PROPOSAL: Levels of User Access to Internet/EMail Resources

Apr 19 13:45 UTC 2007

At the last board meeting, there was discussion of redoing the way we grant
access to different resources to our users.  Right now, we have (defacto)
three basic categories that people fall into:

1) No access.  You're a brand new user, and we give you no access to
   outbound Internet or email resources.  You can still create a web page,
   and receiving incoming email.

2) Minimal access.  You're still a newish user, but you have somehow
   been granted minimal Internet access and possibly the ability to send
   outbound email.  Minimal Internet access is defined as access to the web
   (as a client), making DNS requests, using finger, whois, and maybe talk
   (whether people actually *use* these last three is questionable).

3) All access.  You can send (almost) anything you want to the Internet
   and can send outbound email.  Currently restricted to members.

These three categories were not necessarily planned, but rather grew up in
response to changing conditions on grex and the Internet as a whole.  We've
never *really* formalized any of the categories, nor how one moves between
them.  There are some defacto rules and perhaps some old member decisions,
but we haven't evaluated this in a long time.  I submit that it is now time
to do so; in particular, whatever decisions we've made in the past really
need to be re-evaluated in light of how the electronic landscape has changed
since we made those decisions (probably in the 1990s).

What follows are my proposals for how we should handle this issue, as well
as my rationale.  This item is for discussion of this proposal and this
issue as a whole.  Please note, I am not a lawyer; I don't understand how
this would affect, say, our common carrier status for instance, but I'm
hoping that those who do will weigh in.

I propose that we maintain the following three levels of access and
associated methods for transitioning between levels.  Note that each level
is a superset of the level below it:

1) No access.  This is for new users; they are given no Internet access
   at all and are blocked from sending and receiving Internet email, though
   they can send and receive as much local email as they like (for instance,
   they can send email to staff).  This is similar to how things are
   presently set up.

   RATIONALE: The Internet has changed drastically since 1991, when Grex
   first set up shop (though I understand that the first connection to the
   net did not come for another couple of years).  In particular, the
   Internet is far more dangerous now than it was then.  We simply cannot
   allow access to the Internet, even minimal access, for untrusted users
   anymore.  We have seen too many attacks originate from grex for this to
   be practical anymore.  With respect to email, we've seen that the vast
   majority of users just don't read email on grex; there's no point in
   creating them a mailbox that quickly becomes filled with spam unless they
   ask for it, which brings us to the next level of access.

2) Minimal access.  Again, this is similar to the way things are currently
   set up; we allow minimal access to some common protocols (HTTP, DNS,
   finger, talk, etc) and allow users to send and receive Internet email,
   but otherwise constrain there access.  One transitions from the no access
   category to the minimal access category by requesting minimal access.  In
   practice, this will involve running a program from grex's command line;
   that program will send a message to a team of volunteers taken from the
   community who, if they approve of the request, will run another program
   that moves the user to the minimal access category.

   RATIONALE: This is little different from how we do things right now,
   except that it combines requests for Internet email access with requests
   for minimal Internet access, and adds community verification (a term I
   heard at the last board meeting, though I do not recall who coined it;
   perhaps cmcgee?).  The idea is that the social interaction required by
   actually requesting access from a human being will be enough to deter
   most Internet predators.  As Steve has observed, most of the people who
   will abuse grex's services want to remain under the radar and are loathe
   to do something public and personal (like request Internet access).  It's
   easier for them just to go somewhere else.  Further, we tie minimal
   network access to email since it seems that there is little reason to
   separate them; in the case where we did separate them, the procedure for
   requesting access for one would be nearly identical to requesting access
   to another.  It would put an undue burden on both our community
   volunteers and our users to separate the requests.

3) Verified access.  This is full (almost) unrestricted access.  (Almost in
   the sense that a verified user still can't, e.g., allocate a privileged
   port, for instance).  A user transitions to this level by providing some
   form of identification to grex that validates their identity.  This might
   mean either making a minimal payment via PayPal, or using some form of
   identification comparable to one of those used for, e.g., gaining
   membership.  Note that all members are automatically verified, but that
   verification does not require membership.  Once a user is verified, that
   users account becomes non-reapable for somewhere on the order of five
   years since the last time the user logged in.

   RATIONALE: It has always struck me as strange that the primary criterion
   for outbound access has been membership.  We say we want to prevent the
   situation where members are granted special privileges over non-members,
   but that's basically what ends up happening.  However, it seems clear
   that the intent is to prevent abuse, and to require some sort of
   verification before granted unrestricted access to the Internet; this is
   certainly a reasonable step to help mitigate risk.  But if that's the
   case, then let us decouple the notion of verification from the notion of
   membership.  Verified users get outbound Internet access, as do members,
   but membership is no longer the focus of verification.

