25 new of 118 responses total.
gull
response 53 of 118: Sep 3 21:32 UTC 2002

The CC # is used to verify that the person is who they say they are,
correct?  At that point you have their name/address info, so why do you need
to keep the CC #?
aruba
response 54 of 118: Sep 3 22:46 UTC 2002

Maybe Greg can speak to whether we used credit card numbers to verify
anything; he was treasurer then.  Usual practice with IDs is just to record
them, not to call anyone up and try to verify anything.
mdw
response 55 of 118: Sep 4 13:18 UTC 2002

Credit card numbers do not verify address for us.  What's important to us
is that some law enforcement dude or lawyer can take that number, get
the appropriate court order, and extract not just the address we might
have, but a possibly updated trail leading to the bad guy.  Basically,
grex lacks the resources or ability to do the detective work to check
out a person's background, and later, vouch for that person's identity,
which is what people are asking for here.  Instead, the goal for grex is
to acquire sufficient raw data for such an inquiry, and retain it
against the hopefully extremely unlikely possibility of such an
investigation, and to do so in a manner that is least painful for all
concerned.  This is a subtle distinction, to be sure, but I hope
meaningful.

In fact, a credit card number would be totally useless for us for
identity purposes today; the only way it's useful is if we were able to
verify that we could apply a charge against it at least once and not
have it contested.  That is not absolute proof of identity (*nothing*
is) - all it does is raise the financial bar to fraud, which is the main
thing we're trying to discourage.
aruba
response 56 of 118: Sep 4 13:30 UTC 2002

Thank you, Marcus, your first paragraph is what I've been trying to say.
cross
response 57 of 118: Sep 4 14:51 UTC 2002

I was meaning verification to take the form of, e.g., comparing the
address that someone told you against what's written on their driver's
license or similar.  That said....  Are people who've given credit
card numbers *aware* that their credit cards are being used for
identification purposes, and not just financial purposes, as they
perhaps thought?  Maybe a better policy is to disallow the use of
credit cards as ID, and require a photocopy of a picture ID with
address on it.  Make a note of the address, and destroy the copy.
Why would grex need to do anything more than that?
aruba
response 58 of 118: Sep 4 15:34 UTC 2002

Our ID requirements were created to try to minimize the number of hoops
people have to jump through to become members.  So we accept different kinds
of IDs, some of which don't have addresses on them, such as passports and
library cards.  This also allows people who are concerned about sending a
copy of their drivers' license to send something else instead.

I will ask the two people whose credit card numbers we've retained if they
would rather provide other ID instead.
mdw
response 59 of 118: Sep 5 10:56 UTC 2002

I'm afraid even if we made a copy of the address we would still need to
retain other information on the ID that was presented to us - like what
sort of ID it was, if it had any serial number on it etc.  That's
because that ID is valuable not merely as direct proof of identity, but
because it in itself may have a paper trail that is additionally
valuable to someone (not us) doing detective work.  The serial number
shows we actually have a legitimate key into that person's database and
eliminates a lot of confusion over names and addresses, both of which
changed, and the history of which is not necessarily retained.  If the
ID was forged, then none of this information is valuable, but the
forgery in itself may have other evidence of its origin.  Unfortunately
we don't necessarily have the ability or resources to detect such a
forgery, but the more information we can record regarding such a forgery
the better.  If nothing else, having "proof" such a forgery existed
shows that we weren't ourselves being irresponsible, but exercised due
reasonable diligence.  Even if it wasn't a forgery, it still becomes
much easier for an evil-doer to claim "oh, that wasn't me at all".

An address we ourselves jot down retains none of this value.  It
becomes, in the most literal sense possible, our word against theirs;
and I think this puts us in a terrible spot should any such
situation ever arise.
jmsaul
response 60 of 118: Sep 5 13:22 UTC 2002

Why, exactly, do you feel it's your responsibility to retain this information
on people?
other
response 61 of 118: Sep 5 15:11 UTC 2002

Because we're providing them the means to do mischief on the internet, 
and by retaining proof of our reasonable attempts to validate them, we 
display due diligence which serves to shield us from liability for the 
actions of people who use our system.  Sure, as an attorney, you can 
understand that.  The law typically protects those who practice due 
diligence and not those who don't.  (At least somewhat.)
tod
response 62 of 118: Sep 5 16:25 UTC 2002

