US 'Know Your Customer' Proposal Will Put an End To Anonymous Cloud Users (torrentfreak.com)
An anonymous reader quotes a report from TorrentFreak: Late January, the U.S. Department of Commerce published a notice of proposed rulemaking for establishing new requirements for Infrastructure as a Service providers (IaaS). The proposal boils down to a 'Know Your Customer' regime for companies operating cloud services, with the goal of countering the activities of "foreign malicious actors." Yet, despite an overseas focus, Americans won't be able to avoid the proposal's requirements, which covers CDNs, virtual private servers, proxies, and domain name resolution services, among others. [...] Under the proposed rule, Customer Identification Programs (CIPs) operated by IaaS providers must collect information from both existing and prospective customers, i.e. those at the application stage of opening an account. The bare minimum includes the following data: a customer's name, address, the means and source of payment for each customer's account, email addresses and telephone numbers, and IP addresses used for access or administration of the account.
What qualifies as an IaaS is surprisingly broad: "Any product or service offered to a consumer, including complimentary or "trial" offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications. The consumer typically does not manage or control most of the underlying hardware but has control over the operating systems, storage, and any deployed applications. The term is inclusive of "managed" products or services, in which the provider is responsible for some aspects of system configuration or maintenance, and "unmanaged" products or services, in which the provider is only responsible for ensuring that the product is available to the consumer."
And it doesn't stop there. The term IaaS includes all 'virtualized' products and services where the computing resources of a physical machine are shared, such as Virtual Private Servers (VPS). It even covers 'baremetal' servers allocated to a single person. The definition also extends to any service where the consumer does not manage or control the underlying hardware but contracts with a third party for access. "This definition would capture services such as content delivery networks, proxy services, and domain name resolution services," the proposal reads. The proposed rule, National Emergency with Respect to Significant Malicious Cyber-Enabled Activities, will stop accepting comments from interested parties on April 30, 2024.
So much for any pretense of 'privacy' (Score:2)
Re:So much for any pretense of 'privacy' (Score:5, Informative)
How? This is no different than a bank or brokerage needing the information. The same with a phone company or ISP. They ask for your information (burner phones excluded). When you buy a house, you have to provide this information. Want to start a business? Guess what, you'll never believe what information you have to provide.
Hans Kristian Graebener = StoneToss
Re:So much for any pretense of 'privacy' (Score:5, Informative)
Some US states sell incorporation with secret ownership.
The feds are trying to make that Illegal as well.
It is soon to be mandatory [fincen.gov] to register with the federal government to tell them who is REALLY behind your secret companies (Not just your secret companies.. all businesses registered with a state now have a new mandate that they register with the Feds the full information for EVERY party with a financial interest in every registered business entity).
Although there is currently a court challenge to the BOI registration. Outside the Alabama circuit it is still the law.
Re:So much for any pretense of 'privacy' (Score:5, Interesting)
How? This is no different than a bank or brokerage needing the information.
It's not the same at all.
I would liken it more to having a service called a Library. Which is allowed to host books without disclosing the Name and Address of authors. Just as we have VPN, DNS, and Web hosting providers where it is possible to Buy service using an anonymous method of payment and never tell them your address.
Furthermore, We have many of these services ask for information, But it is Not their practice to "Verify" or "Require proof" of information. For example, GoDaddy is not currently going to require you to submit a Photo ID in order to anonymously register a Protest website's domain, where you would have a high risk of reprisal and frivolous legal attacks from the powers that be, etc.
It's pretty darned tyrannical here if the government is going to say that such an anonymous publication service, VPN, or reverse-proxy service (Cloudflare, etc), is not allowed to exist.
A company does not inherently need the buyer's Name, Address, Etc, in order to Provide these services. Most companies use that type of information, but it is completely practical to provide an Anonymous web hosting company, or an Anonymous DNS zone hosting provider, And they ought to be able to.
Brokers don't necessarily need the info either. If you look at crypto markets - there is an analog to a broker that doesn't need the information. You wouldn't need the information to broker an anonymous exchange between two parties on a blockchain.
A broker traditionally executes transactions of major financial importance on your behalf where you are buying or selling real-estate or other property.
They need the information to properly record who owns what. The security of your legal ownership to a piece of Real-Estate is only as good as your ability to Prove that the name it's properly Titled to is You.
The same with a phone company or ISP.
A Phone company or ISP needs the information to build a line to your house, and more importantly: In order to send you a bill and hold you accountable if you Don't pay (Very often they deliver a quantity of service before you are billed).
There are Alternative billing models such as Pre-Payment where a Phone company would Not have to have your information. Burner phones are a great example.
Re: (Score:2)
Why does a free newspaper need to know this information about its readers?
Re: (Score:2)
How? This is no different than a bank or brokerage needing the information. The same with a phone company or ISP. They ask for your information (burner phones excluded).
Er, except in this case, burner cloud accounts not excluded.
