Grex > Coop12 > #123: Proposal to modify selection of corporate officers

response 25 of 118: jp2, Aug 28 04:24 UTC 2002
This response has been erased.

response 26 of 118: mdw, Aug 28 07:50 UTC 2002
Jamie, are you a lawyer or a journalist by training?
Grex has 2 reasons to acquire identification information: voting rights,
and internet access liability. The former is defined by a combination
of Michigan State law, and the bylaws - we have to be able to show "due
diligence" in enforcing "one person, one vote", and we have to keep a
membership list that is available for inspection (by whom and under what
circumstance has been a matter of some controversy.) Full legal names &
address information would probably be part of that list; the raw
materials we used to verify that list would not be.
Internet access liability is a much more shadowy and less well defined
issue. It's also evolving rapidly; there are more laws & court cases
today than there were when grex first got on the internet. The
technology is also changing as well. The fundamental issue remains the
same however, and that is we don't want grex to act as a legal shield
between a vandal and some victim out there on the internet. Hence, if
somebody comes to grex upset about some vandal, we want to be able to do
one of 2 things: either (a) it's a service they publish or provide to
the public, and it's their business to secure that service (i.e., smtp,
http), or (b) it's a private service, so only somebody known to us could
have gotten to it. I.e., they're a member, and we have sufficient "stuff"
at our end to enable the person to be tracked down and held accountable
for what they did.
Now, somebody up to no good is not likely to willingly provide us with
their real name or address. So, we need "something more", and something
that will latch into other people's resources. If we merely wanted some
form of unique identification, a "tongue" print would likely suffice.
As far as I know, these are as characteristic as finger prints.
However, nobody else records these, so they're not useful for tracking
people down. What we do instead is, if the person paid with some
financial instrument that leaves a paper trail, we keep a copy of that
financial instrument. If we're paid with an anonymous instrument, such
as cash, we instead ask for some other form of ID, such as a driver's
license, and we keep a copy of the information on that. Presumably, if
a member ever were to commit some sort of indiscretion, law enforcement
or a court could use the paper trail left by the money to track it back
to the actual person responsible, or at the very least would be able to
show that the person concerned also committed fraud against us (thus at
least giving us a good reason to shut that person's account down.)
In actual fact, requiring identification for internet access dissuades
vandals in quite a different way: few are willing to provide real money
or identification information in the first place. So we've never had to
test the effectiveness of the information we collect. So basically this
turns into an interesting shell game; we collect and store all this
data, so that we never have to use it.
I don't believe we have very much credit card information. Paypal is
the only system we've ever used that worked, and since it doesn't give
such information to us, I believe we've treated it like any other
anonymous form of money; we require additional identification
information. Most of the information we have is probably of the form of
photocopies of either driver's licenses, school IDs of various sorts, or
personal checks. Clearly this is all "private" data; we treat it all as
confidential, and the only reason we'd turn it over to anyone else would
be in case of a court order.
I have never heard anybody suggest that it's illegal for a business
(even a non-profit) to keep such information--many businesses collect
and keep a lot more than we do. The closest anyone has come before is
to suggest that it might be illegal in some states to photocopy a
driver's license. This is far from proven; apparently even in states
where this is allegedly the case, it's still common to photocopy them.
The actual interpretation of the law seems to be that it's illegal to
*forge* a DL; since photocopies are generally obviously not forgeries;
nobody seems to care. Besides, grex isn't in one of those states, and
we're not the ones making the photocopies; so it's not at all clear this
is our problem.
In the final analysis, of course, it's completely within Jamie's rights
to refuse to provide any identification information to grex, just as
it's completely within grex's rights to refuse to "make him a member".
Essentially, Jamie is saying "I don't trust you with my private data",
and "I refuse to be accountable for any actions I might take". If Jamie
were applying for credit at a credit union, or attempting to purchase a
plane ticket, he'd be laughed out the door. Our identification
requirements are awfully modest in comparison.

response 27 of 118: jp2, Aug 28 14:23 UTC 2002
This response has been erased.

response 28 of 118: bhelliom, Aug 28 15:53 UTC 2002
How is this data stored, and how far back does it go? Is it destroyed
after a specific period of time?

response 29 of 118: other, Aug 28 18:16 UTC 2002
RE the cc# storage: My reference to that is based on vague recollections
of past conversations about splitting up the job of the treasurer. As I
said earlier, you would have to consult aruba for specifics and current
data. In either case, the data are stored offline only, which greatly
minimizes the security concern.
Marcus makes some valid points, but has apparently not read (or else not
remembered) the full context of the discussion and assumes intent behind
the discussion which is in this case not applicable. It is not a tactic,
but merely an error.
All this aside, the anonymity requested by certain donors alone justifies
the consolidation of tasks in the one position.

response 30 of 118: cross, Aug 28 21:55 UTC 2002
Regarding #29; I don't really want to enter into this specific debate,
but Marcus appears to make that error a lot. After a while, it stops
looking like an error, and more like a tactic.
I'm off to hum now.

response 31 of 118: carson, Aug 28 23:08 UTC 2002
(it's hard to follow Jamie when he insists on leaping from one position
to another. that's not to say that any of those positions are necessarily
incorrect; that's an exercise best left to the individual. however, I
would encourage Jamie, once he's exhausted his imagination, to re-present
his favorite one at length for the rest of the class. I suspect he'd then
find more support than some might expect.)

response 32 of 118: jp2, Aug 28 23:15 UTC 2002
This response has been erased.

response 33 of 118: mdw, Aug 29 05:21 UTC 2002
"My opponent"? My, my. I'm not the one claiming that grex has tons of
well aged credit card information and yet I'm being accused of making up
facts to suit my fancy.

response 34 of 118: bhelliom, Aug 29 13:18 UTC 2002
Why don't we all try to get along, children? This is neither a court nor an
interrogation room, and we are not trying to find anyone guilty. I do
not appreciate the air of suspicion that is being created in this
item. It completely detracts from the discussion and makes everyone
less inclined to listen and discuss this situation like adults. For the
sake of clarity, can we keep this on task as much as possible? There
are issues under discussion here that have absolutely nothing to do
with the original topic. Please create another item for these side
arguments that do not directly pertain to this issue.

response 35 of 118: jp2, Aug 29 13:47 UTC 2002
This response has been erased.

response 36 of 118: bhelliom, Aug 29 19:59 UTC 2002
Oh dear.

response 37 of 118: polytarp, Aug 30 01:02 UTC 2002
fag.

response 38 of 118: carson, Aug 30 23:27 UTC 2002
(having re-read this item, I find myself agreeing with the sentiments
expressed in resp:1. further, I'm not compelled to believe that the
change proposed in resp:0 is necessary, nor am I compelled to believe
that such a change would necessarily be beneficial.)
(although it's merely a side issue, I should point out that, while
well-intentioned, other's description of what membership information
is handled by the treasurer doesn't jibe with my recollection.
perhaps aruba [or danr or flem] could clarify what's actually handled
and what's retained?)

response 39 of 118: polytarp, Aug 31 00:32 UTC 2002
fag.

response 40 of 118: aruba, Sep 2 23:02 UTC 2002
I have been out of town, so am only now able to respond to this item.
First of all, I don't have a strong opinion about Jamie's idea. It would
be fine with me if the board were allowed to appoint a non-board member as
an officer.
But I do agree with Colleen that it's good for the jobs to change hands
periodically. In the case of treasurer, the problem is finding someone
willing to put in the time to do a good job at it. (Colleen is mistaken,
BTW, about how often the job must currently turn over; board members are
allowed up to 2 consecutive 2-year terms, so one person may be treasurer
for 4 consecutive years. Both danr and I have done that. But in the 5th
year, we were forced to turn it over to someone else.)
I found Eric's description of "anonymous members" confusing; we've never
had anyone we called that during my time as treasurer. What he means, I
think, is this: while we publish the logins of our members, we do not
publish their real names if they request that we not do so. This has no
effect on whether they can vote or not, so I'm not sure what Eric was
referring to there.
We also require ID from each member, which is always kept confidential.
That means a bank name/account number from a personal check, or a
photocopy of a driver's license, or something like that. It's stored on
my computer, which is not a server and is not permanently attached to the
net. As far as I know there's no way anyone could steal that information
without physical access to my machine, but I am not a security expert, and
I would welcome a discussion by those who are on how to make sure no one
has a chance to see that info.
During the first part of 2000, while flem was treasurer, we had a system
set up to process credit cards. We received the credit card numbers via a
secure server, and the board agreed that a CC# should count as someone's
ID, just like a driver's license would. This made it a lot easier for
people to become members via credit cards; they didn't need to send us a
separate ID.
So Greg recorded credit card numbers for ID purposes. He saved
approximately 32 credit card numbers. Of those 32 people, one is still a
member and another was until recently (and may be again soon); the rest
are no longer members.
It's always been my standard practice to save ID information even after
someone is no longer a member, because that makes it easier for them to
become a member again. (I.e., they can just send money, and not bother to
re-send ID.) So I still have the credit card numbers that Greg saved.
Now frankly, I've always been a little uncomfortable having those numbers
on my computer, but if they are our only way to identify members, then I
figure it's necessary. I would certainly be willing, though, to delete
them for people who are no longer members, if most people think I should.
Since the fall of 2000, we have only received credit card money via
Paypal, which does not pass CC#s on to us. That's why people who become
members via Paypal have to send separate ID. This is kind of a pain for
them, and I'm sure it probably discourages some people from becoming
members. But I believe there's still a consensus that we need to have ID
from our members.

response 41 of 118: cross, Sep 2 23:17 UTC 2002
Mark, you should permanently delete any and all credit card and personal
bank account information that's on your personal computer. Perhaps keep
hardcopy of the bank account stuff, but don't keep it online; even if your
computer isn't a 'server' and it's only temporarily connected to the
Internet, it's likely that it's vulnerable to some form of attack and it's
likely it's probed for those vulnerabilities during the times it is
connected to the Internet. The credit card stuff should be summarily
deleted and wiped and not backed up, even on hardcopy; grex has no right
to that information after the users in question have ceased being members.

response 42 of 118: aruba, Sep 2 23:55 UTC 2002
Well, I don't buy that - there was no "time limit" on the information when
it was given to us; I could as easily say that you have no right to
remember my login if I don't want you to write to me any more. But I
can't revoke your right to your memory.
That said, I would certainly respect a request from anyone to delete
his/her personal information from my computer if we no longer needed it
for ID purposes. No one has ever requested that.
Let me say again that we still have one member whose only ID is a credit
card number, so I can't delete that one. But the more I think about it,
there really isn't any reason to save the numbers from people who are long
gone, so I'll go ahead and delete them now. OK, I did it. I deleted all
the numbers except the one who is currently a member and the one who may
be reinstated soon.
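The retention rule this response settles on (keep an ID record only for a current member or someone expected to be reinstated, and delete the rest) written out as a sweep over a member-ID ledger. This is an added example, not code from the thread or from Grex: the ledger rows, login names, status vocabulary and the optional grace period after lapse (which also answers the earlier question about destruction after a set time) are constructed assumptions, and the identifier values are placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class IdRecord:
    login: str
    status: str                      # "member", "pending" or "lapsed" (constructed vocabulary)
    id_kind: str                     # "credit_card", "drivers_license", "check", ...
    id_value: str                    # the sensitive identifier; never logged or printed
    lapsed_on: Optional[date] = None # date membership ended, for lapsed rows

PURGED = "<purged>"
KEEP_STATUSES = frozenset({"member", "pending"})

def needs_purge(rec, today, grace_days):
    """True when the record falls outside the retention rule.

    Current and pending members are always kept. A lapsed member's record
    is kept for grace_days after lapse (assumed grace period, so someone who
    rejoins quickly need not resend ID), then purged. A lapsed row with no
    lapse date on file is treated as long gone."""
    if rec.status in KEEP_STATUSES:
        return False
    if rec.lapsed_on is None:
        return True
    return today - rec.lapsed_on > timedelta(days=grace_days)

def select_for_purge(ledger, today, grace_days=0):
    """Logins whose identifier still exists and must be removed."""
    return [r.login for r in ledger
            if needs_purge(r, today, grace_days) and r.id_value != PURGED]

def purge_ids(ledger, today, grace_days=0):
    """Overwrite identifiers that fail the rule; return (kept, purged) counts.

    The row survives so the treasurer can still see that an ID was once
    held, but the value itself is gone. Idempotent: a second run over the
    same ledger purges nothing new."""
    purged = 0
    for r in ledger:
        if needs_purge(r, today, grace_days) and r.id_value != PURGED:
            r.id_value = PURGED
            purged += 1
    kept = sum(1 for r in ledger if r.id_value != PURGED)
    return kept, purged

def sample_ledger():
    """Constructed rows; the values are placeholders, not real identifiers."""
    return [
        IdRecord("alpha",   "member",  "credit_card",     "CC-PLACEHOLDER-1"),
        IdRecord("bravo",   "pending", "credit_card",     "CC-PLACEHOLDER-2"),
        IdRecord("charlie", "lapsed",  "credit_card",     "CC-PLACEHOLDER-3", date(2000, 6, 1)),
        IdRecord("delta",   "lapsed",  "drivers_license", "DL-PLACEHOLDER-4", date(2002, 8, 20)),
        IdRecord("echo",    "lapsed",  "check",           "CHK-PLACEHOLDER-5"),
    ]

def run_sample_sweep(grace_days=30, today=date(2002, 9, 2)):
    """Full sweep on the constructed ledger: targets, first and second
    purge counts, and the logins whose identifiers survive."""
    ledger = sample_ledger()
    targets = select_for_purge(ledger, today, grace_days)
    first = purge_ids(ledger, today, grace_days)
    second = purge_ids(ledger, today, grace_days)
    survivors = [r.login for r in ledger if r.id_value != PURGED]
    return targets, first, second, survivors

if __name__ == "__main__":
    targets, first, second, survivors = run_sample_sweep(grace_days=30)
    print("to purge:", targets)          # logins only; identifiers are never printed
    print("kept/purged on first run:", first)
    print("kept/purged on second run:", second)
    print("identifiers still held for:", survivors)
```

With grace_days=0 the sweep is exactly the action described above: every lapsed member's identifier goes, and only the current member's and the pending reinstatement's are held. Overwriting the field in the ledger is the bookkeeping side; the copy on disk still needs to be wiped and left out of backups, as the preceding response asks.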

response 43 of 118: jp2, Sep 3 01:16 UTC 2002
This response has been erased.

response 44 of 118: gull, Sep 3 02:15 UTC 2002
Why do you need the number, if the person's identity has already been
proven? Keeping it around seems like an unnecessary risk.

response 45 of 118: mdw, Sep 3 02:22 UTC 2002
I see nothing inaccurate regarding memfaq.html#whoseesmyid . The reason
we keep the credit card number has nothing whatsoever to do with money;
it is in fact completely useless to us for that purpose.
I think we need to be very careful not to make Mark's job any harder
than it needs to be. We're already asking him to go to quite a bit of
trouble on grex's behalf; and he's not getting paid for any of this.
The treasurer's job is perhaps *the* most important job on grex; without
it being done, and done well, this system *will* fold. Mark has done an
excellent job for grex, and frankly he deserves a *lot* more praise,
appreciation, and credit, than any of us have shown him. People who
critique Mark are really displaying a marked ignorance of what he has
done for grex, and how indebted grex really is for his work.
Having said that, onto the "computers is dangerous" thread. There are
things we've asked Mark to do to keep things safer. We ask for instance
that he keep nothing "of value" on grex -- that means grex is never the
authoritative source of membership information, and no credit card
numbers here. We expect he keeps decent backups at home since hardware
failure is always a possibility. I'm not sure we need to be asking for
anything beyond that. Sure, it would be "nice" if he kept all
membership data on a totally secure dedicated machine always kept
offline in a vault and guarded by armed dogs 24 hours a day with orders
to shoot to kill. But I don't think we can realistically expect that of
him. The best we can hope is that he'll use "appropriate" technology to
keep accurate track of the information we ask, and unfortunately, for
better or worse, today that's highly unlikely to mean anything but
MicroSoft, regardless of what any of us computer geeks might think.
In the general scheme of things, I don't think that's necessarily all
that risky. Sure there are things that can reach in via a dialup
connection, infect a machine, and make it divulge all sorts of
embarrassing supposedly "private" information. But reality is not a
Hollywood movie. Most of those things that can "reach in" are things
like viruses and worms. These things are usually "blind" in the sense
that they don't really know how to sift through random data on a user's
machine; if they were looking to steal data from the machine, it would
likely be passwords or financial information Mark would have given his
computer to pay bills online or some such. But most of these things are
bent on either replicating themselves, or stealing access on the
machine. Too, Mark has been involved with computers long enough that he
has every reason to understand about viruses and worms, and take
appropriate measures against them. So I don't really see him getting
infected with Klez and sending copies of random files off his hard disk
along with the virus to random strangers. Like it or not, people who
are out to harvest credit card numbers really are after *much* bigger
fish than grex; grex is simply not worth their while.

response 46 of 118: jp2, Sep 3 02:45 UTC 2002
This response has been erased.

response 47 of 118: other, Sep 3 03:05 UTC 2002
re "it now says that that information is, at least occasionally, on the
Internet": It does not say that at all, and the extent of the illogic of
that admittedly broad leap is puzzling at best.

response 48 of 118: gull, Sep 3 12:48 UTC 2002
It's not intentionally posted. It *is* on a machine that's sometimes
exposed on the Internet. You may think that's a minor risk, but have
you looked at the number of security patches that have come out for
Internet Explorer and Outlook Express in the last year? Have you
installed every single one?
I won't even keep my *own* credit card numbers on my computer, much less
other people's. You may think it can't happen to you; that's what I
thought until a machine I was running got hacked.

response 49 of 118: other, Sep 3 13:39 UTC 2002
Hmm. That's a good point, which I sometimes forget because I personally
do not use MS OS or browser software except very occasionally.