Grex > Coop11 > #255: Should we change Grex's ID policy?
aruba
|
|
Should we change Grex's ID policy?
|
Apr 16 01:52 UTC 2001 |
People in item 254 seemed to think we need a separate item to discuss
changing Grex's current ID policy, so here it is. If you think the policy
should change, speak up here.
|
| 140 responses total. |
aruba
|
|
response 1 of 140:
|
Apr 16 01:55 UTC 2001 |
For the record, here is our current ID policy.
This is quoted from the minutes for the September 27, 1995 board meeting;
the relevant parts are sections 2 and 5. The policy was intended for
verification of non-members to use outbound Internet services, but as I
understand it, the ID criteria also apply to verification of members.
T. Verification Policy - John Remmers passed around a verification policy
which he had formulated. A few words were modified, but there was a long
discussion about whether it should be possible for trusted people, such
as staff, to relay information to the verifier. Ultimately, the wording
in this respect was left intact.
Here is the final wording of the motion:
MOTION: (remmers, steve)
(1) Anyone requesting access to Grex services for which verification
is required shall present proof of his or her identity. Members and
non-members will be held to the same verification criteria. In order
to be considered verified, a person shall submit a photocopy of an
item of acceptable identification and a signed letter requesting the
access.
(2) The acceptable items of identification are government-issued ID,
school-issued ID, library-issued ID, or a personal check written to
Cyberspace Communications Inc. by the person requesting access. To be
accepted, the item must be currently valid (i.e. not expired), must
identify the person by name, and must include additional identifying
information other than a photograph (such as home address,
passport number, or name of school).
(3) There shall be one individual, referred to hereafter as "verifier",
who is responsible for accepting verification requests and ID,
notifying the appropriate staff member(s) so that access may be
granted if the criteria of (1) and (2) are met, and notifying the
requester if the ID is not acceptable.
(4) The board shall solicit volunteers and appoint the verifier. The
term of office is one year and is renewable. Any verified user is
eligible for the post of verifier. If a volunteer for the post is not
currently verified, then for the purpose of gaining eligibility he or
she may present identification to the board that meets the criteria
enumerated in (2).
(5) In the case of personal checks submitted to the treasurer of
Cyberspace Communications Inc., the treasurer may also verify a user,
provided the check meets the criteria of (2) and is accompanied by a
signed letter as required in (1).
(6) An individual whose request for verification is denied may
appeal the decision to the board. The board's ruling on appeals
is final.
PASSED: 7-0
|
aruba
|
|
response 2 of 140:
|
Apr 16 01:59 UTC 2001 |
We have never enforced the "signed letter" criterion. We added this policy
for institutional members:
6. Institutional Membership Requirements: Much discussion, the following
conclusion:
Motion by other: In addition to those applicable requirements for individual
memberships, the requirements for institutional Grex memberships shall be:
1) A designated contact person who shall be responsible for all use of the
member account.
2) Verifiable personal identification for the designated contact person
(subject to the same ID requirements as individual memberships)
3) Renewal of institutional memberships requires an update of the contact ID.
Seconded by aruba.
Motion carries, 5,0,0
|
other
|
|
response 3 of 140:
|
Apr 16 07:23 UTC 2001 |
In item 254, response 50, Russ makes a very good suggestion. If we adapt the
policy to allow for the following, it might make things much smoother:
Any user applying for an institutional membership may submit a letter with
their check stating that they waive the outbound internet accesses which
normally accompany membership, and in such a case, validation requirements
will be waived.
Otherwise, anyone wanting outbound access *must* be validated, period. If
you don't want to be identified, you don't get to use Grex as your access
point to the internet.
|
albaugh
|
|
response 4 of 140:
|
Apr 16 09:52 UTC 2001 |
Although #3 would be reasonable, one must ask: What's the point of paying
for an institutional "membership" with no voting or internet rights? Just
make a donation...
|
other
|
|
response 5 of 140:
|
Apr 16 14:41 UTC 2001 |
Personally, I'm not concerned what anyone's point might be in that case.
I'm happy to let them do it anyway.
|
cmcgee
|
|
response 6 of 140:
|
Apr 16 17:20 UTC 2001 |
I don't think we need to change our policy at all. Corporations currently
have two options: a donation with all the rights of any anonymous user, or
a membership with all the rights of any paying member except voting.
We have very clear and very easy to comply with policies for both options.
This whole controversy is a result of someone trying to avoid complying with
the membership policy.
So several grexers spend hours detecting the available public information,
that was NEVER SUPPLIED to us, and then making arguments that, because the
information is public, we should change our policy. I don't think so.
