Before: Arbitrator EvaStöwe (A), Respondent: Benny B(R1) Martin G(R2), Claimant: Dominik G(C), Case: a20121228.1

Contents

  1. History Log
  2. Original Dispute, Discovery (Private Part) (optional)
      1. EOT Private Part
  3. Discovery (Visibility of private part)
  4. Intermediate Ruling (Visibility of private part)
  5. Questions to be answered by this case
    1. by complaint
    2. additional questions from C, R1, R2
    3. further problems encountered by A in this case
    4. Order of addressing the questions
  6. Discovery
    1. Collection of statements
    2. about the complaint
      1. A. What happened?
        1. relevant timeframes
    3. additional questions by C, R1, R2
      1. 1. Updating the Assurance Policy to authorize Privacy Policy as a subsidiary document
      2. 2. Updating the Assurer Handbook (or whatever) to point out that an assurer should visibly prove their submission to CCA, AP, etc. *before* having the assuree decide whether they permit usage of their data
      3. 3. Educating assurers to follow that proposal
      4. 4. Making very clear that an Arbitrator has no rights of self-justice, only when handling a real arbitration case under a duly filed dispute
      5. 5. Making very clear that CAcert is community-driven without a strong hierarchy, so all efforts should involve all related parties within the community
      6. 6. As the CAP forms were left unattended and in plain view (as for the clipboard at least) it would be of great interest WHEN exactly a CAP form starts to fall under privacy policy and as such requires the assurer to take proper action to ensure protection against unauthorized access by third parties.
      7. 7. What are necessary precautions (recommended and required ones) to be taken by the assurer for such a CAP form?
      8. 8. Why is it ok for another community member to move those [CAP forms] to a place as unsafe as the old one?
    4. about the complaint
      1. B. Did R1 act as event organizer?
      2. C. Did R2 act as arbitrator?
      3. D. Were their actions covered by their authority as assurers?
        1. securing the CAP forms
        2. not informing C directly
        3. not informing C and giving back the CAP forms ASAP at the next day
        4. resume
      4. E. Were R1's actions covered by his authority as event organizer?
      5. F. Were R2's actions covered by his authority as arbitrator?
      6. a. Did R1 abuse his position as event organizer?
      7. b. Did R2 abuse his position as arbitrator?
    5. further problems encountered by A in this case
      1. I. Consequences of C's possible privacy breach (leaving CAP forms unattended for hours)
      2. II. Problems with statements of a co-auditor found in this case, not in line with our policies
  7. Ruling
  8. Execution
  9. Post arbitration action
  10. Personal words from (A)
  11. Related Policies
  12. Similar Cases

History Log

WIT1-3: witness1-3

Original Dispute, Discovery (Private Part) (optional)

EOT Private Part

Discovery (Visibility of private part)

So even while as much as possible should be transparent to everybody, eventually, there are reasons to not abandon the private part. C and R1 also being able to follow everything happening in the private part should cover the need to give them equal access to information.

Intermediate Ruling (Visibility of private part)

Since one of the respondents is an arbitrator and can see the private part of this case, A/CM will ensure that C, R1 and R2 will gain the same access. The same goes for mails and other communication regarding this case that is visible to him because of being an arbitrator.

Cologne, 2013-11-18


Questions to be answered by this case

by complaint

complaint: abuse of position of R1 as event organizer and R2 as arbitrator

  1. Did R1 abuse his position as event organizer?
  2. Did R2 abuse his position as arbitrator?

to answer those questions:

  1. What happened?
  2. Did R1 act as event organizer?
  3. Did R2 act as arbitrator?
  4. Were their actions covered by their authority as assurer?
  5. Were R1's actions covered by his authority as event organizer?
  6. Were R2's actions covered by his authority as arbitrator?

additional questions from C, R1, R2

additional questions from C:

  1. Updating the Assurance Policy to authorize Privacy Policy as a subsidiary document
  2. Updating the Assurer Handbook (or whatever) to point out that an assurer should visibly prove their submission to CCA, AP, etc. *before* having the assuree decide whether they permit usage of their data
  3. Educating assurers to follow that proposal
  4. Making very clear that an Arbitrator has no rights of self-justice, only when handling a real arbitration case under a duly filed dispute
  5. Making very clear that CAcert is community-driven without a strong hierarchy, so all efforts should involve all related parties within the community

additional questions from R1/2:

  1. As the CAP forms were left unattended and in plain view (as for the clipboard at least) it would be of great interest WHEN exactly a CAP form starts to fall under privacy policy and as such requires the assurer to take proper action to ensure protection against unauthorized access by third parties.
  2. What are necessary precautions (recommended and required ones) to be taken by the assurer for such a CAP form?

additional question from C:

  1. Why is it ok for another community member to move them to a place as unsafe as the old one?

further problems encountered by A in this case

  1. Consequences of C's possible privacy breach (leaving CAP forms unattended for hours)
  2. Problems with statements of a co-auditor found in this case, not in line with our policies

Order of addressing the questions

Some of the additional questions need to be answered at least partly before the legitimacy of the acts of R1 and R2 can be assessed, but they are mostly general questions without a direct connection to the events of the case. The questions will therefore be addressed in the following order, so that the general answers can be used to assess the concrete events.

  - A.: concrete events and timeframes
  - 1. - 8.: general questions
  - B. - F.: questions concerning the original dispute
  - a., b.: original dispute
  - I., II.: additional problems that have to be addressed by this case


Discovery

Collection of statements

Collection of statements made in this case about what happened. Those statements are anonymized as far as possible.

about the complaint

A. What happened?

Combining all statements made in this case, the following happened.

