|
Grex > Coop11 > #254: Grex's ID policy - email with account usgov |  |
|
| Author |
Message |
| 25 new of 133 responses total. |
carson
|
|
response 44 of 133:
| 
Apr 15 17:35 UTC 2001 |
This response has been erased.
|
cmcgee
|
|
response 45 of 133:
|
Apr 15 18:49 UTC 2001 |
Actually, I think we are required as a membership-based not-for-profit to have
the identification and address of our MEMBERS.
Even if the "protect-the-internet" argument is no longer valid, I think we
need to have identification of our members. (PS I will disagree with Steve's
arguments in the appropriate item).
|
scg
|
|
response 46 of 133:
|
Apr 15 22:16 UTC 2001 |
Yes, we are certainly required to have addresses on file for our members.
The question is how much work we have to do to verify those addresses. Do
you know of any other non-profit organizations that require members to supply
ID? I haven't encountered any.
|
krj
|
|
response 47 of 133:
|
Apr 15 23:43 UTC 2001 |
(This is an old computer programming design issue: trying to make one piece
of information serve two purposes...)
|
carson
|
|
response 48 of 133:
|
Apr 16 00:30 UTC 2001 |
resp:46
(the question *isn't* "how much work we have to do to verify
addresses," at least not here. *no one* from PESI has given an
address. *no one* from PESI has even given a full name. while
your question might be appropriate for a discussion of changing
the ID policy [and to some extent I may even agree with you there],
it doesn't address the complete lack of PESI's [or whomever's]
willingness to identify someone willing to take responsibility for
the account in question before adding the account to the member
roles. do you really not see such an inability to provide
information about a specific person to take responsibility for the
account as a potential problem?)
|
aruba
|
|
response 49 of 133:
|
Apr 16 02:14 UTC 2001 |
Since people seemed to think we needed a separate item for discussing
changing the ID policy, I entered item 255 for that purpose.
|
russ
|
|
response 50 of 133:
|
Apr 16 03:57 UTC 2001 |
It's exactly the "identifying members" thing which prompted me to
suggest re-vamping the definition of "business membership". Perhaps
we should call it "business sponsorship" instead, because it comes
without the voting priviledges of membership. If we also change it
to eliminate telnet and other problematic internet access, there is
no longer a need to identify anyone to take responsibility any more
than there is for a random, anonymous Grex account. Problem eliminated.
They get our thanks and, if they provide a mailing address, a letter to
file with their tax paperwork that entitles them to shave something off
their payments. We have nothing more to do.
I suggest this because we will probably see more PE&S's in the future,
and it would be nice to just deposit the check and point them at our
policy URL. With a policy like this in place, Mark would have had a
lot less work to do *and* we'd have the money in the bank.
|
scg
|
|
response 51 of 133:
|
Apr 16 04:32 UTC 2001 |
re 48:
I agree with you, more or less, that there's not much we can do for
this case other than return the check, given our current policies. I'm not
sure that treating this discussion as one special case, rather than an issue
of how to handle this sort of problem in general, is the right way to handle
this. Anyhow, since the other item exists, this discussion can be taken
there.
|
albaugh
|
|
response 52 of 133:
|
Apr 16 09:50 UTC 2001 |
This whole thing "smells bad". I can't think of any good, legitimate reasons
for a business in Missouri wanting to pay for a suspicious-looking ID on a
small BBS in Michigan. To protect grex from rotting fish in Denmark, I think
sticking strictly to the established policy is a convenient way to discourage
this malodorous foray.
|
keesan
|
|
response 53 of 133:
|
Apr 16 15:49 UTC 2001 |
Would it make sense to ask if someone at their company wanted a personal
membership instead? (I am wondering if the company consists of just one
peson). They obviously don't want to provide an address for the company.
|
flem
|
|
response 54 of 133:
|
Apr 16 16:07 UTC 2001 |
Way back there, someone (robh, maybe? Not sure...) said "Why the heck would
anyone want to impersonate a business?" Well, I can think of lots of reasons,
most of them illegal and malicious. I think it was Eric who said that we
don't really offer memberships to corporate entities, we offer nonvoting
memberships to individuals in the name of the company in question. If we
were actually to offer memberships to corporate entities, we would have to
be able to prove somehow that it was actually the corporation who was
requesting this membership, not someone pretending to be them. Not sure
what that would take; maybe a notarized letter from the registered agents
of the corporation.
