Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Cloud United States

US 'Know Your Customer' Proposal Will Put an End To Anonymous Cloud Users (torrentfreak.com) 44

An anonymous reader quotes a report from TorrentFreak: Late January, the U.S. Department of Commerce published a notice of proposed rulemaking for establishing new requirements for Infrastructure as a Service providers (IaaS) . The proposal boils down to a 'Know Your Customer' regime for companies operating cloud services, with the goal of countering the activities of "foreign malicious actors." Yet, despite an overseas focus, Americans won't be able to avoid the proposal's requirements, which covers CDNs, virtual private servers, proxies, and domain name resolution services, among others. [...] Under the proposed rule, Customer Identification Programs (CIPs) operated by IaaS providers must collect information from both existing and prospective customers, i.e. those at the application stage of opening an account. The bare minimum includes the following data: a customer's name, address, the means and source of payment for each customer's account, email addresses and telephone numbers, and IP addresses used for access or administration of the account.

What qualifies as an IaaS is surprisingly broad: "Any product or service offered to a consumer, including complimentary or "trial" offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications. The consumer typically does not manage or control most of the underlying hardware but has control over the operating systems, storage, and any deployed applications. The term is inclusive of "managed" products or services, in which the provider is responsible for some aspects of system configuration or maintenance, and "unmanaged" products or services, in which the provider is only responsible for ensuring that the product is available to the consumer."

And it doesn't stop there. The term IaaS includes all 'virtualized' products and services where the computing resources of a physical machine are shared, such as Virtual Private Servers (VPS). It even covers 'baremetal' servers allocated to a single person. The definition also extends to any service where the consumer does not manage or control the underlying hardware but contracts with a third party for access. "This definition would capture services such as content delivery networks, proxy services, and domain name resolution services," the proposal reads. The proposed rule, National Emergency with Respect to Significant Malicious Cyber-Enabled Activities, will stop accepting comments from interested parties on April 30, 2024.

This discussion has been archived. No new comments can be posted.

US 'Know Your Customer' Proposal Will Put an End To Anonymous Cloud Users

Comments Filter:
  • I can't see how this isn't going to be challenged in court for violating peoples' privacy and anonymity.,
    • by quonset ( 4839537 ) on Thursday April 25, 2024 @05:16PM (#64425658)

      How? This is no different than a bank or brokerage needing the information. That same with a phone company or ISP. They ask for your information (burner phones excluded). When you buy a house, you have to provide this information. Want to start a business? Guess what, you'll never believe what information you have to provide.

      Hans Kristian Graebener = StoneToss

      • by mysidia ( 191772 ) on Thursday April 25, 2024 @07:26PM (#64425920)

        How? This is no different than a bank or brokerage needing the information.

        It's not the same at all.

        I would liken it more to having a service called a Library. Which is allowed to host books without disclosing the Name and Address of authors. Just as we have VPN, DNS, and Web hosting providers where it is possible to Buy service using an anonymous method of payment and never tell them your address.

        Furthermore, We have many of these services ask for information, But it is Not their practice to "Verify" or "Require proof" of information. For example, GoDaddy is not currently going to require you to submit a Photo ID in order to anonymously register a Protest website's domain, where you would have a high risk of reprisal and frivolous legal attacks from the powers that be, etc.

        It's pretty darned tyrannical here if the government is going to say that such an anonymous publication service, VPN, or reverse-proxy service (Cloudflare, etc), is not allowed to exist.

        A company does not inherently need the buyer's Name, Address, Etc, in order to Provide these services. Most companies use that type of information, but it is completely practical to provide an Anonymous web hosting company, or an Anonymous DNS zone hosting provider, And they ought to be able to.

        Brokers don't necessarily need the info either. If you look at crypto markets - there is an analog to a broker that doesn't need the information. You wouldn't need the information to broker an anonymous exchange between two parties on a blockchain.

        A broker traditionally executes transactions of major financial importance on your behalf where you are buying or selling real-estate or other property.

        They need the information to properly recordate who owns what. The security of your legal ownership to a piece of Real-Estate is only as good as your ability to Proof that the name it's properly Titled to is You.

        That same with a phone company or ISP.

        A Phone company or ISP needs the information to build a line to your house, and more importantly: In order to send you a bill and hold you accountable if you Don't pay (Very often they deliver a quantity of service before you are billed).

        There are Alternative billing models such as Pre-Payment where a Phone company would Not have to have your information. Burner phones are a great example.

      • Why does a free newspaper need to know this information about its readers.

      • How? This is no different than a bank or brokerage needing the information. That same with a phone company or ISP. They ask for your information (burner phones excluded).

        Er, except in this case, burner cloud accounts not excluded.

      • Let's also think about this for a split second. How many of these services do you use on a regular basis? Because we've included DNS resolvers, that means everyone has at least one. Have you ever submitted your personal info to your DNS provider? Do you even know who that provider is? I'd wager that most do not and have not.

        So where is this mandatory information supposed to come from then? Oh, that's right from the various data breeches, the dark web, and advertising "grey" market collections. I.e. The sa
    • by Tablizer ( 95088 )

      You mean like the PATRIOT act?