Note: The participants did not agree on everything, but either both views can be explained by time passing and things happening in between, or the differences do not need to be decided to solve this case.

As far as known all times are CET - local time.

relevant timeframes

  - time an assurer has to safekeep CAPs: 7 years
  - time C intended to leave the CAPs unattended: about 12 hours
  - time between C leaving CAPs and returning: about 13 hours
  - time CAPs were left alone: about 4 hours
  - time CAPs stored by R1: 8-10 hours
  - time R1/R2 failed to return CAPs to C: 1-2 hours
  - time of C not informed after his discovery that CAPs were gone: minutes? (WIT3 informed him according to C)


additional questions by C, R1, R2

Beside the complaint, a lot of questions were asked by both sides to be answered by this case. Some of them are only very lightly connected to the original complaint or the events covered by this case.

While arbitration can be used to clarify some questions, especially about how policies work together (often resulting in precedent cases), there are other forums that are better suited to answer most of the questions asked here.

An arbitration case should cover all aspects of the case to be complete. But as the CM of the case puts it: "arbitration is no request programme". A single arbitrator should be very careful before giving orders to policy group or other authorities to alter practices. For most of the things asked to clarify in this case, there is no evidence that there is a global problem, which has to be fixed by orders of arbitration.

So even while all those questions will be covered by this case somehow to fulfil the need of completeness, the answers will probably not be the ones hoped for by the parties.


1. Updating the Assurance Policy to authorize Privacy Policy as a subsidiary document

There are at least two places where the Privacy Policy (PP) is mentioned in the Assurance Handbook.

Since the Privacy Policy is included and stated as relevant for assurances in the Assurance Handbook, and the Assurance Policy includes the Assurance Handbook and explicitly names it in the obligations of an assurer, the Privacy Policy is linked to the Assurance Policy and the assurance process.

Any direct intervention of arbitration into the work of policy group can be seen as a severe intrusion into the idea of separation of powers of CAcert (arbitration being the judiciary, policy group the legislative organ of CAcert).

As an arbitrator I have the authority to rule a change in policies and procedures according to 3.6 DRP. But I and my fellow arbitrators (as far as I have consulted them) agree that such rulings should be restricted to cases where it is needed to prevent CAcert from imminent damage, which cannot be dealt with otherwise.

This is not the case here.

It may or may not be a good idea to have a more direct link between Assurance Policy and Privacy Policy. This decision is up to the policy group who has the authority to take up the matter or leave it alone and to decide whatever they think best.

Any CAcert member who sees the need for a policy change can address policy group. An arbitration ruling is not needed to do so.


2. Updating the Assurer Handbook (or whatever) to point out that an assurer should visibly prove their submission to CCA, AP, etc. *before* having the assuree decide whether they permit usage of their data

Every assurer (in a CAcert context) is bound to AP, since at least 2010.

According to AP 3.1:

Before everything else of an assurance begins, assuree and assurer have to agree about the assurance.

According to AP 4.1:

Since the AP is speaking of assurances as assurances under AP, they have to agree that the assurance is an assurance under AP.

According to AP 4.5:

By filling out the CAP forms the assurees state that they give the permission to conduct an assurance (again under AP) - nothing else.

So even if assurer and assuree do not talk about what they are doing, the assuree asks for an assurance under AP by filling out the CAP form, signing it and handing it over to the assurer. When the assurer accepts it, the assurer also agrees by doing so, to perform an assurance (under AP). Else the assurer cannot assume that the assuree gives the permission to access the filled in data.

The assurer part on the CAP form also documents this. But the CARS the assurer is giving by signing the CAP form is not that the AP is accepted at the time of the signature. AP was probably accepted by the assurer long before the actual assurance happens.

Assurance Handbook "What about that CAP form" explicitly says:

The CARS is about that all went well according to AP.

The currently available CAP form, which you can download from our website, also reads:

Assuree part:

Assurer part:

So every assurer (playing by our rules) is already giving a visual statement when accepting the filled in (and signed) CAP form from the assuree, that they will perform the assurance according to AP.

(Everybody not playing by our rules will not care what is written down somewhere else and even if they would make any visual signs that they would respect AP that would not make any difference.)

There is no need for any other signal, which HAS to be performed by an assurer. However since one of our principles is to educate our members it can be a good idea to explicitly state what one is doing in some circumstances.

But there are enough situations where this does not make much sense. For example multiple assurers assuring the same assuree at a big event one after another, or when two assurers are giving each other a mutual assurance.

There is no need to order the Assurance Handbook to be updated.

Anyone who thinks that it is a good idea to have the Assurance Handbook updated in this regard can address the AO (assurance officer).


3. Educating assurers to follow that proposal

While training is one of the principles of the CAcert Community, it is not the main job of arbitration to educate members or assurers, even if members may incidentally learn something by being involved in an arbitration case.

According to DRP 3.6 Remedies:

So a proposed remedy for arbitrators is to order retraining in a role, not to train someone themselves. The education itself should be done by the usual authorities.

The normal authority to train assurers is the education team led by the education officer.

The education officer happens to be the CM (and supervising arbitrator) of this case so he is aware of anything related to this case. There is no need to inform (or even order) education further.


4. Making very clear that an Arbitrator has no rights of self-justice, only when handling a real arbitration case under a duly filed dispute

An arbitrator has no right to perform self-justice.

There is no known exception. Arbitrators are not allowed to handle any arbitration case when they are already involved in the case (even as witness) or other conflicts of interests are present.

