other
response 44 of 184: Sep 4 21:26 UTC 2002

Too bad.  Poor Jamie's just begging for one.
jp2
response 45 of 184: Sep 4 21:33 UTC 2002

This response has been erased.

aruba
response 46 of 184: Sep 4 21:51 UTC 2002

It seems to me we are balancing three ideals here, which I hope we can all
agree are good things:

1) Protecting the privacy of our members,
2) Being good netizens (which means discouraging illicit use of Grex and
   having available the information needed to follow up when it happens),
   and
3) Keeping Grex alive and healthy (which means, among other things, making
   it as easy as possible to become a member and stay a member, and
   keeping the treasurer's job reasonable so there will always be someone
   willing to do it).

Obviously we can't achieve perfection in all three at the same time; we
have to find an acceptable compromise.  I hear people (gull and cross in
particular) saying that they think the current system needs more of ideal
1).  OK, fine; but before changing any policies, we should consider the
effect on all three ideals.

I'll repeat that I'm not trying to be a stick-in-the-mud here - if most
people think we should have a different compromise than we have now, then
I'll implement it.
cross
response 47 of 184: Sep 4 21:58 UTC 2002

I think that shifting a smallish amount of the burden to the member is
acceptable; dropping a photocopy of a driver's license or other ID with
an address on it isn't terribly difficult; one is often required to do
so when, e.g., moving and getting a utility turned on (ie, a phone or
similar).  Yeah, one detracts *slightly* from Mark's 3rd ideal, but in
practice, not much.  Grex's treasurer then just has the job of saying,
``yup, this is the address they told me.  Let me copy it down and destroy
my photocopy.''  I think that might increase (perhaps not the best word,
bear with me) Ideal 2, and certainly will enhance Ideal 1.
aruba
response 48 of 184: Sep 4 22:11 UTC 2002

Quite often, actually, the address on someone's driver's license *doesn't*
match the address they want their handbook sent to.  I assume it's because
they have moved, but I also assume that the police could track them down
more easily with the driver's license number than without it.

I'll submit that having me destroy the ID doesn't enhance ideal 1) any
more than simply having me store it in an encrypted form, which makes my
job a little harder but doesn't otherwise detract from ideal 3).  And if
we come up with the right system, I think my job need not be much harder
at all.  And I do think that destroying all record of the ID might
significantly detract from ideal 2); however, we would need the opinion of
a law-enforcement official to say for sure.

carson
response 49 of 184: Sep 5 00:26 UTC 2002

(I think Dan's suggestion as presented in resp:47 is reasonable.  plus, if
it's really necessary to hang on to the specific ID information in its
"original" [to Grex] form, I can't see a reason [aside from Mark's
suggestion of making it easier for expired members to renew] to hang on to
that information once the membership [and grace period] expires.)

gull
response 50 of 184: Sep 5 01:07 UTC 2002

If the police have to track someone down based on an old address, they will. 
It's not our job to do it for them.  I'm not keen on Grex holding onto
information above and beyond what's legally necessary.  In today's day and
age, with restrictions on search and seizure and privacy weakening by the
day, I don't think we should put ourselves in the position of holding
extra information that might be of interest to law enforcement.
tod
response 51 of 184: Sep 5 03:08 UTC 2002

re #27
I think the tacky and unreasonably "thing" Grex might be questionable about
is whether a court order is required.  I stated those acts directly in
relation to the repeated statements that ID for Grex membership would be used
to "find" someone at a police request.  If there is a policy of court order
before disclosure, that is an entirely different matter.  Unfortunately, I
have not seen an agreement on the mechanisms in place to determine when the
personal ID data may be disclosed.  I'm seeing in some places that Passport
copies are okay, yet in other places I'm seeing that Grex would need to "find"
me.  Did I goof by submitting my driver's license for a Grex membership, or
did I do what Grex requires to "find" me?
That's what the whole issue boils down to, imo.
aruba
response 52 of 184: Sep 5 05:20 UTC 2002

I'm not sure I followed that, Todd, but: yes, Grex has a policy of requiring
a court order before turning over ID information.  To date we've never
turned ID over to anyone, ever.

It's not Grex that would want to find someone who had done something
illegal, it's law enforcement.  We just want to have the "raw material",
as Marcus put it, to help them.  So either a passport or driver's license
is fine, and you didn't goof.
mdw
response 53 of 184: Sep 5 11:22 UTC 2002

I don't believe SSN numbers are any more or less of an issue than DL#'s.
Either works as a sufficient key into credit databases, and is
sufficient for identity theft, and I don't believe there is any
meaningful difference in the law's treatment of the two forms of
identification information to matter to us.  If we were a public
institution, there are more stringent requirements regarding SSN's in
particular, but what we're doing would still be allowed.

I think Todd is confusing 2 issues: what we accept as sufficient
identification information, and when we might disclose such information.
For the latter, #52 is right on the spot, although there are some
nagging little details about the Patriot law that nobody really
understands (it loosened some features of federal law, but didn't create
new structure, so there is more grey area that nobody really wants to
explore, at least not yet.)  For forms of what we *accept*, we don't
actually have 100% fast rules about this.  We have things we *generally*
accept, but we reserve the right to refuse them if in any individual
case we think something fishy is up.  Our responsibility is to avoid
fraud; so even though we generally accept school ID, if you *mail* us
your school ID (and not just a photocopy), and don't want it back, we
*are* going to think something is up, and we will *not* accept it.
(Believe it or not, this really happened, and yes it turned out it had been
stolen.)
scott
response 54 of 184: Sep 5 12:57 UTC 2002

