|
Grex > Coop12 > #123: Proposal to modify selection of corporate officers | |
|
| Author |
Message |
| 25 new of 118 responses total. |
mary
|
|
response 94 of 118:
|
Sep 6 20:04 UTC 2002 |
That puts the responsibility on PayPal to keep the information
for as long as we need it. I'd say no, that if we need the info,
then we should collect it and be responsible for safeguarding it.
Again, nobody has to give us any information they are uncomfortable
having us hold. It's that easy.
|
tod
|
|
response 95 of 118:
|
Sep 6 20:12 UTC 2002 |
What is the expected data retention period? The length of the membership?
What will be the field of data expected from each member?
|
cross
|
|
response 96 of 118:
|
Sep 6 20:20 UTC 2002 |
Regarding the idea that grex needs to maintain information after a user
has let his or her membership expire; why? They're gone; what they did on
grex is history, and if you haven't heard about it by the time they leave,
you're probably never going to hear about it. What right does Cyberspace
Communications, Inc. have to retain that data beyond a reasonable grace
period, say 6 months? We were talking about people whose data was still
around after a couple of years, if I understood Mark correctly.
The issue here is identity theft, more than anything. Some folks are
trying to raise questions about grex's propriety, but I think that's a
non-issue. It's clear that grex isn't interested in ``tracking'' people
so much as being able to tell a cop or fed, ``Joe Smith is a member;
here's a copy of his driver's license that he sent us.'' However, it's
a fact of probability theory that the longer grex retains that data, the
greater the chance that someone might be able to steal it. It's another
fact that grex might be retaining more data than it needs; I don't see how
you need anything other than a name, address, and maybe a phone number.
A sufficient argument that more is required hasn't been made, either.
Unfortunately, identity theft is real, and a serious problem. Ask anyone
who's ever had their social security card stolen.
I don't think that anyone is arguing that grex doesn't need to know
who its users *are*, but what's in question is the manner in which grex
finds that out, and then what they do with it, and when they get rid
of it. Six months I can see. But two years? Come on.
ps- it's been stated that only one person has access to the ID data: the
treasurer. However, that position turns over periodically, presumably
the data migrates along with the position, so it's not strictly true
that only one person can see it. Rather, only one position within the
corporation is authorized to see it.
|
mary
|
|
response 97 of 118:
|
Sep 6 21:05 UTC 2002 |
You are right, we don't need anything more than a name, address and maybe
a phone number. It's all voluntary. Nobody is forced to submit ID. You
could send in a library card photocopy and be granted membership
privileges. We'll keep whatever information you give us on file for
probably longer than you'll be living at the address, mostly because the
treasurer's job is hard enough without having to go back and find out who
left when and keep track of when their ID should be destroyed.
I'd come up with a number but I'm sure you won't like it.
I'm far more worried about the treasurer's job getting over-the-top
complex than with the information Mark holds being lost or abused.
|
tod
|
|
response 98 of 118:
|
Sep 6 21:18 UTC 2002 |
I agree, Mark's job should be simple and painless with as little effort as
possible. It's also the reason I'm posing questions... not to make any red
herrings, but just to see where the buck stops. ;)
|
other
|
|
response 99 of 118:
|
Sep 7 03:11 UTC 2002 |
I think that the fear that member validation data stored by Grex poses a
threat is vastly out of proportion to the reality of that threat. Our
data is not being handled by a profit-driven bureaucracy or large scale
data management systems with security-ignorant or no oversight at all.
What with the simple steps being taken to protect the electronic records
maintained by the treasurer, the risk is tremendously overshadowed by the
value to Grex in assuring the integrity of its membership and discouraging
abuse of its access and resources.
|
jp2
|
|
response 100 of 118:
|
Sep 7 16:56 UTC 2002 |
This response has been erased.
|
aruba
|
|
response 101 of 118:
|
Sep 7 17:28 UTC 2002 |
Yup.
|
jp2
|
|
response 102 of 118:
|
Sep 7 19:45 UTC 2002 |
This response has been erased.
|
polytarp
|
|
response 103 of 118:
|
Sep 7 21:51 UTC 2002 |
I thought you didn't like socialism; but why do you have a library, PUBLIC,
card?
|
gull
|
|
response 104 of 118:
|
Sep 7 21:59 UTC 2002 |
Re #94: You can request that Paypal give you the name and verified
shipping address of the person. That should be sufficient data for Grex
to hang on to.
|
mary
|
|
response 105 of 118:
|
Sep 7 21:59 UTC 2002 |
Re: #102 It doesn't give us much information but that's okay.
It's still worth something on the black market. They're especially
big with soccer moms needing to be someone else, for just a day.
|
jp2
|
|
response 106 of 118:
|
Sep 7 22:46 UTC 2002 |
This response has been erased.
|
flem
|
|
response 107 of 118:
|
Sep 8 00:23 UTC 2002 |
Just catching up on this discussion. A while ago, someone asked if Grex ever
did any kind of verification with the credit card numbers provided. Grex
didn't, but the credit card processing service we paid for did include
verifying that the address provided matched the billing address. fwiw.
|
cross
|
|
response 108 of 118:
|
Sep 9 21:54 UTC 2002 |
Regarding #105; Cool, my library card just says, ``The New York Public
Library'' on it, with no other visible identification information. Does
that count? If so, what's the point? And do soccer moms really use
*library cards* for nefarious activities? Well, I suppose that fits....