Teh point is that we can't accept PE&S as the legal identity of the
member in question because we've no real evidence that it's actually them
requesting the membership, and we don't have any other identity, corporate
or individual, to attach to the membership.
With regards to this guy in particular.... Well, the thing about making
copies seems to me to be a smokescreen. I have a hard time believing that
making photocopies of driver's licenses is illegal. I suspect that this
guy is willfully misunderstanding us and is arguing that making an actual
*copy* of the driver's license is illegal (which it no doubt is). Why he's
doing this, I'm not sure, but I suspect it's to impress us with his vast
legal knowledge and scare us into abandoning our policy. Prick.
Unless we want to make some effort to ascertain that PE&S is in fact the
entity behind this request, and come up with a set of policies for how to
deal with memberships attached only to a corporate identity, then we can't
accept this check.
|
scg
|
|
response 55 of 133:
|
Apr 16 20:49 UTC 2001 |
I'm confused about why we have "no real evidence that it's actually them
requesting the membership." For normal members, we accept a check as proof
of identity, presumably concluding that if they have access to somebody's
checkbook, they are that person. That may not be an entirely safe conclusion
to draw, but we do. In this case, we have somebody who apparrently has access
to this company's corporate checkbook. If they hadn't crossed out the
address, they'd be in compliance with our policy.
|
cmcgee
|
|
response 56 of 133:
|
Apr 16 23:11 UTC 2001 |
Yep, all they need to do is comply with our policy.
|
mdw
|
|
response 57 of 133:
|
Apr 17 01:27 UTC 2001 |
Actually, we don't have any evidence this guy has access to his
company's corporate checkbook. We have evidence that an unknown person
has access to *some* checkbook which *seems* to be connected to some
company. It doesn't take much to establish a bank account with J-random
name on it, and it takes even less to get checks printed up. We don't
have an address, the name of a human, or any strong evidence that this
entity is in fact connected to the company he claims to represent.
Personally, I'm kind of amazed at the degree of variance expressed in
this item, although I also think that there is actually a fair amount of
consensus expressed here.
|
aruba
|
|
response 58 of 133:
|
Apr 17 03:42 UTC 2001 |
Re #55: Even if they hadn't typed over the address, they wouldn't be in
compliance with our policy, which requires ID from a contact person.
|
swa
|
|
response 59 of 133:
|
Apr 17 07:08 UTC 2001 |
I agree with those who've said that this whole encounter smells funny, and
with Carson's comments in resp:42 with regard to Grex bending over
backwards to please customers.
|
mdw
|
|
response 60 of 133:
|
Apr 17 09:06 UTC 2001 |
While we are a non-for-profit, that's not precisely the same as saying
we can abandon all business principles. It *is* important that we not
operate at a loss, and the difference between that and a commercial
for-profit business in a competitive market is in some ways not so big.
What a commercial business would call "customer satisfaction" is
important, because that determines whether we can keep the users we
have, attract new users, and convince at least some of the existing
users that we deserve their personal financial support.
However, customer satisfaction is *not* as simple as just giving the
customer whatever he/she asks. Customers aren't always able to ask for
what they really want, it's not necessarily fair to spend too much time
on too small a percentage of customers, and there are some customers
that can't be pleased. Running a successful business requires juggling
a multitude of conflicting goals, setting priorities, evaluating risks,
and performing "triage" - recognizing which situations will work
themselves out just as well without attention, which situations cannot
be improved with attention, and which sitautions can best benefit from
some attention. Deciding which customers to help is an important part
of this process. There is usually a small number of things to be done
that will please most customers, and a large # of things that will
please successively smaller numbers of customers. Deciding which
customers to help is part of "defining your market niche".
