Curious to see how the new administration will handle this. They will need to gather personal identity information to determine if you are a US citizen which is scary. Will certainly enable AWS/GCP/Azure to curtail all my free trial accounts I imagine.
On the other hand, they do not define US IaaS very well, so I am curious if GCP/AWS will be exempt since I think they are technically shell companies registered in Jersey or Isle of Man or offshored on paper.
> Curious to see how the new administration will handle this.
Probably just rescind the order. It directs the secretary of commerce to develop regs, and the new administration (even if it agrees with the general thrust) will probably want to direct the parameters for any regulations rather than leave them to the preferences of outgoing administration.
"Within 180 days of the date of this order, the Secretary of Commerce (Secretary) shall propose for notice and comment regulations that require United States IaaS providers to verify the identity of a foreign person that obtains an Account. These regulations shall, at a minimum: (a) set forth the minimum standards that United States IaaS providers must adopt to verify the identity of a foreign person in connection with the opening of an Account or the maintenance of an existing Account, including: [...] (A) the identity of such foreign person and the person’s information, including name, national identification number, and address.
[...]
(j) The term “United States Infrastructure as a Service Provider” means any United States Person that offers any Infrastructure as a Service Product."
Sure but Amazon (and all others) are not really US persons under the covers.
"In the United States, Amazon has been accused of transferring U.S. funds to the same shell company in Luxembourg, to avoid paying $234 million in U.S. taxes for 2005 and 2006. "
"Under the covers" as you put it refers to where the revenue is ultimately going. Amazon's datacenters in the US absolutely are owned and operated by US-incorporated corporations to which this order applies.
Err, I am not a fan of this. The identity requirements imply that that services will at the very least request enough information to identify that you are a US citizen.
It also seems to make IP logging a requirement: "Internet Protocol addresses used for access or administration and the date and time of each such access or administrative action, related to ongoing verification of such foreign person’s ownership of such an Account"
In the 80s and 90s, I imagined the ‘Net as borderless. That didn’t last long, and because it’s so long gone, this seems not to really add any scope to that creep. That said...
First point seems less worrisome until you see the intent to have access to access patterns (not just IPs, also timings) outside the US by non-US persons. Note the “or” and remember “corporations are people”, as well as remembering there are no loopholes to pick at here until after it’s drafted. The intent is clear:
The term “United States Infrastructure as a Service Product” means any Infrastructure as a Service Product owned by any United States person or operated within the territory of the United States of America;
On the second point, is there any reputable CSP that doesn’t have the IPs used for access or administration? Is there any that doesn’t already geo-check the edge accesses for proactive threat management? This language could also give legal air cover to enrich domestic CSP security practices.
The US is pretty cemented in as a leader in the cloud world.
This might be step one to extending these regulations to all cloud providers worldwide, with the threat that anyone who provides IT services to others without strong identity verification gets blocked financially.
There really should be a drastic limit to executive authority after an election and before a new administration takes office. I'm talking no new executive orders, no pardons, no judicial nominations, really hardly any executive action at all without congressional approval. This would limit the kind of sour grapes, last minute policy changes arguably enacted in bad faith to hamstring an incoming president.
I think thats an argument for reducing the time between elections and when people assume office, not for taking away administrative powers that can also be used for good things and for emergencies.
That would just worsen the “lame duck” issue we already have.[0] As @ac29 said, we should shorten the time between election and inauguration.
Aside: As it stands, the constitution sets when Inauguration Day is (20th Amendment), so the only option it to modify the US Code which sets Election Day (Tuesday, between November 2-8 inclusive)[1]
I wholeheartedly agree that the time between election and inauguration should be shortened. Really, the current administration's powers should be gone the minute the last tipping point state certifies its results.
It is an old tradition, and in fact contributed very much to making the US what it is. John Adams appointed John Marshall Chief Justice of the Supreme Court very late in his one term. With a different justice--one with a less expansive view of federal power, or just one without the personality to carry the court with him--the Supreme Court might have considerably less weight.
Apart from that, though, the worst I can remember from recent history are a pardon binge or two. But the outgoing president is not one to be constrained by custom.
There's really only so much you can do about a President acting in bad faith. If you elect a President who does that, you really messed yourself up already.
In this case we did -- though honestly, the last minute pardons and orders were far less bad than they could have been. It's hard to tell how much of that is incompetence, how much is grumpiness, and how much is having pissed off his own party so much that there just wasn't much point. Executive orders are easily reversed.
The Lame Duck period is actually pretty important. For those on the way out, it's the only time that they get to be truly free to vote their conscience. And even for those who will face re-election in 2 or 6 years, they have the maximum time to put any votes here into context (and to bury a lot of it in the flurry of lame duck work). It's one of the few times Congress can get around its deadlock and actually achieve what it's supposed to. And yeah, that includes the President.
So if you go in assuming that government actually does have a function (as opposed to the all-purpose "government never does anything good and only bad things" argument, which is very lazy), it's best to start with the assumption that they're not going to be completely malign, even if they could be -- and we have evidence that they sometimes are. But it's very rare, and there are already a lot of checks and balances in place.
It's true that there has become a lot of bad faith, and that is literally an existential crisis. But I don't think you'll fix it by putting even more restrictions on them doing their intended jobs. I'd much rather fix the bad faith problem -- which shouldn't be intractable. If we're going to be a country, and a democracy, we've got to find a way to have a certain faith in our fellow citizens. That's shattered now, but if it's unfixable, then it's the country that's unfixable, and no rules-tinkering will help.
From what I am reading here. This really targets VPS providers that allow payment through let’s say bitcoin and such which provide as proxy points to anonymize traffic.
This will impact I am sure the big players in some way, but see smaller operators hosting vps(iaas) impacted more.
