Please provide full-color photos of the following using the OVHcloudShare app (see instructions below):
- A government-issued photo ID
- A picture of the credit card used in the transaction including:
1. The name matching the listed name in the Manager account, AND
2. The last 4 digits of the card number
- A photo of yourself holding the government-issued Photo ID provided above.
I absolutely will not do this - it's incredibly invasive and this is just a hosting service, not a bank. And it's a terrible idea. If every company starts doing this the security implications are far worse than whatever problem they're trying to solve. Am I crazy? Is this just the way the world works now because of KYC or credit card scams or something? Or is it a European thing? (This is a French company and I'm in the USA.)
Therefore we should insist that KYC be solely performed by banks - no other firms should be required to perform it.
Given the extraordinary privileges that banks enjoy, this would be a reasonable contribution to society - especially given that they are doing it anyway.
That sounds like a great way of preventing anyone who doesn’t have a bank account from being able to use services at all.
There are ~1.7 Billion people in the world that are unbanked.
Even in the US alone there are around 55 million unbanked adults. (2018 numbers)
I think we should push for the opposite. Less KYC all around.
With banks having that power, you’re guilty until you prove innocence. Haven’t committed any crimes? Doesn’t matter, you’re banned by default and after you provide ID, we’ll let you bank. Oh, and for any reason, we can ban you and you have no recourse. We won’t tell you the reason either. It’s a great way for the government to not actually go after the money launderers and give the keys of doing business to a select few.
Source for your claim of 55 million unbanked American adults? That's 21% of the 2020 US adult population, and four times higher than what the Fed reports. If America had 55 million potential customers banks would be tripping over each other opening new accounts at McDonalds.
But once that is all set up they have a system called digiID that is wonderful. Anytime your identification needs to be verified it’s done through your bank. I signed up for renters insurance, they did a little OAuth thing with the bank, the bank asked which details I was willing to share (the insurance company asked for just last name, dob, and address) and I agreed. It took seconds.
What I am saying is, there is no reason for other firms to perform KYC because it is totally redundant. The banks already have to do it and they have a better view of the transaction flow anyway.
Any KYC that your ISP might do would be both redundant and inferior to what your bank is already doing.
It is a waste of resources - and a drag on smaller businesses - to do this work twice.
https://torrentfreak.com/u-s-know-your-customer-proposal-wil...
>>> Late January, the U.S. Department of Commerce published a notice of proposed rulemaking for establishing new requirements for Infrastructure as a Service providers (IaaS). The proposal boils down to a 'Know Your Customer' regime for companies operating cloud services...
* The rule would only apply to people living outside the US, so if you pay with a credit card with a billing address in the US from an IP in the US they probably wouldn't need to KYC you.
* KYC != "send me a photo of you holding your driver's license". I can open a bank account by just typing in my name, address, birthday, and SSN. That's enough KYC for a bank, it would be more than enough for a hosting provider even if that proposed rule became law.
What this company is asking for is beyond the pale even by full finance KYC standards. The most likely explanation is that an automated fraud detection system got set off and OP was selected for a much more rigorous review than they typically do.
The power of the market is when customers refuse to go along with unacceptable demands.
eIDAS could be simply described as "a smart card in any document" (so far some EU states have started with identity cards, some with driving permits as well, nothing different from classic/modern e-passports) that you can use with a reader and a PIN to identify yourself. The main usage so far is almost only for public administration services, but some examples of private use are discussed and used ante litteram, for instance as proof of majority for buying cigarettes from vending machines; some discuss the option of a public SSO identifying a citizen who allows sending SOME (detailed in the redirect page) to a private party. Nothing exists AFAIK outside the public, but it is starting to spread. The public became the guarantor of the citizen's identity.
Outside the EU various countries have some form of e-IDs so... It's just about time to streamline them ALSO for contract signing instead of absurd SMS-based signatures on third parties.
The cat is out of the bag. There's no way back.
IMO, this is one of the ways governments get more ideas — to encourage companies or have them collect a lot of data so that they (the government agencies) can legally (or even illegally) demand them for mass surveillance and their expeditions. It’s like a fire hose that won’t stop.
Now I feel like I jumped the gun posting, but I also feel relieved. In any case, thanks for all the support.
Easy to blame the hosting company, or the government, but it's the bad actors and fraudsters and scammers who drive these kinds of rules. I'd rather have to show a hosting provider my ID than have all of their IPs blocked out of the blue one day because they rented a VPS to a scammer or botnet, maybe using my name and credit card number to do it.
Your logic is used by bad teachers in kindergarten to justify group sanction because of a single person's misconduct. I have never seen a bad actor driving rules against his own actions (exceptions exist).
In a society, there will be bad actors. No matter what you do. You can decrease the likelihood of it happening, or mitigate the impact, e.g. by setting rules. Costs for executing these rules should be weighed against the benefits.
If a driver's license is public information, why would they ask for it? If it indeed is public, they don't need to ask for it, because sending it doesn't hold value. If it is not public information, they have to ask for it, and then the fact that you are able to send it to them holds value. Them having the ability to send that information again, can be perceived as, or is, invasive.