DRP 1.5:

The current arbitration team is very aware of this. Known possible conflicts of interests are listed for each arbitrator in the list of arbitrators. Above that we try to not assign an arbitrator to a case where people are involved who previously were a party in another case that got personal. Not even as case manager. Some cases have to wait a little bit longer because of this.

For example R2 will not pick up a case where C is involved even as a known witness, if there are any other ways to get those cases handled.


5. Making very clear that CAcert is community-driven without a strong hierarchy, so all efforts should involve all related parties within the community

The community plays a big role inside CAcert. A community spirit should be shown whenever possible.

CAcert is community-driven insofar as all our authorities are part of the community and every community member can participate in such important things as policy design - and theoretically everywhere, if they fulfil the requirements.

But processes within CAcert are very strictly formalized. We have

There are also some cases where a direct cooperation between some areas is not intended. For example, support is not allowed to directly ask critical team for the execution of some SQL queries. They have to go through arbitration to do so.

Arbitration on the other hand can give orders which are final and binding to any member of CAcert according to DRP 3.3. This can be done without the consent of the members for the given order since it may be a remedy the member is not happy with. Most of the orders given by arbitration are given even without previously consulting the ordered party about it. (Most orders are orders to support to provide some kind of information needed for a case or to perform some action on an account.)

So: No, there is no global concept within CAcert that "all efforts should involve all related parties within the community".

But there is much room for activities within CAcert outside the above mentioned formalities. Those are covered only sparsely by explicit policies. The principles of the CAcert Community should be guidelines here. They are the basis for the CAcert Community Agreement.


6. As the CAP forms were left unattended and in plain view (as for the clipboard at least) it would be of great interest WHEN exactly a CAP form starts to fall under privacy policy and as such requires the assurer to take proper action to ensure protection against unauthorized access by third parties.

As stated above (1.) privacy policy (PP) is addressed in the assurance policy (AP) as a relevant policy for assurances and the assurance process. As stated above (2.) the assuree asks for an assurance under AP when filling out a CAP and AP covers the whole assurance process beginning with the agreement of assurer and assuree to perform an assurance.

AP and through this PP apply to the whole process. The same is true for the additional privacy elements included in AP and assurance handbook (AH). In theory a CAP form starts to fall under PP right at the beginning of the process, so when assurer and assuree start to discuss an assurance or at least when they agree on it.

In this regard it does not matter if the assurance is stopped later on because the assurer is not sure about the identity of the assuree or the assuree gets doubts later. The process is covered by AP independent of the result of the assurance process. If the assurance is not completed, the assurer is responsible for the CAP form for as long as the assurer holds it, that is, until the CAP form is either handed back to the assuree, destroyed, or handed over to an arbitrator because of a filed dispute. (A situation like this is even described in the AH 1.3.2 Preparing yourself for an assurance as "Suggested Procedure".)

On the other hand, it is impossible for an assurer to enforce PP as long as the assuree is holding the CAP forms. But even then, an assurer should at least inform the assuree about possible privacy issues.

Since there are enough situations where people do not actively discuss that they will perform an assurance, it may not be easy to define the exact time when the agreement for the assurance is made. However, the latest possible moment is when the assurer accepts a filled in and signed CAP form handed to him by the assuree.

As discussed above, both have agreed to an assurance under AP (and thus PP) at this moment.


7. What are necessary precautions (recommended and required ones) to be taken by the assurer for such a CAP form?

It is probably not possible to give a global answer to that question. There are so many situations one can imagine and most of them would contradict one answer or another.

Neither PP, AP nor the Assurance Handbook gives us real answers in this regard, besides that an assurer has to store them secure from access by others (even experienced assurers) and is responsible for the personal data for 7 years. The ATE-presentation does not tell us much more.

The first answer that springs to mind is something like: "Always keep them close at hand, so that you can keep an eye on them."

That would be quite impractical in many situations. (For example when a visit to the bathroom is needed or one takes a shower during an event.)

The answer would probably also be different for

Since so much has to be included, it does not make much sense to just cover a number of guidelines. (Btw: If we set fixed guidelines and make them well known, everybody knows where to look for CAPs.)

However there is one answer that covers it all:

"Use your brain and look out to find the best safety for your CAPs in the given situation."

Nonetheless there is one thing that should be possible in nearly every situation and may be thought of as a required precaution:

"Keep the personal information covered up, when you do not need access to it right now."

At least this guards against accidental privacy breaches by persons being around. This can be done with:

If no access to the forms is needed in the near future, it is a good idea to put them into a bag/case/backpack so that they will not be directly spotted (or forgotten).

At home one can store them even better. Maybe even in a safe or a cupboard only oneself can easily access.

Try to handle them as if they contained some valuable personal information of your own, for example access data to your bank account. Remember: Each of those CAP forms is (theoretically) worth up to €1000,- of your money.


8. Why is it ok for another community member to move those [CAP forms] to a place as unsafe as the old one?

The question if (or why) the move itself was ok, is covered somewhere else.

But I will compare the safety of the CAP forms before and after the move.

Before entering the topic, it has to be said that everybody (C, R1, R2, WIT1, WIT2, WIT3) seems to agree that it was safe to leave valuable belongings at the event location, since according to different statements at least C, R1, WIT1 and WIT2 did so, and R2 and WIT3 had no issue with R1 going to the Engle Area to store the folder containing the CAP forms with his belongings there.

But one has to differentiate between the security of things and the security of data. In most situations a potential attacker would probably focus on valuable items and leave mere paper with some data alone.

