 * Case Number: a20110221.1
 * Status: running
 * Claimants: CAcert
 * Respondents: CAcert
 * Case Manager: AlexanderPrinsier
 * Arbitrator: UlrichSchroeter
 * Date of arbitration start: 2011-02-21
 * Date of ruling: 201Y-MM-DD
 * Case closed: 201Y-MM-DD
 * Complaint: PII and problematical sys settings on 1057 of 1074 deleted accounts cases still remains in database
 * Relief: General database maintenance

Before: Arbitrator name arbitor (A), Respondent: CAcert (R), Claimant: CAcert (C), Case: a20110221.1

== History Log ==

 . 2011-02-21 (A): split Ruling Part II to new case from case [[Arbitrations/a20100131.1|a20100131.1]]
 . 2011-02-21 (A): added to wiki, request for CM / A
 . 2011-02-21 (A2): questions from another Arbitrator
 . 2011-02-21 (A): questions answered to (A2)
 . 2011-02-21 (A2): additional info regarding [[https://bugs.cacert.org/view.php?id=893|bug #893]]
 . 2011-04-23 ([[Arbitrations/a20110418.1|a20110418.1]]): users that assured themselves (at least 2 known cases): [[Arbitrations/a20110418.1|a20110418.1]], [[Arbitrations/a20090510.3|a20090510.3]], routine to check automatically?
 . 2011-05-06 (A): new [[Arbitrations/Training/Lesson20/DeleteAccountProcSEv3|Delete Account for SE's Procedure v3]] ruled under [[Arbitrations/a20110502.1|a20110502.1]]
 . ?
 . 2013-03-11 (MarcusMaengel): filed [[https://bugs.cacert.org/view.php?id=1152|bug #1152]] "When the last email address of an account is disputed the personal data is not anonymized. (see also a20110221.1)"
 . 2013-03-11 (MarcusMaengel): filed [[https://bugs.cacert.org/view.php?id=1153|bug #1153]] "Delete personal information from the webdb"
 . 2013-03-11 (A): [[https://bugs.cacert.org/view.php?id=1153|bug #1153]] closed, issue is subject to arbitration (current running case)
 . 2013-03-22 (A): invitation to (MarcusMaengel) to become (Claimant) in this case based on bug filing [[https://bugs.cacert.org/view.php?id=1153|bug #1153]]

== Original Dispute, Discovery (Private Part) ==

 * Link to Arbitration case [[Arbitrations/priv/a20110221.1|a20110221.1 (Private Part)]]

==== EOT Private Part ====

== Discovery ==

 * Procedures that lead to "Delete an Account"
  1. Delete Account function - Link in Admin Console
  1. Delete Account after Email Dispute if Email is the Primary and the last Email in an Account -> Auto Delete an Account
 * 2013-03-11 (MarcusMaengel): filed [[https://bugs.cacert.org/view.php?id=1152|bug #1152]] "When the last email address of an account is disputed the personal data is not anonymized. (see also a20110221.1)"
 {{{
problem still has been identified under arbitration case
https://wiki.cacert.org/Arbitrations/a20100131.1
by ruling this case has been separated to new case
https://wiki.cacert.org/Arbitrations/a20110221.1
and a20110221.1 is still in progress
 }}}
 * 2013-03-11 (MarcusMaengel): filed [[https://bugs.cacert.org/view.php?id=1153|bug #1153]] "Delete personal information from the webdb"
 {{{
After a retention time that is to be defined all data of a "deleted account" must be removed from the database.
This means the entry in users as well as all linked references to that account:
emails
domains
any kind of certificates
location
 }}}
 * 2013-03-11 (A): [[https://bugs.cacert.org/view.php?id=1153|bug #1153]] closed, issue is subject to arbitration (current running case)
 {{{
problem still has been identified under arbitration case
https://wiki.cacert.org/Arbitrations/a20100131.1
by ruling this case has been separated to new case
https://wiki.cacert.org/Arbitrations/a20110221.1
and a20110221.1 is still in progress
 }}}
 * [[https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html|SP 4.4. Data retention]]
  * 4.4.1. User data
   * Termination of user data is under direction of the Arbitrator. See CCA.
  * 4.4.2. System logs
   * See §4.2.1.
   {{{
4.2.1. Coverage
All sensitive events should be logged reliably. Logs should be deleted after an appropriate amount of time as documented in the Security Manual.
   }}}
  * 4.4.3. Incident reports
   * See §5.6.
   {{{
5.6. Report
Incident reports shall be be published. The Incident Report is written on closing the investigation. A full copy should be appended to the documentation of the investigation. Sensitive information may be pushed out into a restricted appendix of the report. The Systems Administration team leader is responsible for publication and maintenance.
Incidents are not normally kept secret nor confidential, and progress information should be published as soon as possible. The knowledge of the existence of the event must not be kept secret, nor the manner and methods be kept confidential. See §9.5.
   }}}

