We have 4 days to contest KYC being required by internet services

Scope and Intent of the Rule

  • Proposal targets U.S. “Infrastructure as a Service” (IaaS) providers and foreign users, derived from EOs 13984 and 14110.
  • Official goals: prevent sanctioned/malicious foreign actors from using U.S. cloud/AI compute for cyber attacks or large‑scale AI training.
  • Dispute over scope: some read it as limited to foreign high‑end AI usage; others note the draft text appears to cover all IaaS accounts, with extra obligations for foreign persons and AI training.

What Counts as IaaS

  • Clear inclusions: virtual private servers, dedicated/bare‑metal servers, cloud VMs (AWS, Azure, etc.).
  • Debate whether ISPs or VPNs fit the definition; some say “no” based on the “run non‑predefined software” clause, others say the wording is broad enough that regulators could later stretch it.
  • Many argue most generic web hosts where you can run your own code (e.g., self‑hosted WordPress, Mastodon) are in scope.

Arguments in Favor

  • Helps enforce sanctions and OFAC rules; harder for foreign attackers to anonymously rent U.S. infrastructure or GPUs.
  • Seen as analogous to banking KYC: a reasonable tradeoff to curb cybercrime, CSAM hosting, scams, and hostile AI efforts.
  • Some accept KYC as already de facto via credit cards and see this as formalizing existing practice.

Arguments Against

  • Strong concern it functionally ends anonymity for self‑hosting: any blog, chat server, or node on U.S. IaaS would require ID, enabling identification of dissidents.
  • Slippery‑slope fear: starts with “foreign AI misuse” and gradually expands to domestic users and other services.
  • Privacy and security: more mandatory ID collection means more data breaches, identity theft, and potential government mass surveillance.
  • Accessibility: blind users and others may be locked out by ID‑upload workflows.
  • Economic/competition risk: foreign customers may leave U.S. clouds for non‑U.S. providers; compliance costs favor large incumbents.

Legal and Effectiveness Debates

  • Some see a 4th Amendment problem (generalized, suspicionless identification), and an attack on anonymous speech; others argue existing precedents on bank recordkeeping suggest it will survive challenge.
  • Several note AML/KYC regimes in finance appear empirically poor at stopping crime but very effective at burdening ordinary users.

Process and Activism

  • Commenters highlight that this is a rulemaking with a formal comment period; effective comments should focus on scope, legal issues, costs, and unintended consequences rather than simple dislike.