The events of this case took place at a hacker event, with many people present who knew the value of personal data and some of them looking for security issues for sport.

So even while it may have been safe to leave secure laptops and closed bags alone, that does not indicate the same safety for paper, obviously containing personal data.

The CAP forms as left alone by C:

The CAP forms as stored by R1:

While it was not the obvious solution (taking the CAP forms back to the hostel), it was one of the best choices available, as far as can be said from the distance. (Sometimes the best solution can be quite unorthodox at first glance.)

Even if there may have been better solutions, at least it can be said that the new location of the CAP forms was a lot safer than the old one.


about the complaint

B. Did R1 act as event organizer?

R1 and C agree on this (nobody else had any memories in this regard).

Yes, R1 acted as event organizer.


C. Did R2 act as arbitrator?

> - Under what authority do you think you acted while confiscating the CAPs?
As Assurer.

> - Did you mention that authority to the claimant?
Yes.

> - Did you mention any other authority of yours to the claimant during the confrontation?
I don't remember the exact content of that conversation as the conversation was kinda heated.

[...]

> In what context was the possibility of arbitration mentioned?
>
When returning the clipboard I mentioned to C I am not amused about
this and I didn't intend to file a dispute against C in this case.
After this I didn't want to follow up on this.

It MAY have been possible, that we have talked about being Arbitrator/Board-Member/Software-Assessor/...

... but ...

... to handle the privacy issue of the applicants this did not matter:

As far as I remember, nobody argued as Arbitrator/Board-Member/Software-Assessor/... but in the state of a CAcert-Community-Member/Assurer to prevent a privacy breach against CAcert and ensure that the person keeping the CAP-Forms for the night cannot modify them (to keep them valid for the Assurer).

R2 accompanied R1 in his action because "that case could easily result in an arbitration", and he has a position in Arbitration.

R2 did not want to and did not think that he acted as arbitrator. Besides his own argumentation, this has to be concluded from the statement of WIT3.

Besides the one statement of C that R2 mentioned his position as arbitrator, nothing can be seen in any statement that actually points to R2 having acted as arbitrator. On the contrary, all evidence - even the other statements from C - points to R2 having acted as assurer only and not as an arbitrator.

One has to come to the conclusion that no, R2 did not act as arbitrator.


D. Were their actions covered by their authority as assurers?

C does partly accept that R1 and R2 were allowed to secure the CAP forms, at least if they had tried to contact him first. (Even though he addresses the role of Event Organizer and not of assurer.)

R1 is correct in two points, and wrong in some others. I am going to draw the reason for this case from those arguments:
 + It is a little bit careless from a privacy point of view to leave a folder with filled-in CAP forms unattended at an event location, although it was well hidden under my laptop.
 + If the CAP forms had been of any interest to CAcert as a whole, some action should have been taken to solve this issue together with the assurer (i.e. me)
[...]
 - I am totally ok with R1, as event organizer, noticing a privacy issue. Now, if he *had* tried to call me, and would have failed, I would have regarded it as totally ok if he secured the forms in some place, and then informed me about it later, but returning the forms to me immediately. It is, however, a completely different issue that he refused to return the forms (and the rest of the folder) to me until I forcefully took it from him.

So there may be a different answer for

Those points should be addressed one at a time.

securing the CAP forms

When asked about the authority they acted on, R1 mentioned:

> - Under what authority do you think you acted while confiscating the CAPs?
Obligations of every assurer according to Assurer Handbook, sections 1.3.8 as well as privacy regulations to avoid unnecessary breach of private information.

Furthermore as I had responsibility as event organizer I acted to limit the impact of private information floating around unattended at night at the stand.

The responsibility and authority of an event organizer is covered below; for now the focus has to be on the first part - the authority of an assurer.

Assurer Handbook 1.3.8. states about the storage of CAP forms:

Mutual Assurance. For a mutual Assurance, fill them in (or use two CAP forms). If the other Member is not an Assurer as yet, then
- if the other Member is unsure, you may keep the CAP form(s) on her behalf (and take responsibility for both Assurances) which is why the form itself has both sets of details on it.
- if the other Member is about to become an Assurer, or you otherwise judge the Member is capable of meeting the storage requirements, then she may keep her CAP form recording her Assurance over you. 

Storage. The Assurer has to securely keep the paper CAP form for at least seven years. You are personally responsible for this (and in the mutual assurance with a non-Assurer, you remain responsible!) ! It is your evidence that you have followed CAcert's Assurance Policy and that you met the applicant in person (face to face).

For data protection and privacy reasons no-one else should have access to the CAP forms, once completed. 
[...]

If you find yourself unable to keep the CAP forms for whatever reason, file a dispute at support@cacert.org, explain the circumstances, and request the Arbitrator to provide instructions. 

So an assurer has to securely store CAP forms for 7 years without anybody being able to access them. This is a personal responsibility of the assurer.

But this section also anticipates situations where someone is not capable of securing CAP forms in such a way. In this case other assurers have to step in and take the responsibility. The example covered in this section is an assurer doing a mutual assurance with a non-assurer, but it can be used as a guideline for comparable situations, where the person who performed the assurance is (at least temporarily) not capable of securing the filled in CAP forms.

As C was not near the CAP forms when they were discovered by R1 and R2, and so was obviously not capable of securing them in that moment, we have a (temporarily) comparable situation to the one described in the AH.

That an assurer may be unable to secure the CAP forms for any reason at least for a given time is also explicitly addressed later. However that part only covers what the assurer should do, not what other assurers who discover the problem should do.

