The tech world is really becoming a surveillance nightmare.
Always for the same dubious straw men reasons of terrorism and co, they want to control everyone. Like for banks, the excuse is to ensure that no forbidden foreign actor is allowed the use of the service, but just for that the billion legitimate users will all have to provide their complete justificative info, IPs, and support documents to later be used by the org or gov for whatever reason they will want once they will have them.
Like for banks.
Imagine if the same thing was requested in the real world, like forced to prove your identity when you take gas, when you buy a computer, when you buy a condom.
> ... secret documents leaked from FinCEN, the Financial Crimes Enforcement Network, a unit of the U.S. Treasury. The documents “show that five global banks — JPMorgan, HSBC, Standard Chartered Bank, Deutsche Bank and Bank of New York Mellon — kept profiting from powerful and dangerous players even after U.S. authorities fined these financial institutions for earlier failures to stem flows of dirty money.”
> While the involvement of Chinese money-laundering rings in handling drug proceeds from Mexico is nothing new, a number of recent court cases in the United States have revealed crucial information about how these schemes work ... weekly pick-ups from representatives of Mexican criminal groups, made in cash ranging between $150,000 and $1 million, with an average of $500,000. These were made in large cities including Chicago, New York and Atlanta ... network of Chinese-owned businesses in the United States and Mexico ... transfer a correspondent amount of money through Chinese banking apps. This happened entirely through the Asian country’s domestic banking system ... “It’s the most sophisticated form of money laundering that’s ever existed,” one of the US sources told Reuters.
And yet my super regional bank will only allow me, a customer of over 20 years, to ACH $5000 per day or $25000 per month. I read that Citibank has ACH limits of $2000/$10000.
Ha they actually only say it’s for kyc aml or security measures but really it’s because they don’t have the money and can only stem a bankrun by gating withdrawals at all times
First Republic Bank imploded so fast because their niche was convenience in not having limits
All the banks have the same problem, they’re holding US treasuries with customer deposits at a huge loss right now. The regulations say they don’t have to disclose the current market value of government bonds like US treasuries, so as long as they never need the money they’ll get it all paid by the government over time, but if they ever do need the money sooner they’ll have to liquidate the bonds at their current market value and never have enough to pay everyone.
My advice, have accounts at minimum 2 banks at all times. Doubtful you will lose money, but you can lose access to your funds/paying bills for a short time, plus any bank, at any time can choose not to do business with you.
There are credit unions with higher Zelle limits, never mind actual ACH limits.
Switch to a credit union that values your business, they are much more motivated to hook you up with high ACH limits, and I've repeatedly seen them issue loans at rates well below market.
The strongest incentives for surveillance are actually in the private sector: the need for internal KPIs, selling data, targeted advertising, product and sales funnel optimization, and now AI training data.
The government pushes surveillance too but in my experience it’s the secondary driver, at least in the US. Might be different in other countries.
I’m really pessimistic about privacy online given that every single incentive both public and private encourages maximum privacy invasion and centralization. I mean every single incentive. It’s almost impossible to resist.
We might have a chance if end users cared enough to pay for privacy and avoid things that invade it, but very few do. Most people care about convenience, features, and cost, and that’s it. Nothing else matters.
It's not that people don't care about privacy tbh. But they do indeed care about convenience, so when they're presented with the artificially created choice of corporate surveillance hell vs privacy-enabling options that are by and large put together by a few enthusiasts with meager resources, it's no surprise what the end result is.
But make no mistake - we could, as a society, invest heavily in developing privacy-first platforms and software, and have it all. I can't even say that we choose not to; it's more that representative democracy is not particularly representative in practice, and mostly works as a form of veto.
People pick ads, it is true. They do not explicitly pick "track you everywhere to build a hyper-accurate profile of you that can then push precisely tuned ads at you", though. That part is buried in the EULAs.
I have never heard of an ad-free lockscreen on Kindle and I pay for Kindle Unlimited. So I have to pay even more to get ad-free, if that's even possible. And I'm sure that's just for Kindle. Need to cough up a few more dollars for ad-free Prime Video. And ad-free shopping on Amazon. And that's just one service. Can't wait to hear what I'd need to spend for the same if I used Facebook, Instagram, WhatsApp, and a Quest even though Meta owns all of them. And I can just imagine the hellscape Microsoft will create when you have to pay a subscription fee to use Windows 12 Home With Ads, as your baseline option.