In this case, this particular person (or company) has expressed a strong
interest in "privacy". This is not a product we "sell" on grex - we
don't promise to render our users untraceable, and indeed on the
contrary we hope people will cede some of their privacy by participating
publically in the conferences. We don't know for sure what this person
hopes to get out of grex, because we haven't asked him, but it's
possible given our lack of mutual understanding that he has unrealistic
expectations in other areas as well. A lot of this seems to boil down
to trust -- does he trust us with his identity; do we trust him not to
abuse things here? The principles of "triage" would in any case seem
easy to apply to this.
|
gull
|
|
response 61 of 133:
|
Apr 17 12:54 UTC 2001 |
Re: people impersonating corporations...
VeriSign recently issued some crypto certificates to a person who
falsely claimed to be an employee of Microsoft. There are now two
certificates out there that say "Microsoft Corporation" that don't
actually belong to them. Unfortunately Verisign never thought to
provide a way to let software automatically check if a certificate has
been revoked...
Reference:
http://www.cert.org/advisories/CA-2001-04.html
|
aruba
|
|
response 62 of 133:
|
Apr 17 13:18 UTC 2001 |
This was in my mailbox this morning:
From usgov@cyberspace.org Tue Apr 17 09:10:09 2001
Date: Tue, 17 Apr 2001 01:07:17 -0400 (EDT)
From: ~~ <usgov@cyberspace.org>
To: aruba@grex.cyberspace.org
Subject: Re: Money Received
Mark, please add these additional comments to the BBS from us:
P.S.
1# As #38 pointed out, why have an ID. at all? It makes no sense and
serves no useful purpose; further, ID's can be faked--just ask any 18 year
old college student.
#2 Whoever did research in Missouri on criminal law did not do a very good
job. It is a crime to make a copy of a Missouri driver's license; we can't
say what the law is in Missouri. For $100, we'll be happy to have it
researched for you and to give you a legal citation.
#3 The U.S. Privacy Act of 1974 prohibits the use of ID. for
"identification purposes." Just because someone may ask, does not mean you
have to give it to them. The opinion of our corporation is that if someone
does not know what their rights are, that is THEIR problem. Just because
they will not waive their rights, is nothing to consider suspicious. If a
lamb jumps over a cliff, should everyone follow? Next time a supermarket
asks you for your SS#, just say "no." Permit them to SEE your driver's
license, but do not permit them to make a copy. Under the U.S. Privacy
Act, service/benefits cannot be denied because one refuses to waive his or
her legal rights!
#4 Of course, you need to provide a SS# to a business who is hiring you.
They NEED that information for the exception to the U.S. Privacy Act,
reporting your wages to the I.R.S. Of course, they may want INFORMATION
from your driver's license if you are going to be driving a company car or
create liability on errands for the company. Your driving record is
reasonable under these circumstances. But what reasonable nexus exists
for GREX having such information? One does not need a "license" in order
to use the Internet. Grex does not report one's income to the I.R.S.
Further, Grex becomes legally liable if somehow, in some way, they
negligently permit, or some malevolent person obtains, this private
information that Grex should never have even possessed in the first place.
Does Grex want to take on THAT kind of protential liability?
#5 Mark mentions our address was "carefully" marked out on our check. We
are guilty! We moved from the old address on the check and rather than
have new checks printed with our new address, figured we would save money
in this economic times and just cross out our old address until the old
checks were used up. Did anyone think about this reasonable explanation or
was everyone, including Mark, reading too many mystery novels. We wanted
our check held by Mark until this matter were resolved. If he is going to
return it as a result of a "no vote," then he can mail it to us. If we
receive a "yes" vote, then he should cash it.
#6 Remember -- there are two sides to almost anything. Don't jump the gun
and assume things just because you have heard only one side.
#7 As one of the comments set forth, there are lots of free Internet
Service Providers, why would anyone in their right mind, whether
corporation or anyone else, go to all of this trouble unless we honestly
thought Grex was a worthwhile organization meritorious of support? Is
that too hard to understand?
Requiring ID's make no sense, they can be faked and easily obtained. They
signify nothing, One could get a fake driver's license (any college
student knows someone who can make them up or where to get them) and use
someone else's SS or make up a fake SS card. Would anyone at Grex even
know the difference?