    • I registered a name in the .us TLD a few months ago just to share some photos and videos of a party. I learned why it was cheap to register.
      I had to provide real information to demonstrate I'm affiliated with the United States.
      Well! I must have received over a hundred calls from Indian developers wanting to take over designing and programming my site. They were polite, but there were just so many.
      The lesson learned was why the .us domain is so unpopular.

    • by coofercat ( 719737 ) on Friday April 26, 2024 @07:57AM (#64426880) Homepage Journal

      The US does seem to like a good court case, so yes, it'll probably go to court.

      However, the rest of the world has worked out that "dark money" runs an awful lot of any national economy. You can very quickly find yourself being the country that is actually funding terrorism or aggressors that you're trying to fight, or in the case of 'virtualised stuff', is actually running the cyber attacks against the countries you're trying to protect.

      Finding out who *really* owns and runs things is probably as valuable as sending billions in aid to countries you support. It certainly makes those billions at lot more effective.

      • Well, in the case of the US, there's been no question as to who's funding terrorism or aggressors for decades......
  • >National Emergency with Respect to Significant Malicious Cyber-Enabled Activities

    How do you pronounce NERSMCEA?
  • Just run the cloud on an AK47 bought at a gun show as the bare metal and no KYC required under the 2nd Amendment. Just kidding.
    • by Anonymous Coward

      no KYC required

      I keep reading this as KFC. Really must eat more.

    • by Tablizer ( 95088 )

      I can just see it now: GOP will bleep with it to require a birth certificate to watch a free cat video, but not to buy an AR15.

  • ...helpful in tracing criminals and terrorists as too many use zombied computers and/or accounts under a regular user's name. They're gonna arrest Grandpa for stealing nuclear secrets.

  • by Sloppy ( 14984 ) on Thursday April 25, 2024 @06:27PM (#64425832) Homepage Journal

    Hasn't it occurred to anyone that the The Foreign VPS Incentive Act will cause domestic VPS vendors to lose business?

    • by Creepy ( 93888 )

      Yep, like 99% of these things, I can set up a server in Canada (for example) and bypass the US rules. Same with porn servers and whatever. The US can't make international law, so things like COPA and newer variants are useless. Blocking kind of works, but yeah, basically we get the Great Firewall of China or Iran. VPNs and proxies can bypass, so it is only a false protection.

    • Hasn't it occurred to anyone that the The Foreign VPS Incentive Act will cause domestic VPS vendors to lose business?

      Lose business to whom? The reason so many foreigners are using American VPSes is because the number 1, 2, and 3 services for it are American. (presumably the whole top 10 is but I haven't looked that far).

  • You would think TorrentFreak would comment on whether this applies to VPN services?
  • "National Emergency" (Score:4, Interesting)

    by Qwertie ( 797303 ) on Thursday April 25, 2024 @06:45PM (#64425856) Homepage

    Over 5 years ago it was reported that 31 "national emergencies" were in effect including "The National Emergency With Respect to Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities" (April 1, 2015, related to Chinese cyber attacks [go.com]).

    I'm as concerned about Chinese cyberattacks as anyone, but the U.S. is supposed to be a free country and leader of the free world. If China were launching huge cyberattacks or at least a military buildup to invade Taiwan (and if we were still committed to containing "communism", which nowadays just seems to be capitalist dictatorship, but containing dictatorship is more important to me anyhow)... then I could understand taking some "emergency" measures. But I'm not seeing any emergency yet.

    What are the other "national emergencies"? Let's see...

    • Nov 14, 1979: The National Emergency With Respect to Iran, in response to the Iran hostage crisis.
    • Jan. 2, 1995: The National Emergency With Respect to Prohibiting Transactions with Terrorists Who Threaten to Disrupt the Middle East Peace Process (the peace process where the US enabled Netanyahu to destroy both the two-state and one-state solutions and now people are being killed by the tens of thousands? That peace process?)
    • March 1, 1996: The National Emergency With Respect to Regulations of the Anchorage and Movement of Vessels with Respect to Cuba
    • Sept 23, 2001: The National Emergency With Respect to Persons who Commit, Threaten to Commit, or Support Terrorism was in response to the terrorist attacks of 9/11
    • March 6, 2003: The National Emergency With Respect to Blocking Property of Persons Undermining Democratic Processes or Institutions in Zimbabwe (an effort to punish associates of Robert Mugabe.)

    you keep using that word. I do not think it means what the rest of us think it means.

  • by sinkskinkshrieks ( 6952954 ) on Thursday April 25, 2024 @07:25PM (#64425916)
    Privacy for me but not for thee.
  • by Todd Knarr ( 15451 ) on Thursday April 25, 2024 @10:42PM (#64426250) Homepage

    Most IaaS providers need to collect most of that information anyway because they like getting paid for their services. The only thing they normally don't need is the customer's physical address, and that's the easiest one for customers to get an anonymous form of. The rest, anyone who's concerned about it already has methods of dealing with it. I suspect it won't be more than a mild annoyance for most people and will be completely ineffective at stopping the abuse it's aimed at.

  • The issue isn't the obligation to record that basic customer information.

    The issue is what the IaaS provider is supposed to do to verify that the information supplied by the customer is accurate. Depending on how extensive that is, this rule could range from basically meaningless to incredibly intrusive and hugely burdensome.

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (10) Sorry, but that's too useful.

Working...