|
Grex > Coop11 > #245: ID requirements for institutional members | |
|
| Author |
Message |
aruba
|
|
ID requirements for institutional members
|
Mar 14 03:04 UTC 2001 |
I got a check today which causes me to pose the following question:
What are the ID requirements for an institutional member? I don't think
we ever spelled that out. In the past, institutional members have paid
with corporate checks with their names and addresses pre-printed on them,
and we've accepted that. Some possible alternative forms of ID:
1. A driver's license, passport, or personal check from a representative
of the company.
2. A letter on company letterhead. (Pretty easy to fake these days.)
3. A letter signed by one or more company officers.
4. Some kind of official document verifying the existence of the company.
Which of these should be acceptable? Can anyone think of anything to add to
the list?
|
| 35 responses total. |
ashke
|
|
response 1 of 35:
|
Mar 14 04:44 UTC 2001 |
forgive my ignorance, but what is an Institutional Member?
|
carson
|
|
response 2 of 35:
|
Mar 14 05:39 UTC 2001 |
(sometimes we have memberships that are taken out in the name of an
organization. I don't remember the details for which types of
organizations qualify, but I seem to remember it has something to do with
fellow non-profits. Rane was a champion of this, AIR.)
|
scg
|
|
response 3 of 35:
|
Mar 14 08:05 UTC 2001 |
In deciding on ID requirements, it's probably worth first considering what
we need the ID for. I believe the original rationale several years ago was
that the Internet was a closed academic network, and that we needed to be very
careful about being good neighbors if we were going to let members of the
public onto it. I don't think anybody thinks of the Internet that way
anymore, and organizations that care tend to invest large amounts of resources
into securing their Internet connections, rather than trusting the rest of
the Internet to be good neighbors. It may still be important, to make our
own lives easier, to be able to ensure that somebody we cut off for misusing
Internet access doesn't come back again and again, but we already have that
problem and deal with it for misuse of our own system.
The other reason for requesting ID, that's been given occasionally, is that
we need a list of names and addresses of members, to give to the state if they
ask. That means we need to ask our members for their names and addresses,
and means our members should give us accurate information. It certainly means
we shouldn't knowingly falsify the list. However, asking for proof of the
information our members give us is probably going a bit far. That certainly
isn't anything any other non-profit I've ever joined has asked for.
|
eeyore
|
|
response 4 of 35:
|
Mar 14 14:02 UTC 2001 |
On the other hand, it would make sense to me to ask for it in this case, since
they seem to be going out of their way to hide a multitude of information from
us.
|
aruba
|
|
response 5 of 35:
|
Mar 14 14:31 UTC 2001 |
Re #4: I'd rather not get stuck on the particular check that inspired this
item. If we could come up with a general policy on ID for institutional
members, then future treasurers and I won't have to fret over this every
time it comes up.
Re #1&2: When Grex was founded, it was assumed that all members would be
people. Later the bylaws were amended to allow institutions to become
members. They read in part:
a. Any individual or institution supporting the goals and objectives of
this organization as enumerated in the Preamble, and who agrees to
abide by these bylaws and pay dues, is eligible for membership.
The bylaws go on to say that institutional members have the same status as
individual members, except that they may not vote in elections or serve on
the Board of Directors.
Re #3: Here is the standard message I send to people when they ask me why
they need to send ID to become members:
There are two reasons Grex requires ID from its members:
1. While we are very comfortable allowing anonymous users access to Grex,
we are not comfortable unleashing them on the rest of the Internet. It
would be irresponsible of the Grex administration to allow people we
can't identify to telnet through Grex to other systems, so we require ID
from everyone we allow to do that.
2. Cyberspace Communications is required by the state of Michigan to
maintain an up-to-date list of members. Implied in this requirement is
that we make sure no two memberships are held by the same person. So we
require ID to connect accounts with real people and make sure no one has
the ability to vote twice in Grex elections.
Since institutional members may not vote, #2 is not as relevant as #1 to
them. Some staff member please correct me if I'm wrong, but I think
people trying to telnet through Grex is still a problem that we are
concerned about, and constitutes a valid reason for requiring ID from
members.
|
aruba
|
|
response 6 of 35:
|
Mar 14 14:40 UTC 2001 |
I hope we don't get too hung up on philosophical underpinnings of
requiring ID - that's really a different topic. At the moment we do have
a policy requiring ID from members, and that includes institutional
members. So we ought to be able to list what forms of ID are permissible.