If one has a valid checking account, that is acceptable to A.O.L. and to
any other business. Let the banks be in the verification business, not
Grex. If a bank is willing to permit an account (and one could write
checks, bounce them easily, and then skip town), then Grex should accept
a valid check. PERIOD.
Certainly it is reasonable to have a contact person and an address:
corporate if a corporation, individual if the membership is individual.
Nothing further, however is reasonably necessary and there is no
reasonable nexus to anything else. THAT should be Grex's 2001 policy on
new memberships, whether from Corporations or Individuals. If someone does
something illegal, i.e. denial of service, etc. let the FBI worry about
it. Grex cannot be the protector of the world from any possible thing
that could occur by any unscrupulous user; it should not even imply that
it can, will, or should.
Again, not a single corporation member made any commments. Perhaps there
are no corporations who even want to consider supporting Grex! That's a
shame.
We encourage a dramatic change in Grex's requirements for everyone--not
just corporations. We encourage the membership to vote in favor of our
membership and to "get real." We appreciate Mark's giving us an
opportunity to read your comments and to make our views known. We
apologize if our initial E-mail response sounded sarcastic or rude, that
was not our intention; however, we really found the existing policy to be
quite antiquated and non-sensical to the point of being absurd and
ridiculous.
|
pfv
|
|
response 63 of 133:
|
Apr 17 13:23 UTC 2001 |
Every employer I've had for years xeroxs my SSC and DL as part of
the inane laws around employement.
All noise aside, I agree that grex should stick to their guns..
a Firm is not a Person; a Firm MIGHT be "responsible", but a
Person doesn't have much choice.
|
aruba
|
|
response 64 of 133:
|
Apr 17 13:31 UTC 2001 |
Steve Gibbard asked up there somewhere why people were suspicious that this
account might be used for nefarious purposes, and had trouble accepting that
this is just a case of paranoia. The reason is the account name, usgov.
I'd like to ask, Rick, what you plan on using account usgov for? I ask this
as a Grex user, not in any official capacity.
|
aruba
|
|
response 65 of 133:
|
Apr 17 13:50 UTC 2001 |
Oops - I messed up - this message was in my mailbox too, and it was supposed
to be posted before the previous one. My apologies.
From usgov@cyberspace.org Tue Apr 17 09:47:43 2001
Date: Tue, 17 Apr 2001 00:16:21 -0400 (EDT)
From: ~~ <usgov@cyberspace.org>
To: aruba@grex.cyberspace.org
Subject: Our side of the matter.
Thanks for letting us view the comments. First, we were unable to comment
directly since when we logged in "254" the message was that it "does not
exist." Could you please do whatever you have to so that we may reply
directly to the BBS.
In the meantime, please provide a copy of this E-mail to the BBS. Thanks.
#1 - We are more than happy and have provided the name of a contact
person. What we will not do is provide personal information about a
contact person who is an employee of the corporation since the
corporation is a legally recognized entity within our state as well as
within the U.S.
#2 - A rose is a rose, no matter what the name. What is the difference if
we use "usgov" as a login name or "CIA" or "General Watchamagoo" or
whatever. There is nothing inherently sinister in the name selected as a
login. How could anyone with any common sense attribute anything to the
login name selected and consider it "suspicious?"
#3 - We have provided our corporate mailing address, of course. That is
certainly reasonable!
#4 - If someone had a sinister motive, why bother to go through all of
this trouble to belong to an organization. A hacker would just try to
hack in and use the service for nefarious purposes without contributing,
paying, or providing ANYTHING to Grex. Why would a hacker,
for example, form a corporation, maintain it in good standing for 20
years, and then apply to Grex for some sinister purpose? Let's get real,
fellows!
#5 - We are listed in the phone directory and with directory assistance;
(but even if we were not, what difference would it make?) We have had a
bank account at the same bank for 20 years. We are also listed with the
secretary of state of Missouri for 20 years. We are a legal entity and
recognized as such by the I.R.S., a government agency. The privacy of our
employees is important to us and we must respect that privacy,
particularly when there is absolutely no reason that such privacy should
be invaded by furnishing a home address, home telephone number, date of
birth, or social security number for that EMPLOYEE. The legal address of
the corporation and the name of a contact person is more than enough. It
is enough to get HUNDREDS OF THOUSANDS OF DOLLARS in credit from other
corporations, it should be enough for Grex which is not even a business.