I think tasks are being confused here.
Grex should be authenticating members which includes: identifying,
authenticating (verifying identity), and finally authorizing.
Due diligence is a waste of time when not coupled with due care (doing
everything possible to originally prevent said mischief).
I think it is very important to understand the separation of those purposes.
Is identification being obtained for the authentication process, or for the
liability purpose?
cross
response 63 of 118: Sep 5 16:36 UTC 2002

Sometimes I think that grex takes itself a little too seriously; CD's
that come in the mail advertising ``50 free hours on AOL'' provide a
much larger window of opportunity for those who wish to do ``mischief''
on the Internet (Re #61; in the context of the global network, Internet
should be capitalized.  ``internet'' is a general networking term.
Yeah, that's a quibble).  But that's one reason I like grex: it's very
professional, and committed to what it does; something ultimately to
be admired.  However, that's neither here nor there.

I don't understand what Marcus means when he says, ``it's their word
against ours.''  What, that they became a member?  That it was really them
who became a member?  How does knowing someone's driver's license number
improve the quality of the data you have on a potentially nefarious user,
over just having an address?  Don't the authorities that you might turn
such data over to already have the means to correlate a name, address,
and time with a person?

The arguments of due diligence are flawed.  Are you demonstrating due
diligence in protecting the privacy of that data?  I think that Mark
certainly is; he promptly deleted all the credit card data he had from
his system, but the larger issue does come up.  There's more than one
issue here, yet it's easy to become sidetracked and see only one.
tod
response 64 of 118: Sep 5 16:51 UTC 2002

I think the interject of "due diligence" implies that "due care"  has first
taken place.  I have yet to see anything clearly defined on how Grex is
protecting itself only by maintaining copies of various identification.
other
response 65 of 118: Sep 5 18:10 UTC 2002

Grex's entire networking software base has been developed and modified 
with significantly more than usual "due care" to prevent when possible 
and track when not any abuses originating from our machine.  Unless you 
are truly ignorant of this (and I grant that you may be), any suggestion 
that this obligation has been unattended is entirely specious.
tod
response 66 of 118: Sep 5 18:48 UTC 2002

Is that why I'm not receiving a clear answer on how Grex intends to utilize
its resources (copies of ID)? Because Grex is practicing "due care"?
The only ignorance I'm detecting is your understanding that "due care" does
not have the limitation of PicoSpan, rather, we should include resources and
the responsibilities taken for all corporate activities.
I'm certainly not questioning the obvious ability of the system administrators
to "lock down" Grex.  Try to understand that I'm offering some direction and
insight "outside of the box".
other
response 67 of 118: Sep 5 19:28 UTC 2002

We have a simple system, with voluntary participation.  We do our best to 
keep it secure and to keep the tools we offer from being abused.  In 
order to both discourage abuse of our democratic management system and to 
responsibly provide Internet services, we keep minimal information 
(voluntarily provided in exchange for use of those services) on the 
people to whom we provide access.  That information is kept by the 
treasurer, and is not provided to anyone else except as needed for the 
purposes listed above.  It is only given to anyone not functioning in an 
administrative capacity on Grex's machines under court order.  Period.  
Very simple.  A complete non-issue.  

Try to understand that the questions you are asking may be valid, but 
that our system wasn't spawned overnight by thoughtless or malicious 
individuals and that it functions very well as is, and poses no 
significant threat to the privacy or security of anyone who does not 
abuse the resources we provide.  I do not know what your intent is in 
raising these concerns, and it may very well be legitimate concern, but 
given the stated purpose of certain individuals to go to whatever lengths 
they will to undermine and confuse Grex for their own entertainment, try 
to understand that persistent, public, microscopic review of our 
carefully implemented practices may be viewed with some annoyance and 
skepticism.  And, try to understand that Grex management has nothing to 
hide in our policies and practices, and that such skepticism and 
annoyance under these circumstances is both entirely justified and 
completely unreflective of any wrongdoing or malintent on the part of 
Grex or its board or staff.
tod
response 68 of 118: Sep 5 19:49 UTC 2002

Entertainment, skepticism, annoyance, etc
I don't understand your statements:  That information is kept by the
 treasurer, and is not provided to anyone else except as needed for the
 purposes listed above.  It is only given to anyone not functioning in an
 administrative capacity on Grex's machines under court order.  Period.
 Very simple.  A complete non-issue.