The rules we're talking about -- know your customer -- don't come from my logic. They got implemented specifically to fight terrorism and funding terrorism and money laundering (originally part of the Patriot Act, 2001). So yes, everyone got sanctioned because of the "misconduct" of a few people. Whether we agree with that approach or not governments often do exactly that kind of thing. It's the nature of governments and laws to apply rules to everyone at once, and frequently everyone gets "sanctioned" by laws that got written because of a few bad actors. I think about that every time I have to go through security to board a plane.
> I have never seen a bad actor driving rules against his own actions (exceptions exist).
I didn't write that the bad actors make the rules. Their actions lead to the rules, e.g. the rules get driven by the bad actors.
> You can decrease the likelihood of it happening, or mitigate the impact, e.g. by setting rules.
Rules tend to work both ways. Laws against drunk driving, to take just one example, seek to both decrease the likelihood of drunk drivers, and to mitigate the impact through enforcement and punishment, and through legal liability. KYC laws seek to do the same thing: prevent money laundering in the first place, and enable enforcement and punishment.
> Costs for executing these rules should be weighed against the benefits.
We could debate how the world should work all day long, but I'll stick with how it actually works.
> If a driver's license is public information, why would they ask for it?
I didn't write that licenses are public information. I wrote "nothing on a US driver's license is private information." See the difference? The opposite of "private" is not "public." Lots of people and businesses have access to that information. My photo and address may as well be public, anyone with a computer can find those. Driver's licenses are issued by states, with your implied consent to give all of that information and let them print it on a card. The invasion, if you want to call it that, happened when you voluntarily obtained the license. As you might expect, the US has laws around privacy of driver's license information:
https://en.wikipedia.org/wiki/Driver%27s_Privacy_Protection_...
So while not exactly public, that information isn't really private, either. Note provision 3 of the Driver's Privacy Act: "For use in the normal course of business by a legitimate business or its agents, employees, or contractors, but only to ... verify the accuracy of personal information." So a VPS provider or any other business needing or wanting to verify a person's identity can ask to see a license as a form of identification. You don't have to show it to them, but they don't have to take your business either.
My license has this information, none of which I think of as particularly private:
- State of issue
- Date of issue and expiration
- License number assigned by the state
- Photo of my face
- My full legal name from my birth certificate (a public record)
- My address at the time I obtained the license
- My date of birth
- My height, weight, hair, and eye color
- My signature
- What kinds of vehicles I can legally operate
Anyone could find out almost all of that with Google. People put more private personal information in their Facebook and LinkedIn profiles.
> If it indeed is public, they don't need to ask for it, because sending it doesn't hold value.
Do you understand the difference between looking up someone's license information in a database, and doing what bar bouncers and banks and apparently French hosting companies do -- asking to see the license in your hands alongside your face? Do you think passports would work if you could just write down your passport number and tell the immigration agents to look it up, because they potentially can do that? The license has value as identification when someone can visually compare it to the person it belongs to, see that the person is in possession of the identification, and confirm at least some of the information on the license -- already vetted in some way by the state -- matches information the person gave. It's a kind of physical two-factor authentication.
> Them having the ability to send that information again, can be perceived as, or is, invasive.
Collecting driver's licenses and then "sending that information again" would violate the law I cited above. If I gave a photo of my license to a hosting company and could then prove they gave or sold that to some other company without my consent, I would have a cause of action in court.
I don't like it, but it's very understandable.
1. Maybe something about you is triggering their fraud system for step-up verification.
2. They might experience a lot of fraudulent (scammer) users, which is a net-negative for anyone who hosts there because ISPs might blacklist that hosting provider's IPs.
3. Maybe they are super serious and KYC all onboarding because they only want super vetted customers because that benefits everyone to have a “clean network” (basically the opposite of #2).
Given OVH's super low pricing, my guess is #2.
Get in touch with their support directly. They did this to me but I contacted them and complained and said they approved it without the need for this.
[0] https://hn.algolia.com/?query=hetzner%20passport&type=commen...
so yeah, it sucks, especially for privacy aficionados. there are places online that will take your untraceable Monero (XMR) for hosting, but they end up getting used to anonymously host CSAM until the feds take that and hopefully the people creating that down as well.
This is not the norm yet for hosting providers, and you don't have to pay with Monero to avoid having to send a photo of the credit card you used to pay for a service. Just pick almost any other hosting provider and they'll happily accept your credit card via an online checkout flow and be done with it until they get an abuse report.
Ultimately the internet is a lawless extremely low trust place, because it isn't limited by borders, so there is no effective law enforcement over a significant fraction of the people on it. Hosting providers bear a fair bit of the brunt of this because they're a staging ground for doing actually evil things.
I want to work with high trust places. I don't want an IP address that was just being used to hack people. I don't want to have to jump through hoops that verify I'm not doing evil things before doing things. I want to be offered things that can't be offered to people who are abusing trust, like generous free trials.
Verifying I'm an actual person in a place where they can pursue me through a functional legal system and functional law enforcement agencies is a step that allows the trust level to be stepped up slightly from "literally none". That's a good thing IMHO.
And I already have no privacy when I'm paying with a credit card under my real name. There's no actual cost here to me.
That said, I'd be very careful I was actually sending that information to a reputable hosting company, because the internet is a lawless place and there are definitely people who would try and pretend to be your hosting company.
Then don't use OVH :)
OK, so get off the Internet. Don't fuck it up for the rest of us.