Since this is not directly covered (other than the analogy discussed above), one should look at our global principles.

Principles of the CAcert Community:

Security
We strive to provide security. This means that we cooperate in securing ourselves and others. As a principle, security is led by the Security Officer, but it is our joint responsibility. Where we come into contact with security breaches, we disclose these. 

This idea is substantiated further in the Security Policy (SP).

Security Policy 9.1.6 Security:

It is the responsibility of all individuals to observe and report on security issues. All of CAcert observes all where possible. It is the responsibility of each individual to resolve issues satisfactorily, or to ensure that they are reported fully. 

The SP mostly addresses critical systems, but can be used as a guideline for other parts of CAcert: Security Policy 1.1.2. Out of Scope:

Non-critical systems are not covered by this manual, but may be guided by it, and impacted where they are found within the security context.

Both the principles and the SP give every community member of CAcert the responsibility to resolve security issues within CAcert and its community, when they are discovered.

So if there was a security issue, which was solved by the actions of R1 and R2, they acted rightly.

Even C states:

It is a little bit careless from a privacy point of view to leave a folder with filled-in CAP forms unattended at an event location, although it was well hidden under my laptop.

The Assurance Policy describes the obligations of an assurer regarding the CAP forms during the process of the assurance.

Assurance Policy 4.1 The Assurance Process:

The Assurer conducts the process of Assurance with each Member.

The process consists of: 
[...]
7. Safekeeping of the CAcert Assurance Programme (CAP) forms by Assurer. 

Assurance Policy 4.5 CAcert Assurance Programme (CAP) form:

The CAP forms are to be kept at least for 7 years by the Assurer. 

There is another section that explicitly addresses privacy in the context of assurances.

Assurance Policy 7 Privacy:

CAcert is a "privacy" organisation, and takes the privacy of its Members seriously. The process maintains the security and privacy of both parties. Information is collected primarily to make claims within the certificates requested by users and to contact the Members. It is used secondarily for training, testing, administration and other internal purposes.
The Member's information can be accessed under these circumstances:
- Under Arbitrator ruling, in a duly filed dispute (Dispute Resolution Policy => COD7);
- An Assurer in the process of an Assurance, as permitted on the CAcert Assurance Programme (CAP) form;
- CAcert support administration and CAcert systems administration when operating under the authority of Arbitrator or under CAcert policy.

This list is final. No other access may be given to the member’s information by CAcert and its members.

Every other access has to be considered a security and privacy issue (for the assurer and the assuree) as the first paragraph indicates.

Since the CAP forms were accessible by every visitor of the 29C3 when R1 and R2 discovered them (as they proved by accessing them), there was a security issue present.

R1 and R2 had to act on this security issue according to SP and our principles.

The way R1 and R2 acted improved the security of the CAP forms (as discussed above under 8.). R1 and R2 even prevented each other (and everybody else) from gaining access to the CAP forms without somebody recognizing this.

(On a side note: Since the CAP forms were not entered in the system, there was a real security issue for assurees who had not created an account at that time. A potential attacker could create an account with their data. If such an attacker could also compromise the primary email address, said account would probably get all the assurances of the assuree and the attacker access to named certificates in the name of the assuree.)

R1 and R2 were not only allowed to act as they did, they were even responsible for taking appropriate action.

not informing C directly

C claims:

 - R1 and R2 entirely ignored the fact that I was carrying at least two communication devices with me, connected to at least four handles, all of which both R1 knew and could have called. They proved their capability of getting a phone call routed through to me several times before, so I strongly suggest they could have done that in the case at hand as well. That makes the case look even more like an abusive power play.

At an event like this people mostly try to communicate over the eventphone (www.eventphone.de), but it only works at the event location (and may be down now and again, especially the GSM part). Since C had left the event location, R1 and R2 could not know that they could contact C in the way C described. If R1 and R2 used the eventphone at the event location, they may not have had a working private phone with them to call the private number of C.

While a little more research might clarify whether R1 and R2 could have contacted C by phone, there is something else that has to be considered a valid reason not to call C, even if we assume that they could: the time at which R1 and R2 discovered the CAP forms. It was in the middle of the night, even by the standards of geeks (3 - 4 in the morning). R1 and R2 intended to leave the location to get some sleep for the next day. C had been asleep for some hours at this time.

If C had not gone to the event location after the call to grab the CAP forms in the middle of the night, a call would not have changed the actions that R1, R2 (and WIT3) had to take to secure the CAP forms. So a call would not have helped to solve the problem in this case.

If C would have gone to the event location,

So the decision not to call C at this time ensured a lot of sleep for a bunch of people and saved them a lot of trouble. The chance that a call would have made a difference (because of C returning to the event location) to what R1 and R2 would have had to do to secure the CAP forms cannot be estimated. But the costs of such a call can be (non-trivial for multiple persons). The level of security for the CAP forms would not have changed dramatically through a call. So the gain from the call would have been minor.

Because of this, R1 and R2 not calling C (if they were even able to do so) at this hour has to be considered a sensible decision. They should not be made responsible for this.

not informing C and giving back the CAP forms ASAP at the next day

Even though it was sensible not to disturb C with a call in the middle of the night and to solve the problem without the knowledge and involvement of C, R1 and R2 could have done a lot more to inform C about the whereabouts of the CAP forms and their intention to return them to C, and maybe even a timeframe in which they would be able to do so.

They could have left a note at the booth about what they had done, or tried to get hold of someone at the booth when they returned to the event location the next day, who may have been able to inform C, even if they did not meet C at this time.