I think the rules need to be lax enough that we don't discourage many
potential donors, and stringent enough that someone can track down a
member given the information we collect. (Or, even better, stringent
enough that we discourage people who plan to do illegal and unsavory
things from becoming members at all.)
|
aruba
|
|
response 7 of 35:
|
Mar 14 14:51 UTC 2001 |
Here's the current ID policy, from the 9/27/1995 board minutes. It was
intended for verification of both members and nonmembers for internet access,
but we have yet to get around to applying it to nonmembers. Note that it
was adopted before we allowed institutional members. Points (2) and (5)
are the relevant ones.
T. Verification Policy - John Remmers passed around a verification policy
which he had formulated. A few words were modified, but there was a long
discussion about whether it should be possible for trusted people, such
as staff, to relay information to the verifier. Ultimately, the wording
in this respect was left intact.
Here is the final wording of the motion:
MOTION: (remmers, steve)
(1) Anyone requesting access to Grex services for which verification
is required shall present proof of his or her identity. Members and
non-members will be held to the same verification criteria. In order
to be considered verified, a person shall submit a photocopy of an
item of acceptable identification and a signed letter requesting the
access.
(2) The acceptable items of identification are government-issued ID,
school-issued ID, library-issued ID, or a personal check written to
Cyberspace Communications Inc. by the person requesting access. To be
accepted, the item must be currently valid (i.e. not expired), must
identify the person by name, and must include additional identifying
information other than a photograph (such as home address,
passport number, or name of school).
(3) There shall be one individual, referred to hereafter as "verifier",
who is responsible for accepting verification requests and ID,
notifying the appropriate staff member(s) so that access may be
granted if the criteria of (1) and (2) are met, and notifying the
requester if the ID is not acceptable.
(4) The board shall solicit volunteers and appoint the verifier. The
term of office is one year and is renewable. Any verified user is
eligible for the post of verifier. If a volunteer for the post is not
currently verified, then for the purpose of gaining eligibility he or
she may present identification to the board that meets the criteria
enumerated in (2).
(5) In the case of personal checks submitted to the treasurer of
Cyberspace Communications Inc., the treasurer may also verify a user,
provided the check meets the criteria of (2) and is accompanied by a
signed letter as required in (1).
(6) An individual whose request for verification is denied may
appeal the decision to the board. The board's ruling on appeals
is final.
PASSED: 7-0
|
aruba
|
|
response 8 of 35:
|
Mar 14 15:01 UTC 2001 |
I regret to say that I have never enforced the "signed letter" criterion; I
only found out about it a couple of years ago. With the board's consent,
I've allowed people to email scans of their ids as well as send photocopies,
and more recently have allowed people to fax copies. And as I said before,
both Greg and I have accepted corporate checks as ID for institutional
members.
None of the forms of ID enumerated in (2) apply to institutions - they don't
have government-issued ID (unless you count articles of incorporation - I
suppose someone could send that), school-issued ID, or library-issued ID,
and they can't write a personal check. It's a good question whether, if an
individual writes a check for a corporation's membership, that check counts
as ID for the corporation.
So, basically, the question posed in #0 is up in the air, and we need
suggestions to answer it.
|
cmcgee
|
|
response 9 of 35:
|
Mar 14 18:36 UTC 2001 |
Why don't we do the same thing the bank does: require that a corporation has
to supply us with two real people to represent the corporation or institution.
Perhaps the treasurer and president of the institution's board. That way we
can use the same "people" policies on these folks, and still have the
institution as the member.
|
pfv
|
|
response 10 of 35:
|
Mar 14 18:48 UTC 2001 |
What would that do to a state or federal request, let alone an
external systems complaint on "user XXX"?
You still need a PERSON related to a body (state or federal
database).
|
carson
|
|
response 11 of 35:
|
Mar 14 19:04 UTC 2001 |
(I think #9 is a good compromise.)
|
scg
|
|
response 12 of 35:
|
Mar 14 19:43 UTC 2001 |
If we want to continue requiring ID, #9 is probably a good compromise.
