U.S. “Know Your Customer” Proposal Will Put an End to Anonymous Cloud Users

Reported by Andy Maxwell

It’s long been the case that access to certain services, whether on or offline, will only be granted when customers prove their identity. 

Often linked to financial products, but in many cases to basic money/goods transactions carried out online, handing over a name, address, date of birth and similar details can increase confidence that a deal will more likely than not go according to plan. In some cases, especially when buying restricted products, proving identity can be a condition of sale.

Yet, for many years, companies operating in the online space have been happy to do business with customers without knowing very much about them at all. 

In some cases, where companies understand that a lack of friction is valuable to the customer, an email address has long been considered sufficient. If the credit or pre-payment card eventually used to pay for a product has enough credit and isn’t stolen, there seems very little to be concerned about. For many governments, however, any level of anonymity has the capacity to cause concern, and if that means unmasking everyone to identify a few bad actors, so be it.

Improving Detection and Prevention of Foreign Malicious Cyber Activity

Perceived and actual threats from shadowy overseas actors are something few countries can avoid. Whether in the West or the East, reports of relatively low-key meddling through to seriously malicious hacks, even attacks on key infrastructure, are becoming a fact of modern life. 

After being under discussion for years, in late January the U.S. Department of Commerce published a notice of proposed rulemaking hoping to reduce threats to the United States. If adopted, the proposal will establish a new set of requirements for Infrastructure as a Service (IaaS) providers, often known as cloud infrastructure providers, to deny access to foreign adversaries.

The premise is relatively simple. By having a more rigorous sign-up procedure for platforms such as Amazon’s AWS, for example, the risk of malicious actors using U.S. cloud services to attack U.S. critical infrastructure, or undermine national security in other ways, can be reduced. The Bureau of Industry and Security noted the following in its announcement in late January.

The proposed rule introduces potential regulations that require U.S. cloud infrastructure providers and their foreign resellers to implement and maintain Customer Identification Programs (CIPs), which would include the collection of “Know Your Customer” (KYC) information. Similar KYC requirements already exist in other industries and seek to assist service providers in identifying and addressing potential risks posed by providing services to certain customers. Such risks include fraud, theft, facilitation of terrorism, and other activities contrary to U.S. national security interests.

While supposedly aimed at external threats, only positive identification of all customers can eliminate the possibility that an ‘innocent’ domestic user is actually a foreign threat actor. Or, according to the proposal, anyone (or all people) from a specified jurisdiction at the government’s discretion. Upon notification by IaaS providers, that could include foreign persons training large artificial intelligence models “with potential capabilities that could be used in malicious cyber-enabled activity.”

Read full report: https://torrentfreak.com/u-s-know-your-customer-proposal-will-put-an-end-to-anonymous-cloud-users-240425/
