This may be a dumb idea, but why not have nefario provide goat with a list of BTC addresses linked as a deposit address to the user's GLBSE account and a share count.
Then there's no liability for goat - as if they lose control of their GLBSE account then they're in exactly the same position as if they'd lost control of it BEFORE goat was delisted (the unauthorised user can sell shares/withdraw BTC). All liability after goat sends the funds then rests with GLBSE -as it would have done had he been paying by their dividend mechanism. And the block-chain allows verification of whether funds were actually sent.
On the surface, it's a good idea. However, it has the following problems:
1) Deposits may not have all come from a non-shared wallet. This opens the potential for MtGox, etc., to fraudulently claim shares as their own. This is besides the fact that some people will NEVER be able to claim their shares. The same goes for withdrawal addresses.
2) This breaks the privacy that users expected that they had with GLBSE.
3) Nefario could just make up the list. You know, since apparently he can't be trusted to do anything right.
These exact issues also exist with email addresses, except replace 1 with "Users may not have signed up with a secure email address, since it wasn't ever supposed to single-handedly protect the account." Same with any other personal information GLBSE has.
Ask yourself, what does it take to liquidate all of a person's assets and empty their account at GLBSE? The answer is access to their account. Thus, access to someone's account should be all the protects this transfer of assets.
I wasn't clear enough what I meant.
I didn't mean nefario gives goat the addresses the user deposited to GLBSE with (which is how it appears you read it).
What I meant was that nefario generates a new GLBSE-owned deposit address for each user - linked to their user-account (so BTC sent to that address arrive in their GLBSE account). Then gives goat THAT list.
your point 1) is then not relevant.
point 2) also isn't relevant - as the user never provided the address, nor is there any way for someone to link it to their GLBSE account.
point 3) is also a non-issue - GLBSE has no responsibility for how many funds are sent to that address or why those funds are sent (that's down to goat to sort out with his users himself). Nefario explicitly CAN make up the list - but GLBSE takes on responsibility to provide users with the funds associated with THEIR deposit address (just like they do for deposits to any other deposit address). So there'd be no benefit in nefario giving goat a list of addresses (and each user the ID of their own goat-related address) that was fake - as he'd then be accepting responsibility for delivering funds that he'd not got control over.
What it doesn't do is give goat any way of identifying individual investors - or investors a way of proving that they're the person receiving funds on the address. Which would basically limit goat to only being able to pay dividends or do a buy-back. But he already has the codes which allow that - so long as he's not dumb enough to send funds other than to the BTC address provided by nefario, he could also then buy back shares from individual users (a scammer with the code could only trick goat into buying back the share by sending BTC to the true owner). Transfers to third-parties (which would take the shares away from GLBSE totally) could be achieved by goat buying the share from the original owner (confirming code then paying to the nefario-provided GLBSE account) then selling it to the third-party. Provided the amount transferred in both transactions is the market value then the worst a scammer (who somehow got the code) can do is BUY a share from goat at market rate - a share which isn't registered on GLBSE and which goat could just take away from them if he decided they were scamming. Not much of a reward really.