Let's not complicate our simple to understand, and simple to apply policies
to create some new category that this person could then fall under, if they
wanted to. Remember, all the work has been done by grexers. This
person/corporation has not done anything except write rude emails to our
treasurer, implying that he doesn't know what he is doing, and is doing
something that Grex doesn't want done.
There is no reason to think that by changing our policies we would create a
better, larger Grex community.
|
aruba
|
|
response 7 of 140:
|
Apr 16 17:20 UTC 2001 |
Adding a requirement that institutions must submit a letter with their check
is undoubtedly adding a headache for the treasurer, because I have no doubt
that people will forget to do it, which means I'll have to bug them until
they do. Our policy could say, however, that institutional members don't
get full internet access, and that wouldn't make more work.
|
carson
|
|
response 8 of 140:
|
Apr 16 17:56 UTC 2001 |
resp:3
(actually, the part of Russ's suggestion I liked was eliminating
outbound telnet for institutional memberships, period.)
|
keesan
|
|
response 9 of 140:
|
Apr 17 00:39 UTC 2001 |
Members also get FTP and access to ports such as the one that the Ann Arbor
library uses to renew books and the ones used by many Russian sites.
|
mdw
|
|
response 10 of 140:
|
Apr 17 01:29 UTC 2001 |
I think there are some significant differences between us digging
out information on a corporation, and someone submitting information
to us:
(1) it takes a bunch more of our time to dig information out
(2) if the information turns out to be wrong, we end up
responsible not the person who submitted it.
|
aruba
|
|
response 11 of 140:
|
Apr 17 13:19 UTC 2001 |
Got this from usgov:
From usgov@cyberspace.org Tue Apr 17 09:13:06 2001
Date: Tue, 17 Apr 2001 02:19:09 -0400 (EDT)
From: ~~ <usgov@cyberspace.org>
To: aruba@grex.cyberspace.org
Subject: Re: Money Received
Please post the following to your classification BBS Item #255:
1. Corporations are not second class citizens. They pay their taxes just
like individuals. They can be criminally and civilly liable just like
an individual can. Any restrictions on corporations are not supportable by
any possible logic. As a corporation, if an organization were to
discriminate against us by restricting our rights or voting, our Board
would vote not to join the organization. Period.
2. A checking account should be the only requirement for any membership.
As indicated in #254, let the financial institutions worry about ID's. If
they are satisfied to open a checking, Grex should accept it. Grex, as a
non-profit corporation, should not go into the verification business.
3. As indicated in #254, the only other reasonable request to a
corporation is an address and the NAME (only) of a contact person.
PERIOD.
4. Once Grex starts obtaining and/or retaining and/or collecting ANY
personal information, it then becomes legally liable for any damage to the
individual if Grex is negligent and someone obtains it (from or through
Grex's possession) and uses it for theft of I.D., etc. Is Grex ready to
assume legal liability in such an event?
We believe that Grex's ID policy needs to be revised--and eliminated. If
it doesn't make sense, eliminate it. If it has no connection with any
reasonable goal of Grex, then it should not be made a requirement. Grex
does not have as one of its goals, that of protecting the entire Internet
from ANY potential and/or possible harm by anyone! All members, whether
corporations or individuals, should have equal rights and privileges. Any
policy must be reasonably related to the purpose for which it is intended.
|
cmcgee
|
|
response 12 of 140:
|
Apr 17 14:31 UTC 2001 |
>I move that we reaffirm our current Grex policy on corporate memberships.
|
carson
|
|
response 13 of 140:
|
Apr 17 14:38 UTC 2001 |
(I concur.)
|
robh
|
|
response 14 of 140:
|
Apr 17 15:02 UTC 2001 |
#12 - Agreed here.
|
eeyore
|
|
response 15 of 140:
|
Apr 17 15:58 UTC 2001 |
Hear, hear.
|
gull
|
|
response 16 of 140:
|
Apr 17 19:16 UTC 2001 |
Re #11:
Corporations *are* second-class citizens, though. They can't vote, for
example. The analogy to a real individual only goes so far.
|
scg
|
|
response 17 of 140:
|
Apr 17 23:00 UTC 2001 |
I'm curious about why people are so passionate about Grex's seven-year-old
ID policy. I'm somewhat ambivalent on the specific case that touched this
off -- our current policy is our current policy and we have to follow it, but
the hostility being expressed towards the potential donor amazes me -- but
that's a very small part of the question of what Grex's membership policies
should be.
Grex's current membership policy was introduced in 1993 or 94, and last
modified to permit some additional types of IDs in 1995. It was designed to
protect the Internet of that era, at the time mostly an academic research
network, from the random members of the public we were going to unleash on
it. The Internet, and what is expected of its users, has changed
considerably in the last several years since the last time the policy was
looked at, so it doesn't make much sense not to reexamine the policy
occasionally.
