response 169 of 184:

Sep 11 23:32 UTC 2002

Regarding #93; Yes, I worry about it.

Regrding #111; The question is, what data do you keep?  If they send you
a driver's license, that's fine.  Do you need to keep their DL number and
other identifiers, or just their name, address, and possibly phone number?

Regarding #113; So far, I've never heard of an Internet cafe being sued.
It seems unlikely that it would happen.  However, I agree with you about
the geographic limitation versus global accessability.

Regarding #115; That sounds like an excellent solution; look at the ID,
record the name and address, etc, and then destroy it.

Regarding #117; I had forgotten about that incident; it was rather
amusing.  It's a good point, but even if that company had sent a driver's
license or similar, that doesn't mean it would need to be retained.
There's a minimum of information that grex *needs*, and it ideally it
shouldn't store any more than that.

Regarding #137; Yes, I am telling you that public kiosks at Columbia
allow public access (isn't that implicit in the definition of ``public
kiosk?''), and I'm telling you that a Java applet can save files to the
local machine's disk.  Of course they have a network interface; they're
kiosks.  They run Linux, boot off the network, and reinitialize the disc
every time they come up; if you're concerned about security, power-cycle
the machine.  The diskette drives have a physical lock mechanism in them
that prevents one from booting off a floppy, but we can afford that.

Regarding #140; The issue isn't the *asking* of ID, it's what is done
with the ID after its received.

Regarding #142; Seeing an ID doesn't mean you have to keep it.

Regarding #161; dude, that's just rude.

response 171 of 184:

Sep 12 17:23 UTC 2002

resp:170 - Believe what you will.

response 175 of 184:

Sep 12 21:28 UTC 2002

THRASHHHH                            LIBRAARIES!


FUCKING COMMIES!

response 177 of 184:

Sep 13 02:10 UTC 2002

Re #169:  Dan, if you're worried about Jamie's brain falling out of his
head, I think you are wrrying too much.

response 179 of 184:

Sep 13 22:37 UTC 2002

Still, I think you should just have a beer.

response 181 of 184:

Sep 15 20:40 UTC 2002

Sure.  I'll join you.

response 183 of 184:

Oct 2 17:19 UTC 2002

While you might tell the police that you haven't verified an ID, and thus
you can't be certain of its accuracy, can the police necessarily be trusted
to treat it as if it might be inaccurate?  I've certainly heard enough
claims of police fabricating evidence that this bothers me.

And the stolen school ID case that Marcus mentions is an interesting one;
what would have happened if that ID had actually been copied, rather than
the original sent?

I think a check provides a reasonable level of verification, in that if
someone writes a forged check against my account, I will probably notice
and say something to my bank.  Knowing where an ID has traveled might be
a bit harder.

I do find myself wondering if providing a phone number and having the treasurer
call that number might be more effective verification.  Yes, it would cost
something, but it would cost less than $1 to verify each member, at least
in the US, I would expect.  Or, perhaps do both phoning and getting ID.

As for storing the data: I don't have any problem with trusting aruba to not
do anything dishonest, but it's a little bit harder to feel confident that
his computer hasn't been compromised by some sort of malicous software.
And encryption doesn't provide any protection against keystroke recording
software, really.  (Well, it might raise the bar far enough to make some
attacks fail.)