|
Grex > Coop12 > #127: Grex, once again, has pissed me off | |
|
| Author |
Message |
| 25 new of 184 responses total. |
other
|
|
response 29 of 184:
|
Sep 4 13:58 UTC 2002 |
re #25: I'm not denying the legitimacy of the point. I acknowledged it
earlier. I'm mostly responding to tod's posting and jp2's typically
hysterical behavior.
Hmm. Jamie, if you refuse to become a member, how do you ever expect to
be elected to the board?
|
jp2
|
|
response 30 of 184:
|
Sep 4 14:32 UTC 2002 |
This response has been erased.
|
gull
|
|
response 31 of 184:
|
Sep 4 14:49 UTC 2002 |
I mostly just feel strongly that retaining credit card information is a bad
idea -- it exposes Grex to liability if that information is stolen. I
realize that's no longer a major concern, since we don't accept credit cards
anymore, but any remaining numbers should probably be stored offline -- on
paper or on removable media. I'm less concerned about things like names and
addresses, since those are essentially public information anyway.
|
cross
|
|
response 32 of 184:
|
Sep 4 14:55 UTC 2002 |
Regarding #31; I believe Mark has already moved the last of the credit
card information offline, onto paper. Don't forget, though, that some
states' driver's licenses have SSN's on them.
|
mynxcat
|
|
response 33 of 184:
|
Sep 4 15:03 UTC 2002 |
That's a point I was going to bring up. What about SSN information on the
licenses?
|
aruba
|
|
response 34 of 184:
|
Sep 4 15:27 UTC 2002 |
First of all, the credit card numbers were never available to anyone
online, unless they hacked into my machine while it happened to be
connected to the internet with a non-fixed IP address. (Most of the time
I'm online I dial into Grex anyway.)
I did indeed move both remaining credit card numbers off my computer and
onto paper. I don't record SSNs on drivers' licenses unless they *are*
the driver's license numbers - do any states still do that?
|
jep
|
|
response 35 of 184:
|
Sep 4 16:01 UTC 2002 |
Mark, I had thought you received ID information from users just to
verify they're real people, in order to prevent one person using
multiple votes. If that were the case, you could confirm the person
exists, then destroy the information you'd received other than the
person's real name, and Grex's requirements would be satisfied.
It turns out Grex has more requirements than I had realized. Would it
make sense to just keep verification information for those who want to
use Grex's Internet services and not for the rest? You don't need my
verification information, for example, since I never use Grex's
outbound Internet services. I'm just using me as an example. I don't
care if you keep any verification information you have about me.
I'm not concerned about this issue at all, other than to make sure the
treasurer and Grex are not exposed to lawsuits or other repercussions
if someone gets some personal information they shouldn't.
|
cmcgee
|
|
response 36 of 184:
|
Sep 4 16:47 UTC 2002 |
Right now, the computer file for allowing outbound access is very simple: it
is identical to the file of "members". This file is also identical to the
file "allowed to vote".
It seems to me that what jep is suggesting is that we retain the members file
for voting, but create a different, and separately maintained members file
for outbound access.
I think this needlessly complicates the task of accumulating data for the
two separate purposes. I think our current system: verifying your
existence for voting purposes and some trackable data for security
purposes is all accomplished with one document, stored one place, and used
for two purposes.
|
jep
|
|
response 37 of 184:
|
Sep 4 17:45 UTC 2002 |
I agree my suggestion complicates things.
|
scott
|
|
response 38 of 184:
|
Sep 4 17:55 UTC 2002 |
I think it's a non-issue, inflated out of proportion by jp2 as some sort of
ego massage.
|
aruba
|
|
response 39 of 184:
|
Sep 4 18:12 UTC 2002 |
I tend to agree with Colleen, though as I said before, I will do whatever
the board and the membership direct me to do. John's suggestion is
implementable, but it would take some work. Among other things, it would
require people to declare, when they become members, whether they want to
use internet access, which in turn requires that they be confronted with
the technical explanation of what that means (i.e., which protocols anyone
can use and which are reserved for members only). I'm not inclined toward
things which make it harder to become a member than it already is,
especially when our membership is down from where we'd like it to be.
It would be simpler for me to just store all ID information on paper. I'd
rather not do that, just because I think it's not very efficient. A less
drastic action would be to encrypt all ID information on my computer. I
could probably find a way to do that which wouldn't be too difficult to
deal with, though I would welcome suggestions from people who know more
about security than I for what a good, efficient system would be.
|
gull
|
|
response 40 of 184:
|
Sep 4 18:34 UTC 2002 |
Re #38: Jp2's been searching very hard for something to be outraged about
for a long time now, it's true, and he finally found something. I do think
there's a real issue here, but I don't feel quite as strongly about it as
jp2.
|
jp2
|
|
response 41 of 184:
|
Sep 4 19:23 UTC 2002 |
This response has been erased.
|
mary
|
|
response 42 of 184:
|
Sep 4 19:43 UTC 2002 |
For some it would be a real step-up and cause for celebration.
|
cmcgee
|
|
response 43 of 184:
|
Sep 4 20:45 UTC 2002 |
No, 'fraid not. They don't give you a personality transplant when someone
steals your identity.
|
other
|
|
response 44 of 184:
|
Sep 4 21:26 UTC 2002 |
Too bad. Poor Jamie's just begging for one.
|
jp2
|
|
response 45 of 184:
|
Sep 4 21:33 UTC 2002 |
This response has been erased.
|
aruba
|
|
response 46 of 184:
|
Sep 4 21:51 UTC 2002 |
It seems to me we are balancing three ideals here, which I hope we can all
agree are good things:
1) Protecting the privacy of our members,
2) Being good netizens (which means discouraging illicit use of Grex and
having available the information needed to follow up when it happens),
and
3) Keeping Grex alive and healthy (which means, among other things, making
it as easy as possible to become a member and stay a member, and
keeping the treasurer's job reasonable so there will always be someone
willing to do it).