   This will clean up a few edge cases.  For instance, what happens when a
   user who has previously been a member lets his or her membership lapse?
   That user has been verified and was trusted to access the Internet, why
   suddenly is the user no longer permitted to access the network?  They
   haven't been *unverified*, they're just not a member presently.  We are
   in a situation presently where some members have decided that given the
   surplus of cash we have on hand at the moment, grex does not need their
   continued financial support right now, and have decided to let their
   memberships lapse.  Very well.  But why do we take away Internet access
   from them?  We know who they are, we know we can count on them not to
   attack remote hosts.  So why not let them retain outbound access?
   Further, suppose their account becomes inactive for a time; we went to
   the trouble to verify them, so lets let them ride inactivity for a little
   while.  We may remove their outbound access until they come back and run
   some sort of a program to validate that, yes, it really is them logging
   in again, but there's no need to remove and re-validate the account after
   only three months.

This is my proposal.  What do others think?

response 2 of 44:

Apr 19 15:05 UTC 2007

I like it.

response 4 of 44:

Apr 19 15:53 UTC 2007

I doubt that most people who want to use a browser here also want to receive
email from outside grex.  There are probably also people who want the email
but not the other internet privileges.  I set up spam filters for people from
India, Mexico, and Indonesia who appear to just like using shell account
email.  So please decouple them.

response 6 of 44:

Apr 19 17:03 UTC 2007

Regarding #4; Well, just because one *can* receive Internet email doesn't
mean that one *has* to.  One can certainly forward it elsewhere or to
/dev/null or just opt-out.  And similarly, just because one *can* use a web
browser or other minimal form of outgoing access doesn't mean that one has
to.  On the other hand, if we decouple the request process, that does place
an additional burden on the volunteers (these are not necessarily staff
members) to authorize the same account for multiple services.  It seems like
an unnecessary complication to separate the two.  Sindi, what's your
reasoning?  It imposes no additional burden on the user to have something that
he or she doesn't use....

response 8 of 44:

Apr 19 23:55 UTC 2007

#7: That's what I thought he was saying -- just a user wouldn't have to file
two separate requests for email and Internet access.

response 10 of 44:

Apr 20 14:26 UTC 2007

Regarding allowing all users to create web pages:  M-net, in the 
policy conference, has reports that malicious users have been using
M-net to host phishing pages, and M-net's hosting provider 
is threatening to cut access if this happens again.

Has this been an issue for Grex?  Can Grex move fast if it does 
become an issue?
 
(A phishing page is the page set up to collect financial information,
such as bank account information or PayPal passwords, on a fraudulent
basis.)

response 12 of 44:

Apr 20 17:28 UTC 2007

I hate to pull a function before it is necessary for Grex to 
pull it.  Here's a suggestion:
 
If Grex is not being threatened due to phishing pages, allow 
no-access users to create web pages, as we do today.  Obviously
staff continues to swat down phishing pages as they are reported.

If such a threat arises, then have the hooks in place so that 
web page creation can be switched to the limited-access category
at a moment's notice.   This might mean board pre-approving the 
switch in advance, at staff's judgement.

response 14 of 44:

Apr 20 17:45 UTC 2007

I would volunteer to preapprove any webpages to be posted by non-members, and
any changes to them made later.  

response 16 of 44:

Apr 20 18:16 UTC 2007

Re #13:  Couldn't JavaScript be used to override a server side banner?

Re #15 re #14:  I agree.

response 18 of 44:

Apr 20 20:17 UTC 2007

Javascript could be used to override the server side banner. Maybe with
a InnerHTML property.

response 20 of 44:

Apr 20 20:56 UTC 2007

well, if there were a way to have a server side banner, that would be
the best solution imho. 

response 22 of 44:

Apr 20 21:47 UTC 2007

 At the very least, Grex should have some language in its terms of use
 that empowers staff to take web pages off-line in response to complaints
 about things like phishing.  It should be a clearly defined system policy
 and without authorization under such a policy staff shouldn't remove
 anything -- otherwise censoring one web site and not another could be
 argued to be implicit approval or endorsement of the other.

response 24 of 44:

Apr 22 00:42 UTC 2007

I like the idea of decoupling membership from service, and I think that
the tiered access system makes sense, where increased privilege is
granted by increased exposure to the staff, thereby increasing personal
accountability. 

keesan, the idea of having to have webpages vetted concerns me, and I
suspect it would concern others as well. I would prefer that staff had
the right to revoke before giving them the responsibility to vet a page
beforehand. Requiring approval before putting up content without some
reason to suspect the user in question would have a chilling effect.
That said, I also think staff should have a mechanism in place to be
able to yank a webpage that violates TOS. I also think it would be a
good idea to have the TOS looked over, reaffirmed by staff and reposted
in a prominent place when we have the next system upgrade.