|
Grex > Coop12 > #127: Grex, once again, has pissed me off | |
|
| Author |
Message |
| 25 new of 184 responses total. |
other
|
|
response 19 of 184:
| 
Sep 4 01:05 UTC 2002 |
If you don't like our practices, I suggest you do one of two things:
* Become a member and propose a specific change, or
* Don't become a member, in which case they don't apply to you.
Since there is a blatant attempt underway to confuse issues regarding our
membership and recordkeeping practices, I strongly suggest that we take
with a grain of salt any suggestions or implied threats by anyone not
directly affected.
|
aruba
|
|
response 20 of 184:
|
Sep 4 02:55 UTC 2002 |
Re #18: Right, Grex has always had a policy of not giving identifying
information to anyone without a court order. So far that's never happened.
|
jp2
|
|
response 21 of 184:
|
Sep 4 02:58 UTC 2002 |
This response has been erased.
|
jp2
|
|
response 22 of 184:
|
Sep 4 02:59 UTC 2002 |
This response has been erased.
|
other
|
|
response 23 of 184:
|
Sep 4 03:03 UTC 2002 |
Handy with the hyperbole, aren't we?
|
jp2
|
|
response 24 of 184:
|
Sep 4 03:07 UTC 2002 |
This response has been erased.
|
gull
|
|
response 25 of 184:
|
Sep 4 12:32 UTC 2002 |
I think there are real concerns, here. I don't really want to see them
glossed over just because jp2 brought them up.
|
aruba
|
|
response 26 of 184:
|
Sep 4 13:05 UTC 2002 |
David (gull) - I too would like to discuss this rationally. I respect
your opinion as a reasonable person, and I would like to do what I can to
make sure the ID information we collect is secure. Forgive me if I
misremember, but I think your suggestion for what to do is "destroy copies
and records of ID as soon as they are verified". The thing is, I don't
"verify" ID, I just record it, and count on being able to retrieve it if
necessary. So I don't see how your plan would work - maybe you could
explain it to me.
|
mdw
|
|
response 27 of 184:
|
Sep 4 13:32 UTC 2002 |
I believe most of the acts quoted in #15 (certainly EPCA) mainly deal
with unauthorized disclosure of information to 3rd parties. Most of
these acts do not pertain to the legitimate use of information within
one organization (some contain specific language to authorize this), and
certain other kinds of disclosure are also authorized (for instance,
EPCA specifically authorizes (but does not require) disclosure of a
crime that is discovered doing some unrelated business activity, such as
repairing filesystem damage.) I know of little within these acts that
restricts a companies ability to to either be incredibly nosey, or to
save those facts -- and there are a *lot* of companies in corporate
america that do amazingly gacky things. I don't think grex is doing
anything particular gacky or unreasonable. Possibly we could fix many
of these problems by making members sign some sort of membership
agreement, though I can't say I'm all that fond of creating more
paperwork, and personally find membership agreements in themselves kinda
gacky.
|
jp2
|
|
response 28 of 184:
|
Sep 4 13:37 UTC 2002 |
This response has been erased.
|
other
|
|
response 29 of 184:
|
Sep 4 13:58 UTC 2002 |
re #25: I'm not denying the legitimacy of the point. I acknowledged it
earlier. I'm mostly responding to tod's posting and jp2's typically
hysterical behavior.
Hmm. Jamie, if you refuse to become a member, how do you ever expect to
be elected to the board?
|
jp2
|
|
response 30 of 184:
|
Sep 4 14:32 UTC 2002 |
This response has been erased.
|
gull
|
|
response 31 of 184:
|
Sep 4 14:49 UTC 2002 |
I mostly just feel strongly that retaining credit card information is a bad
idea -- it exposes Grex to liability if that information is stolen. I
realize that's no longer a major concern, since we don't accept credit cards
anymore, but any remaining numbers should probably be stored offline -- on
paper or on removable media. I'm less concerned about things like names and
addresses, since those are essentially public information anyway.
