Before: Arbitrator UlrichSchroeter (A), Respondent: CAcert (R), Claimant: StefanBruening (C), Case: a20110428.1

History Log

Original Dispute, Discovery (Private Part)

EOT Private Part

Intermediate Ruling

  1. The users, if not already happened, should be notified by the Triage member (C) about the privacy breach
  2. The lists admins should take the necessary steps to remove all private data sent to the list concerning this case (eg. remove the effected attachments from the posts from the public archives or if this is impossible, to remove the complete post from the mailing list)

Frankfurt/Main, 2011-04-29

Discovery

Intermediate Ruling #2

  1. The users, if not already happened, should be notified by the Triage member (C) about the privacy breach
  2. The lists admins should take the necessary steps to remove all private data sent to the list concerning the case

[s20110521.19] (2nd new dispute) (eg. remove the effected attachments from the posts from the public archives or if this is impossible, to remove the post from the mailing list that includes the PII)

Frankfurt/Main, 2011-05-22

Deliberations

The PII breach issue is a repeating event. Training cannot solve this problem alone. One suggestion that was made is, to make the public support mailing list a "walled garden". That has its advantages and its disadvantages. The advantage is to limit the count of involved users. The disadvantage is, that the count of potential helpers also becomes limited.

Questions to answer:

  1. Which informations about a user can be published?
    • Publishing the name and the email of the user is not on discussion, so the answers given can reach the requestor.
    • Addtl. informations about a user, often added as a footer, with full address, phone, webaddress and so on is a problem. Also informations about a 3rd party (Assurees).
    • Triage members are trained to sanitize these infos before forwarding mails to the public mailing list.
    • But by the nature of multipart/mixed messages, the addtl. informations still left in the attachment part within the ticket system, that causes the PII breach after the forward to the mailing list
  2. What is about a moderated forward ?
    • Moderating mode of the mailing list means, at least 2 people have to handle each post. From the services side this is an unrealistic venture and as seen in the PII removal requests to the lists admins this results in a removal of a complete post because no modifications can be made within the posts.
  3. Preventing multipart/mixed messages from forwarding ?
    • Preventing forwards of multipart/mixed messages to the mailing list can be an option.
    • One may argue, that someone can send attachments within his mail, to explain his problem.
    • The answer here is: starting with the mailing, a potential supporter can get in contact with the user and the addtl. infos can be send later between the P2P contact.
    • So there is no real need to allow attachments in the public support mailing list.
    • This option needs some testing ...
      • Sending mulitpart/mixed messages allowed includes the attachments to the post
      • Sending multipart/mixed messages to be forwarded to moderators does only allow rejection or approval, no modification
      • Sending multipart/mixed messages and to strip the mulitpart/mixed and attachments is impossible within the mailing list software, but delete attachments on forwarding within OTRS is possible
    • On Forwarding messages from Triage queue to public support mailing list
      1. Delete Attachments
      2. Sanitize message text
    • can be trained to the Triage members
  4. Prevent Google indexing and external archives ?
    • publishing all the email addresses of everyone who needs support, that seems like a dumb idea for a supposed privacy organisation.
    • So the archive has to be restricted to subscribers only.
    • To send a signal: no external archiving

Ruling

Execution

Similiar Cases

a20110228.1

mistakenly moved ticket in the wrong queue (Fabian K)

a20100304.1

dispute for privacy purposes

a20110503.1

Remove my old account if exists... (Daniel R)

a20101025.1

removal of posts from mailing list


Arbitrations/a20110428.1 (last edited 2015-03-04 19:01:51 by BernhardFröhlich)