|
Grex > Coop11 > #255: Should we change Grex's ID policy? |  |
|
| Author |
Message |
| 25 new of 140 responses total. |
other
|
|
response 5 of 140:
| 
Apr 16 14:41 UTC 2001 |
Personally, I'm not concerned what anyone's point might be in that case.
I'm happy to let them do it anyway.
|
cmcgee
|
|
response 6 of 140:
|
Apr 16 17:20 UTC 2001 |
I don't think we need to change our policy at all. Corporations currently
have two options: a donation with all the rights of any anonymous user, or
a membership with all the rights of any paying member except voting.
We have very clear and very easy to comply with policies for both options.
This whole controversy is a result of someone trying to avoid complying with
the membership policy.
So several grexers spend hours detecting the available public information,
that was NEVER SUPPLIED to us, and then making arguments that, because the
information is public, we should change our policy. I don't think so.
Let's not complicate our simple to understand, and simple to apply policies
to create some new category that this person could then fall under, if they
wanted to. Remember, all the work has been done by grexers. This
person/corporation has not done anything except write rude emails to our
treasurer, implying that he doesnt know what he is doing, and is doing
something that Grex doesn't want done.
There is no reason to think that by changing our policies we would create a
better, larger Grex community.
|
aruba
|
|
response 7 of 140:
|
Apr 16 17:20 UTC 2001 |
Adding a requirement that institutions must submit a letter with their check
is undoubtrdly adding a headache for the treasurer, because I have no doubt
that people will forget to do it, which means I'll have to bug them until
they do. Our policy could say, however, that institutional members don't
get full internet access, and that wouldn't make more work.
|
carson
|
|
response 8 of 140:
|
Apr 16 17:56 UTC 2001 |
resp:3
(actually, the part of Russ's suggestion I liked was eliminating
outbound telnet for institutional memberships, period.)
|
keesan
|
|
response 9 of 140:
|
Apr 17 00:39 UTC 2001 |
Members also get FTP and access to ports suchas the one that the Ann Arbor
library uses to renew books and the ones used by many Russian sites.
|
mdw
|
|
response 10 of 140:
|
Apr 17 01:29 UTC 2001 |
I think there are some significant differences between us digging
out information on a corporation, and someone submitting information
to us:
(1) it takes a bunch more of our time to dig information out
(2) if the information turns out to be wrong, we end up
responsible not the person who submitted it.
|
aruba
|
|
response 11 of 140:
|
Apr 17 13:19 UTC 2001 |
Got this from usgov:
From usgov@cyberspace.org Tue Apr 17 09:13:06 2001
Date: Tue, 17 Apr 2001 02:19:09 -0400 (EDT)
From: ~~ <usgov@cyberspace.org>
To: aruba@grex.cyberspace.org
Subject: Re: Money Received
Please post the following to your classification BBS Item #255:
1. Corporations are not second class citizens. They pay their taxes just
like individuals. They can be criminally and civilly liable just like
an individual can. Any restrictions on corporations is not supportable by
any possible logic. As a corporation, if an organization were to
discriminate against us by restricting our rights or voting, our Board
would vote not to join the organization. Period.
2. A checking account should be the only requirement for any membership.
As indicated in #254, let the financial institutions worry about ID's. If
they are satisfied to open a checking, Grex should accept it. Grex, as a
non-profit corporation, should not go into the verification business.
3. As indicated in #254, the only other reasonable request to a
corporation is an address and the NAME (only) of a contact person.
PERIOD.
4. Once Grex starts obtaining and/or retaining and/or collecting ANY
personal information, it then becomes legally liable for any damage to the
individual if Grex is negligent and someone obtains it (from or through
Grex's possession) and uses it for theft of I.D., etc. Is Grex ready to
assume legal liability in such an event?
