We have 4 days to contest KYC being required by internet services
Scope and Intent of the Rule
- Proposal targets U.S. “Infrastructure as a Service” (IaaS) providers and foreign users, derived from EOs 13984 and 14110.
- Official goals: prevent sanctioned/malicious foreign actors from using U.S. cloud/AI compute for cyber attacks or large‑scale AI training.
- Dispute over scope: some read it as limited to foreign high‑end AI usage; others note the draft text appears to cover all IaaS accounts, with extra obligations for foreign persons and AI training.
What Counts as IaaS
- Clear inclusions: virtual private servers, dedicated/bare‑metal servers, cloud VMs (AWS, Azure, etc.).
- Debate whether ISPs or VPNs fit the definition; some say “no” based on the “run non‑predefined software” clause, others say the wording is broad enough that regulators could later stretch it.
- Many argue most generic web hosts where you can run your own code (e.g., self‑hosted WordPress, Mastodon) are in scope.
Arguments in Favor
- Helps enforce sanctions and OFAC rules; harder for foreign attackers to anonymously rent U.S. infrastructure or GPUs.
- Seen as analogous to banking KYC: a reasonable tradeoff to curb cybercrime, CSAM hosting, scams, and hostile AI efforts.
- Some accept KYC as already de facto via credit cards and see this as formalizing existing practice.
Arguments Against
- Strong concern it functionally ends anonymity for self‑hosting: any blog, chat server, or node on U.S. IaaS would require ID, enabling identification of dissidents.
- Slippery‑slope fear: starts with “foreign AI misuse” and gradually expands to domestic users and other services.
- Privacy and security: more mandatory ID collection means more data breaches, identity theft, and potential government mass surveillance.
- Accessibility: blind users and others may be locked out by ID‑upload workflows.
- Economic/competition risk: foreign customers may leave U.S. clouds for non‑U.S. providers; compliance costs favor large incumbents.
Legal and Effectiveness Debates
- Some see a 4th Amendment problem (generalized, suspicionless identification), and an attack on anonymous speech; others argue existing precedents on bank recordkeeping suggest it will survive challenge.
- Several note AML/KYC regimes in finance appear empirically poor at stopping crime but very effective at burdening ordinary users.
Process and Activism
- Commenters highlight that this is a rulemaking with a formal comment period; effective comments should focus on scope, legal issues, costs, and unintended consequences rather than simple dislike.