Consumer Choice Center’s comment on the US government’s proposed KYC regulations for cloud servers

Earlier this year, the US Department of Commerce proposed a sweeping regulatory rule that would force cloud service providers to collect and retain personal information on their users, particularly those based outside the United States.

This regulation, prompted by President Joe Biden’s Executive Orders on the “National Emergency With Respect to Significant Malicious Cyber-Enabled Activities,” would require extensive record keeping and collection of user data for all Infrastructure as a Service (IaaS) providers, firms that offer what is commonly known as virtual machines, web servers, cloud computing and storage, Virtual Private Networks (VPNs), Bitcoin and cryptocurrency nodes, artificial intelligence models, and much more.

The intended targets are services that have customers based abroad, in order to stop malicious foreign actors and hackers, but the rule is written broadly enough that any cloud provider that doesn’t capture this information from its domestic US users would be liable for civil and criminal penalties.

The Consumer Choice Center submitted comments to oppose the Commerce Department’s proposed rule, requesting several changes and modifications to better protect data and consumer privacy.

It is found below:

Overbearing KYC Identity Requirements for Cloud Providers Put Consumers at Risk and Threaten Online Free Speech and Commerce

Dear Under Secretary Alan F. Estevez,

The Consumer Choice Center is an independent, non-partisan consumer advocacy group championing the benefits of freedom of choice, innovation, and abundance in everyday life. 

As an organization representing consumers around the country, we are deeply concerned with the proposed rule to require significant Know Your Customer (KYC) procedures for any and all Infrastructure as a Service (IaaS) providers, as detailed in Docket No. DOC-2021-0007

If these rules as they stand are brought into effect, they will have immediate consequences on consumers and online users who create, use, and deploy all manners of online services, servers, cloud systems, and virtual machines. This includes services that allow users to deploy servers to host their own private document and photo content, Bitcoin and cryptocurrency nodes, artificial intelligence models, Virtual Private Networks (VPNs), and more, in accordance with the terms of service offered by IaaS providers.

While these rules are intended to provide more immediate access to information and data on malicious foreign actors using American cloud infrastructure, they will instead result in significant risk to individual privacy, facilitate the loss or malicious use of data, and grant extraordinary powers to government agencies that are inconsistent with the US Constitution and the Bill of Rights.

We understand the intention is to target foreign hostile actors, but the requirement placed upon US service providers will inevitably require that every American provide this information as well.

The requirement that service providers maintain exhaustive personal and financial information on their customers presents not only a gross violation of privacy, but a significant risk, as the thousands of IaaS providers will be in possession of vast amounts of personal data liable to be hacked or leaked.

What’s more, law enforcement agencies already possess enough tools and authority to follow legal processes to acquire warrants and conduct information.

We believe this proposed rule goes much too far in restricting the ability for Americans to use online services they want to choose, and would limit their ability to use servers and cloud services without significant risk to their privacy and personal data.

In addition, the exhaustive information required by a service that wishes to offer users the ability to run a virtual machine, server, AI model, or more, will necessarily push most Americans to opt out of using domestic services entirely, creating economic consequences not calculated in the proposed rule’s costs of compliance.

We would recommend that this rule be revised entirely, removing the significant privacy risks that KYC collection on IaaS providers would require for domestic users, as well as the duplicative and extralegal authority that would be granted to law enforcement officers, in contravention of constitutional law.

Below, we list the two main areas of concern for US consumers.

KYC Requirements For Foreign Users Applied to Domestic Users

As noted in the Background provided in the Supplementary Information of the rule, these new powers would require service providers to segment users based upon their country of origin:

To address these threats, the President issued E.O. 13984, “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities,” which provides the Department with authority to require U.S. IaaS providers to verify the identity of foreign users of U.S. IaaS products, to issue standards and procedures that the Department may use to make a finding to exempt IaaS providers from such a requirement, to impose recordkeeping obligations with respect to foreign users of U.S. IaaS products, and to limit certain foreign actors’ access to U.S. IaaS products in appropriate circumstances.