(I think there's a bit of a pattern, with M-Net people like Tod and Jamie
used to *not* being able to trust the leadership.)
jmsaul
response 55 of 184: Sep 5 13:28 UTC 2002

(I could turn that around, by suggesting instead that there's a pattern of
 Grex people like yourself having blind faith in the leadership.  I don't
 think it would make for productive discussion, though.  And incidentally,
 Tod was part of M-Net's leadership for quite some time.)
scott
response 56 of 184: Sep 5 13:33 UTC 2002

(I suppose if I had had some experience with Grex leadership deliberately
acting in bad faith I'd be less trusting.  In my, um, 8 years (?!?) on Grex
that's never happened.  Dunno how M-Net's record has been; I do recall there
having been a number of mishaps with money but I don't recall if there was
any malice involved)
cmcgee
response 57 of 184: Sep 5 14:11 UTC 2002

I think that Grex and aruba are doing a fine, minimalist job of verifying
people's identity, and holding on to sufficient information to show we were
acting reasonably if a court sees fit to issue an order involving us and our
information.  

Remember that this information is only divulged to anyone other than the
treasurer if there is a court order in place.  Many of you would be surprised
to know that my Grex membership is not under cmcgee, but another login ID.
But aruba knows how to link that login to a real person, if he is required
to by our court system.  Short of that, my identity is "safe".  

For active participants in conferences, there are far more revealing
details about our identities and whereabouts than an old driver's license
would reveal.  And that information is available to _anyone_. 

I don't see any reason to change how much information we collect, nor how we
retain it.  Mark has gone far beyond reasonable in taking the credit card
stuff off his computer.

And the people complaining the loudest have left a permanent, public
record of their professions, physical locations, photos and other
identifying information than Grex would _ever_ ask for.
tod
response 58 of 184: Sep 5 16:49 UTC 2002

re #53
I feel like there are two issues that need to be addressed:
1) Authentication
2) Liability
Authentication is usually something instituted for access control purposes.
When authentication is being utilized, you want to have identification,
authentication, authorization, and finally accountability(liability).
So yes, I'm curious what is sufficient identification/authentication method.
I am also curious about the administrative, physical controls, technical
controls, and policies that encompass the liability/accountability portion.
Examples: administrative(supervisory structure), physical(copies),
technical(auditing trail), and policies(self evident).

re #54
Finding a pattern between myself and others that are also users on M-Net is
a nice spin, but a wasted effort.  I'm a Grex member. I've been a Grex user
off and on since its inception.  I've even donated hardware in the past.
Try not to dismiss my sincerity with simple prejudice.
Contrary, I'm actually creating "trust" with "leadership" by examining the
necessary controls to ensure that the intended security of Grex is not
compromised.  My background is very extensive with security so you can imagine
my concerns are legitimate when I am providing copies of my identification
and want to know the depths that it will be used.

re #55
Thanks Joe.  I sympathize with Scott's defensiveness.  Maybe, he'll take off
the M-Netter goggles and lower the hostility, maybe not. ;)
aruba
response 59 of 184: Sep 5 21:34 UTC 2002

Re #58: Administrative: it's just me.  I am responsible to the board and the
members, if that's what you mean.  But we are all volunteers.

physical controls: I lock the door when I leave the house.

policies: We've talked about that a lot already; I think all the relevant
policies have been stated.

Is that what you mean?  I am happy to be subject to scrutiny, if it will
help build trust and serve the goals I stated around here someplace.  Like
you, Todd, I prefer it when the discussion is civil.
jmsaul
response 60 of 184: Sep 5 22:53 UTC 2002

I've served in leadership positions on M-Net myself, including President, and
I don't enjoy feeling hassled either -- but it's important to separate out
the personal emotional reaction ("get off my ass, you never do anything for
the system") from the possible genuine issues that may be behind the hassle.
It isn't easy to do, speaking from personal experience.

There really is an issue here with retention of personal information, though.
Actually a couple:  (1) does everyone know what information Grex is retaining
about them, and (2) should Grex be retaining that information.  Based on this
and parallel discussions, I couldn't answer "yes" with confidence to either
question.  Could you?
scott
response 61 of 184: Sep 5 23:14 UTC 2002

The FAQ seems to cover those questions, Joe.
tod
response 62 of 184: Sep 6 00:06 UTC 2002

Other has answered any questions I've posted.  Whether those results are acted
on is an entirely different ball of wax, but I do appreciate that everyone
has shown some interest.
jp2
response 63 of 184: Sep 6 00:10 UTC 2002

This response has been erased.

tod
response 64 of 184: Sep 6 00:15 UTC 2002

It shouldn't.
other
response 65 of 184: Sep 6 02:19 UTC 2002

Grex and M-Net have only the slimmest of relevant similarities.
jmsaul
response 66 of 184: Sep 6 02:32 UTC 2002

I disagree, but the only reason I'm mentioning it is to say that I know what
it feels like to get criticized when running a volunteer organization.

Re #61:  I suspect most people aren't aware you retain credit card numbers
         (though who knows), and I personally wouldn't answer yes to the 
         question about whether you should be retaining the information.

         But whatever.  I'll take this up when and if I donate.
cmcgee
response 67 of 184: Sep 6 02:39 UTC 2002

For donations you don't need to give us ID.  For a membership (which
includes outbound telnet access) you do.  
jmsaul
response 68 of 184: Sep 6 13:49 UTC 2002

Ooh.  Outbound telnet access.  That's scary, and impossible to get anywhere
else, especially on a college campus where hundreds of students run illicit
servers connected to UM's network.  You're right to lock it up as tightly as
possible.