#6 - Just because some people are stupid enough to furnish social security
numbers and to waive their rights to privacy and furnish information that
the law prohibits (for I.D.) or which, if compromised, could lead to
threats of I.D. does not mean everyone is just as stupid and will follow
along like lambs to slaughter. Just because there are people who care
little about their privacy that they will copy driver's licenses and
passports does not make it right for anyone. It is illegal in Missouri to
copy a driver's license for ANY purpose. It is also illegal to copy a
passport. If people do it, that is THEIR PROBLEM, not ours!
#7 - What exactly are you afraid of by having corporations as members of
Grex? Why do you discriminate against corporations?
#8 - Frankly, we have never run into such 20th century thinking; we don't
intend to be rude or sound callous, but Aruba's comments just struck us
as being very much behind the times. Grex needs to get into the 21st
century!
#9 - It seems like some of the Grex members treat Grex as a secret
organization. They went through a process, why shouldn't everyone else.
Apparently there is nobody who is a member who even has any legal training
or background--this is sad!
#10 - We would like to see some input from CORPORATE members of Grex, not
individual members. How about it? Do you have any corporations that are
members of Grex? If not, why not? If so, why has not a single comment
been from a CORPORATE MEMBER OF GREX?
#11 - And, how can anyone decide anything based on different views from
different perspectives. Is someone who doesn't like our login name, voting
no, and is someone who feels that all people should furnish copies of
driver's licenses, voting no. How do you make any decisions.
#12 Since we are a corporation, only those members who are corporations
should be allowed to vote on this matter. Only a legal corporate entity
knows the facts surrounding their existence in whatever state they exist.
Grex individual members should not be entitled to vote on a matter such as
this.
#13 One can buy phony driver's licenses and software for making them at
hundreds of places on the Internet. Would you prefer a copy of a phony
license made up by someone using a mail drop as an address who has done so
just to join Grex or a solid corporation with a long history, no complaints
with the B.B.B., and who furnishes Grex with multiple verifiable
references? Again, let's get real fellows! Some of you just simply don't
use common sense. It is not we who are paranoid, but some of you seem to
be by your comments.
#14 It is up to you, fellows. Think about it. If you arbitrarily deny us
membership because we respect the privacy of our employees, abide by the
law, and will not waive certain other rights, then it is Grex that loses.
Once again, let's hear from ANY corporation members you have who belong to
Grex. What do those corporations think?
|
aruba
|
|
response 66 of 133:
|
Apr 17 14:02 UTC 2001 |
As far as comments from corporate members of Grex: we currently have 3
institutional members, all (I believe) Michigan nonprofits. None of them
have ever posted responses in coop, to my knowledge.
We don't discriminate against corporations in terms of ID - they are
required to submit the same type of ID as individual members. We do prevent
institutional members from voting in Grex elections. That was to prevent
any one person from potentially having more than one vote.
About stolen ID: None of the ID information which Grex collects from members
is stored on the Internet. It's on my computer and in Grex's file cabinet.
Of course that doesn't eliminate all the ways it could be lost, but most of
them. I think it would be reasonable to implement an encryption scheme for
what's on my computer.
And PESI has not provided Grex with an address of any kind.
I'll see what I can do to help make it possible for usgov to participate
directly in this item and the next one.
|
jp2
|
|
response 67 of 133:
|
Apr 17 14:03 UTC 2001 |
This response has been erased.
|
cmcgee
|
|
response 68 of 133:
|
Apr 17 14:30 UTC 2001 |
Let's quit wasting time on this. If the person wants to become a member,
he/she/it can comply with our policies. If they don't want to comply, they
don't have to join.
Mark is doing far more than any treasurer needs to to help this person join.
I'm making a motion:
I move that we reaffirm our current Grex policy on corporate memberships.
No amendments, no changes, nothing. Leave it the way it is now.
|