However, in order for IaaS providers to effectively determine the location of a user, they will be required by the force of law – and risk of civil and criminal penalties – to log, categorize, and document a user’s location and accompanying personal information regardless of their location, all in efforts of determining whether a potential user would be considered a “foreign user” or beneficial person.

This will lead to increased collection of information akin to bank accounts and financial transactions, leading to widespread “Know Your Customer” (KYC) requirements which have never been applied at this level to online services.

Beyond congressional approval, we believe this proposed regulation far exceeds the bounds of agency authority, whether from the Department of Commerce or via the mentioned Executive Orders, and would create significant areas of risk for ordinary users and customers location both abroad and within the United States.

In addition, the broad application and definition of a covered service – “any product or service offered to a consumer, including complimentary or “trial” offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications” – essentially means any cloud service would be within the scope of this regulation.

The Risk of Privacy Breaches

As service providers would be required to maintain a robust Customer Identification Program, as outlined in § 7.302, this would therefore place liability on all cloud providers to collect and retain the full name, address, credit card number, virtual currency numbers, email, telephone numbers, IP addresses, and more on any potential customer of their service.

While we appreciate that private cloud providers and IaaS firms would have the latitude to determine how they structure their Customer Identification Programs, we believe that the requirement to collect this information and store it locally will constitute a high potential for that information to be accessed without authorization, either by hacks, leaks, or other malicious activity. 

Because service providers will be required to catalog this information for years on end, this will inevitably prove to be a high-value target for malicious actors, while providing minimal benefit to the law enforcement agencies that can already legally obtain this information via lawfully executed warrants.

Extraordinary and Duplicative Powers

Law enforcement agencies at the federal, state, and local level already possess the legal tools to subpoena or request data cloud providers or VPN providers with lawfully obtained warrants. 

That IaaS providers would be required to not only retain this information, but also to preemptively “notify” law enforcement without any judicial order or suspicion of a crime, violates the Fourth Amendment and the Due Process Clause as interpreted from the Fifth and Fourteenth Amendments.

Section § 7.306(d) lays out the stipulation for being exempted from the requirements as “voluntary cooperation” with law enforcement agencies, then forcing providers to enable access to “forensic information for investigations of identified malicious cyber-enabled activities”. 

We believe this would be easily abused, as it would provide a legal path for companies to divulge customer information to government authorities beyond what is necessary and lawful, and provide incentives for firms and companies to voluntarily submit information on their customers to government agencies, law enforcement agents, and more.

As written, we believe this proposed rule has been offered in haste, and will likely lead to significant harms and risks to consumers’ data, privacy, and their liberty to engage in free commerce. We would urge this rule to be rewritten with these concerns in mind.

Sincerely yours,

Yaël Ossowski

Deputy Director,

Consumer Choice Center

A new federal privacy bill overdoses on empowering agencies over helping consumers

Late last week, a discussion draft of a new federal privacy bill was uploaded to the cloud server of the US Senate Commerce Committee and made public.

The bill, known as the American Privacy Rights Act, is the latest serious attempt by a bipartisan cohort of congressional legislators to address Americans’ privacy rights online, as well as the obligation of companies, nonprofits, and organizations that cater to them.

There are been numerous attempts at national privacy bills, but this is the first version that seemingly has bipartisan agreement across both the US House and Senate.

At the Consumer Choice Center, we have long championed the idea of a national privacy law, putting forth what we believe are the important principles such a law should have:

  • Champion Innovation
  • Defend Portability
  • Allow Interoperability
  • Embrace Technological Neutrality
  • Avoid patchwork legislation
  • Promote and allow strong encryption

Now that a serious bill has been put forward, authored by Sen. Maria Cantwell (D-WA) and Rep. Cathy McMorris Rogers (R-WA), both chairs of the Commerce Committee in their respective congressional chambers, we’ll address what we consider to be helpful but perhaps also harmful to both consumer choice and future tech innovation if this bill remains in its current form.

Granted, this is a working draft of the bill, and will (hopefully) be updated after feedback. For those who are interested, here’s the latest primer on the bill from the bill authors.