We believe that Grex's ID policy needs to be revised--and eliminated. If
it doesn't make sense, eliminate it. If it has no connection with any
reasonable goal of Grex, then it should not be made a requirement. Grex
does not have as one of its goals, that of protecting the entire Internet
from ANY potential and/or possible harm by anyone! All members, whether
corporations or individuals, should have equal rights and privileges. Any
policy must be reasonably related to the purpose for which it is intended.
|
cmcgee
|
|
response 12 of 140:
|
Apr 17 14:31 UTC 2001 |
>I move that we reaffirm our current Grex policy on corporate memberships.
|
carson
|
|
response 13 of 140:
|
Apr 17 14:38 UTC 2001 |
(I concur.)
|
robh
|
|
response 14 of 140:
|
Apr 17 15:02 UTC 2001 |
#12 - Agreed here.
|
eeyore
|
|
response 15 of 140:
|
Apr 17 15:58 UTC 2001 |
Here here.
|
gull
|
|
response 16 of 140:
|
Apr 17 19:16 UTC 2001 |
Re #11:
Corporations *are* second-class citizens, though. They can't vote, for
example. The analogy to a real individual only goes so far.
|
scg
|
|
response 17 of 140:
|
Apr 17 23:00 UTC 2001 |
I'm curious about why people are so passionate about Grex's seven year old
ID policy. I'm somewhat ambivalent on the specific case that touched this
off -- our current policy is our current policy and we have to follow it, but
the hostility being expressed towards the potential donor amazes me -- but
that's a very small part of the question of what Grex's membership policies
should be.
Grex's current membership policy was introduced in 1993 or 94, and last
modified to permit some additional types of IDs in 1995. It was designed to
protect the Internet of that era, at the time mostly an academic research
network, from the random members of the public we were going to unleash on
it. The Internet, and what is expected of its users, has changed
considerably in the last several years since the last time the policy was
looked at, so it doesn't make much sense not to reexamine the policy
occasionally.
I'm hoping we can use this item to first figure out what requirements we are
dealing with, what results we want to accomplish, and what the best way of
accomplishing those results is, preferably in that order. Perhaps we'll end
up with something that looks a lot like the current policy, or perhaps we
won't.
|
russ
|
|
response 18 of 140:
|
Apr 17 23:58 UTC 2001 |
Corporations cannot hold office either. A corporation is a legal
individual, not a real individual.
|
mary
|
|
response 19 of 140:
|
Apr 18 00:11 UTC 2001 |
Steve, Grex's policy on organizational memberships was reviewed and
updated just about a month ago. It was reviewed with the current state of
the Internet in mind. You may disagree with the policy but it isn't there
out of administrative neglect.
|
aruba
|
|
response 20 of 140:
|
Apr 18 00:26 UTC 2001 |
Steve, what do you mean by "what requirements we are dealing with"?
|
scg
|
|
response 21 of 140:
|
Apr 18 05:04 UTC 2001 |
I'm not talking about organizational memberships, but about memberships in
general. I'm hoping we can think beyond this specific case.
I'm also not sure I disagree with the current policy. I'm hoping that with
an open discussion of it, we can reasonably evaluate whether it is what the
policy should be. If so, we should keep it. If not, we should change it.
If others refuse to discuss it at all, beyond hurling insults at somebody
who is attempting to become a member and disagreeing with it, that's not the
way to make good decisions.
What requirements we are dealing with is the fairly basic question beyond any
membership ID verification policy we might come up with. It's been claimed
probably accurately, that the state requires us to have a list of names and
addresses of members. Is that the case? If so, what does the state require
from us in terms of collecting that information? Can we ask for it and accept
the information we are given? Are we required to verify it? If so, how are
we required to verify it? Do we need to ask for identification? How many
pieces of identification, and of what sort? Are there any requirements that
we as an organization feel we have for knowing how accurate our membership
list is beyond those required by the state? As for Internet access, what
acceptable use policies have we agreed to from our ISP regarding the
identities of our users? What are practices with regard to ID collection of
other companies and organizations providing access to the Internet? What does
the law require us to provide to law enforcement if they come looking for one
of our users? What does the law forbid us to supply to law enforcement? What
protocols are we required to collect identifying information before allowing
the use of, if any?
|
russ
|
|
response 22 of 140:
|
Apr 18 12:49 UTC 2001 |
Re #17: I'm sure you are far more familiar with the ID policy
than I am, but the changes in the Internet since 1994 have not
made it less important to be careful about who we let onto our
outbound connection. Arguably, we should be more careful.