They could even have tried to actively get in contact with C or to wait at the booth for him.

But since they did not know when C would return to the event location or the booth, one cannot expect them to go as far, since they

Since R1 and R2 did not have to stay at the booth until they would meet C there, the only thing they failed to do is to leave information to C. They cannot be responsible to be available to return the CAP forms at any given time when C would learn about the events of the night.

Such information probably would not have changed the security of the CAP forms or the time of their return to C. But it may have saved C a lot of trouble and concern.

To leave a note would have been the nice (and right) thing to do.

Some statements indicated that R1 and R2 intended to educate C about the privacy issue and did not inform him before they had time for a discussion of the problem.

Education is one of our community principles and has to be considered to be a valid reason: Principles of the CAcert Community:

Training
We train our users. We train our users to train other users. If we accept someone in a role, we train, we test, and we support them. The training is provided for free.
For our core community roles such as Assurer, sufficient quality training will be available at no charge. 

While this may be a good reason to wait with the return of the CAP forms until R1 and R2 had time for a longer discussion of the original problems (because they may have thought that they may not be able to get the attention of C after the return of the CAP forms), it is not clear if not informing C was helpful in this regard.

Sure, C would have to discover the loss of the CAP forms and experience the worry of the loss, so the training about the risks of leaving CAP forms alone was probably much more intense than if he would have just been informed about the events. But while experience is a good teacher, just the fact that someone moved the CAP forms could be considered to be enough in this regard. The additional worry was probably not needed.

Whether this is the case, and whether the additional experience was worthwhile as training, is hard to tell from a distance. The delay may be covered by the training effect it had on C.

However since C was informed by WIT3 after he discovered the loss, the time to worry about the safety of the CAP forms should not have been long for C. So no real harm can be detected. Since R1, R2 and WIT3 probably thought that they had acted as a team of three in the night, from their perspective information by WIT3 was the same as one by R1 or R2 (even if it was different from the perspective of C).

The delay of the information and the return also was minor (1 - 2 hours if one does not count the information by WIT3) compared to everything else. C planned to leave the CAP forms alone for 12 hours and even stayed away for 13. One or two additional hours do not change a lot in this regard. The event also went over 3 additional days, during which R1 and R2 could have returned the CAP forms. The CAP forms have to be secure for 7 years.

Overall it would have been better if R1 and R2 had informed C as soon as possible, probably with a note at the booth. This could have spared C the worry about a potential loss of the CAP forms. It would have been the nice thing to do.

But there was no direct harm connected with the comparably short delay and it has to be regarded as just covered by our principles, because of a potential additional training element.

Summary

An assurer may (or even should) secure CAP forms as done by R1 and R2. Especially since they also prevented each other from committing a privacy breach.

It was sensible that they did not call C in the middle of the night to solve the problem together with him.

But it would have been better if they had informed C about their actions sooner.

However this delay was minor and is even just covered by the training principle of our community.

Since the action itself was indicated by our policies (and the principles), the comparably short delay to inform C and return the CAP forms cannot change this.

R1's and R2's actions were covered by their authority as assurers (or community members).


E. Were R1's actions covered by his authority as event organizer?

An event organizer (EO) is responsible for all assurances done at the event being covered by AP. After an event the EO even has to give a CARS about this in the event report.

EventOrganiser:

The tasks are: 
[...]
running the event
- briefing to all Assurers,
- cross-assurances, coaching, training, AssurerChallenge, helping the new Assurers,
- ensuring that quality is maintained and that Assurance Policy is followed, ready to deal with minor issues as they arise 
[...]
post-event
- a report to EventOrganisationOfficer on the event
[...]

Events/EventOrganisation:

Part 2 - Later or at home
[...]
if you are the EventOrganiser:
-    you have to write an Event Report for audit purpose to confirm in the report that the Assurance Policy was followed during the event and sending the report to the EventOrganisationOfficer

Because of this an EO has to ensure (among other things) that the privacy of the assurees is not violated. If an EO detects some private information "flying around", the EO is responsible for collecting and safekeeping it to prevent (further) privacy issues, at least until it can be handed back to the correct owner, if one is identifiable.

While every assurer should step in to ensure the security of personal data, an event organizer has to do so during an event. Else an EO would not be able to give the needed CARS for the event report.

As EO, R1 had to ensure that no privacy would be violated at the CAcert booth. So the confiscation of the CAP forms is covered by his authority as EO. Even C agrees on that.

- I am totally ok with R1, as event organizer, noticing a privacy issue. Now, if he *had* tried to call me, and would have failed, I would have regarded it as totally ok if he secured the forms in some place, and then informed me about it later, but returning the forms to me immediately.

The next question is, again, whether the delay in informing C and returning the CAP forms was ok. The arguments are comparable to those for an assurer. But for an EO the argument that R1 wanted to confront C in person, with enough time to discuss the matter, weighs even more, since he was responsible for ensuring that C was duly informed about the privacy problem, so that the same problem would not occur again.

Another solution, where C did not have to worry about the CAP forms at all, may have been preferable. But since the delay was comparably short, the chosen time to confront C is inside the bounds of leeway, which have to be allowed for the decisions of an event organizer to solve a problem.

R1 acted inside his authority as event organizer.


F. Were R2's actions covered by his authority as arbitrator?

Probably not, since there was no arbitration case filed.

During the evidence gathering process the subject came up between C and the DRO under what circumstances an arbitrator can act in an emergency case. This is currently not documented well.