Obviously we can't achieve perfection in all three at the same time; we
have to find an acceptable compromise. I hear people (gull and cross in
particular) saying that they think the current system needs more of ideal
1). OK, fine; but before changing any policies, we should consider the
effect on all three ideals.
I'll repeat that I'm not trying to be a stick-in-the-mud here - if most
people think we should have a different compromise than we have now, then
I'll implement it.
|
cross
|
|
response 47 of 184:
|
Sep 4 21:58 UTC 2002 |
I think that shifting a smallish amount of the burden to the member is
acceptable; dropping a photocopy of a driver's license or other ID with
an address on it isn't terribly difficult; one is often required to do
so when, e.g., moving and getting a utility turned on (ie, a phone or
similar). Yeah, one detracts *slightly* from Mark's 3rd ideal, but in
practice, not much. Grex's treasurer then just has the job of saying,
``yup, this is the address they told me. Let me copy it down and destroy
my photocopy.'' I think that might increase (perhaps not the best word,
bear with me) Ideal 2, and certainly will enhance Ideal 1.
|
aruba
|
|
response 48 of 184:
|
Sep 4 22:11 UTC 2002 |
Quite often, actually, the address on someone's driver's license *doesn't*
match the address they want their handbook sent to. I assume it's because
they have moved, but I also assume that the police could track them down
more easily with the driver's license number than without it.
I'll submit that having me destroy the ID doesn't enhance ideal 1) any
more than simply having me store it in an encrypted form, which makes my
job a little harder but doesn't otherwise detract from ideal 3). And if
we come up with the right system, I think my job need not be much harder
at all. And I do think that destroying all record of the ID might
significantly detract from ideal 2); however, we would need the opinion of
a law-enforcement official to say for sure.
|
carson
|
|
response 49 of 184:
|
Sep 5 00:26 UTC 2002 |
(I think Dan's suggestion as presented in resp:47 is reasonable. plus, if
it's really necessary to hang on to the specific ID information in its
"original" [to Grex] form, I can't see a reason [aside from Mark's
suggestion of making it easier for expired members to renew] to hang on to
that information once the membership [and grace period] expires.)
|
gull
|
|
response 50 of 184:
|
Sep 5 01:07 UTC 2002 |
If the police have to track someone down based on an old address, they will.
It's not our job to do it for them. I'm not keen on Grex holding onto
information above and beyond what's legally necessary. In today's day and
age, with restrictions on search and seizure and privacy weakening by the
day, I don't think we should put ourselves in the position of holding
extra information that might be of interest to law enforcement.
|
tod
|
|
response 51 of 184:
|
Sep 5 03:08 UTC 2002 |
re #27
I think the tacky and unreasonably "thing" Grex might be questionable about
is whether a court order is required. I stated those acts directly in
relation to the repeated statements that ID for Grex membership would be used
to "find" someone at a police request. If there is a policy of court order
before disclosure, that is an entirely different matter. Unfortunately, I
have not seen an agreement on the mechanisms in place to determine when the
personal ID data may be disclosed. I'm seeing in some places that Passport
copies are okay, yet in other places I'm seeing that Grex would need to "find"
me. Did I goof by submitting my driver's license for a Grex membership, or
did I do what Grex requires to "find" me?
That's what the whole issue boils down to, imo.
|
aruba
|
|
response 52 of 184:
|
Sep 5 05:20 UTC 2002 |
I'm not sure I followed that, Todd, but: yes, Grex has a policy of requiring
a court order before turning over ID information. To date we've never
turned ID over to anyone, ever.
It's not Grex that would want to find someone who had done something
illegal, it's law enforcement. We just want to have the "raw material",
as Marcus put it, to help them. So either a passport or driver's license
is fine, and you didn't goof.
|
mdw
|
|
response 53 of 184:
|
Sep 5 11:22 UTC 2002 |
I don't believe SSN numbers are any more or less of an issue than DL#'s.
Either works as a sufficient key into credit databases, and is
sufficient for identity theft, and I don't believe there is any
meaningful difference in the law's treatment of the two forms of
identification information to matter to us. If we were a public
institution, there are more stringent requirements regarding SSN's in
particular, but what we're doing would still be allowed.
I think Todd is confusing 2 issues: what we accept as sufficient
identification information, and when we might disclose such information.
For the latter, #52 is right on the spot, although there are some
nagging little details about the Patriot law that nobody really
understands (it loosened some features of federal law, but didn't create
new structure, so there is more grey area that nobody really wants to
explore, at least not yet.) For forms of what we *accept*, we don't
actually have 100% fast rules about this. We have things we *generally*
accept, but we reserve the right to refuse them if in any individual
case we think something fishy is up. Our responsibility is to avoid
fraud; so even though we generally accept school ID, if you *mail* us
your school ID (and not just a photocopy), and don't want it back, we
*are* going to think something is up, and we will *not* accept it.
(Believe it or not, this really happened, and yes it turned out it had been
stolen.)
|