However, the Internet is a very different entity now than it was in 1995, and
a policy based on the theoretically closed Internet of 1995 probably ought
to be revisited.
|
flem
|
|
response 13 of 35:
|
Mar 15 02:59 UTC 2001 |
I'd think that the normal ID requirements would be fine for institutional
members, i.e. we have to make a good faith effort to ensure that we know the
name and contact info of a real person who is voluntarily associated with the
account. After all, what's the difference between a member with a driver's
license calling itself "Foobar, Inc." and a member with a driver's license
calling himself "Greg Fleming"? The fact that the first person has
voluntarily chosen to waive voting privileges in exchange for having the
membership be "in someone else's name" doesn't seem to be overly significant
to me, as far as security and accountability policies are concerned.
|
mdw
|
|
response 14 of 35:
|
Mar 15 07:52 UTC 2001 |
In 1995, it wasn't clear exactly what sort of internet abuse we might
need to worry about. In 2001 it's much clearer in some ways. We don't
need to worry so much about "smart" vandals, because they've been
enormously diluted by the pool of available systems. On the other hand,
cookbook vandals are much more common. UCE and various commercial fraud
schemes are also much more common now than then. In the case that
appears to have inspired this item, it seems possible that we're dealing
with a potential spammer. That has interesting implications - spamming
isn't, precisely, against the law, but it would almost certainly result
in our losing our internet connectivity.
In the past, we've tried not to get too bogged down in defining just
what "bad" behavior is, and in many cases, we've tried to give people
the benefit of the doubt, but this isn't always practical; some people
will take an inch, and assume it means a mile.
|
scg
|
|
response 15 of 35:
|
Mar 15 08:57 UTC 2001 |
It should be noted that there's been no evidence at all that the case that
inspired this item has anything to do with spam. That's the conspiracy
theorists going wild.
|
remmers
|
|
response 16 of 35:
|
Mar 15 11:56 UTC 2001 |
Long term, it would be reasonable to revisit our ID requirements
policy. Short term, we need a policy *now* to deal with an
existing situation, and I think what we should aim for is a
policy that's a consistent and reasonable extension of our ID
requirements for individuals. Colleen's suggestion in resp:9
sounds good to me.
|
remmers
|
|
response 17 of 35:
|
Mar 15 11:58 UTC 2001 |
(Since the board is meeting in less than a week, I recommend
that they enact a policy and that it be applied to any pending
requests for institutional membership.)
|
mary
|
|
response 18 of 35:
|
Mar 15 12:51 UTC 2001 |
I like Colleen's proposed solution too.
|
flem
|
|
response 19 of 35:
|
Mar 15 16:37 UTC 2001 |
Fair enough.
|
don
|
|
response 20 of 35:
|
Mar 16 04:45 UTC 2001 |
If the institution paid, it would have most likely done it by check, which
currently is an acceptable form of ID for personal memberships. Why isn't this
good enough for institutions? Or did this institution mail six crisp
sequential dollar bills in an envelope with no return address?
|
aruba
|
|
response 21 of 35:
|
Mar 16 04:50 UTC 2001 |
I don't feel comfortable going into the specifics of a payment here in coop.
That's why this is an item about a general policy on ID for institutional
members.
|
carson
|
|
response 22 of 35:
|
Mar 16 15:48 UTC 2001 |
re #20: (reading between aruba's lines, I'm guessing that the address
[or other information] wasn't preprinted on the check received.
but that's just idle speculation on my part.)
|
aruba
|
|
response 23 of 35:
|
Mar 16 19:18 UTC 2001 |
Regarding Colleen's suggestion in #9: I think requiring two people may be one
too many. We might potentially have an institutional member which really
only *has* one person. And we certainly have institutional members which
are not full-fledged corporations, so I don't think we should require
specific corporate officers to sign. In other words, I think whatever
policy we adopt should be broad enough to include small and informal
organizations.
That said, we don't want to be hoodwinked, either.
|
cmcgee
|
|
response 24 of 35:
|
Mar 16 20:28 UTC 2001 |
Any small and informal organization that only has one member is hardly an
organization. Even not-for-profits who are not tax exempt have to have two
officers to be considered an organization in Michigan. And those have to be
a president and a secretary IIRC.
Any small and informal business that only has one member is a sole
proprietorship, and I suppose we are allowing businesses as members. Or are
we? I don't remember exactly what we voted on.
|