The average American isn't exactly awash in cash to spend on privacy, you know.
It's not an artificially created choice. It's a market created choice. People won't pay for software, so the privacy-enabling options are put together by a few volunteers with no funding.
We are not talking about a lot of money in most cases. I usually compare it to coffee shops. People will pay $10 at a coffee shop for a latte and a snack, but they refuse to pay even $5 for a software app or game that they might use every day.
It doesn't have to be left to the market. Given the current state of affairs wrt market oligopolization, especially in tech, it probably shouldn't be, at least not for the kind of basic software and protocols that the majority of people use daily.
One of the leaders in dystopian social engineering, the United Kingdom, wants a KYC for watching porn so you're not far off. Oi mate you can't do that without a loicence!
> Imagine if the same thing was requested in the real world, like forced to prove your identity when you take gas, when you buy a computer, when you buy a condom.
There's no need, there's fifty security cameras and phone trackers already doing it that may not even require a warrant to access.
> The tech world is really becoming a surveillance nightmare.
Becoming?
Stalkerware, data brokers selling women's information to the Gilead apparatus, Palantir... none of this is new, and present much greater threats on a day to day basis than this.
What do you think central bank digital currencies are about? They can tie your identity to your wallet. Then you have to validate your identity to access the wallet.
(There’s worse stuff, like they could decide only 10% of your budget can be used on gas. Or force you to pay higher taxes as a carbon credit, etc etc)
KYC/AML is not some made up concept in order to further some conspiracy. There is genuine harm caused by money laundering and the fraudulent use of the financial system by bad actors.
Likewise anonymous use of shared infrastructure is a central part of the scam/spam/malware ecosystem which costs the global economy $10+ trillion a year.
At some point given the impacts to the most vulnerable in society we need to simply ask that people prove who they are.
This is about KYC for servers. There are plenty of reasons to think that this will be completely ineffective because foreign providers are under no such obligation. It's also incredibly misguided because the providers that generally harbor abuse are overwhelmingly in foreign countries - no one is starting a bulletproof host in the US. And given that providers will likely only implement the minimum required KYC, it is not even going to be as sophisticated as selfie verification. Which means in the event criminals do want to use a US hosting provider, they will use a $5 fake ID Photoshop template like they always have or pay $15 for a premade account. Even if more sophisticated verification like Onfido is used, that will raise the cost of getting an account with a fake ID to about $150 (that's the price of most crypto exchange accounts on fraud forums).
Also, little barriers to entry like this are the kind of things that discourage initiative and make our economy slightly less competitive. When I was a teenager I wrote Linux tutorials on vultr.com for $50 each to be credited to my account, which I used to pay for hosting before I had a debit card. I had no drivers license so if I encountered some dialog asking for an ID I would've just clicked away and been disappointed. There are 17 year olds running hosting businesses on lowendtalk.com - should their $1000 a month in revenue business be expected to consult with a lawyer to write a 40 page customer identification plan?
What happens with foreign financial institutions which don't implement KYC or otherwise play nice? I'm really asking; I remember when I was young that "swiss bank accounts" were famous for shielding account owners, but my understanding is that's no longer the case.
My first thought here was, what happens when the US decides that network providers doing business in the US must blackhole Hetzner or whatever because they aren't implementing KYC.
I mean, it's conceivable that could happen down the line but it would break most of the current Internet. Also the rule explicitly says it's for US providers. However, the government really loves the extraterritorial enforcement angle as of late so I get the feeling they'll eventually try to apply it to foreign subsidiaries of US companies.
It’s typical native tech thinking that legal issues can be solved by technology.
USA has a lot of experience how they can influence foreign providers by making it increasingly difficult for them to do business with any USA entities. It’s not bulletproof, but nothing is. As long as USA has dominant position in the world, their influence is huge.
The penalties for violating that are also not very high at the scale of small internet businesses. Violations of the proposed rule are treated as violations of IEEPA which is far more serious.
KYC and AML do very little to actually address any risks related to money laundering. But they’re very powerful tools that banks use to push their customers around and control how they use their money (somehow usually in ways that benefit the banks of course).
So customers can very easily move their money and business elsewhere if they feel like they are being somehow controlled. And as someone who has worked at two banks almost all of those restrictions derive from the government.
