response 53 of 118:

Sep 3 21:32 UTC 2002

The CC # is used to verify that the person is who they say they are,
correct?  At that point you have their name/address info, so why do you need
to keep the CC #?

response 55 of 118:

Sep 4 13:18 UTC 2002

Credit card numbers do not verify adress for us.  What's important to us
is that some law enforcement dude or lawyer can take that number, get
the appropriate court order, and extract not just the address we might
have, but a possibly updated trail leading to the bad guy.  Basically,
grex lacks the resources or ability to do the detective work to check
out a person's background, and later, vouch for that person's identity,
which is what people are asking for here.  Instead, the goal for grex is
to acquire sufficient raw data for such an inquiry, and retain it
against the hopefully extremely unlikely possibility of such an
investigation, and to do so in a manner that is least painful for all
concerned.  This is a subtle distinction, to be sure, but I hopeful
meaningful.

In fact, a credit card number would be totally useless for us for
identity purposes today; the only way it's useful is if we were able to
verify that we could apply a charge against it at least once and not
have it contested.  That is not absolute proof of identity (*nothing*
is) - all it does is raise the financial bar to fraud, which is the main
thing we're trying to discourage.

response 57 of 118:

Sep 4 14:51 UTC 2002

I was meaning verification to take the form of, e.g., comparing the
address that someone told you against what's written on their driver's
license or similar.  That said....  Are people who've given credit
card numbers *aware* that their credit cards are being used for
identification purposes, and not just financial purposes, as they
perhaps thought?  Maybe a better policy is to disallow the use of
credit cards as ID, and require a photocopy of a picture ID with
address on it.  Make a note of the address, and destroy the copy.
Why would grex need to do anything more than that?

response 59 of 118:

Sep 5 10:56 UTC 2002

I'm afraid even if we made a copy of the address we would still need to
retain other information on the ID that was presented to us - like what
sort of ID it was, if it had any serial number on it etc.  That's
because that ID is valuable not merely as direct proof of identity, but
because it in itself may have a paper trail that is additionally
valuable to someone (not us) doing detective work.  The serial number
shows we actually have a legitimate key into that person's database and
eliminates a lot of confusion over names and addresses, both of which
changed, and the history of which is not necessarily retained.  If the
ID was forged, then none of this information is valuable, but the
forgery in itself may have other evidence of its origin.  Unfortunately
we don't necessarily have the ability or resources to detect such a
forgery, but the more information we can record regarding such a forgery
the better.  If nothing else, having "proof" such a forgery existed
shows that we weren't ourselves being irresponsible, but exercised due
reasonable diligence.  Even if it wasn't a forgery, it still becomes
much easier for an evil-doer to claim "oh, that wasn't me at all".

An address we ourselves jot down retains none of this value.  It
becomes, in the most literal sense possible, our word against theirs;
and I think this puts us in a terrible spot should any such such a
situation ever arise.

response 61 of 118:

Sep 5 15:11 UTC 2002

Because we're providing them the means to do mischief on the internet, 
and by retaining proof of our reasonable attempts to validate them, we 
display due diligence which serves to shield us from liability for the 
actions of people who use our system.  Sure, as an attorney, you can 
understand that.  The law typically protects those who practice due 
diligence and not those who don't.  (At least somewhat.)

response 63 of 118:

Sep 5 16:36 UTC 2002

Sometimes I think that grex takes itself a little too seriously; CD's
that come in the mail advertising ``50 free hours on AOL'' provide a
much larger window of opportunity for those who wish to do ``mischief''
on the Internet (Re #61; in the context of the global network, Internet
should be capitalized.  ``internet'' is a general networking term.
Yeah, that's a quibble).  But that's one reason I like grex: it's very
professional, and commited to what it does; something ultimately to
be admired.  However, that's neither here nor there.

I don't understand what Marcus means when he says, ``it's their word
against ours.''  What, that they became a member?  That it was really them
who became a member?  How does knowing someone's driver's license number
improve the quality of the data you have on a potentially nefarious user,
over just having an address?  Don't the authorities that you might turn
such data over to already have the means to correlate a name, address,
and time with a person?