Regarding #106; Please don't feed the troll.
Regarding #99; I think the value of the data to grex is greatly
overstated. This is empirically backed up; no one's ever asked for
it. (Of course, that neglects the argument that no one's ever asked
for it because it exists in the first place.)
Regarding #97; Earlier you said it was important to keep the data
around to provide law enforcement with useful information should a
member use grex for some illicit activity. Now, it's just that it's
too much of a hassle for the treasurer to destroy it. Which is it?
|
mary
|
|
response 109 of 118:
|
Sep 9 22:47 UTC 2002 |
Both.
After hearing what others and staff have had to say about the
way hackers can be tracked I'm not so sure the little
bit of very voluntary information we gather would really
be of any use. But I'm not so sure that just the asking
and collecting doesn't somehow make us less of a
facilitator when something bad happens using Grex as
the on ramp. It's a fine point and may not make much
of a difference. Not sure.
Cool about your library card. Sounds like my library card.
And my Kroger card.
|
aruba
|
|
response 110 of 118:
|
Sep 10 03:33 UTC 2002 |
Since there is a question about what kinds of ID are acceptable, here is the
official policy.
This is quoted from the minutes for the September 27, 1995 board meeting;
the relevant parts are sections 2 and 5. The policy was intended for
verification of non-members to use outbound Internet services, but as I
understand it, the ID criteria also apply to verification of members.
T. Verification Policy - John Remmers passed around a verification policy
which he had formulated. A few words were modified, but there was a long
discussion about whether it should be possible for trusted people, such
as staff, to relay information to the verifier. Ultimately, the wording
in this respect was left intact.
Here is the final wording of the motion:
MOTION: (remmers, steve)
(1) Anyone requesting access to Grex services for which verification
is required shall present proof of his or her identity. Members and
non-members will be held to the same verification criteria. In order
to be considered verified, a person shall submit a photocopy of an
item of acceptable identification and a signed letter requesting the
access.
(2) The acceptable items of identification are government-issued ID,
school-issued ID, library-issued ID, or a personal check written to
Cyberspace Communications Inc. by the person requesting access. To be
accepted, the item must be currently valid (i.e. not expired), must
identify the person by name, and must include additional identifying
information other than a photograph (such as home address,
passport number, or name of school).
(3) There shall be one individual, referred to hereafter as "verifier",
who is responsible for accepting verification requests and ID,
notifying the appropriate staff member(s) so that access may be
granted if the criteria of (1) and (2) are met, and notifying the
requester if the ID is not acceptable.
(4) The board shall solicit volunteers and appoint the verifier. The
term of office is one year and is renewable. Any verified user is
eligible for the post of verifier. If a volunteer for the post is not
currently verified, then for the purpose of gaining eligibility he or
she may present identification to the board that meets the criteria
enumerated in (2).
(5) In the case of personal checks submitted to the treasurer of
Cyberspace Communications Inc., the treasurer may also verify a user,
provided the check meets the criteria of (2) and is accompanied by a
signed letter as required in (1).
(6) An individual whose request for verification is denied may
appeal the decision to the board. The board's ruling on appeals
is final.
PASSED: 7-0
I don't think I would accept a library card that didn't have some kind of id
number on it.
|
jmsaul
|
|
response 111 of 118:
|
Sep 10 12:32 UTC 2002 |
Huh. So a personal check does work without any additional items of ID.
|
davel
|
|
response 112 of 118:
|
Sep 10 12:55 UTC 2002 |
Yes, if it has an address preprinted on it.
|
cross
|
|
response 113 of 118:
|
Sep 10 20:38 UTC 2002 |
Regarding #109; Right. That's what I meant about that ``neglecting the
argument'' thing....
Regarding #112; Hmm, my checks don't have my address printed on them;
just my name. Of course, they also have an account and routing number.
|
cross
|
|
response 114 of 118:
|
Nov 14 19:46 UTC 2002 |
Regarding #104; Is this, combined with a PayPal payment, sufficient for
grex? Or do users still have to submit ID?
|
aruba
|
|
response 115 of 118:
|
Nov 14 19:57 UTC 2002 |
Re #114: No and Yes. Accepting Paypal's authentication as good enough for
us would certainly streamline our process, but (a) it would require
modifying our official policy, and (b) I'd want to know more about how
Paypal verifies people and under what conditions they release that
information before I'd vote to accept it. What do you know about it, Dan?
|
cross
|
|
response 116 of 118:
|
Nov 14 20:04 UTC 2002 |
Not much at all, I'm afraid, other than what was mentioned in 104. No
one has ever sent me money on PayPal, but I've sent money to other folks.
I do know that they're pretty thorough in validating people; your credit
card billing address really must match what you tell them, as far as I
am aware. If they really do give address and name information to the
people who receive money, that'd be worth changing policy for, I think.
|
mta
|
|
response 117 of 118:
|
Apr 20 19:26 UTC 2003 |
If you request name and address information, PayPal does release it to you.
However, as far as I know, they give the name and address the payor has given
to be passed along rather than anything actually associated with the credit
card.
|
gull
|
|
response 118 of 118:
|
Apr 21 15:18 UTC 2003 |
If it's a 'verified' address, it means that they've checked it against
either the credit card records or the bank account records.
|