|
cross
|
|
response 32 of 184:
|
Sep 4 14:55 UTC 2002 |
Regarding #31; I believe Mark has already moved the last of the credit
card information offline, onto paper. Don't forget, though, that some
states' driver's licenses have SSN's on them.
|
mynxcat
|
|
response 33 of 184:
|
Sep 4 15:03 UTC 2002 |
Thats a point i was going to bring up. What about SSN information on the
licenses?
|
aruba
|
|
response 34 of 184:
|
Sep 4 15:27 UTC 2002 |
First of all, the credit card numbers were never available to anyone
online, unless they hacked into my machine while it happened to be
connected to the internet with a non-fixed IP address. (Most of the time
I'm online I dial into Grex anyway.)
I did indeed move both remaining credit card numbers off my computer and
onto paper. I don't record SSNs on drivers' licenses unless they *are*
the driver's license numbers - do any states still do that?
|
jep
|
|
response 35 of 184:
|
Sep 4 16:01 UTC 2002 |
Mark, I had thought you received ID information from users just to
verify they're real people, in order to prevent one person using
multiple votes. If that were the case, you could confirm the person
exists, then destroy the information you'd received other than the
person's real name, and Grex's requirements would be satisfied.
It turns out Grex has more requirements than I had realized. Would it
make sense to just keep verification information for those who want to
use Grex's Internet services and not for the rest? You don't need my
verification information, for example, since I never use Grex's
outbound Internet services. I'm just using me as an example. I don't
care if you keep any verification information you have about me.
I'm not concerned about this issue at all, other than to make sure the
treasurer and Grex are not exposed to lawsuits or other repercussions
if someone gets some personal information they shouldn't.
|
cmcgee
|
|
response 36 of 184:
|
Sep 4 16:47 UTC 2002 |
Right now, the compter file for allowing outbound acces is very simple: it
is identical to the file of "members". This file is also identical to the
file "allowed to vote".
It seems to me that what jep is suggesting is that we retain the members file
for voting, but create a different, and separately maintained members file
for outbound access.
I think this needlessly complicates the task of accumulating data for the
two separate purposes. I think our current system: verifying your
existance for voting purposes and some trackable data for security
purposes is all accomplished with one document, stored one place, and used
for two purposes.
|
jep
|
|
response 37 of 184:
|
Sep 4 17:45 UTC 2002 |
I agree my suggestion complicates things.
|
scott
|
|
response 38 of 184:
|
Sep 4 17:55 UTC 2002 |
I think it's a non-issue, inflated out of proportion by jp2 as some sort of
ego massage.
|
aruba
|
|
response 39 of 184:
|
Sep 4 18:12 UTC 2002 |
I tend to agree with Colleen, though as I said before, I will do whatever
the board and the membership direct me to do. John's suggestion is
implementable, but it would take some work. Among other things, it would
require people to declare, when they become members, whether they want to
use internet access, which in turn requires that they be confronted with
the technical explanation of what that means (i.e., which protocols anyone
can use and which are reserved for members only). I'm not inclined toward
things which make it harder to become a member than it already is,
especially when our membership is down from where we'd like it to be.
It would be simpler for me to just store all ID information on paper. I'd
rather not do that, just because I think it's not very efficient. A less
drastic action would be to encrypt all ID information on my computer. I
could probably find a way to do that which wouldn't be too difficult to
deal with, though I would welcome suggestions from people who know more
about security that I for what a good, efficient system would be.
|
gull
|
|
response 40 of 184:
|
Sep 4 18:34 UTC 2002 |
Re #38: Jp2's been searching very hard for something to be outraged about
for a long time now, it's true, and he finally found something. I do think
there's a real issue here, but I don't feel quite as strongly about it as
jp2.
|
jp2
|
|
response 41 of 184:
|
Sep 4 19:23 UTC 2002 |
This response has been erased.
|
mary
|
|
response 42 of 184:
|
Sep 4 19:43 UTC 2002 |
For some it would be a real step-up and cause for celebration.
|
cmcgee
|
|
response 43 of 184:
|
Sep 4 20:45 UTC 2002 |
No, 'fraid not. They don't give you a personality transplant when someone
steals your identity.
|