The arguments of due diligence are flawed.  Are you demonstrating due
diligence in protecting the privacy of that data?  I think that Mark
certainly is; he promptly deleted all the credit card data he had from
his system, but the larger issue does come up.  There's more than one
issue here, yet it's easy to become sidetracked and see only one.

response 65 of 118:

Sep 5 18:10 UTC 2002

Grex's entire networking software base has been developed and modified 
with significantly more than usual "due care" to prevent when possible 
and track when not any abuses originating from our machine.  Unless you 
are truly ignorant of this (and I grant that you may be), any suggestion 
that this obligation has been unattended is entirely specious.

response 67 of 118:

Sep 5 19:28 UTC 2002

We have a simple system, with voluntary participation.  We do our best to 
keep it secure and to keep the tools we offer from being abused.  In 
order to both discourage abuse of our democratic management system and to 
responsibly provide Internet services, we keep minimal information 
(voluntarily provided in exchange for use of those services) on the 
people to whom we provide access.  That information is kept by the 
treasurer, and is not provided to anyone else except as needed for the 
purposes listed above.  It is only given to anyone not functioning in an 
administrative capacity on Grex's machines under court order.  Period.  
Very simple.  A complete non-issue.  

Try to understand that the questions you are asking may be valid, but 
that our system wasn't spawned overnight by thoughtless or malicious 
individuals and that it functions very well as is, and poses no 
significant threat to the privacy or security of anyone who does not 
abuse the resources we provide.  I do not know what your intent is in 
raising these concerns, and it may very well be legitimate concern, but 
given the stated purpose of certain individuals to go to whatever lengths 
they will to undermine and confuse Grex for their own entertainment, try 
to understand that persistent, public, microscopic review of our 
carefully implemented practices may be viewed with some annoyance and 
skepticism.  And, try to understand that Grex management has nothing to 
hide in our policies and practices, and that such skepticism and 
annoyance under these circumstances is both entirely justified and 
completely unreflective of any wrongdoing or malintent on the part of 
Grex or its board or staff.

response 69 of 118:

Sep 5 20:15 UTC 2002

The "find" reference was unspecific.  Our policy is (and this has been 
stated at least once already, recently, in this or another current co-op 
item) that identifying information (other than real names) we collect 
from people will only be given out under court order.  Real names of 
voting members are excepted, as required by law.  

We collect the information both to prevent the same individual from 
controlling multiple votes on our system, and to discourage abuse by 
requiring the provision of information which can be used to track down 
the individual providing it.  We do not track down the individuals, and 
we do not claim the responsibility for doing so.  In fact, we are so 
intentionally protective of the privacy of this information that we 
require judicial action as proof of the legitimacy of an investigation 
before we will surrender it to anyone.  How much plainer an answer could 
you want?  NOTHING I have said here has not been said multiple times 
elsewhere in public postings or on fixed pages on our website.  And no, 
I'm not going to waste my time pointing you to them, because I'd have to 
search, and you can do it as well as I.

response 71 of 118:

Sep 5 20:24 UTC 2002

Heaven forbid a member "wastes your time" presenting legitimate concerns.
I would feel much more satisfied if your answer had been sincere rather than
tinted with accusatory tones and disdain.  Perhaps you could quench my
curiosity by showing a commitment to put your stated standards in #69 in
writing as a corporate policy rather than responding with "find it yourself
amongst the numerous other stated opinions on the system."
BTW, you suck at PR. How did you get the chair?

response 73 of 118:

Sep 5 20:37 UTC 2002

I can't imagine that

response 75 of 118:

Sep 5 21:14 UTC 2002

I believe all the facts Eric quoted are correct, and I have quoted the same
ones either in this item or the next.  I apologize if it was me who caused
confusion about the conditions under which an ID would be used.  I may have
said it could be used to "track someone down", and what I meant was not that
*we* would use it for that, but that we could hand it over to
law-enforcement for them to use to to find someone.  I'm not sure th exact
conditions under which we would turn over ID to law enforcement have ever
been codified (like I said, we've never been asked to do it, since just
asking for ID scares off most potential vandals), but I know I have seen it
written that we wouldn't do so without a court order in some official
document.  It might not hurt for the board to nail that down.