anything.


> When did you last travel on a UK domestic flight? You definitely need government issued ID

"a spokesperson for the CAA, said: “UK aviation security regulations do not require a passenger’s identity to be checked for security purposes prior to boarding a domestic flight, in the same way when travelling within the mainland on a train or bus. Any further requirement on behalf of the carrier to provide identification may be a condition of travel by the carrier itself.”"

https://www.independent.co.uk/travel/news-and-advice/british...


Did you read the headline of that article?

You need government ID to get on a domestic flight in the UK. You also need government ID to get on a flight from the UK to Ireland.

As with the sea border and the land border, this completely invalidates your claim about what ID is required to travel between the UK and the Republic of Ireland.

You don't appear to have travelled between the UK and the Republic of Ireland, ever, or to have flown domestically in the UK since 9/11. You stated above that "they do not check ID on UK domestic flights", not "the CAA does not require ID but all airlines do". The first statement is untrue. Not sure why you are making stuff up in support of an urban legend about the UK/Irish border.

Even if there was a difference between the ID required to board a flight from the UK to the RoI and the ID required to board a UK domestic flight (there isn't - both require govt ID, not necessarily a passport), the situation at the boat and at the land border completely disproves your original claim.


KYC stands for Know Your Customer, and is a core regulation in banking. So we can pivot off that and work through what a bank does to verify your identity.

I signed up for a Mercury bank account a few months back for my Delaware corporation without talking to anyone, so I'll use that as a template.

I can't remember the exact steps, but tl;dr: submit a passport photo / driver's license photo and a photo I take in the app itself. If it was a non-US passport, then they'd dig into a full verification, not just a quick manual check of "is that face the same as the passport/license, is the passport/license ID # valid, and are the photos edited".


You seem to be conceding the point that they would be forced to invade the privacy of their US customers in addition to just foreign ones.


True, I guess I wouldn't call it invading privacy; that sounds a bit overwrought to me. Then banks invade my privacy, the DMV invades my privacy, etc. There are always tradeoffs, I respect people's concern about them, and I wish there was a gentler way to say it.


> Then banks invade my privacy, the DMV invades my privacy, etc.

That is a reasonable and factually accurate statement.

> There are always tradeoffs, I respect people's concern about them, and I wish there was a gentler way to say it.

The tradeoff here is astonishingly bad. Studies have shown that AML/KYC have an effectiveness of less than a fraction of one percent. They continue to proliferate because their largest costs fall on the users rather than the companies, so they're the thing that large corporations suggest as a "solution" when they're being pressured to do something. Because people have the perception that it will do some good, even though that perception is inaccurate.

In reality what they do is provide a means to satisfy "something must be done" in a way that dumps the costs on marginalized users instead of politicians and corporations.


I had to look up what "effective" means in this context, found a couple of crypto blogs using it as a talking point citing a 2011 UN study; the study says <1% of money laundering proceeds are confiscated worldwide, nothing about the laws. Money laundering is defined as an estimate of any money from illegal activity, including tax evasion.


There has been more than one study, and some of them are more recent, e.g.:

https://www.tandfonline.com/doi/full/10.1080/25741292.2020.1...

AML laws are completely ineffective. People can write long papers about why, but the underlying reason is simple. Money is fungible.

If Alice is selling heroin to Bob and the government knows this, they don't need AML laws to arrest them. If they don't know this, even if all of the financial records were 100% transparent and tied to the name on their birth certificates, they still wouldn't know this, because Alice and Bob would just claim the payment is for software licensing or personal grooming services or whatever they want to make up, and neither the bank nor the government has any way to know otherwise until they independently prove the underlying crime. Worse, Alice and Bob don't even have to pay each other. Bob can just buy whatever Alice asks him to with his money and then give that to Alice in exchange for the contraband. Then there is no financial transaction linking them at all.

The entire concept of it simply doesn't work. It's all cost and no benefit.


Yeah, like me. I will not be able to use the internet anymore, literally.


> a photo I take in the app itself

So what else did they pull off your phone? Location data, personal photos, personal files, wifi connections nearby, microphone data, ongoing location data?


Exactly, they just want more mass surveillance.


None of those, just asked for the photo


You said it was their app, correct?

Have you validated that they didn't take the other bits off your phone?


Every modern smartphone has permissions on that stuff for years now. I don't self-peasantize with "but what if..."


You don't understand the issues I, as a blind person, have with it? OK, I have to upload a government ID every time I want to use an internet service. That's stupid. It's also considered a general warrant, and I thought we did away with those long ago.


What laws are you talking about? The Internet has grown a lot, and that's largely because we have smart politicians and strong institutions. I really think the regulation of the Internet has been amazingly good.


For example: CAN-SPAM. If I want to send emails to a list, I have to burn $90 of my scarce dollars every year just for a PO box for the address at the bottom on the off chance someone sends a letter to unsubscribe. Unless I want to put my home address in every email, which I don't, and no one should. Unsubscribe links and highly effective spam filters were already completely standard when the law was passed in 2003. It doesn't matter if the email you send doesn't actually require it because every mailing list provider requires it.


Eh, unsubscribe links were definitely not universal in 2003 and they barely are today. But the situation has definitely improved in the last 20 years.


The point is the rules are daft. A sensible rule would require a functioning unsubscribe process in the email, which every piece of software would then automate as an unsubscribe link. The actual rule requires people to be able to unsubscribe via a postal mailing address, which is unreasonable and ridiculous.


Yeah, who wants to do that? I don't want to, no one wants to. It's a stupid law!


I'm just saying, your earlier comment would have been better without the sentence: "Unsubscribe links and highly effective spam filters were already completely standard when the law was passed in 2003."


The person you're replying to is not the person you're quoting.

But also, the people with unsubscribe links now but not in 2002 would still commonly send their messages from a consistent address, making it easy to block them if you wanted to, and making even primitive spam filters highly effective against them. Meanwhile the people who randomize their from address to prevent this are the people who still don't have a functioning unsubscribe link.



Yep, all of those need to go the way of the crematorium!!!! You forgot FISA and CISA though, how'd you do that?


AI is mentioned, but the scope is significantly larger if you read the full text.


I'm going to need another intelligence to read the full text.

"U.S. IaaS providers and foreign resellers of U.S. IaaS products must exercise reasonable due diligence to ascertain the true identity of any customer or beneficial owner of an Account who claims to be a U.S. person."

So at a minimum, everyone's identity is verified by IaaS provider. If you claim to be a non-U.S. person, additional information is collected.

They mention looking at comments from a previous proposal in 2021, "Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities" https://www.federalregister.gov/documents/2021/09/24/2021-20...

Who counts as IaaS besides Amazon, Azure, and GCS?


Dreamhost, Wordpress, etc


This is not the industry-standard or NIST definition of these terms. Something like Google Workspace Suite is Software as a Service. Something like Heroku (or Dreamhost or Wordpress) is Platform as a Service. Something like EC2 and S3 is Infrastructure as a Service. The distinction is renting out undifferentiated server space that a customer installs their own software onto. If you rent a VPS from Linode and install self-hosted Wordpress, that's IaaS. If you buy Wordpress's managed hosting, that's PaaS.


Well, it may not be the industry standard definition, but it is the definition used in the actual regulation:

-------

Infrastructure as a Service product or IaaS product means a product or service offered to a consumer, including complimentary or “trial” offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications. The consumer typically does not manage or control most of the underlying hardware but has control over the operating systems, storage, and any deployed applications. The term is inclusive of “managed” products or services, in which the provider is responsible for some aspects of system configuration or maintenance, and “unmanaged” products or services, in which the provider is only responsible for ensuring that the product is available to the consumer. The term is also inclusive of “virtualized” products and services, in which the computing resources of a physical machine are split between virtualized computers accessible over the internet (e.g., “virtual private servers”), and “dedicated” products or services in which the total computing resources of a physical machine are provided to a single person (e.g., “bare-metal servers”).

-------

So Dreamhost counts; any web host where you can run arbitrary PHP code would count. Wordpress.com -- where you cannot actually modify the PHP code yourself -- would not count as IaaS. But any web host that allows you to install applications on your own, or run any of your own code, would count as IaaS by this regulation.


> Wordpress.com -- where you cannot actually modify the PHP code yourself -- would not count as IaaS.

However, I am able to write a WP plug-in and install it on my Wordpress.com account. In that case, I am modifying PHP code and running it. Sure, it might not do "AI" stuff but it can do some stuff and I'm assuming that the law would transmute over time to include stuff other than "AI" stuff.


Wordpress clearly does not meet the definition of IaaS in the document.

> provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications


Services like GitHub Actions, Google Colab, and web-based IDEs likely meet this definition though, as they let users execute their own custom code on their cloud. So basically all developer stuff may require an ID check.


That was just part of the definition that I quoted.

In the full context, it is quite clear it is targeting things like EC2, dedicated hosting, etc.

https://www.federalregister.gov/d/2024-01580/p-46

I don't think it's reasonable to read this as if MS Excel qualifies as an IaaS.


Does Scratch count?


Can you not add plugins to Wordpress?


You cannot install Debian or Windows 11 on Wordpress.


It applies to any "software that is not predefined". An OS is just a non-exhaustive example of one type of software that applies.


The next sentence is:

> The consumer [...] has control over the operating systems, storage, and any deployed applications.

That was just a snippet of the full definition here:

https://www.federalregister.gov/d/2024-01580/p-46


There are two possibilities here.

First, the rule applies to WordPress and all that kind of thing, and then providers would have to KYC WordPress users. Which is a reason not to pass it.

Second, the rule is completely pointless, because it doesn't, and then anyone could create an AI training WordPress plugin that uses whatever arbitrarily fast hardware the server has and thereby easily bypass the rule. Which is a reason not to pass it.


That's silly, no Wordpress hosting has H100 GPUs hooked up to it.

If you skim the full context of this proposal and the topics it focuses on (dedicated servers, virtual servers, AI acceleration), and you've been paying attention to current geopolitics in these areas (top chips being sanctioned), it is completely obvious that the goal here is to prevent things like evading sanctions by renting hardware instead of buying it.


What stops them? You could have a WordPress plugin that uses Stable Diffusion to generate images, or encodes uploaded video, or provides an AI chatbot, and needs fast GPUs because there are a lot of users. Providers will supply anything the customer is willing to pay for. The expected AI plugins would be doing inference rather than training, but the user could use the same hardware for plugins that do something else.


> Providers will supply anything the customer is willing to pay for.

I suppose every company and every service should be in scope for KYC then. /s

But the reality is that Wordpress hosts are not in the business of renting people dedicated servers the price of a nice house. And if they were asked to do so, it wouldn't be a simple automated request without scrutiny.


In 2010 it wouldn't have been an automated request. Now there is plenty of demand for it to do inference and some providers are likely to start offering it if they don't already. You're also assuming the providers are interested in preventing foreigners from using their systems for AI training, rather than being interested in making as much money as possible without violating the letter of the law.

The latter is one of the reasons rules like this are simultaneously so expensive and ineffective. Provider A decides to KYC everybody because they're big and risk averse, so the rules inconvenience millions of innocent people. Provider B wants to make money selling GPUs to foreigners, so they implicitly choose a structure that allows that to happen if the rules contain any loopholes whatsoever. (This is ignoring that foreign customers could just switch to foreign hosts and cost US companies business for no reason.)

And if the premise is the level of resources being consumed rather than the type of service then why don't the rules exempt anyone spending less than e.g. $50,000/month? That would be almost everyone while still not being anyone buying enough compute to do major AI training. It still wouldn't work but at least it would have much less overhead.


I don't think anyone is under the presumption that these requirements are bulletproof. The point is to just target one big glaring loophole.

> $50,000/month? That would be almost everyone

It might be almost every individual developer. But that isn't really a huge cloud spend at all for an organization.

https://www.cloudzero.com/wp-content/uploads/2023/10/flexera...

But speaking of loopholes, what do you think bad actors would do if you told them that they weren't subject to KYC under a certain dollar amount? lol


> It might be almost every individual developer. But that isn't really a huge cloud spend at all for an organization.

That's kind of the point. It excludes all of the individuals and small businesses and makes it unambiguous that it doesn't apply to someone paying $10/month for a VPS to use as a VPN endpoint for privacy.

> But speaking of loopholes, what do you think bad actors would do if you told them that they weren't subject to KYC under a certain dollar amount?

In some hypothetical world where the rules were actually effective? Spend $49,000 and then create a new account, which would be highly suspicious and still cause them to get caught.

In practice? Use a cooperative provider (Wells Fargo as a hosting company), or one in another country, the same as they would do regardless.


The whole SUV category of vehicles was spawned as a workaround for the Energy Policy and Conservation Act of 1975. Demand blocked by laws leads to weird mutations.

I'm thinking that this will simply promote cloud providers that operate outside America, sort of like Binance and FTX were "forced to exit" the US market. Not a bad result.


"and applications", not just operating systems.


I think it’s most reasonable to read that as “includes [all of these examples]” not “excludes if it can’t [any of these examples]”

AWS Lambda would clearly (IMO) be in-scope as IaaS by this definition, as an example, even though I can’t install another OS.


AWS Lambda qualifies because it is part of AWS and an AWS account gives you access to EC2 which definitely qualifies.


Literally every software that you can host.

This effort will end anonymity on the internet. For everyone.

Crypto was just the beginning. Next is end-to-end encryption. And it's going on worldwide, not just in the USA:

https://community.qbix.com/t/the-coming-war-on-end-to-end-en...


edit: Vultr info is wrong. They don't have anonymous use anymore.

Vultr, for example.

There are high-quality IaaS providers that accept bitcoin for payment, allowing someone to host a server on their platform without revealing their identity.


Vultr requires a card linked for ID verification even if paying with BTC. Or at least they did in the past when I tried.


Interesting. I can't even create an account with a privacy address (passmail.net forwarding). Wankers.

You are correct. "Account must be funded by credit card or PayPal before making a Bitcoin deposit." No more anonymity on Vultr.


In their definition, everything does, HN included.


Given that top GPUs are sanctioned, I'm sure preventing access to them remotely is a part of this. But just generally speaking, doing any malicious crap out of an EC2 instance is an easy way for a foreign actor in China/Russia/Iran to look more legit.


As if they won't just use a stolen identity. And like usual the victim will never even find out because it won't show up on their credit report.


Of course, people who want to circumvent laws will always attempt to do so. That doesn't mean all legal mitigations are useless.


Indeed it does not.

But that also doesn't mean this legal mitigation is either useful or worthwhile.


It's still just for IaaS companies, though, right?

Not that that makes this all okay, but it is a much more limited proposal than "internet services" makes it sound.


IaaS is defined as a provider of computing resources that allows you to run software that is not predefined. So that would seem to include basically every web host. If you can install Wordpress or Mastodon on the servers they provide, they are an IaaS.


Legally speaking, internet service providers are infrastructure providers.


Definitely not in this case (unless you're using Digital Ocean as a VPN end point or something). EO 13984 (which is cited as the enabling act) has a narrow definition:

(e) The term “Infrastructure as a Service Product” means any product or service offered to a consumer, including complimentary or “trial” offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications. The consumer typically does not manage or control most of the underlying hardware but has control over the operating systems, storage, and any deployed applications. The term is inclusive of “managed” products or services, in which the provider is responsible for some aspects of system configuration or maintenance, and “unmanaged” products or services, in which the provider is only responsible for ensuring that the product is available to the consumer. The term is also inclusive of “virtualized” products and services, in which the computing resources of a physical machine are split between virtualized computers accessible over the internet (e.g., “virtual private servers”), and “dedicated” products or services in which the total computing resources of a physical machine are provided to a single person (e.g., “bare-metal” servers).

(https://www.govinfo.gov/content/pkg/FR-2021-01-25/pdf/2021-0...)


That's not a narrow definition.


Do you have a basis for this claim or are you just throwing it out there to see if it catches on? The document linked refers to IaaS, which as an acronym definitely does not include ISPs.


In practice, as long as a definition can conceivably cover something, the DOJ or some agency will use it. Case in point from yesterday: money transmitter as applied to arresting the developers of a NON-CUSTODIAL wallet, as part of a wider war on crypto mixing:

https://www.coindesk.com/policy/2024/04/24/samourai-wallet-f...

This comes amid a war on end-to-end encryption, and so on. It's not like they are going to stop here.


Reading the definition https://www.federalregister.gov/d/2024-01580/p-46 and the paragraph following it, it's intentionally broad and i'd say it's not that much of a stretch to say ISPs provide services that match this.


Some AI services such as Synthesia (https://www.synthesia.io/ethics): "Your avatar can be created only with your explicit consent, following a thorough KYC-like procedure. Complete control: Our platform ensures you can decide"


There are probably very few ISPs that can fall outside of this standard. For example if your provider provides e-mail, it's providing infrastructure. And yet, the slope can get much more slippery than this.


Please read EO 13984 before proceeding further. Is the user able to run custom software directly with a customary ISP (because that's in the definition)? I agree with EGreg that they can possibly twist this, but as written it's actually narrower than you think.


This won't work. Foreign nations have enough skill and resources to pass KYC as a citizen (steal someone's documents, pay a homeless person for verification etc). And as I understand, the US doesn't have a central citizen database so it is difficult to verify a document.


It's funny they don't need ID to vote but they'll need one for a VPS.

EDIT: I know it's about IaaS.


That isn't even the first reason it won't work.

Computing is a global commodity. There are providers in other countries. They would just use one of those.


It's not meant to work.


True that!


From the executive order (Executive Order 14110) it seems to affect only massive compute infrastructure:

> (i) any model that was trained using a quantity of computing power greater than 10^26 integer or floating-point operations, or using primarily biological sequence data and using a quantity of computing power greater than 10^23 integer or floating-point operations; and

> (ii) any computing cluster that has a set of machines physically co-located in a single datacenter, transitively connected by data center networking of over 100 Gbit/s, and having a theoretical maximum computing capacity of 10^20 integer or floating-point operations per second for training AI.

Keep in mind that most consumer graphics cards are in the _teraflops_ range, which is 10^12. It's hard to imagine this affecting the average person, it seems that they are specifying KYC for people using clusters with thousands or tens of thousands of cards.


No, that is just one part of it. The proposed rules are intended to cover both EO13984, which addresses foreign entities using US IaaS for Cyber attacks, and EO14110 which addresses foreign entities using AI hardware.

They require all IaaS[1] to determine if customers are US persons, and if not to collect and retain certain identifying information[2], and provide annual reports describing their processes[3]. It grants the Secretary of Commerce extra-judicial power to force any IaaS to stop doing business with any foreign customer, or place restrictions on their use[4]. This section lists things that the Secretary should consider in doing so, but doesn't have any hard requirements. Finally, it requires the IaaS to report certain foreign use of AI[5].

[1]§7.301 https://www.federalregister.gov/d/2024-01580/p-189

[2]§7.302 https://www.federalregister.gov/d/2024-01580/p-219

[3]§7.304 https://www.federalregister.gov/d/2024-01580/p-266

[4]§7.307 https://www.federalregister.gov/d/2024-01580/p-377

[5]§7.308 https://www.federalregister.gov/d/2024-01580/p-403


> It grants the Secretary of Commerce extra-judicial power to force any IaaS to stop doing business with any foreign customer

This can backfire, as foreign customers of public clouds may switch to local providers, which erodes the US near-monopoly on cloud services. Ironically this can reduce the visibility and control the US government has over foreign nation states.

E.g.: most of the Australian government is hosted in either Azure or AWS. That kind of thing might stop if extrajudicial power is granted to pull the plug on any customer on any time.


If they’re inspecting what people are running on GPU instances to report that information back to the US government it’s going to give a lot of people pause for thought. It’s basically violating guarantees that many businesses have with cloud providers.


> Keep in mind that most consumer graphics cards are in the _teraflops_ range, which is 10^12.

Something like 40 of them, or 100-300 if you're looking at FP16. So well over 2^14.

And that's per second, give it your idle cycles for four months and that's 10^7 seconds.

It gets pretty close to 10^23.


> Is it that it's a slippery slope or perhaps I'm being naïve in regards to the scope?

This. Also, it won't stop malicious actors. Setting up an LLC to mask your true identity is cheap and easy. Not to mention that providing a fake identity or pretending you are not a "foreign person" is also cheap and easy.


I'll certainly get one, or two, if this goes through.


> seems like the extent of this is to require IAAS (Infrastructure) providers to verify the identity of those who are using their services to train AI.

Only foreigners.

> It's an attempt to stymie sanctioned or malicious actors, from training AI and especially from hopping between services or using aliases to continue training on their model.

Unlikely, since it exempts non-foreign malicious actors.


On top of that, it is to identify FOREIGN users

>>"require U.S. IaaS providers to verify the identity of foreign users of U.S. IaaS products, ... which calls for the Department to require U.S. IaaS providers to ensure that their foreign resellers verify the identity of foreign users. E.O. 14110 also provides the Department with authority to require U.S. IaaS providers submit a report to the Department whenever a foreign person transacts with them to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity."

We damn well SHOULD be identifying foreign users of our services, particularly those which have high-powered potential to cause harm.

This knee-jerk [govt identifying anybody is bad] response prevalent here deeply undermines the cause of actually maintaining privacy. There are actually very bad actors out there, and if we fail to identify and contain them, things will be far worse. The reality is that some measures must be taken — let's focus on containing the real threats, not cry foul at every shadow of a hint that we might approach a slippery slope.


> It seems a bit benign

This seems, to me, an utterly malignant attack on anonymity, which is a protected constitutional right. It's the idea that every internet packet needs to be tied back to some verified identity. We're in frog-boiling territory with this garbage.


There is no absolute right to anonymity in the US constitution.

(The courts have "recognized relatively strong First Amendment presumptions on behalf of purveyors of anonymous speech, especially for those that are statements of opinions rather than obvious falsehoods, while recognizing that government sometimes has the right to identify such speakers when they have used their platforms to harass, engage in slander or sexual predation, make true threats, or allow foreign governments to influence U.S. elections")


How is one supposed to exercise their right to anonymously express political opinions if anonymity is prohibited by law?


There is no right to anonymously express political opinions.

There is a right to express political opinions, but anonymity is a privilege, not a right.



I see controversy and a lot of dissent among Justices, but no decisions that explicitly declare a Constitutional right to anonymity.

And the modern Court explicitly declared that a Constitutional right to privacy does not exist, and one cannot have anonymity without privacy, so no.


> I see controversy and a lot of dissent among Justices,

Precedent is set by the majority, not the dissent.

> but no decisions that explicitly declare a Constitutional right to anonymity.

Weird then that there are several decisions striking down laws that violate the right to anonymous speech?

> And the modern Court explicitly declared that a Constitutional right to privacy does not exist, and one cannot have anonymity without privacy

One cannot refuse to turn over one's papers and effects in the absence of probable cause without privacy either.

Consider the possibility that there could be a right to anonymous speech without a right to anonymous practice of medicine. A universal right to privacy would require both. Just because it isn't both doesn't mean it's neither.


>One cannot refuse to turn over one's papers and effects in the absence of probable cause without privacy either.

Yes. I believe a right to privacy once existed, but it was nullified as it formed the basis of the case for Roe v. Wade. As a result even the Fourth Amendment is weakened because it must be interpreted in the light of a right to privacy no longer existing.

What I'm trying to put forth is that the assumptions you're working under are no longer valid and we've thrown the baby out with the bathwater.


> I believe a right to privacy once existed, but it was nullified as it formed the basis of the case for Roe v. Wade.

It was kind of the other way around. There is clearly no explicit right to abortion in the constitution, so to find one it would have to be implicit, but the Court in Roe wanted to find one, so they made one up. The reasoning was something like, the constitution implies there is a general right to privacy and laws against abortion violate it. The people who liked the result were then stuck trying to defend its inconsistent reasoning for 50 years, because the same logic would cause all kinds of other laws to be a violation of the same right. Obvious example would be drug prohibition; government invading your privacy by trying to control what you put into your own body. Same logic as Roe.

But Roe was never actually extended to any of that stuff, so overturning it didn't re-enable drug prohibition after it was struck down, since it was (inconsistently) never struck down to begin with.

The cases having to do with anonymous speech are independent and use entirely different logic. The general idea is that people are deterred from speaking (chilling effects) if people can associate what they have to say with a physical person who can then be harassed for expressing an unpopular opinion. It doesn't have any of the same problems because there is no First Amendment right to morphine, which they could ban outright under the same justification as they ban heroin, so having to show your ID to get morphine isn't deterring you from exercising your right to free speech.


The converse would have to be true then, that the government has the legitimate power to intimidate people to not express their opinion. This does not seem like a legitimate power for government to have, but now I need to be careful whether I express it at all.


Laws against slander, libel, intimidation, conspiracy, perjury, etc are based upon the government's power to intimidate people from expressing opinions. It is a felony in the US to express the opinion that the President should be killed. Speech in the US has never been a free for all.


Those are not opinions, they're provably false statements or threats. Conspiracy is essentially committing a crime as a group rather than an individual, and the statements are the evidence of the crime rather than the crime in itself.

The closest the government comes to prohibiting an opinion is copyright, but even then you can restate the opinion in your own words, and when an exact quote is necessary to make your point it's fair use specifically because it would otherwise violate free speech.


> It's the idea that every internet packet needs to be tied back to some verified identity

There have been multiple attempts to do this, via KOSA and a few others lately in our Congress. PR-friendly candidates like Duckworth have been trying to walk this through the system.


The more information they keep, the more they will expose it in data breaches, or sell/share it with others.


This is a terrible idea!




> You're calling a collection and storage of your personal information as "benign"?!

All major cloud services already collect this information. I filled in the bare minimum on AWS, and they've got my full name, address, phone number, email, and credit card details.


They collect biometric data (selfie) plus a copy of your drivers license? That's a big part of KYC/AML.

That's a huge difference from address, email, CC number.


You should really read patio11's article on KYC [0]. A relevant paragraph:

> Many people believe that the law requires a bank to see your government-issued ID in person to open a bank account. Again, this is incorrect; the law very rarely requires any particular action. The most prescriptive the US gets is that the sort of KYC information required about a customer include their true identity, including a name (not, incidentally, their “true” name because governments actually have some glimmer of understanding that that is not a thing which exists), a residential address, their date of birth, and an identifying number.

[0] https://www.bitsaboutmoney.com/archive/kyc-and-aml-beyond-th...


Looks like his argument is that randomized and client to client based rules are better. To some extent I agree.

However, it's inconsistent and we have a government that is punitive, which is why I see that these KYC approaches are reactive to that. There's not punitive measures for violating privacy concerns and storing/profiting from this data.

In practice, to buy crypto, you have to give a disreputable private entity (crypto exchanges have a terrible history of not being scummy.. is cryptobase good? only time will tell) very sensitive documents.


Your biometrics and gov ID data don't have to be collected or stored by the provider.

They can be used during the identity check and deleted right after, without ever entering the provider's infrastructure (assuming they are using a trusted 3rd party).
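One way to build the arrangement described in that comment is to have the third-party verifier consume the documents and hand the provider nothing but a signed attestation, so the provider can show it formed a "reasonable belief" about identity and US-person status without ever holding a passport scan or selfie. The following is an added illustration, not code from the thread or from any real KYC vendor: the verifier, the claim format, the sample submission and the shared key are all constructed for the example, and an HMAC stands in for the asymmetric signature a real verifier would use so that the provider could not mint attestations itself.

```python
"""Data-minimizing identity verification: the verifier sees the documents,
the provider stores only a signed attestation. Constructed example; the
verifier, claim layout and key are stand-ins, not a real vendor's API."""
import hashlib
import hmac
import json
import time

# Constructed shared secret between verifier and provider. A production
# design would use an asymmetric signature (e.g. Ed25519) so the provider
# cannot forge attestations; HMAC keeps this example stdlib-only.
VERIFIER_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample of what a customer would upload to the verifier.
SAMPLE_SUBMISSION = {
    "customer_id": "cust-0001",
    "document_type": "passport",
    "document_number": "X1234567",       # constructed
    "selfie_bytes": b"\x89PNG...fake",   # constructed placeholder
    "declared_country": "DE",
}


def _canonical(claims):
    # Deterministic encoding so verifier and provider MAC the same bytes.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def verifier_check_identity(submission, key=VERIFIER_KEY, now=None):
    """Runs at the trusted third party. Consumes documents and biometrics,
    emits only the facts the provider needs: identity verified yes/no,
    US-person determination, a timestamp and an opaque reference."""
    # Stand-in for real document authenticity and liveness checks.
    doc_ok = bool(submission.get("document_number")) and bool(submission.get("selfie_bytes"))
    claims = {
        "customer_id": submission["customer_id"],
        "identity_verified": doc_ok,
        "us_person": submission["declared_country"] == "US",
        "issued_at": int(now if now is not None else time.time()),
        # Keyed reference: lets the verifier re-link a later inquiry, but the
        # provider cannot brute-force it back to the low-entropy document number.
        "doc_ref": hmac.new(key, submission["document_number"].encode(),
                            hashlib.sha256).hexdigest()[:16],
    }
    mac = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "mac": mac}


def provider_accept_attestation(attestation, key=VERIFIER_KEY, max_age_s=300, now=None):
    """Runs at the IaaS provider. Checks the MAC in constant time, rejects
    stale or negative attestations, and returns the minimal record to
    persist. Raises ValueError on any failure."""
    expected = hmac.new(key, _canonical(attestation["claims"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, attestation["mac"]):
        raise ValueError("attestation signature invalid")
    c = attestation["claims"]
    t = now if now is not None else time.time()
    if t - c["issued_at"] > max_age_s:
        raise ValueError("attestation expired")
    if not c["identity_verified"]:
        raise ValueError("identity not verified")
    # Only these fields are stored: no document image, number or selfie.
    return {
        "customer_id": c["customer_id"],
        "us_person": c["us_person"],
        "doc_ref": c["doc_ref"],
        "verified_at": c["issued_at"],
    }


def attestation_accepted(attestation, **kwargs):
    """Boolean wrapper around provider_accept_attestation for quick checks."""
    try:
        provider_accept_attestation(attestation, **kwargs)
        return True
    except ValueError:
        return False


def stored_record_leaks_document(record):
    """True if raw document or biometric fields leaked into provider storage."""
    return any(k in record for k in ("document_number", "selfie_bytes", "document_type"))


if __name__ == "__main__":
    att = verifier_check_identity(SAMPLE_SUBMISSION)
    print(provider_accept_attestation(att))
```

The point of the split is that a breach at the provider yields a table of booleans and opaque references rather than a stack of passport scans; whether the verifier itself deletes the originals promptly is a contractual and audit question that this structure does not answer on its own.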


> They can be used during the identity check and deleted right after, without ever entering the provider's infrastructure

You trust them to delete it right after? What about the human reviewers in other countries that are working at home taking pictures of their laptops with your id on it?

> trusted 3rd party

You trust that 3rd party's intent and word? It's pretty weird to bring another company to steal your data and details.


At a quick reading, it doesn't sound like those are requirements. It also doesn't look like any documentation is technically required. One of the methods permitted is "Verification through non-documentary methods".


Do you mind expanding on what "non-documentary methods" means?


It is all defined in TFA:

https://www.federalregister.gov/documents/2024/01/29/2024-01...

The TL;DR is that it can be whatever the provider wants, as long as it:

* includes name, address, email, phone number, IP address, and payment information,

* is written down,

* gives them a "reasonable belief that it knows the true identity of each customer"

* and "a sound basis to verify the true identity of their customer and beneficial owners and reflect reasonable due diligence efforts".


> * gives them a "reasonable belief that it knows the true identity of each customer"

> * and "a sound basis to verify the true identity of their customer and beneficial owners and reflect reasonable due diligence efforts".

I'm reading into that in a conservative manner where it's "internally justified" that going the full privacy-abusive route is justified. "Reasonable due diligence" is respective to the organization that could be punished, not a public sense.

Given that it's at the company's discretion of diligent checks, I can completely see their more aggressive requirements of "your biometrics, copies of your official documents, 20 years of criminal background checks, a polygraph, approval by the Democratic National Party for appropriate speech, history of pornography consumption" being the standard.

We're not getting a solution from the government that's a secure "is this person a US citizen?"/"Valid for IaaS service?" data point. The business is receiving all of the data to ask that question and are not trustable entities.


If the business is not a "trustable entity", then why are you using them for hosting?


You have no choice.

Going down the argument of "don't use anyone you don't trust" brings up the argument of.. well why are you paying Experian?

Where I'm getting to with this is: we oftentimes don't have a choice, the choice that looks like we have is untrustable in the future, and we're being aggressively pushed into a situation where you have people of questionable interests. This rule/law encourages them to collect it, but there's no aggressive lifestyle-ending punishment for crossing the line.


??? There's nobody forcing you to have an account at a cloud provider. There are many other choices.

If you really do not trust someone else to operate a computer on your behalf, you can operate one yourself.


> propose regulations requiring U.S. Infrastructure as a Service (IaaS) providers of IaaS products to verify the identity of their foreign customers,

Sounds like solid policy to me.


And how do you know that one customer is a foreign one and one is not?


That is outlined in §7.302

The TL;DR is that they must collect name, address, email, phone number, IP address, and payment information and use that information for "verifying the identity of each foreign customer to the extent it enables the U.S. IaaS provider or foreign reseller of U.S. IaaS products to form a reasonable belief that it knows the true identity of each customer."

AWS already has all of this information on my account.


How does an email correspond to your location?

My email goes through Switzerland and I have a domain address that ends in ".de". Am I a US resident, German, or Swiss?


It doesn't correspond to location any more than "name" does. But it is useful, in conjunction with other things, for determining identity, which is what those requirements are about.


Same way banks do. Documentation.


Data is submitted voluntarily - I'm curious how thorough the submitted data is and which jurisdictions opt not to report.

I imagine it's not in the interest of public officials to submit data which weakens their authority, undermines or invalidates their positions - and that opposite holds true too.

The data seems less than substantial because it's not thorough nor potentially accurate, even when collected. Perhaps there's substance in comparing data here to data elsewhere to highlight official intent.

It's neat they have a public-facing API.


I realize you're making a direct reference but scare-quotes seem more applicable.

https://en.wikipedia.org/wiki/Five_Eyes "documents of the FVEY have shown that they are intentionally spying on one another's citizens and sharing the collected information with each other"


Check out Synology NAS

They're extremely versatile with loads of first & third party apps, protocols, integrations, and possible connections.

You can use the cloud as a backup or hybrid, or even stick another NAS elsewhere and make your own cloud of sorts. I don't have experience with load balancing to different sites but it's probably possible.

The backup features are tough to beat cost and function-wise, especially for m.365, g.workspace and hypervisor/vm.

They connect to both enterprise and personal cloud stuff (azure, OneDrive, Google drive, etc.) They also provide iscsi, replication and so much more.

And yes there are mail and calendar apps provided by Synology. You can also find and install third party apps for it, as well as use docker to host anything.

Oh and some of the apps like "photos" can replace, for example, Google photos both the service and phone app. It will do face recognition and automatic scene recognition all on-device.

I've probably only barely touched on what they can do, all without a steep learning curve.

They're the bee's knees.


I wonder if he purchased the license through a vendor which supports o365, or from Microsoft directly.

It sounds like he's the sole user on an o365 account. I wonder if his account was compromised leading to the loss of access. Seems kind of negligent on his behalf if he's the sole (admin) user. If his company has compliance requirements, meeting them would have likely addressed this issue.

Quick temporary fix would be to change public-facing DNS records: MX and likely (hopefully) SPF & DKIM, pointing them to a different mail host. At least that way he could get his email.
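The DNS repointing that comment suggests is easy to get half-done: MX moved but SPF still authorizing only the old provider, or the new DKIM selector never published, which turns an outage into a deliverability problem. Below is an added checker, not code from the thread, that validates a set of records against the target provider; the record snapshots, the `old-provider.example` and `newmail.example` hostnames and the `nm1` selector are all constructed for the example, and in practice the record lists would come from `dig`/`nslookup` output rather than literals.

```python
"""Validate that a mail domain's MX, SPF and DKIM records have been cut over
to a new provider. Constructed example; hostnames and record values are
stand-ins, not any real provider's records."""
import re

NEW_PROVIDER = "newmail.example"   # constructed target provider
DKIM_SELECTOR = "nm1"              # constructed selector the new provider signs with

# Constructed snapshots of the zone, keyed by record type (DKIM under its selector).
RECORDS_BEFORE = {
    "MX": ["0 mx.old-provider.example."],
    "TXT": ["v=spf1 include:_spf.old-provider.example -all"],
}
RECORDS_AFTER = {
    "MX": ["10 mx1.newmail.example.", "20 mx2.newmail.example."],
    "TXT": ["v=spf1 include:_spf.newmail.example -all", "site-verification=abc123"],
    "nm1._domainkey.TXT": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq...constructed"],
}


def _in_zone(host, zone):
    """True if host is zone itself or a subdomain of it (no suffix tricks)."""
    host, zone = host.lower().rstrip("."), zone.lower().rstrip(".")
    return host == zone or host.endswith("." + zone)


def parse_mx(mx_records):
    """'10 mx1.host.' -> [(10, 'mx1.host')], sorted by preference."""
    out = []
    for r in mx_records:
        pref, host = r.split(None, 1)
        out.append((int(pref), host.rstrip(".").lower()))
    return sorted(out)


def find_spf(txt_records):
    """Return the single SPF record, or None if absent or duplicated
    (RFC 7208 treats multiple v=spf1 records as a permanent error)."""
    spf = [t for t in txt_records if t.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def spf_includes(spf, zone):
    """True if any include: mechanism points into the given zone."""
    return any(_in_zone(m, zone) for m in re.findall(r"include:(\S+)", spf, re.I))


def check_cutover(records, new_provider=NEW_PROVIDER, dkim_selector=DKIM_SELECTOR):
    """Return a list of problems; an empty list means the cutover looks complete."""
    problems = []
    mx = parse_mx(records.get("MX", []))
    if not mx:
        problems.append("no MX records")
    for _, host in mx:
        if not _in_zone(host, new_provider):
            problems.append(f"MX still points at {host}")
    spf = find_spf(records.get("TXT", []))
    if spf is None:
        problems.append("missing or duplicate SPF record")
    else:
        if not spf_includes(spf, new_provider):
            problems.append("SPF does not authorize new provider")
        if not spf.rstrip().endswith(("-all", "~all")):
            problems.append("SPF lacks a -all/~all terminal mechanism")
    dkim = records.get(f"{dkim_selector}._domainkey.TXT", [])
    if not any(d.startswith("v=DKIM1") and "p=" in d for d in dkim):
        problems.append(f"DKIM selector {dkim_selector} not published")
    return problems


if __name__ == "__main__":
    for label, recs in (("before", RECORDS_BEFORE), ("after", RECORDS_AFTER)):
        print(label, check_cutover(recs) or "OK")
```

Two caveats the check does not cover: the old provider's DKIM selector should stay published until its outbound queue drains, or already-sent mail fails verification, and the SPF record must stay within the ten-lookup limit once the new include is added.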


It’s pretty easy to blame the user, but Microsoft guides users into some terrible decisions, especially for small businesses. My biggest complaint is how they encourage using a day-to-day account (ex: me@example.com) as a global admin. That’s a massive risk for small businesses.

I always set up dedicated, unlicensed admin accounts for small businesses. Having a dedicated admin account should be a top priority, but MS keeps streamlining the process of making the first user a global admin.

I wouldn’t want to change my mail provider in this situation. It would be disruptive and splitting mail between two systems creates a mess that’s a pain to clean up.

I hope this guy wins and I hope a regulator brings the hammer down on Microsoft if he’s relying on them to meet his data retention obligations.


You'll be surprised that non-technical users will just keep trying with the vendor until fixed.

They won't help themselves and just switch and wait for the other provider to fix.


How many of the signatories are invested in companies which are creating AI or competing with the current-leaders of LLM / Generative AI?


Education and resources for things to that end are potentially being directed and filtered by and through a self-perpetuating "bureaucracy of thought" product and marketers, which, allegedly, demands strict adherence and conformity with their dogma, beliefs, and potentially facts if some topics are taboo.

The article & discussion are relevant to hackernews in many respects: subversion is often construed with hacking; education and hacking.

If you believe the topic taboo, then your taboo is being 'hacked'.

I concede that the primary goal is likely to foster discussion among individuals found on hackernews as opposed to informing the hackernews audience, though it's not without merit either way.


It appears as though you can add a registry entry to prevent this behavior.

I found details in the ms.edge admx documentation

https://learn.microsoft.com/en-us/deployedge/microsoft-edge-...

(An admx is for adding group policy templates, but group policy is essentially a nice list of registry changes.)

You (reader) can find the reg entry and enter it manually, or might be able to download and install the admx package and make the change through your computer's local group policy (gpedit.msc).


Well yes, sure there is a registry setting to disable this behavior, but why? Why is this not opt-in by default? When did I ever consent to having an Edge shortcut on my desktop? Why are we expected to just passively accept this kind of stupid behavior?


Well, only as long as Microsoft doesn't remove/break this solution.


"Antivirus causing an issue when you browse the web? Uninstall antivirus!" - hackerman


I mean when you weigh pros and cons of using 3rd party AV software, that's a pretty reasonable idea.


Raindrop snapshots and indexes most things you bookmark with it. It also has an API and integrations with IFTTT.

There are desktop and mobile apps as well.

I used to live by Chrome's syncing bookmark feature but it wasn't always easy to get content bookmarked in Chrome on my phone especially.

Now, anything which can be shared on my phone (with the share button) I can send to bookmark and be done with it.

My biggest gripe is that the search is direct and doesn't provide much wiggle room in finding what you're looking for. Super handy though if you can remember a key phrase from the article.