TL;DR: "If you want hosting in the US, you can show strongly identity-linked US bank/card information, or, if you don't have one of those, strongly identity-linked ID documents."
It somehow doesn't feel like he's ramming this through on the last day of his presidency because he cares deeply about the safety and security of the citizens of the USA.
Publishing anonymously should be something the government is actively trying to protect, not criminalize.
> It somehow doesn't feel like he's ramming this through on the last day of his presidency because he cares deeply about the safety and security of the citizens of the USA.
No, but it doesn't feel like it is being done out of spite either. I mean, there is nothing here that can't be ignored or negated by the incoming administration when any proposed regs are eventually drafted, so someone lobbied for this EO, but I don't see who this benefits enough to have been worth expending financial or political capital just to get draft legislation that they will have to expend more capital on to actually get enacted, and perhaps then a bit more to have enforced (it is a characteristic of such efforts to enact legislation or regulation that if you are clever enough, enforcement is something that the lobbying entity largely gets "for free" when their pet legislation is enacted).
Although it does seem plain that the amount of capital expended right now is likely smaller than if trying to get the incoming administration to get the ball rolling, but that just answers "why today" rather than "why".
19 comments
[ 3.3 ms ] story [ 56.3 ms ] threadOn the other hand, they do not define US IaaS very well, so I am curious if GCP/AWS will be exempt since I think they are technically shell companies registered in Jersey or Isle of Man or offshored on paper.
Probably just rescind the order. It directs the secretary of commerce to develop regs, and the new administration (even if it agrees with the general thrust) will probably want to direct the parameters for any regulations rather than leave them to the preferences of outgoing administration.
[...]
(j) The term “United States Infrastructure as a Service Provider” means any United States Person that offers any Infrastructure as a Service Product."
"In the United States, Amazon has been accused of transferring U.S. funds to the same shell company in Luxembourg, to avoid paying $234 million in U.S. taxes for 2005 and 2006. "
-https://www.forbes.com/sites/parmyolson/2017/10/04/europe-cr...
It also seems to make IP logging a requirement: "Internet Protocol addresses used for access or administration and the date and time of each such access or administrative action, related to ongoing verification of such foreign person’s ownership of such an Account"
First point seems less worrisome until you see the intent to have access to access patterns (not just IPs, also timings) outside the US by non-US persons. Note the “or” and remember “corporations are people”, as well as remembering there are no loopholes to pick at here until after it’s drafted. The intent is clear:
The term “United States Infrastructure as a Service Product” means any Infrastructure as a Service Product owned by any United States person or operated within the territory of the United States of America;
On the second point, is there any reputable CSP that doesn’t have the IPs used for access or administration? Is there any that doesn’t already geo-check the edge accesses for proactive threat management? This language could also give legal air cover to enrich domestic CSP security practices.
So long as I don’t need servers in the USA why should I choose a USA based cloud provider?
I feel like I’m missing a point here.
This might be step one to extending these regulations to all cloud providers worldwide, with the threat that anyone who provides IT services to others without strong identity verification gets blocked financially.
Aside: As it stands, the constitution sets when Inauguration Day is (20th Amendment), so the only option it to modify the US Code which sets Election Day (Tuesday, between November 2-8 inclusive)[1]
[0]: https://en.wikipedia.org/wiki/Lame_duck_(politics)
[1]: https://en.wikipedia.org/wiki/Election_Day_(United_States)
Apart from that, though, the worst I can remember from recent history are a pardon binge or two. But the outgoing president is not one to be constrained by custom.
In this case we did -- though honestly, the last minute pardons and orders were far less bad than they could have been. It's hard to tell how much of that is incompetence, how much is grumpiness, and how much is having pissed off his own party so much that there just wasn't much point. Executive orders are easily reversed.
The Lame Duck period is actually pretty important. For those on the way out, it's the only time that they get to be truly free to vote their conscience. And even for those who will face re-election in 2 or 6 years, they have the maximum time to put any votes here into context (and to bury a lot of it in the flurry of lame duck work). It's one of the few times Congress can get around its deadlock and actually achieve what it's supposed to. And yeah, that includes the President.
So if you go in assuming that government actually does have a function (as opposed to the all-purpose "government never does anything good and only bad things" argument, which is very lazy), it's best to start with the assumption that they're not going to be completely malign, even if they could be -- and we have evidence that they sometimes are. But it's very rare, and there are already a lot of checks and balances in place.
It's true that there has become a lot of bad faith, and that is literally an existential crisis. But I don't think you'll fix it by putting even more restrictions on them doing their intended jobs. I'd much rather fix the bad faith problem -- which shouldn't be intractable. If we're going to be a country, and a democracy, we've got to find a way to have a certain faith in our fellow citizens. That's shattered now, but if it's unfixable, then it's the country that's unfixable, and no rules-tinkering will help.
This will impact I am sure the big players in some way, but see smaller operators hosting vps(iaas) impacted more.
It somehow doesn't feel like he's ramming this through on the last day of his presidency because he cares deeply about the safety and security of the citizens of the USA.
Publishing anonymously should be something the government is actively trying to protect, not criminalize.
No, but it doesn't feel like it is being done out of spite either. I mean, there is nothing here that can't be ignored or negated by the incoming administration when any proposed regs are eventually drafted, so someone lobbied for this EO, but I don't see who this benefits enough to have been worth expending financial or political capital just to get draft legislation that they will have to expend more capital on to actually get enacted, and perhaps then a bit more to have enforced (it is a characteristic of such efforts to enact legislation or regulation that if you are clever enough, enforcement is something that the lobbying entity largely gets "for free" when their pet legislation is enacted).
Although it does seem plain that the amount of capital expended right now is likely smaller than if trying to get the incoming administration to get the ball rolling, but that just answers "why today" rather than "why".
Cui bono?