|
Grex > Coop12 > #15: Grex's ID policy - email with account usgov |  |
|
| Author |
Message |
| 25 new of 133 responses total. |
rcurl
|
|
response 31 of 133:
| 
Apr 14 17:08 UTC 2001 |
I think, on the contrary, that this has only gotten exaggerated because
more time has been spent on it than necessary. I agree that that was
caused by the behavior of the person that contacted Grex, who preferred to
argue than just refer us to their Resident Agent. The RA is fully
"identified" - by the State of Missouri, and if any problems arise, we can
complain to the Corporate Division of the State (who would contact the
Resident Agent). Of course, we can also just pull the plug at any time.
One reason for accepting the membership is, of course, $60. Also, I don't
think Grex should get so "personal" about the matter. I know Grex is just
a tiny club, but it can act in a business-like manner. Most businesses
have to deal with "difficult customers", and doing so graciously reflects
well on the organization.
My suggestion now, is to ask usgov to *confirm* that Richard Jacobs is the
corp's Registered Agent, and that the address and telephone number are
correct. Ask also for the corporations EIN. If he does that, the
organization is certainly sufficiently "identified".
(I am arguing, in part, for accepting this institutional membership
so we can "read the next chapter". 8^} )
|
drew
|
|
response 32 of 133:
|
Apr 14 17:52 UTC 2001 |
I don't quite understand why member access to the net would be required to
send out spam. Certainly it's possible to do a
foreach N in `cat maillist`
mail -s "GET RICH QUICK" $N < spamfile
end
with just normal access to mail. Isn't it?
|
carson
|
|
response 33 of 133:
|
Apr 14 18:21 UTC 2001 |
resp:31
(not to nick pits, but you mention a specific dollar amount wrt
accepting a membership. I wasn't aware that any specific dollar
amount, wrt to this specific question, had been mentioned, certainly
not in any authoritative sense. while the donation very well could be
for a full year [or ten months], I certainly wouldn't assume so. at
most, because of the mention of voting, I might assume that the initial
intended amount of donation would be eighteen dollars or greater.
however, given the active misinterpretation and noninterpretation of
current Grex policy by the potential donor in question, there's no
reason to believe the check was for any amount greater than $6.)
(would your suggestion dovetail with current I.D. requirements, or
would it also necessitate that said Resident Agent agree to accept
responsiblity for outgoing use of the account in question?)
---
(an aside: how long does Missouri allow a company to file an annual
report before revoking their status? the website I referenced in
resp:17 clearly states that the information it provides is not
authorative. this is an aside because the status of the company with
the State of Missouri has little-to-no relevance to our [Grex's] I.D.
policy.)
|
aruba
|
|
response 34 of 133:
|
Apr 14 23:19 UTC 2001 |
Re #28: Russ - the check has some text on it indicating that it is for a
Grex membership. Valerie and Steve Gibbard convinced me that that might
mean that by depositing the check, we would be agreeing to give them a
membership.
Re #31: Rane - We have a policy in place that says what kind of
identification institutional members must provide us, and it doesn't include
using resident agent information from the state government. So if we were
to accept that as ID in this case, we would be making an exception to our
policy for this member.
|
aruba
|
|
response 35 of 133:
|
Apr 14 23:26 UTC 2001 |
Re #32: I've been wondering about that too, Drew.
|
other
|
|
response 36 of 133:
|
Apr 15 03:49 UTC 2001 |
I'm tired of this, and the $60 is not worth the effort that has been put
into this. If a potential customer/donor is looking for trouble, we have
no business trying to find ways to let them make it.
