A new Senate bill, the Preserving American Dominance in AI Act of 2024 (S.5616), has reignited debate over its provisions, particularly its push to impose “know-your-customer” (KYC) rules on cloud service providers and data centers. Critics warn that these measures could lead to sweeping surveillance practices and unprecedented invasions of privacy under the guise of regulating artificial intelligence.
We obtained a copy of the bill for you here.
KYC regulations require businesses to verify the identities of their users, and when applied to digital platforms, they could significantly impact privacy by linking individuals’ online activities to their real-world identities, effectively eliminating anonymity and enabling intrusive surveillance.
The legislation, spearheaded by outgoing Senator Mitt Romney (R-Utah) and co-sponsored by a bipartisan group of lawmakers, seeks to establish an AI oversight office within the Department of Commerce.
Among its many regulatory demands, the bill would require cloud providers—especially those offering Infrastructure-as-a-Service—to verify the identities of customers involved in transactions with foreign individuals.
Less concerningly, data centers training sophisticated AI models would also be mandated to disclose their ownership and facility locations to the Commerce Department’s AI office.
Supporters claim these measures are essential for addressing potential risks posed by frontier AI models and ensuring national security. Senator Romney emphasized the need for the US to maintain its competitive edge while mitigating risks such as cyber threats and misuse of AI by foreign adversaries. However, privacy advocates see these requirements as a direct threat to the anonymity and confidentiality of users.
The KYC provision, modeled on financial-sector regulations, would force cloud and infrastructure providers to implement identity verification systems, effectively turning these companies into de facto surveillance agents for the government. This could set a new precedent, where private companies are conscripted to monitor user activity.
Noncompliance with the legislation, should it pass, carries severe penalties, including fines of up to $1 million per day or imprisonment for up to 10 years. Such punitive measures could disproportionately affect smaller developers and startups who are unable to navigate the bureaucratic hurdles imposed by the KYC requirements.
KYC requirements, which mandate verifying users’ identities, when combined with the push for digital ID systems, risk creating a surveillance framework that fundamentally changes the nature of online privacy.