For retail and SME customers this is true. But for any customer that deals with large sums of money it is not. If you’ve never heard of an MT730, then you probably have good reason to think that moving money around is easy.
Where did I say anything about anonymous? I do some work with an AML consultancy, and I’ve never even heard of a customer who wanted to be anonymous.
But your reaction of “must be a criminal, let’s investigate you” to my complaints of banks abusing your power leads me to 100% believe your claim of having worked in banks before.
Banks don’t want you to do anything that reduces their deposits, because they directly lose money when that happens. If you had $1 billion in deposits at a bank that was getting 5% returns on investing its deposits, and you wanted to spend that money on buying some securities or something, then that bank would generate approx $1,000,000 in returns for every week that the AML process takes to complete.
Due to how fractional banking works, in reality they would be earning some multiple of that return rate, but that’s a bit more abstract and hard to quantify.
Because AML processes are completely opaque, often made up on the fly and operate without any due process, banks can and routinely do delay transactions worth multiple billions of dollars for many weeks or longer by asking lots of irrelevant questions, requesting new documents or minor changes, and taking their time in getting back to you about anything, etc. In the world of high value transactions these kafkaesque processes and delays are completely routine.
1) Float. Every dollar that is held in limbo 'for checking' is interest income to the bank.
2) Rabid identification requirements lower the risk of new account fraud (which is paid by the bank).
3) Information on who you're sending payments to is usable by the bank for prospecting and risk analysis.
4) If you read anything about regulatory capture, it explains how regulation is used by incumbents to discourage competition. i.e. No new banks have opened in the U.S. since 2009, when new regulations to prevent banks from getting bigger were passed. <- And now, the biggest banks are MUCH larger.
From 2009 to 2013 only 7 new banks were formed, fewer than 2 per year.
Many industry observers have suggested that the decline is primarily due to regulatory burden, including new FDIC regulations and the 2010 Dodd‐Frank Act. But other influences could have played a role, in particular, the current weak economy.
This reminds me of when people say, "those stories of street crime are exaggerated." It's content-free. And "any risks related to money laundering" is rather dismissive, isn't it?
Are you denying that actual criminals have a problem with moving money around except in $100 bills and other tangible assets?
I would say that PETTY criminals have difficulty moving money around electronically. Criminals with LOTS of money do not have any difficulty finding an investment bank to handle money movement. i.e. Epstein JPMorgan, WireCard, Lloyds
https://www.reuters.com/world/uk/lloyds-says-it-faces-money-...
AML laws are just a compliance cost of actual money launderers. All they do is increase the number of intermediaries involved in a transaction (who each collect their fees).
Embedded within our justice system and the values of our society we have the concept of the protection of the innocent. See William Blackstone's famous quotation: "It is better that ten guilty persons escape than that one innocent suffer."
If you want to imprison all the murderers, you can accomplish that goal by imprisoning everyone but we don't do this and most people would recognize that the idea is mad.
So the test here for any regulating authority should be, is your regulation harming the innocent in some way? If so, the imperative is on you to find a better way to go after the guilty, if you don't you have become an enemy of the public good and your moral authority is lost. We can get into specific regulations but I think with modern KYC and AML we are absolutely at the point where they contribute to the suppression of economic growth and individual liberties and need to be dialed back.
Very well said. It should also be said that criminals that want to launder money only exist because of government regulation. Sometimes that's totally justified, say with human trafficking, and sometimes not so much, like maybe a marijuana dispensary.
The point being, sometimes undercutting criminal activity can be done by legalizing the activity rather than introducing more types of illegal activities to try and detect the original ones. The cure is sometimes worse than the disease.
That part's fine, it's the collateral damage that's the problem. Laws don't know who're the bad guys and who are the good guys, and sometimes everyone else gets caught up in the dragnet. By all means, stop the bad guys, but unfortunately, they don't easily identify themselves, so we pass laws and apply them to everyone (in theory), but they can end up doing more harm than good.
The $10k rule by the Bank Secrecy Act wasn't indexed to inflation and would be closer to $80k today. So it should be amounts up to $80k that aren't considered worth monitoring, but instead, if you deal with, say, buying and selling cars, you get tripped up by that all the time. It's regulatory red tape overhead that costs a legitimate business extra time and money that could be better spent elsewhere.
What is that link supposed to demonstrate? Lloyds is facing an investigation. So?