Inform user usgov that since they are not interested in complying with
our policies, we are not interesting pursuing this further, and that we
will return their check uncashed as soon as they provide an address to
which to send it. If they choose not to provide an address and express
the preference, we will simply destroy the check.
|
carson
|
|
response 37 of 133:
|
Apr 15 04:21 UTC 2001 |
<sigh>
(so is it a $60 check that's at issue? [not that the actual amount
matters...])
|
scg
|
|
response 38 of 133:
|
Apr 15 05:03 UTC 2001 |
It's been said or implied several times, both here and in staff mail, that
it's this company that wants something from Grex, rather than Grex wanting
something from them, and that as such it should be them trying to make Grex
happy, rather than Grex trying to make them happy. That sounds to me as
backwards (at least for an organization not based in California ;) ). A Grex
membership is not something of value, but rather a thank you for a certain
size of donation. Judging by the number of requests for money Mark sent me
last time my Grex membership expired, and what I know from having been active
in the running of Grex for several years, membership donations have certainly
seemed in the past to be something of great value to Grex. If I've been
mistaken about this, and Grex doesn't need membership donations and has only
been asking me for them becasue people are under the impression that a Grex
membership is something that I desperately need, I suppose I could find
something else to spend the money on.
It appears to me that under current Grex policies, Grex is not able to offer
a membership under terms acceptable to this company. That's unfortunate, but
may not be something that can be gotten around at this time. It does raise
the question of whether Grex's current membership and ID policies are
reasonable. It seems that in this case, we do know the identity of this
potential member at least as well as any form of ID would establish, as
Missouri turns out to make it very easy to find out that information about
corporations. Our problem is that that isn't a method of validating members
approved by our policy, and adding it is unlikely to help in other cases,
since none of my not very random sampling of other state government websites
had that information available. The required policy change could be something
as simple as adding "or other easily verified identification information" to
the list of acceptable ID.
The larger question, though, seems to me to be why Grex has these ID
requirements at all. Initially it was to protect the insular Internet from
our public users, but that's a very different issue in 2001 than it was in
1993 or 94. The corporate membership list requirements are a red herring,
since no other non-profit organization I've ever been a member of has wanted
anything more than my word as to what my address was. The misunderstanding
there seems to be that Grex has approached corporate fundraising law from the
perspective of computer security people, and that's not the perspective
anybody else approaches it from.
In any case, speculation about what abusive uses this company might use their
account for is completely inappropriate. If that were the purpose, they could
be up and running doing whatever they wanted to do much more effectively from
any of the free ISPs. I'm not sure why people find it so hard to believe
that this isn't just some somewhat paranoid person wanting a membership, a
case we've certainly had and dealt with plenty of times before.
|
gelinas
|
|
response 39 of 133:
|
Apr 15 05:06 UTC 2001 |
Interestingly, the second of the cases cited in #12 involves PESI providing
false information about its officers and address: Richard Jacobs had his
housekeeper file the application for a post office box, saying she was a
vice-president of the PESI, using her home address as the address of PESI.
The Post Office determined that information to be false.
I guess Rick does value his privacy. And I can almost see why.
|
gelinas
|
|
response 40 of 133:
|
Apr 15 05:13 UTC 2001 |
Steve slipped in. I agree, this is just some paranoid wanting a membership.
And maybe we should revisit our membership ID requirements. HOWEVER, I have
to disagree that much has changed since 1991 on "protecting the insular
Internet from our public users." If anything, it is becoming _more_ important
to identify such users, not less. Even if the Michigan law requiring ISPs
to identify the people they let out on the Internet fails.
|
scg
|
|
response 41 of 133:
|
Apr 15 08:15 UTC 2001 |
How so? The original reason for Grex's policy was that the Internet was a
network mostly of universities and research organizations, putting their
computers on the expectation that anybody connecting to them would most likely
also be from such an institution, would be reasonably trustworthy, and would
be easy to track down if they did anything they shouldn't. Whether things
actually were that way I don't know, but that's how it was explained on Grex.
In addition, law enforcement, with its accompanying powers, didn't have much
interest in the Internet at that point, so cutting off problem users was left
soley up to whoever was giving them Net access, with the understanding that
if their original provider cut them off they probably wouldn't have an easy
time finding alternate access.
Now, getting Internet access is about as easy as getting access to a phone.
