This is about KYC for servers. There are plenty of reasons to think that this will be completely ineffective because foreign providers are under no such obligation. It's also incredibly misguided because the providers that generally harbor abuse are overwhelmingly in foreign countries - no one is starting a bulletproof host in the US. And given that providers will likely only implement the minimum required KYC, it is not even going to be as sophisticated as selfie verification. Which means in the event criminals do want to use a US hosting provider, they will use a $5 fake ID Photoshop template like they always have or pay $15 for a premade account. Even if more sophisticated verification like Onfido is used, that will raise the cost of getting an account with a fake ID to about $150 (that's the price of most crypto exchange accounts on fraud forums).
Also, little barriers to entry like this are the kind of things that discourage initiative and make our economy slightly less competitive. When I was a teenager I wrote Linux tutorials on vultr.com for $50 each to be credited to my account, which I used to pay for hosting before I had a debit card. I had no driver's license, so if I encountered some dialog asking for an ID I would've just clicked away and been disappointed. There are 17-year-olds running hosting businesses on lowendtalk.com - should their $1000 a month in revenue business be expected to consult with a lawyer to write a 40-page customer identification plan?
What happens with foreign financial institutions which don't implement KYC or otherwise play nice? I'm really asking; I remember when I was young that "Swiss bank accounts" were famous for shielding account owners, but my understanding is that's no longer the case.
My first thought here was, what happens when the US decides that network providers doing business in the US must blackhole Hetzner or whatever because they aren't implementing KYC?
I mean, it's conceivable that could happen down the line but it would break most of the current Internet. Also the rule explicitly says it's for US providers. However, the government really loves the extraterritorial enforcement angle as of late so I get the feeling they'll eventually try to apply it to foreign subsidiaries of US companies.
It’s typical native tech thinking that legal issues can be solved by technology.
The USA has a lot of experience in how it can influence foreign providers by making it increasingly difficult for them to do business with any USA entities. It’s not bulletproof, but nothing is. As long as the USA has a dominant position in the world, its influence is huge.
The penalties for violating that are also not very high at the scale of small internet businesses. Violations of the proposed rule are treated as violations of IEEPA which is far more serious.