It has to be possible for arbitration to act in an emergency, and since the normal way to handle a dispute is quite time consuming (about 2h is needed alone to grab a case, create the according wiki page and close the case), there may be cases where the normal formalities have to be skipped or postponed. One can even think of situations where the normal procedure may be impossible, since it depends on being able to connect to the OTRS, mail and wiki systems, and on triage/support being available to hand the dispute through to arbitration in the first place. If there is an emergency in these parts where an arbitrator would be needed, arbitration has to be able to work anyway, since it is the fallback for unpredictable situations installed in CAcert.

Because of this, the fact that no written dispute was present at the time of the events does not have to be a hindrance to authorize arbitration activity in itself. But later documentation (also about the reasons why it was acted without a proper documented case) probably would have been needed.

However, since R2 did not act as an arbitrator in this case, as discovered above, the question if the actions would have been allowed by an arbitrator (and what documentation etc. would have been needed) is not relevant in this case and should not be finally answered here.

But it would be a good idea if the arbitration team would cover this, for example in the arbitration training lessons. I recommend doing so.

Edit 2014-01-08: DRO added a first version for an arbitration training lesson on this regard.


a. Did R1 abuse his position as event organizer?

No, his actions are covered by his authority as event organizer.

The claim, that R1 abused his position as event organizer has to be dismissed.


b. Did R2 abuse his position as arbitrator?

Since R2 did not act as an arbitrator he could not abuse his position as an arbitrator.

The claim that R2 abused his position as arbitrator has to be dismissed.


further problems encountered by A in this case

I. Consequences of C's possible privacy breach (leaving CAP forms unattended for hours)

As discovered above C did violate his obligations regarding the security of the private information written in the CAP forms when he left them unattended over night at the event location of the 29C3, even when they were covered by a laptop.

C argued that it was only for a "short time".

While it is true, that some hours are a short time compared to the 7 years C is responsible for the privacy of the documents, it is quite a long time for an attacker who wants to access the private information on the CAP forms.

A short time would be a few minutes, for example to use the bathroom. But even then one has to trust one's luck that the privacy is not disturbed while doing so.

12 to 13 hours overnight, as C stayed away from the CAP forms, is too long to leave CAP forms unattended in plain view at a place where a lot of people come along (even if covered originally by a laptop).

But the time the CAP forms were exposed was dramatically reduced (to a third or quarter) thanks to the actions of R1 and R2.

All persons present rated the remaining possible privacy breach as minor enough to not file a dispute about it. At least R2, WIT3 and C were trained as co-auditors in filing such disputes and had done so before.

Their explicitly stated and legitimate decision against a dispute on this matter has to be respected. So there should be no ruling over the found privacy issue without a further dispute.

II. Problems with statements of a co-auditor found in this case, not in line with our policies

In the original dispute and the following statements C gave some arguments that were not addressed before, but should be addressed now, because they are not in line with our policies. This could leave a wrong impression to readers, if they were not commented, since C mentioned them with a reference of being a co-auditor.

In the original dispute C stated:

As discussed above, just by accepting a filled and signed CAP form, a CAcert assurer acts under the AP and the proceedings of the assurances are directly connected to CAcert. The signature of the assurer only states, that everything went well. If the signature is not given, the process of assurance may not be finished and may even be stopped by the assurer, but everything done is under the authority of the AP. Any assurer accepted that (by previously accepting CCA and maybe even AP directly and by accepting the request of the assurer to handle the assurance under AP).

For the obligation to protect (the private information on) CAP forms, it does not matter, if the data is entered into the system or not. Again AP and PP apply.

There is no term of "active assurance" in the AP or anywhere else. Since the face-to-face meeting with the assuree was over, the assurees could assume that the assurances would be entered into the system, if C would not detect something unexpected later. The date of an assurance entered into the system is that of the face-to-face meeting. This is also the date used by arbitration to figure when the 7 years are over. So the assurances should be treated as real and running assurances even if they were not entered in the system and the assurance process could be canceled by the assurer. (But that is the case for any assurance. Any assurer can ask for a revocation of an assurance at any time. If this is done within a day after the assurance is entered into the system, this can even be handled by support without the need to go through arbitration.)

For the same reasons as above this is wrong. That assurances are more than a personal issue between assuree and assurer even at this state, can also be concluded from the fact, that those assurances can be addressed with a dispute, as C should know since he was involved in such disputes before (for example a20100304.1).

Being an assurer one never acts as a representative of CAcert while performing an assurance according to AP.

The assurer part of a CAP form does not address the assuree, but the CAcert community. Assurees should know even without the assurer if they are the persons they claim to be. It has no value to state this to the assuree. The CAcert community wants to rely on the statement of the assurer, so the community can trust assurees to be who they claim to be. That would not work if the assurer just acted as a representative of CAcert. So the assurer is giving a statement to CAcert by signing the CAP form. Assurers are acting in their own name and no one else's by signing a CAP form or giving any other CARS (CAcert Assurer Reliable Statement).

Every assurance is of interest to CAcert. They are done under a policy of CAcert. And every single one of them is relevant for the web of trust (WoT) of CAcert. A lot of effort is done by arbitration (and other parts of CAcert) to preserve as many of them as possible. There is even a figure to show how valuable every single assurance is to CAcert: € 1000,-

Not only assurees can file a valid dispute in such a case. Every community member can do so (even non-members - for example parents for PoJAM assurances - can do so). C should know this, since he had issued disputes on assurances where he was neither the assurer nor the assuree before. (For example a20111230.1)

On a side note: Arbitration cases are not passed from a claimant to arbitration directly, at least not outside of an emergency.