As for "Criminals with LOTS of money do not have any difficulty finding an investment bank to handle money movement" what is your evidence for that? And what's the line between "petty" and "LOTS of money" ?
I have multiple ACAMS certifications (the trade group that certifies all of us Anti-Money Laundering personnel who work at banks). And no, the public can't apply for membership.
1) Search WallStreetOnParade.com and read all of the articles about laundering.
2) Read the Mary Erdoes and Jamie Dimon depositions about Epstein involvement. JPM was putting Epstein's bribes through to the Governor of USVI. JPM was 'forgetting' to file the mandatory SAR notices on the $5MM in cash that Epstein was withdrawing each year for victim payments.
3) The Yakuza (as written in Tokyo Vice - the book) use privacy laws to prevent any of their businesses from being tied to them.
4) Read Butler to the World: How Britain Helps the world's worst people launder money.
IaaS: running your own email server, your own cloud, your own vpn.
I'm vehemently against the idea of a KYC for IaaS. This just feels like another swipe at destroying internet anonymity. "Foreign actors" already route traffic over every network in the US. Preventing them from getting an EC2 isn't necessary as senators can already request AWS drop customers because they don't like them (Joe Lieberman personally pulled the plug on WikiLeaks).
Not really. With Tor, Protonmail, njal.la, Flokinet (or one of a hundred other competitors), and $100 in Bitcoin from an ATM that you convert to Monero, you have enough to host a website and domain that are completely disassociated from your real life identity for a year.
Think so? Want to review the number of times individuals who made their living off being "anonymous" online got de-anonymized by security consultants, ad agencies, pissed off gamers, or law enforcement agencies? If you really thought your opsec was that good you'd be laundering money for a cartel.
Krebs's investigations overwhelmingly rely on reused emails and phone numbers across services which he follows back to some account they registered in 2008 in their real name. This is very effective because he is investigating cybercriminals who 1) have been at it for a while and have left extensive trails and 2) don't really care that much if they are identified because they can just stay in Russia. In the Alphabay and Silk Road cases, they relied on similar techniques (AlphaBay welcome emails sent from Cazes's hotmail, "altoid"/Bitcointalk/Shroomery posts in the case of Silk Road). These kinds of things can be prevented by making a new email with a service that doesn't require your phone number and your real name.
In the recent Monopoly Market case and seizures from the huge hacks, it was all chain analysis. Only the Bitfinex hackers even tried to conceal what they were doing (by using Alphabay as a mixer, which became their undoing once it was seized), the others went straight from crime -> accounts in their name. This can be obviated with Monero.
Yes, I'm aware that the US government used some sort of probabilistic attack on Monero in 2018 against North Korea, which has since been fixed.
I don't want to spend my whole life looking over my shoulder and IRL opsec is a whole other thing that I am not really familiar with. I don't use the techniques in my post because I'm not leading a double life or something like that, but I think it's entertaining to read about.
Edit: Also, is your contention that there is no Internet anonymity anymore, therefore it's fine to even further limit Internet anonymity?
My position is thus: anonymity is not credibly possible for average users ergo further discussion of the topic is either pointless rhetoric OR designed to provide cover for bad actors. The entire discussion becomes even more ludicrous when put in context with the extent of digital surveillance by private industry compared against what we know about digital surveillance performed by western governments. As mentioned elsewhere in this thread, claims of concern over internet privacy will start being taken seriously shortly after the individuals making said claims have provably begun actively picketing Apple, Google, and Microsoft's corporate headquarters (to start).
I wouldn't say easy but things are definitely easier now that it is possible to pay for things anonymously without having to use things like Liberty Reserve. On the other hand less of the web is usable now without Javascript and tracking than before.
This includes criminalizing having too much compute power:
"The proposed rule requires U.S. IaaS providers and their foreign resellers to report known instances of foreign persons training “large AI models with potential capabilities that could be used in malicious cyber-enabled activity” to Commerce.
Reporting known instances of transactions which could result in the training of a large AI model with potential capabilities that could be used in malicious cyber-enabled activity.
Which is to say: every language model and image generator with >100M params. In other words, IaaS providers must report nearly every transaction, since you can train a LoRA module for a small model on a few hundred ARM cores, or on nearly any datacenter GPU.
To be clear though, the rule doesn’t include prison time for you, the GPU user. The prison time and/or fines are for the noncompliant IaaS provider, which means that cloud GPUs (and possibly every other resource) will be much more expensive and harder to access.