There are a number of state laws, in force or making their way
through the sausage-grinding process, which require ISP's to be
able to identify the people they let onto the Internet. If Grex's
hardware happens to become the subject of a search warrant because
of the activities of someone we couldn't point to, bye-bye Grex.
There are also extra-legal issues. If someone uses Grex to perform
computer trespass or IRC shenanigans, other people are bound to take
exception to this. Some of them may try to shut Grex down, e.g. with
a DDoS attack. This is extremely easy, and the only thing that protects
us is that nobody's doing anything here that makes it worthwhile.
Because of this, I think we have every right to be suspicious of people
whose claimed motives don't match with their actions. Even (especially?)
if they are waving money at us. Don't the words of "usgov" smack of a
social-engineering attack to you? They sure do to me.
My response: either straighten up, fly right and come clean, or get lost.
|
aruba
|
|
response 23 of 140:
|
Apr 18 13:14 UTC 2001 |
Steve asks a lot of good questions in #22, that no one on Grex has really
explored, as far as I know. I think we might need to ask a lawyer about
them in order to get good answers. Though someone could probably search the
MCL and find what ID requirements the State makes.
|
gull
|
|
response 24 of 140:
|
Apr 18 14:40 UTC 2001 |
I think the requirement for ID has become obsolete. I think it's good
to ask for contact information, but I see no reason to verify it with
an ID that's of dubious quality anyway.
Realistically, if an account is misused, we're going to disable it.
Yes, someone can create a new account, but if they want outgoing
Internet access again they'll have to pay Grex another $6. I don't see
a potential hacker doing this repeatedly when they can more easily make
mischief via Netzero or Bluelight, or by using nether.net or another
free shell server. If we're asked to provide information for a legal
investigation, we provide what we were given -- that's all we can do,
anyway.
It's my opinion that the ID verification requirement should be
dropped. We can always revisit this decision if Michigan law changes
to require us to verify people's identities. Our current method
probably wouldn't stand up to such a law anyway.
|
scott
|
|
response 25 of 140:
|
Apr 18 15:33 UTC 2001 |
This response has been erased.
|
flem
|
|
response 26 of 140:
|
Apr 18 19:59 UTC 2001 |
I'm dubious that we should drop our id requirement. It may not be legally
necessary, or completely effective, but it seems like a good idea to me.
The question of whether or not a checking account constitutes good ID is a
good one, though. For individuals, we recognize a personal check as good ID,
provided it contains the name and address of the individual in question. I
don't think anyone would argue that this isn't a good idea. For institutional
memberships... that's a more difficult question. I imagine I could be talked
into accepting a corporate check as ID, provided 1) it had the company's
address printed on it, and 2) the name of a contact person (preferably the
check signer) were clearly printed on it.
|
dpc
|
|
response 27 of 140:
|
Apr 19 20:36 UTC 2001 |
There is presently *no* state legal ID requirement for access
to the Internet. A while ago a state representative held
a news conference saying he was going to introduce legislation
requiring ID, but so far I don't even think the bill has
been introduced.
I support our present ID policy.
|
other
|
|
response 28 of 140:
|
Apr 19 22:30 UTC 2001 |
If our policy is more stringent that current law, that does not mean we
want to change our policy. If our policy is in violation of current law,
then we need to change it.
|
jp2
|
|
response 29 of 140:
|
Apr 20 03:36 UTC 2001 |
This response has been erased.
|