GNI Comment on BIS Proposal Regarding Infrastructure as a Service


April 30, 2024  |  News, Policy

The Global Network Initiative (GNI) has submitted a comment on the proposed rulemaking on “Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities” (“Proposed Rule”) to the Bureau of Industry and Security at the U.S. Department of Commerce. Under the Executive Orders of 19 January 2021 and 30 October 2023, the Secretary of Commerce has proposed regulations requiring U.S. Infrastructure as a Service (IaaS) providers to collect and disclose information about their users that will allow the government to more effectively prevent abuse or malicious cyber-enabled activity. GNI is concerned about an approach that treats collection and compelled disclosure of personal information as a necessary precondition for cybersecurity, and believes the Proposed Rule sends the wrong message about the best way to secure a free and open Internet.

By requiring U.S. IaaS providers to gather and retain data about their customers as a condition for providing service, the Proposed Rule would result in large collections of personal data that are inconsistent with privacy rights. IaaS providers forced to keep troves of customer data are likely to be subject to government orders to turn over this data, and to cybersecurity attacks seeking to obtain and compromise this data. Failures to comply with specific provisions in the Proposed Rule may risk liability for individual employees at the level of senior management who are designated as responsible (Proposed Rule § 7.306).

Similarly, the requirement on U.S. IaaS services to report to the Commerce Department when a foreign person transacts with them to train a large AI model directly conflicts with the Stored Communications Act of 1986, which, under U.S. Code § 2702, prohibits remote communications services from disclosing information “pertaining to a subscriber or customer [..] to any governmental entity” in the absence of legal process. The Proposed Rule currently does not offer an explanation of how the compelled disclosure requirement may be harmonized with the existing statutory provision.

As BIS works to reduce the abuse of IaaS services by malicious cyber actors, GNI urges caution in ensuring that the chosen approach does not have the unintended consequence of harming civil society organizations and marginalized individuals around the world.

Download the full comment