Nobody expects it to be a trusted network to connect sensitive systems to,
and anybody with sensitive information that has to be net connected has
probably invested quite a bit of money in firewalls (whether or not they work
as intended), rather than relying on being able to ask a remote administrator
to put a stop to abuse. In cases of serious abuse, law enforcement gets
called in, and at that point just knowing what phone line they called into
at what time is enough information to track them as well as anybody using a
phone could be tracked. True, most non-free ISPs do ask for their users'
addressses, and either bill via a credit card number they know or bill by
mailing a bill to the address, but my understanding is that most of the free
ISPs don't have a way to verify that information and therefore don't. Perhaps
we're still being good Net citizens by knowing who our users are, but it's
certainly not the obligation it was seen as originially.
Anyhow, though, changing the ID policy probably belongs in a different item.
|
carson
|
|
response 42 of 133:
|
Apr 15 16:23 UTC 2001 |
(I disagree fairly strongly with most of Steve's comments in resp:38
and in resp:41.)
(firstly, Steve [as well as Rane] seem to take the position that
Grex is a business. that's incorrect: Cyberspace Communications,
last I checked, was recognized as a *not-for*-profit. this is a
key distinction, because business lives and dies by the whim of the
consumer. business *needs* customers, and wants repeat business.
that's why, for business, "the customer is always right." I, for
one, would rather NOT see Grex run like a business all the way to
the logical extreme, which is to change its services and policies
to meet the needs of its customers, because that's not IMO where
I want to see Grex go. speaking of which, I pribly never should
have used the word "customer" in any of my previous responses, even
though the distinction was clear in my mind.)
(secondly, Mark, IMO, was as accomodating as he could be, given
what he had to work with. all he requested was a way to verify
that someone at the company would take responsibility for the use
of the account. while Steve's suggestions for potentially
modifying the ID policy certainly bear a look, they're not relevant
in this instance. the point isn't to verify the existence of the
company, or even to verify the identity of the user. the point of
the ID policy is to identify someone who will take responsibility
for the use of the account by providing a reasonable means for
contacting said person. it doesn't matter where the company is
located, who the officers are, what their status as a legitimate
business is, or why they want the account. again, the ID policy
only requests that *someone* take responsibility for the account.
there's zero reason, despite Steve's [and Rane's] implications to
the contrary, that the Resident Agent identified as responsible for
the business in Missouri would also want to take responsibility for
a shell account created on a Michigan computer. I would pose this
question to Steve [and Rane]: if I were to create an account and
send in a check to create a corporate membership for, say, AOL-Time
Warner, would it be OK if I simply pointed Grex's treasurer to the
Resident Agent as the person responsible for the account? I see
a "yes" answer as creating a Pandora's Box.)
(I agree that changing the ID policy probably belongs in a
different item. suffice to say, I disagree with Steve's take on
why [and whether] Grex needs to ask for I.D. for outgoing access,
and would be happy to expound on those points separately.)
|
ryan
|
|
response 43 of 133:
|
Apr 15 17:26 UTC 2001 |
This response has been erased.
|
carson
|
|
response 44 of 133:
|
Apr 15 17:35 UTC 2001 |
This response has been erased.
|
cmcgee
|
|
response 45 of 133:
|
Apr 15 18:49 UTC 2001 |
Actually, I think we are required as a membership-based not-for-profit to have
the identification and address of our MEMBERS.
Even if the "protect-the-internet" argument is no longer valid, I think we
need to have identification of our members. (PS I will disagree with Steve's
arguments in the appropriate item).
|
scg
|
|
response 46 of 133:
|
Apr 15 22:16 UTC 2001 |
Yes, we are certainly required to have addresses on file for our members.
The question is how much work we have to do to verify those addresses. Do
you know of any other non-profit organizations that require members to supply
ID? I haven't encountered any.
|
krj
|
|
response 47 of 133:
|
Apr 15 23:43 UTC 2001 |
(This is an old computer programming design issue: trying to make one piece
of information serve two purposes...)
|
carson
|
|
response 48 of 133:
|
Apr 16 00:30 UTC 2001 |
resp:46
(the question *isn't* "how much work we have to do to verify
addresses," at least not here. *no one* from PESI has given an
address. *no one* from PESI has even given a full name. while
your question might be appropriate for a discussion of changing
the ID policy [and to some extent I may even agree with you there],
it doesn't address the complete lack of PESI's [or whomever's]
willingness to identify someone willing to take responsibility for
the account in question before adding the account to the member
roles. do you really not see such an inability to provide
information about a specific person to take responsibility for the
account as a potential problem?)