I also provided some additional comments on this bill in a recent Q&A with Reason Magazine, which I’d encourage you to read here if you’re interested.

Off we go.

What’s to like:

A national privacy law is both necessary and welcomed. Not only because it would override the overly stringent state-level privacy laws in places like California and Virginia, but because it would provide uniform policy for consumers and companies that wish to offer them goods and services. 

And also because, as compared to the European Union and other countries, our privacy rights as Americans differ widely depending on the services or sectors we interact with, our IP address, and where we happen to live. And considering the hundreds of privacy policies and terms of service we accept each and everyday, there are vastly different frameworks each of these contracts import.

Here are some positives on the American Privacy Rights Act:

  • Preemption of state privacy laws is a good measure introduced in the bill, particularly when it comes to the strict and overbearing California privacy law, which has become a standard bearer due to California’s huge population and company base.
    • This provides legal stability and regulatory certainty, so that consumers can know their particular rights nationwide, those who interact with these laws can begin to learn and implement them, and there is universality that protects everyone.

  • Data portability is an important principle and could conceivably become an easily enforceable section of privacy legislation. This should be both reasonable and accessible. This would include the exporting of information collected by a particular service or app, as well as any key account details, so that information can be ported over to competing services if consumers want to change things up.
    • Examples: open banking, exportable social profiles, info, etc.
    • Ideally, this information would be exportable using non-proprietary data formats.

  • Transparency on what data is collected and by whom (mostly data brokers) is also a good measure included in the bill. Most tech services and app stores have made this a key feature of what they provide because it’s important to consumers.
    • A registry of data brokers, which would be required, seems inoffensive and would be a good measure of transparency, as would a privacy policy requirement, which most sites already provide and which major app stores require.
    • However, as we’ll mention later, government agencies (particularly law enforcement) are not barred from interacting with data brokers to circumvent warrants, which puts a lot of data of Americans at risk.
      • Sen. Ron Wyden (D-OR) introduced S.2576, the Fourth Amendment Is Not For Sale Act, to deal with this issue and its counterpart in the House successfully passed yesterday.

These three points found throughout the bill do measure up to the principles we’ve outlined in the past. Data portability, avoiding patchwork legislation, and transparency over what data is collected and what isn’t. Most online services already offer this information in privacy policies, and when mediated through cell phone or computer app stores, consumers have direct insight into what is collected.

This is a good starting point, and does demonstrate that the legislators are working in good faith to try to protect Americans’ privacy.

But while those are important, these should also be balanced with consumer access to innovative goods and services, which are cornerstone to our ability to choose the technology we want.

What’s not to like:

While a strong national privacy law is vital, we should also make certain that it is balanced, appropriate, and fair. Consumer protection is an overarching concern, but so should responsible stewardship of data if consumers want it, as well as the ability to access innovation to improve our lives.

These aspects of the bill are more troublesome, as they would likely invite more problems than they would solve.

  • An outright veto on targeted advertising is unworkable and would ultimately work against consumers. It would also basically cut off an important revenue source for most online services that consumers appreciate and use everyday.
    • This algorithmic style of reaching out to willing users implements geo-targeting and personalization, which are key to the consumer experience, and are a willing trade-off for consumers who want to use free or otherwise heavily discounted services.
    • They are also a prime concern for small businesses who rely on targeted ads to reach their customers, whether that be through ads online
    • At the same time, the prohibition on large social media companies offering paid subscription plans to those who don’t want to participate in targeted advertising seems counterintuitive and goes against the spirit of what is trying to be achieved here.
    • A privacy bill is supposed to be about giving consumers ultimate autonomy and decision rights, not outlawing a particular business model.

  • Inventing a right of “opt-out” would necessarily create several tiers of consumers, and would complicate virtually any business’ attempt to collect necessary information on their consumers. It would be a de-facto ban on targeted advertising, as social media services specifically would also be unable to offer “paid” versions to their users, and small businesses would not be able to use social networks to advertise to consumers who they believe would like to buy their goods or use their services.