The purposes listed above state that ID will be given to "find" someone if
the police ask for it. Then, another purpose listed states "only under court
order".
I'm asking for clarification stating specifically in what situation will the
ID data be rendered to "other than" the treasurer.  I'm also asking
specifically, is the ID intended to be used for identifying a member OR is
the ID intended to "find" a member?  
Would a passport serve the same purpose as a driver's license?
I think my questions are valid concerns that can be addressed in this item.
If you are still unsure of my intent for raising these concerns, rest assured
my intent is nowhere near malicious entertainment value.  The fact that
you have read my prior responses and still question my intent has the stench
of prejudice only because of my M-Net affiliation.
other
response 69 of 118: Sep 5 20:15 UTC 2002

The "find" reference was unspecific.  Our policy is (and this has been 
stated at least once already, recently, in this or another current co-op 
item) that identifying information (other than real names) we collect 
from people will only be given out under court order.  Real names of 
voting members are excepted, as required by law.  

We collect the information both to prevent the same individual from 
controlling multiple votes on our system, and to discourage abuse by 
requiring the provision of information which can be used to track down 
the individual providing it.  We do not track down the individuals, and 
we do not claim the responsibility for doing so.  In fact, we are so 
intentionally protective of the privacy of this information that we 
require judicial action as proof of the legitimacy of an investigation 
before we will surrender it to anyone.  How much plainer an answer could 
you want?  NOTHING I have said here has not been said multiple times 
elsewhere in public postings or on fixed pages on our website.  And no, 
I'm not going to waste my time pointing you to them, because I'd have to 
search, and you can do it as well as I.
cross
response 70 of 118: Sep 5 20:18 UTC 2002

Regarding #67; Calm down dude.  No one here is trying to ``annoy'' the
grex staff, board, membership, or general user populace.  They're asking
legitimate questions about legitimate concerns.  Grex isn't perfect;
nothing is.  Don't take a raised concern as an affront to the efforts
of those who make grex possible, take it as a constructive comment or
question from those who want to make grex better.  Making statements
of the form, ``try to understand that persistent, public, microscopic
review of our carefully implemented practices may be viewed with some
annoyance and skepticism'' just sounds arrogant, and somewhat ignorant,
given that in a previous post you said, ``Grex's entire networking
software base has been developed and modified with significantly more
than usual "due care" to prevent when possible and track when not any
abuses originating from our machine,'' when it's stated publicly that
only a few routines in the kernel were modified.  Are you quite sure you
know what you're referring to?  And assuming you do, are you sure that's
been effectively communicated to the userbase?

Some legitimate questions are being raised; it's unbecoming to dismiss
them out of hand due to your own prejudices, which is my impression of
what you're doing.
tod
response 71 of 118: Sep 5 20:24 UTC 2002

Heaven forbid a member "wastes your time" presenting legitimate concerns.
I would feel much more satisfied if your answer had been sincere rather than
tinted with accusatory tones and disdain.  Perhaps you could quench my
curiosity by showing a commitment to put your stated standards in #69 in
writing as a corporate policy rather than responding with "find it yourself
amongst the numerous other stated opinions on the system."
BTW, you suck at PR. How did you get the chair?
jp2
response 72 of 118: Sep 5 20:34 UTC 2002

This response has been erased.

mynxcat
response 73 of 118: Sep 5 20:37 UTC 2002

I can't imagine that
tod
response 74 of 118: Sep 5 21:01 UTC 2002

I wouldn't call getting the chair "winning"
aruba
response 75 of 118: Sep 5 21:14 UTC 2002

I believe all the facts Eric quoted are correct, and I have quoted the same
ones either in this item or the next.  I apologize if it was me who caused
confusion about the conditions under which an ID would be used.  I may have
said it could be used to "track someone down", and what I meant was not that
*we* would use it for that, but that we could hand it over to
law-enforcement for them to use to find someone.  I'm not sure the exact
conditions under which we would turn over ID to law enforcement have ever
been codified (like I said, we've never been asked to do it, since just
asking for ID scares off most potential vandals), but I know I have seen it
written that we wouldn't do so without a court order in some official
document.  It might not hurt for the board to nail that down.
tod
response 76 of 118: Sep 5 21:18 UTC 2002

Agreed.  I think it looks good to be able to quote a bylaw or standard if a
prospective member asks if their ID will be compromised.
jmsaul
response 77 of 118: Sep 5 22:47 UTC 2002

<shrug>  I don't think Grex has a responsibility to retain the information,
honestly.