According to What is a co-auditor?:

A co-auditor is a very experienced Assurer who helps the Assurance Officer collect results suitable for verifying the entire system of Assurance. These results are collated for audit over CAcert. 

Since our WoT is one of the basic elements of trust for our certificates, the internal auditor was asked about the importance of a co-auditor arguing in the way C did. The internal auditor suggested ordering the board to take the co-auditor status away from C, or at least suggesting this to the board.

However it is a little bit harsh to order board on this matter, if there are other alternatives. C showed interest to learn when he asked his questions.

Since the community also has an interest to have enough co-auditors, it would be better to ensure that C has learned his lessons and let him continue to do co-audits.

The right authority for co-auditors is the Assurance Officer, so the matter should be given to him.


Ruling

1. R1 did not abuse his position as Event Organizer. I dismiss the case against R1.

2. R2 did not abuse his position as Arbitrator. I dismiss the case against R2.

3. The seizing of the CAP forms by R1 and R2 is covered by our principles and policies. While some details leave room for improvement, no action should be taken against them.

4. A privacy issue of C was discovered in this case. But since multiple persons trained in the matter were present at the events and explicitly decided against a dispute, I will not rule on this matter here, because of a missing dispute. The matter is not finally handled by this ruling and stays open for further disputes.

5. C showed some uncertainty and ignorance about core elements of assurances, related policies, privacy and security issues. As a Co-Auditor he is specially trained and should be well aware of these issues. Even more, he should be able to train others on such issues. The Assurance Officer (AO) shall re-evaluate C's fitness as a co-auditor with respect to the detected issues. If considered necessary, C's co-auditor status may be suspended for further training. If C fails the process, C's co-auditor status should be revoked altogether.

6. The final decision of the AO about C's co-auditor status shall be recorded as a post arbitration result.

7. Since the reason for the intermediate ruling is gone, because R2 will not be concerned by the remaining part of the case as a respondent, the need to give C and R1 the same information as R2 gains as an arbitrator regarding this case is canceled. A and CM do not need to forward such information to either of them anymore. However the private part of this case should stay visible to C and R1.

-- Cologne, 2014-01-11

Execution

current status of review process will be documented under Co-Auditor

Post arbitration action

Comment from A: Because of the resignation, a final decision from the AO on C being a co-auditor can be considered obsolete.

Personal words from (A)

There are very few arbitration cases in CAcert that get personal. This probably shows the good spirit in our community, and the ability to solve most personal issues without the need to involve authorities. Sadly, this case is one of the few others, with people accusing each other of lying and worse. It is no fun to be involved in such a case. So I want to say some personal words in the hope that such cases can be avoided in the future. I personally think, after all I've written above to handle the case in the formal way of arbitration, some of the following is more important than anything above.

C had every right to file a dispute, since every member has every right to file a dispute about more or less anything. But theoretically the dispute was not complete, since according to DRP 1.4 a dispute has to specify 'The action(s) requested by the filing party (technically, called the relief).' We could have rejected this case. But the complaint of the dispute 'abuse of position [of an arbitrator]' was so severe that if it was true and not handled, the integrity of arbitration and through that an important leg of CAcert would be damaged.

Most of the questions asked in my mails were to look for hints that an arbitrator had abused his position as arbitrator. At the same time it seemed like the real interest of both sides was to get an answer to other questions. (Probably the real one - the personal one - never asked.) Nonetheless the complaint of abuse of position of an arbitrator was repeated.

I do not want to discourage people from filing disputes. On the contrary, I think it is quite important that such an option exists. Else I would not have taken the job as arbitrator. But even easy cases take a lot of time, if handled with appropriate seriousness. If one looks at the history log and the length of the discovery, one can imagine how much time is needed for a case like this. It does not even display all the research done 'behind the scenes' (like looking up policies, old cases or other resources).

It would have been a lot easier for all of us if the complaint had been more focused and in line with the actual problem.

Before filing a dispute, one should always consider if the problem can be solved in another way and what can be gained or healed by a dispute. Arbitration is probably the most expensive way to solve anything in the context of CAcert. We have only so many resources - volunteer time being a valuable one. The time which went into this case could otherwise have been used to write some patches, to polish up the wiki, to work on the policies or to solve multiple other arbitration cases which have been waiting a long time and need some arbitrator's time dearly.

I really doubt that the original events were worth all the time and I also doubt that any party is satisfied in the end. So I ask both sides to consider if it was worth all the trouble. I know that the respondents did not file the dispute and are not directly responsible for the complaint. But it looks like there may have been ways to handle the information and confrontation of C in a way that may have prevented a dispute.

Even as their actions are covered by our principles, I think it would be appropriate for them to apologize to the claimant for the time he was not informed about what happened to the CAP forms and the worry he went through until he got them back.

I will not order them to do so, since an ordered apology has no worth. As things went, I'm not sure if they will be able to show such greatness, because this case probably cannot cure all hurt feelings that arose between the parties since the dispute was filed. It probably even intensified them.

On the other hand a thank you to the respondents would have been more appropriate than to file a dispute against them, because R1 and R2 are mostly responsible for the fact that the original issue (CAP forms lying around) was stopped and classified as minor.

Similar Cases

- a20100304.1: dispute for privacy purposes
- a20120614.1: Emergency Patch
- a20120622.1: Authorize emergency visit
- a20130904.1: Educated Assurance Issues - Possible Precedent Case
- a20101227.2: Reimbursement of expenses for 27c3 event
- a20111230.1: Dispute filing about Junior Member