  • Data minimization is a good principle, but it’s an unworkable legal standard because it would vary so widely depending on any app, nonprofit, or company.
    • Data needs change depending on how firms and organizations evolve, and whatever standard this law would enforce would likely make it more difficult for companies to scale and offer better and more affordable services to consumers in the future.

  • One of the more offensive parts of the bill would be the private right of action, which would be more encompassing than any privacy bill in the world. It would also not allow suits to be settled in arbitration, meaning every lawsuit – no matter its merits – will have to be reviewed by a judge.
    • Private right of action would empower plaintiff attorneys and deter innovation on the part of firms, vastly bloating our justice system.
    • This wouldn’t be positive for consumers, as it would likely raise the cost of goods and services, and would generally add to the overall litigious nature of the US judicial system.
    • At the Consumer Choice Center, we’ve long campaigned on rolling back the excesses of our tort law system and introducing simple legal reforms to better serve those who are legitimately harmed by companies.

  • 🚨The bill exempts government agencies at every level from any privacy obligations. This is a glaring red flag, especially considering the amount of sensitive data that has been routinely leaked, hacked, or made available to the public when it shouldn’t have been. Exempting government agencies from privacy rules is an egregious mistake.
    • If a state’s database of say, gun owners, is leaked (as happened in California). No crime, no foul. The same if a local or city government leaks your income information, Social Security number, healthcare data, or any other type of information. This should be immediately addressed in the bill to introduce parity.

  • Prior restraint for algorithms, which gives the Federal Trade Commission and other agencies veto power on all “computer processes” before they can be used by the public. This means the FTC would need access to all algorithms and AI innovations before launch, which would absolutely have a chilling effect on innovation and restrict entrepreneurial data projects and development of AI models.
    • This would be a huge VETO on American free enterprise and the future of tech innovation in our country, and risk exporting our best and brightest abroad.

  • The FTC would be responsible for the enforcement of these rules, as well as state attorneys generals, but a lot would be litigated in private rights of action (torts, etc.), which would generally favor incumbents who have the resources to comply. So while much of this bill is aimed at trying to reign in “Big Tech,” they paradoxically will likely be the only firms with the significant power to comply.
    • In addition, the Department of Justice and the FTC have built a reputation as anti-tech forces in our federal government. Would this newfound power lead to better goods and services for consumers, or more limited options that would bode well with regulatory authorities for ideological purposes. This is a difficult pill to swallow in either case.

Is there another way forward?

Assuming most of the glaring issues with this bill are fixed – the soft ban on targeted advertising, exempting of government agencies, empowerment of bogus lawsuits by private right of action, the inability to bring cases to arbitration, FTC’s powerful veto power over algorithmic innovation – there are elements that are favorable to those who want a good balance of consumer choice and innovation in our economy while protecting our privacy.

While all these are measures that a national privacy bill could address, there is still much more that we as individuals can do ourselves, using tools that entrepreneurs, developers, and firms have provided to us to be both more private and free. We hope legislators will take these concerns seriously, and amend some of these provisions in the draft bill.

The normalization of end-to-end encryption in messaging, data, and software has been a great counterbalance to the endless series of leaks, hacks, and unnecessary disclosures of private data that have caused objective harm to citizens and customers. We hope this is encouraged and becomes default for digital services, as well as remains protected for use by both firms and consumers.

For another view, the International Center on Law and Economics has an interesting paper on the idea of “choice of law” as the better approach for privacy rights, opening up selection of a particular privacy regime to market choice rather than top-down legislation, similar to private commercial courts in the United Arab Emirates. This would allow states to compete for business by offering the most balanced privacy law, which could spurn a lot of innovative thinking about better ways to approach this.

That said, this is technically how it has been de facto practiced in the country today, and California has won by default owing to its large population. I’m not sure we would be able to trust too many other states to craft balanced but effective privacy laws that wouldn’t create more trouble than it would solve. But I would be happy to be proven wrong.

While this privacy bill is ambitious, and covers a lot of ground that is vital for privacy concerns, there are still many elements that would require sweeping changes before it should be palatable for consumers who desire choice, prefer innovation, and what to ensure that our society remains both free and prosperous.

Scroll to top