response 91 of 184:

Sep 7 20:39 UTC 2002

I've been thinking the same thing as I've been following this
discussion.  Considering the number of times I hand my credit
card to a stranger over the course of any given week, often
to have them take it out of the room for a few minutes, I'd
expect that my risk of identity theft is a lot higher from
that kind of thing than from any of Grex's practices.  So
let's try to keep all this in perspective.  I think what
we're seeing here is a case of much ado about very little.

response 93 of 184:

Sep 7 21:17 UTC 2002

Jamie, quantum physics should tell you that the probability that your brain
will suddenly tunnel out of your head and land on the keyboard in front of
you is greater than zero.  Do you worry about that?

response 95 of 184:

Sep 7 21:52 UTC 2002

Act locally; think globally.

response 97 of 184:

Sep 7 22:06 UTC 2002

resp:94 (because he cares about Grex, and [most] people on Grex are 
        willing to consider such a topic reasonably? a wild concept, I 
        know, but you might look into it.)

response 99 of 184:

Sep 7 23:09 UTC 2002

Re #94:  Restaurants actually need your credit card number, Scott.  This
         may surprise you, but you have to pay for your meal, and if you use
         a credit card, they need the number to collect the money.

response 101 of 184:

Sep 8 00:21 UTC 2002

Indeed, they do need the number.  But it's quite possible (and not incredibly
rare) for servers to write the number for personal use.  Since the issue being
debated is whether the treasurer can be trusted or whether some system (yet
unspecified) must be set in place to prevent the treasurer from having
personal access to that data, why not make a bigger deal about restaurants?

response 103 of 184:

Sep 8 01:27 UTC 2002

Re #93:  Some might argue that this has already happened.

response 105 of 184:

Sep 8 01:39 UTC 2002

(talk about completely missing the point!)

(Grex doesn't take credit cards directly anymore.  as of a couple of days
ago, Grex's treasurer doesn't even have any credit card numbers on file.
so, despite Scott's obsession with prepared food [and who's to say that
Grex should be less important than a restaurant?], the issue isn't about
credit card numbers anymore.  it's about what Grex does with the member
information it collects and why.  I really can't for the life of me fathom
why Scott wants to avoid any sort of discussion on the topic, and,
frankly, I'm VERY disappointed by his attitude, *especially* since, as a
board member, it's his responsibility to allow the issue to be considered,
even if he thinks restaurants should set the standard.)

(personally, I trust Grex with any and all of the information I provide to
it, its officers and staff.  even so, I don't object to an open discussion
of what happens to that information.  I'm glad that Mark has been very
forthright about how he handles the information, and he's setting an
example that should be followed, in more ways than one.)

response 107 of 184:

Sep 8 02:44 UTC 2002

Re 105:  Actually, I haven't been on board for at least a couple years.

response 109 of 184:

Sep 8 03:16 UTC 2002

Re #101:  That's already not only illegal, but against the restaurants'
          policies.

          I'm not saying the treasurer can't be trusted.  I'm saying that
          Grex shouldn't be collecting sensitive data about its users that
          it doesn't need to collect.  That's independent of how the 
          treasurer protects it, or whether the treasurer is a good person.

response 111 of 184:

Sep 8 05:50 UTC 2002

re 104:
        I can think of at least one other system where it's possible to telnet
in, create an account, and have access to run things on the Net.  However,
I'm not sure that sort of thing really matters so much at this point, what
with PPP dial-up accounts, ethernet access in dorms, internet cafes running
unsecured computers, lots of wide open wireless networks, and so forth.  Those
who want somewhat anonymous access to do bad things on the Internet can easily
find it.

I say somewhat anonymous, rather than really anonymous, though, since
sufficiently motivated law enforcement people with the proper court orders
can generally figure out who somebody is, or at least where somebody was. 
Grex, like most other systems, records the IP addresses connections come in
from.  If that doesn't trace directly back to the user's computer, it
generally at least traces back to a phone line, which traces to a location.
From there, law enforcement may be dependant on any witnesses who may have
seen the person using the computer at that time, but that's also as well as
they can do with non-computer related crimes a lot of the time.  This gets
trickier with wireless access, if the basestation has been set up to not
require authentication (which lots of them are).  At best, in that case, you
can probably guess which block the person was on, unless they were using a
directional antenna, in which case they could have been farther away.  If
they're still connected, I suppose there are tools that could figure out where
their signals were coming from.  If they were gone, it might be harder. 
Again, though, law enforcement runs up against that sort of problem frequently
with other sorts of crimes.

So please, let's stop the argument that Grex, if it dropped its ID
requirement, would be the only place in the world that gave anonymous access
to the Internet, because the access wouldn't really be anonymous, and because
Grex certainly wouldn't be the only place giving that kind of access.  There's
still a very legitimate question here, which is whether, given the current
state of the Internet, it still makes sense for Grex to require ID before
providing access to it.  My feeling is that it does, not to help law
enforcement (who can help themselves), but to help us.  If we've got somebody
using our resources to cause trouble elsewhere, it hurts us, and we should
be able to tell that person to go away.  Without knowing who the person is,
and how to recognize them if they come back, we don't have any good way to
cut them off.

If we are going to collect this ID, it seems quite reasonable to keep the
data.  It's not as if we're carding somebody in a bar, and once we find out
they have ID they're fine and we no longer care about them.  This ID is being
collected so that we'll know who the people are, and if we needed to know who
somebody was, having destroyed the records would make the records rather
non-useful.

response 113 of 184:

Sep 8 07:48 UTC 2002

I have to wonder what all these internet cafes et al plan to do when
people complain to them about vandals or spammers, or worse yet they get
sued.  Most of them haven't been in business long enough that what they
do necessarily represents best business practice.

Many libraries offer some form of network access, but I think there's a
trend there to restrict the basic services that are offered and/or to
require some form of identification/authorization.  The degree of
paranoia is likely to depend on the size of the institution and its
surrounding community, how long they've been providing such services,
the skill of any experts they can draw upon, and any problems they've
encountered - a small library in Paradise MI might be a lot less
paranoid than a big library in downtown Detroit.

Something else to keep in mind: the access an internet cafe or library
can offer is geographically limited.  The service grex offers is not.
If an internet cafe has problems with the local punk kids, they can
summon the police.  If grex has problems with punk kids anywhere on the
planet, the steps grex can take are quite limited, and not necessarily
effective.