"At minimum, U.S. IaaS providers must gather and retain specific identifying information from potential foreign customers and foreign beneficial owners to verify their identity, including their:
Name; Address; Means and source of payment; Email address; Telephone number; and
“IP address(es) used for access or administration and the date and time of each such access or administrative action.”
I'm pretty sure all IaaS providers already have all that (except maybe the phone number which is not mandatory).
I doubt that they'd typically verify that the name and address are accurate. Unlike opening an account at a bank or getting a cell phone connection (at least where I live) which require ID in a form that the government approves of.
So, complete de-anonymization of internet infrastructure in the United States. If you have something to say on a platform we don't already control (Meta, etc) then you must provide your private data to the government to do so.
Watch the US say in a few years that they will block all international VPN connectivity for security reasons.
As a legal measure, this proposal will affect all IaaS platforms, so you can't just find another that doesn't do it
"Just build your own website" has rapidly turned into "just build your own data center, domain registrar, CDN and DDoS protection shield, T1 ISP, advertising network, search engine, and defeat the VISA/MasterCard duopoly if you want any income". The pro-deplatforming crowd has shown that they'll use every possible measure to make a site they don't like impossible to operate, rather than stopping at their claim that they just don't want the content on Facebook or whatever
My point is the status quo allows people for good and bad to operate networked compute anonymously, and US government organizations want to strip anonymity away from the Internet.
Judge’s Ruling Sets Back Law Meant to Fight Money Laundering
"An Alabama judge barred the government from collecting certain company ownership data to help the Treasury Department identify money launderers, and called the effort a case of congressional overreach."
> Related[0][1] news:
>
> Judge’s Ruling Sets Back Law Meant to Fight Money Laundering
>
> "An Alabama judge barred the government from collecting certain company ownership data to help the Treasury Department identify money launderers, and called the effort a case of congressional overreach."
>
> [0] https://www.nytimes.com/2024/03/03/us/politics/judge-ruling-...
>
> [1] https://archive.is/6gOMl
I don't know why there has not been more uproar over this. By the end of the year over 33 million business owners in the US will be required to give FinCEN identifying info including a photo ID for owners of 25% of their business. In addition those just filling out the application must do the same.
Where to direct the uproar? It doesn't matter which partisan puppet sits in the Oval Office or any other office -- they will continue to sell you out to Big Surveillance, as their predecessors have done. The only real difference among them is the culture war window dressing, and that's tiresome.
This is a "ratchet" mechanism; once implemented, there is no going back. Everything is gravy when you are making the money and all your ID is accepted, but the first day you are fired and locked out for it, or the election in your country goes a way that someone does not like.. you may change your mind.
Is there a way forward? Yes, penalties for abuse, not "papers please" life for every peon on Earth.
This is an absolutely Big Brother mandate. Bad actors and foreign threats will always exist, implying that privacy will always be criminalized under this paradigm whereby the presence of a threat justifies invading people's privacy.
It's true, our society is well on its way to mastering sitting on its hands when problems present themselves because there's always someone who's figured out how to make money off the issue and rolling up a blob of useful idiots to astroturf on their behalf has become so efficient it borders on overt weaponization of human stupidity.
There -is- no privacy, why does this still keep coming up in conversations literally decades after it became trivial for AD AGENCIES much less sovereign governments to identify an individual online? Are you part of an astroturf campaign or something?
It's a spectrum. There can be greater or smaller degrees of privacy. And there can be giving up privacy voluntarily, or being mandated to give it up. These are fundamentally different propositions.
No one is claiming absolute privacy is possible. It cannot all be reduced to an indistinguishable mass of surveillance. There is an enormous amount of nuance in the privacy picture, and laws like the one described in the OP are a meaningful step in the wrong direction for that picture.
For the same reasons I'm against flat earthers as a concept. The premise is nonsensical from a practical standpoint, you'd have to completely dismantle the internet economy AND re-engineer the network from the ground up. Furthermore, continued rhetoric on this point provides cover for bad actors without meaningfully impacting the privacy landscape for run of the mill users.
Classifying all erosion of privacy as equivalent is dangerously reductionist. Being able to track someone's internet activity by buying information from commercial data brokers is not the same as a government forcing everyone to follow a regimented disclosure process, under pain of imprisonment.