== Ruling ==

== Execution ==

== Similar Cases ==

|| [[Arbitrations/a20090703.2|a20090703.2]] || [[Arbitrations/a20090703.2|please remove me from the database (deleted by SE)]] ||
|| [[Arbitrations/a20080702.1|a20080702.1]] || [[Arbitrations/a20080702.1|User requests to delete account with Assurance Points]] ||
|| [[Arbitrations/a20090618.3|a20090618.3]] || [[Arbitrations/a20090618.3|Assurer requests to delete account]] ||
|| [[Arbitrations/a20090618.5|a20090618.5]] || [[Arbitrations/a20090618.5|User requests to delete account with no Assurance Points]] ||
|| [[Arbitrations/a20090826.1|a20090826.1]] || [[Arbitrations/a20090826.1|User wants account deleted, no Assurance Points, no certificates]] ||
|| [[Arbitrations/a20090926.1|a20090926.1]] || [[Arbitrations/a20090926.1|User wants account deleted, no Assurance Points, no certificates]] ||

see also: [[Arbitrations/Training/Lesson20|Arbitrations Training Lesson 20 - Arbitration Case - Delete Account Request]]

||[[Arbitrations/a20090810.2|a20090810.2]] ||[[Arbitrations/a20090810.2|User requests removal of first (incorrect) account.]] ||
||[[Arbitrations/a20080702.1|a20080702.1]] ||[[Arbitrations/a20080702.1|User requests to delete account with Assurance Points]] ||
||[[Arbitrations/a20080702.1|a20080702.1]] ||[[Arbitrations/a20090618.3|Assurer requests to delete account]] ||
||[[Arbitrations/a20090703.2|a20090703.2]] ||[[Arbitrations/a20090703.2|please remove me from the database (SE special case)]] ||
||[[Arbitrations/a20090913.1|a20090913.1]] ||[[Arbitrations/a20090913.1|user want that we remove his name and email from lists archive]] ||
||[[Arbitrations/a20130530.1|a20130530.1]] ||[[Arbitrations/a20130530.1|Adhoc SQL Query to get info about accounts with DOB in the future]] ||

=== Bug reports ===

|| [[https://bugs.cacert.org/view.php?id=794|bug #794]] || [[https://bugs.cacert.org/view.php?id=794|visibility over certificates for sysadm in account administration (fixed)]] ||
|| [[https://bugs.cacert.org/view.php?id=893|bug #893]] || [[https://bugs.cacert.org/view.php?id=893|Extend Delete account feature for support]] ||
|| [[https://bugs.cacert.org/view.php?id=1005|bug #1005]] || [[https://bugs.cacert.org/view.php?id=1005|User is shown in find an Assurer while account is deleted]] ||
|| [[https://bugs.cacert.org/view.php?id=1152|bug #1152]] || [[https://bugs.cacert.org/view.php?id=1152|When the last email address of an account is disputed the personal data is not anonymized. (see also a20110221.1)]] ||
|| [[https://bugs.cacert.org/view.php?id=872|bug #872]] || [[https://bugs.cacert.org/view.php?id=872|PoJAM restricitions to apply to production system (several restrictions) PoJAM 3.3,, 4.1, 4.2]] ||

----
 . CategoryArbitration
 . CategoryArbCaseSystemTasks