|
aruba
|
|
response 49 of 133:
|
Apr 16 02:14 UTC 2001 |
Since people seemed to think we needed a separate item for discussing
changing the ID policy, I entered item 255 for that purpose.
|
russ
|
|
response 50 of 133:
|
Apr 16 03:57 UTC 2001 |
It's exactly the "identifying members" thing which prompted me to
suggest re-vamping the definition of "business membership". Perhaps
we should call it "business sponsorship" instead, because it comes
without the voting priviledges of membership. If we also change it
to eliminate telnet and other problematic internet access, there is
no longer a need to identify anyone to take responsibility any more
than there is for a random, anonymous Grex account. Problem eliminated.
They get our thanks and, if they provide a mailing address, a letter to
file with their tax paperwork that entitles them to shave something off
their payments. We have nothing more to do.
I suggest this because we will probably see more PE&S's in the future,
and it would be nice to just deposit the check and point them at our
policy URL. With a policy like this in place, Mark would have had a
lot less work to do *and* we'd have the money in the bank.
|
scg
|
|
response 51 of 133:
|
Apr 16 04:32 UTC 2001 |
re 48:
I agree with you, more or less, that there's not much we can do for
this case other than return the check, given our current policies. I'm not
sure that treating this discussion as one special case, rather than an issue
of how to handle this sort of problem in general, is the right way to handle
this. Anyhow, since the other item exists, this discussion can be taken
there.
|
albaugh
|
|
response 52 of 133:
|
Apr 16 09:50 UTC 2001 |
This whole thing "smells bad". I can't think of any good, legitimate reasons
for a business in Missouri wanting to pay for a suspicious-looking ID on a
small BBS in Michigan. To protect grex from rotting fish in Denmark, I think
sticking strictly to the established policy is a convenient way to discourage
this malodorous foray.
|
keesan
|
|
response 53 of 133:
|
Apr 16 15:49 UTC 2001 |
Would it make sense to ask if someone at their company wanted a personal
membership instead? (I am wondering if the company consists of just one
peson). They obviously don't want to provide an address for the company.
|
flem
|
|
response 54 of 133:
|
Apr 16 16:07 UTC 2001 |
Way back there, someone (robh, maybe? Not sure...) said "Why the heck would
anyone want to impersonate a business?" Well, I can think of lots of reasons,
most of them illegal and malicious. I think it was Eric who said that we
don't really offer memberships to corporate entities, we offer nonvoting
memberships to individuals in the name of the company in question. If we
were actually to offer memberships to corporate entities, we would have to
be able to prove somehow that it was actually the corporation who was
requesting this membership, not someone pretending to be them. Not sure
what that would take; maybe a notarized letter from the registered agents
of the corporation.
Teh point is that we can't accept PE&S as the legal identity of the
member in question because we've no real evidence that it's actually them
requesting the membership, and we don't have any other identity, corporate
or individual, to attach to the membership.
With regards to this guy in particular.... Well, the thing about making
copies seems to me to be a smokescreen. I have a hard time believing that
making photocopies of driver's licenses is illegal. I suspect that this
guy is willfully misunderstanding us and is arguing that making an actual
*copy* of the driver's license is illegal (which it no doubt is). Why he's
doing this, I'm not sure, but I suspect it's to impress us with his vast
legal knowledge and scare us into abandoning our policy. Prick.
Unless we want to make some effort to ascertain that PE&S is in fact the
entity behind this request, and come up with a set of policies for how to
deal with memberships attached only to a corporate identity, then we can't
accept this check.
|
scg
|
|
response 55 of 133:
|
Apr 16 20:49 UTC 2001 |
I'm confused about why we have "no real evidence that it's actually them
requesting the membership." For normal members, we accept a check as proof
of identity, presumably concluding that if they have access to somebody's
checkbook, they are that person. That may not be an entirely safe conclusion
to draw, but we do. In this case, we have somebody who apparrently has access
to this company's corporate checkbook. If they hadn't crossed out the
address, they'd be in compliance with our policy.
|