Re: (Score:2)
So where is this mandatory information supposed to come from then? Oh, that's right from the various data breaches, the dark web, and advertising "grey" market collections. I.e. The sa
Re: (Score:1)
You mean like the PATRIOT act?
Re: (Score:1)
I registered a name in the .us TLD a few months ago just to share some photos and videos of a party. I learned why it was cheap to register. .us domain is so unpopular.
I had to provide real information to demonstrate I'm affiliated with the United States.
Well! I must have received over a hundred calls from Indian developers wanting to take over designing and programming my site. They were polite, but there were just so many.
The lesson learned was why the
Re: So much for any pretense of 'privacy' (Score:2)
Trust me. They do that for .com domain owners as well.
Re: (Score:1)
At least with a .com you can apply something like Whoisguard to put a layer between your information so it isn't as easy to find.
Re:So much for any pretense of 'privacy' (Score:4, Insightful)
The US does seem to like a good court case, so yes, it'll probably go to court.
However, the rest of the world has worked out that "dark money" runs an awful lot of any national economy. You can very quickly find yourself being the country that is actually funding terrorism or aggressors that you're trying to fight, or in the case of 'virtualised stuff', is actually running the cyber attacks against the countries you're trying to protect.
Finding out who *really* owns and runs things is probably as valuable as sending billions in aid to countries you support. It certainly makes those billions a lot more effective.
Re: (Score:2)
Terrible initialism. (Score:2)
How do you pronounce NERSMCEA?
Re: Terrible initialism. (Score:3)
Re: (Score:1)
Ners McSee ???
Re: (Score:3, Informative)
nervous merica
Re:Terrible initialism. (Score:4, Funny)
Re: (Score:2)
Setec Astronomy
"too many secrets"
Re:How do U pronounce NERSMCEA? (Score:1)
"NewScummyIdea"
Re: (Score:2)
How do you pronounce NERSMCEA?
Nurse Mcgee? Hello, Nurse!
Re: (Score:3)
Dunno.
But I have a cream to stop the itching in case you get it.
2nd Amendment (Score:1)
Re: (Score:1)
no KYC required
I keep reading this as KFC. Really must eat more.
Re: (Score:1)
I can just see it now: GOP will bleep with it to require a birth certificate to watch a free cat video, but not to buy an AR15.
I don't see how this would be very (Score:1)
...helpful in tracing criminals and terrorists as too many use zombied computers and/or accounts under a regular user's name. They're gonna arrest Grandpa for stealing nuclear secrets.
The Foreign VPS Incentive Act (Score:3)
Hasn't it occurred to anyone that the Foreign VPS Incentive Act will cause domestic VPS vendors to lose business?
Re: (Score:2)
Yep, like 99% of these things, I can set up a server in Canada (for example) and bypass the US rules. Same with porn servers and whatever. The US can't make international law, so things like COPA and newer variants are useless. Blocking kind of works, but yeah, basically we get the Great Firewall of China or Iran. VPNs and proxies can bypass, so it is only a false protection.
Re: (Score:2)
Hasn't it occurred to anyone that the Foreign VPS Incentive Act will cause domestic VPS vendors to lose business?
Lose business to whom? The reason so many foreigners are using American VPSes is because the number 1, 2, and 3 services for it are American. (presumably the whole top 10 is but I haven't looked that far).
Obvious question (Score:2)
Re: (Score:2)
Or TOR. I could see the DOJ trying to say it does. What do they have to lose?
"National Emergency" (Score:4, Interesting)
Over 5 years ago it was reported that 31 "national emergencies" were in effect including "The National Emergency With Respect to Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities" (April 1, 2015, related to Chinese cyber attacks [go.com]).
I'm as concerned about Chinese cyberattacks as anyone, but the U.S. is supposed to be a free country and leader of the free world. If China were launching huge cyberattacks or at least a military buildup to invade Taiwan (and if we were still committed to containing "communism", which nowadays just seems to be capitalist dictatorship, but containing dictatorship is more important to me anyhow)... then I could understand taking some "emergency" measures. But I'm not seeing any emergency yet.
What are the other "national emergencies"? Let's see...
you keep using that word. I do not think it means what the rest of us think it means.
Clipper chips will be next (Score:3)
Will this actually change much in practice? (Score:3)
Most IaaS providers need to collect most of that information anyway because they like getting paid for their services. The only thing they normally don't need is the customer's physical address, and that's the easiest one for customers to get an anonymous form of. The rest, anyone who's concerned about it already has methods of dealing with it. I suspect it won't be more than a mild annoyance for most people and will be completely ineffective at stopping the abuse it's aimed at.
Verification (Score:2)
The issue isn't the obligation to record that basic customer information.
The issue is what the IaaS provider is supposed to do to verify that the information supplied by the customer is accurate. Depending on how extensive that is, this rule could range from basically meaningless to incredibly intrusive and hugely burdensome.