In the former, there is considerably more consent, some level of flexibility in how data is disclosed and some possibility of user mitigation. In the latter, none of these things are possible. It's a straitjacket for society, with the net effect being massively less fundamental liberty and more centralization of power around the state.
Just look at mandated KYC processes in finance, and the enormous costs they impose — in time wasted and intimate private information involuntarily exposed — on hundreds of millions of law-abiding consumers and businesses, while massively constraining the space for innovation in finance, by mandating a regimented PII disclosure process that precludes the development of better processes for providing safety and accountability.
This is not the same as people's voluntarily disclosed financial data being available to buy from commercial data brokers, that incurs none of these costs on society.
Ok so now we're proposing that financial regulations that hamper funneling resources to terrorist organizations and make money laundering and tax evasion a massive pain in the ass are "time wasted"? Weird take but ok.
And miss me with that "consent" fig leaf. You damn well know ToS (what would the plural be there?) that notionally establish consent are intentionally designed to be impenetrable walls of legal verbiage designed specifically to provoke end users to click through without reading a damn thing. Furthermore, to truly opt out of all forms of digital tracking, which I think we agree most people would do if given the option, would require completely disengaging from the economy as brokerable electronic records are produced every time you use a cellphone, view anything on the internet, or perform a financial transaction with anything besides cash.
There is zero evidence that financial mass-surveillance, in the form of KYC/AML mandates, hampers the flow of funds to terrorist and criminal groups.
There has been no demonstrable reduction of criminal and terrorist activity since the G7 embarked on widespread financial surveillance in 1989.
As for the ToS, they provide some level of accountability, which can, for example, take the form of a mass exodus of users when a company changes its ToS to make them more invasive.
And people can ultimately choose what data they share with web services, whereas mandates like the ones being promoted by the Commerce Department eliminate that choice altogether.
There is undoubtedly a lot of space for improvement in the privacy realm but clearly we're not going to go in that direction if we institute overt mass surveillance programs that criminalize privacy.
Evil, I guess that means I need to dump AWS and Digital Ocean now.
I think it's worth contacting your support rep if you don't like this and letting them know you're going looking to take your business elsewhere if this happens.
Yes, any oversight of compute jobs is evil, full stop.
And really, once you start using a lot of resources at a cloud company they start asking about you and your workloads because they want to up sell you more services. I'm sure they're also thinking about what kind of credit risk you might be since the industry generally operates on a post-payment basis. They will also require further information if you're doing things that have potential to harm their services such as email sending.
There is no good reason to demand the identity of people spending 1000 bucks a month on virtual machines that nobody is complaining about, it's outright totalitarian.
That's fucking ridiculous. 30 years ago, before literally every aspect of our existences were wired together and anonymizing your identity online was no more complicated than bouncing through a few shells, yeah, you might have had a point. Fast forward to today and it's credibly possible to brick portions of the power grid, water treatment and delivery facilities, emergency services, hospitals, communications, banking, etc. with a computer. So yeah, given society's threat surface has changed over the decades, changes in oversight are absolutely warranted.
Respectfully, I completely disagree with your view on this. We need to secure that stuff, or take it off the internet, not use it as an excuse to spy on everyone. I also view the requirement for ID to fly domestic as something that is 100% bad and needs to be eliminated.
When the folks who are screeching about this start organizing protests outside google's offices I'll start taking their claims of concern about user privacy seriously.
Fair enough. I still believe it's wise to be skeptical of government overreach, and call me old fashioned, but I believe that government's ability to hurt us with unchecked abuses of power exceeds that of any corporate giant.
Weird take given it was private industry that engineered the global digital panopticon we all live in today same as private industry has intentionally stifled progress on climate change and caused the now planetary PFAS contamination.
AI safetyists have already called for airstriking """rogue""" data centers, don't play coy and pretend that your worldview stops at KYC for infrastructure.
I have literally no idea wtf you're talking about but now that you bring it up being able to quickly eliminate the source point(s) for targeted attacks on critical infrastructure seems pretty uncontroversial.
The executive branch should not be allowed to do an end run around Congress for something this significant. If enacted, this would give foreign hosting companies like Hetzner a huge efficiency advantage over domestic suppliers. (Data center customers aren't presently unknown to law enforcement, because banks will help trace payments. However this could, due to the per-user burden, make it impractical for smaller hosts to offer free tiers, or even to serve small accounts.)