I'm hoping we can use this item to first figure out what requirements we are
dealing with, what results we want to accomplish, and what the best way of
accomplishing those results is, preferably in that order. Perhaps we'll end
up with something that looks a lot like the current policy, or perhaps we
won't.
|
russ
|
|
response 18 of 140:
|
Apr 17 23:58 UTC 2001 |
Corporations cannot hold office either. A corporation is a legal
individual, not a real individual.
|
mary
|
|
response 19 of 140:
|
Apr 18 00:11 UTC 2001 |
Steve, Grex's policy on organizational memberships was reviewed and
updated just about a month ago. It was reviewed with the current state of
the Internet in mind. You may disagree with the policy but it isn't there
out of administrative neglect.
|
aruba
|
|
response 20 of 140:
|
Apr 18 00:26 UTC 2001 |
Steve, what do you mean by "what requirements we are dealing with"?
|
scg
|
|
response 21 of 140:
|
Apr 18 05:04 UTC 2001 |
I'm not talking about organizational memberships, but about memberships in
general. I'm hoping we can think beyond this specific case.
I'm also not sure I disagree with the current policy. I'm hoping that with
an open discussion of it, we can reasonably evaluate whether it is what the
policy should be. If so, we should keep it. If not, we should change it.
If others refuse to discuss it at all, beyond hurling insults at somebody
who is attempting to become a member and disagreeing with it, that's not the
way to make good decisions.
What requirements we are dealing with is the fairly basic question beyond any
membership ID verification policy we might come up with. It's been claimed,
probably accurately, that the state requires us to have a list of names and
addresses of members. Is that the case? If so, what does the state require
from us in terms of collecting that information? Can we ask for it and accept
the information we are given? Are we required to verify it? If so, how are
we required to verify it? Do we need to ask for identification? How many
pieces of identification, and of what sort? Are there any requirements that
we as an organization feel we have for knowing how accurate our membership
list is beyond those required by the state? As for Internet access, what
acceptable use policies have we agreed to from our ISP regarding the
identities of our users? What are practices with regard to ID collection of
other companies and organizations providing access to the Internet? What does
the law require us to provide to law enforcement if they come looking for one
of our users? What does the law forbid us to supply to law enforcement? What
protocols are we required to collect identifying information before allowing
the use of, if any?
|
russ
|
|
response 22 of 140:
|
Apr 18 12:49 UTC 2001 |
Re #17: I'm sure you are far more familiar with the ID policy
than I am, but the changes in the Internet since 1994 have not
made it less important to be careful about who we let onto our
outbound connection. Arguably, we should be more careful.
There are a number of state laws, in force or making their way
through the sausage-grinding process, which require ISP's to be
able to identify the people they let onto the Internet. If Grex's
hardware happens to become the subject of a search warrant because
of the activities of someone we couldn't point to, bye-bye Grex.
There are also extra-legal issues. If someone uses Grex to perform
computer trespass or IRC shenanigans, other people are bound to take
exception to this. Some of them may try to shut Grex down, e.g. with
a DDoS attack. This is extremely easy, and the only thing that protects
us is that nobody's doing anything here that makes it worthwhile.
Because of this, I think we have every right to be suspicious of people
whose claimed motives don't match with their actions. Even (especially?)
if they are waving money at us. Don't the words of "usgov" smack of a
social-engineering attack to you? They sure do to me.
My response: either straighten up, fly right and come clean, or get lost.
|
aruba
|
|
response 23 of 140:
|
Apr 18 13:14 UTC 2001 |
Steve asks a lot of good questions in #22, that no one on Grex has really
explored, as far as I know. I think we might need to ask a lawyer about
them in order to get good answers. Though someone could probably search the
MCL and find what ID requirements the State makes.
|
gull
|
|
response 24 of 140:
|
Apr 18 14:40 UTC 2001 |
I think the requirement for ID has become obsolete. I think it's good
to ask for contact information, but I see no reason to verify it with
an ID that's of dubious quality anyway.
Realistically, if an account is misused, we're going to disable it.
Yes, someone can create a new account, but if they want outgoing
Internet access again they'll have to pay Grex another $6. I don't see
a potential hacker doing this repeatedly when they can more easily make
mischief via Netzero or Bluelight, or by using nether.net or another
free shell server. If we're asked to provide information for a legal
investigation, we provide what we were given -- that's all we can do,
anyway.
It's my opinion that the ID verification requirement should be
dropped. We can always revisit this decision if Michigan law changes
to require us to verify people's identities. Our current method
probably wouldn't stand up to such a law anyway.
|