CDT filed comments on a “Know Your Customer” rule proposed by the Department of Commerce (DOC) earlier this week. The rule aims to help the federal government track, prevent, and prosecute malicious use of internet infrastructure in the United States. While supporting this goal, CDT emphasized the importance of privacy protections in the rule, particularly concerning the compelled disclosure provisions and record-keeping requirements.

The proposed rule targets providers of "infrastructure as a service" (IaaS), which offer essential computing resources to consumers. Examples of IaaS services include Google Cloud, Microsoft Azure, and Amazon Web Services. The rule would mandate IaaS providers to distinguish between domestic (U.S. persons) and foreign users, requiring extensive information collection from both categories.

CDT raised concerns about the data collection requirements for foreign users, especially in cases involving the training of large artificial intelligence models with potential malicious applications. The organization highlighted that the rule could compel IaaS providers to disclose information about foreign users that conflicts with the Stored Communications Act (SCA), which protects certain subscriber information from disclosure without legal processes such as subpoenas.

In response, CDT urged the Department of Commerce to reconsider the compelled disclosure provisions, suggesting limitations on entities not covered by the SCA or clarifications on how the provisions align with the existing legal framework. Additionally, CDT recommended restricting the scope of data collection and retention by IaaS providers to safeguard user privacy.