I sit in the middle. Imposing seems a bit strict, but we absolutely do need a better default digital identity layer than “I have an inbox”, no matter what the anons say. With Persona you can IDV using mDL. It’s already happening. What hasn’t happened yet is the “pay with apple/google wallet” UX for situations when someone needs to verify your identity. Passkeys with a VC presentation extension would be really cool.
"I have an inbox" is the principle behind Internet Freedom, where services can be accessed permissionlessly and people can interact freely without government restrictions.
This takes us down a road to a centralized internet with government agencies acting as gatekeepers. Not only is this dangerous, in making political repression orders of magnitude easier, it is inefficient, as it replaces the apolitical efficiency of the permissionless internet with a bureaucratic and friction-laden process for internet interactions.
Centralized identity also arguably weakens security. The assumption that you can rely on this identity to disincentivize this actor from behaving badly means you'll be less strict about implementing robust protocols or policies to detect or mitigate bad behaviour. Identities will be forged or circumvented at some point, and this laxer security will make the consequences of the breach so much larger as a result.
But I'm willing to even concede that a highly controlled internet will lead to less internet crime. But it'll be a Devil's Bargain where the price of less internet crime will be less economic activity and wealth. Repression of the general population to reduce the threat posed by bad actors is counter-productive to the larger goal of a safer and more prosperous world.
Less prosperous as repression inhibits productivity and less safe because less prosperity makes people less able to reduce the risks that they face. To give a concrete example: the people of a city that has access to Uber or an Uber-like service (more prosperity) are safer than those of a city relying on older taxi technology involving flagging down cabs with no ratings (less prosperity).
The former have greater freedom of movement which has a huge number of positive second order effects, many of which improve personal safety. The emergence and rapid evolution of services like Uber is largely because of Internet Freedom giving internet projects space for deployment and iteration outside the confines of regimented safety processes.
Curious, why are we okay with this when it’s your job securing trade secrets and IP but not when it’s your nation securing its citizens and preventing spam and fraud?
Is there evidence it would prevent spam and fraud? Is there evidence that it would "secure its citizens"?
Also, plenty of people on this forum are not OK with securing IP either, seeing it as a serious impediment to the free flow of ideas and the advancement of human knowledge. Basically the same argument the OP just described.
Sorry, can you elaborate? You mean why are we okay with employers imposing restrictions on employees to protect trade secrets, but not with governments imposing restrictions on citizens to protect people from being spammed and defrauded?
OFAC only applies to financial institutions, and maintains a centralized list that is checked on every transaction. If any of the endpoint data matches an individual on that list, money is allowed only to flow in to an account, never to leave. It's essentially a "you are banned from economic activity button".
But that's only a small part of the AML/KYC package. The other part is the active surveillance obligations on behalf of law enforcement that a financial has to engage in. I.e., the filing of SAR (suspicious activity reports), and reports whenever large amounts of cash are withdrawn from their custody. These are the AML side of things, that basically turns the financial system into an extension of law enforcement.
This proposed KYC program from Commerce is applying the same template of obligations to U.S. cloud providers. Maybe it'll only be them for a few years, but much like FATCA ended up expanding OFAC's influence worldwide, so too likely will this be propagated worldwide.
Got it, in other words going beyond just a moment of someone signing up or putting in a credit card to actually continuously evaluating whether or not it looks like a user of the service may be on the list.. tricky indeed
I think Hetzner does that to combat fraudulent signups, not because they're required to do so by law. But in general Germany is quite hostile to online privacy, it's not a role model other countries should follow.
I’m disappointed none of the top comments here mention Commerce’s years-long effort to restrict Chinese access to leading-edge GPUs. The origin of this policy is the simple realization that those restrictions are meaningless if an AWS account gets around them. Argue against that if you’d like, but argue against the correct thing.
Yes, that is another thing that Commerce is doing. And your assumption of the motivation for this proposal is probably accurate. But the two things are not the same. Here, the wording of the proposed rule doesn’t appear to limit it in scope to H100s and GroqRacks. That makes this a separate issue. It also imposes entirely separate restrictions and reporting requirements on an entirely different class of provider. I’m not sure why you’re insisting that we treat them as the same issue.
I don't think I've seen a single comment along the lines of "I don't like this rule but it would be reasonable for only A100 and H100 equipped instances" (which would be my personal stance FWIW). Instead, it's just binary opposition to any form of KYC on compute.