A service for global professionals · Saturday, May 18, 2024 · 712,699,121 Articles · 3+ Million Readers

Department of Commerce “Know Your AI Customer Rule” Must Protect Privacy

Earlier this week, CDT filed comments on a “Know Your Customer” rule that the Department of Commerce (DOC) proposed to help the federal government track, prevent and prosecute malicious use of internet infrastructure in the United States. While we voiced our support for this goal, we cautioned the DOC that the compelled disclosure provisions of the rule it ultimately adopts must account for the privacy protections that the Stored Communications Act (SCA) has imposed, and that the record-keeping requirements should be modified to protect the privacy of customer data.

The proposed rule applies to providers of “infrastructure as a service” or “IaaS providers.” They offer processing, storage, networks, or other fundamental computing resources on which consumers run software such as operating systems and applications. Examples of IaaS services include Google Cloud, Microsoft Azure and Amazon Web Services.

The proposed rule would require IaaS providers to determine which of their users are domestic (U.S. persons) and which are foreign. That requirement means that IaaS providers would have to demand documents or other information from their U.S. users so that their U.S. person status could be confirmed. With respect to their foreign users, IaaS providers would have to collect, and maintain for lengthy periods of time, name, address, email address, account number, credit card number used for payment, virtual currency wallet or wallet address identifier used for payment, telephone number, IP address used for access, and the date and time of each such access of the account. This information would be made available to the DOC upon demand. This is inconsistent with best practices for data minimization and may run afoul of IaaS providers’ obligations under the European Union’s GDPR.

Perhaps most importantly with respect to foreign users, when an IaaS provider gains knowledge that a transaction could result in the training of a large artificial intelligence model with potential capabilities that could be used in malicious cyber-enabled activity, the proposed rule would require the provider to disclose to the DOC information about its foreign user that the SCA prohibits it from disclosing. The proposed rule is vague and broad enough to sweep in many such AI models. The information that would have to be disclosed includes subscriber information such as email addresses, phone numbers, credit card numbers, and virtual wallet address identifiers used for payment, for which the SCA prohibits disclosure in the absence of a subpoena or other legal process.

We urged the Department of Commerce to abandon the compelled disclosure requirements, to limit them to entities not covered by the SCA, or to explain how they comport with the SCA. We also urged it to limit the data it would compel IaaS providers to examine, collect and maintain, and to limit the retention of that data.

Powered by EIN Presswire
Distribution channels: Technology