4

I'm creating a website that only allows nonprofits and government organizations (parks, etc) to sign up and post service project listings. The accounts posting the listings must be verified to protect the safety of the volunteers who want to go do the service projects.

All nonprofits have an EIN that can be confirmed using an online database, but the downside is that anyone can look up the EIN and pose as the organization. In this question, the answer is to use financial transactions to verify the person, but with an organization, the volunteer coordinator (who would probably be making this account) likely doesn't have access to financial data (I've never worked with an organization like this so I could be wrong here).

I thought about email verification, but not all organizations have contact emails posted on their websites to confirm against, as well as the access problems already mentioned with financial data.

How can I verify that the person making the account is a representative of the nonprofit or government organization that they claim they represent?

Community
  • 1
Ian
  • 143
  • 6
  • Is your system US-only? EINs are issued by the IRS only to US entities. And I don't think "all" nonprofits have one: they need it for IRS registration only if they want to be *tax-exempt* and are not a church or government agency; they (independently) need it for payroll tax only if they *pay* workers (which volunteer orgs often don't) and are not a state/local/tribal government with a non-FICA retirement plan. Maybe Guidestar or umbrella orgs like United Way have something useful. – dave_thompson_085 Aug 19 '14 at 21:51
  • I hadn't realized that. For now it's USA only. I was going to do something different for Govt. Orgs anyway – Ian Aug 20 '14 at 01:03
  • 2
    Mentioning that this is to protect the safety of the volunteer seems rather peculiar. You can step on a rusty nail or get mauled by a bear regardless of the tax status of the organization. The most dangerous things I have done have been for non-profits and churches. – jjanes Aug 20 '14 at 03:12
  • It's not protection from the danger of the project, but from the organization itself. If I claim to represent a national park and have everyone meet in remote location of the park to do a project and I'm not who I say I am, that could have serious consequences. – Ian Aug 20 '14 at 15:18

5 Answers5

2

I would suggest having multiple ways someone could confirm their identity with your site. Similar to how the DMV requires two forms of ID to get a driver's license (one from 'option A' and one from 'option b', etc...)

There are many examples already given: (if possible, I would give the user many options and only require a few)

  • Verify by email: Send an email to an official domain email address (perhaps even the whois email address).
  • Use a text message/call system with a pin. (you can also use the official whois data)
  • The old 1 cent bank deposit confirmation as that answer you found states.
  • Have the user upload a unique file to their website

Here are two more:

Google when adding your business, they send a postcard with a time-sensitive code on it to the registered business address. You could simply look at the whois contact info and mail a verification letter to them. Even if their site is registered as 'private' whichever company is 'protecting' your information obviously must know your real/listed address and thus may forward the correspondence. Here is some more info on how Google does that and here is still more info.

A more automated way to do this is how Paypal implements a real photo id verification system. You simply scan a copy of an official id card and send it to them. For your purposes, you can ask for any official documentation related to the company/organization (tax forms for instance).

Bare in mind, none of these are sure fire solutions. Even the best systems are sometimes vulnerable to fraud. I would strongly suggest audits as a means to continually veht your user base.

Also, you may want to look into a rating system for your volunteers to rate that organization after the fact -a lower rating gets flagged for your review...

Matthew Peters
  • 3,592
  • 4
  • 21
  • 39
  • 1
    That is exactly what I was looking for. I had thought about mailing but wasn't sure how that could be implemented. – Ian Aug 27 '14 at 23:05
1

If you don't need instant verification, then you can collect emails of different countries' departments which control non-profits and etc. and make template(s) of message where you explain that you need confirmation ASAP,and emails will be sent automatically to corresponding destination after registration. That way your don't have to limit your project to US only.

assp1r1n3
  • 133
  • 1
  • 1
  • 7
1

Multiple ways to verify enable more people to sign up. Some additional options:

  1. When the organisation has a website without contact email, you could ask them to add something to their website, like a not linked txt file or something else.

  2. If it has a postal address you could snail mail them a confirmation code. Downside: Its expensive.

  3. If it has a phone number on its website, you can call them using that. Its less expensive than option 2.

user10008
  • 4,315
  • 21
  • 33
1

One thought if they are signing up and you are asking for their email address many times they are issued a company address (even if the company doesn't have public email address as a point of contact). This would work best if the site has an EV certificate installed because you could essentially scrape their website for that and check that it was issued by a valid CA, who has already validated it as a legitimate business. If you already know the organization and trust them it could be a simple as making sure the signing up email address contains their domain.

As others have said you could also use the phone number on their site. This may require manual labor and telephone time due to many places having robotic switchboards but if you can reach them without a robotic switchboard you could possibly use something like Twilio to automate the call.

Then there is also mailing them the snail confirmation which was also mentioned.

Travis Pessetto
  • 670
  • 3
  • 6
1

Google has an interesting method for domain verification that can be applied. Make them upload a file named something like "a8br35.txt" to somewhere on their server.

Slava Knyazev
  • 716
  • 5
  • 12