- Case Number: a20121228.1
- Status: closed
- Claimants: Dominik G
- Respondents: Benny B, Martin G
Initial Case Manager: AlexRobertson
Case Manager: BernhardFroehlich
- Date of arbitration start: 2013-11-17
- Date of ruling: 2014-01-11
- Case closed: 2014-01-31
- Complaint: Abuse of position
- Relief: TBD
Before: Arbitrator EvaStöwe (A), Respondent: Benny B(R1) Martin G(R2), Claimant: Dominik G(C), Case: a20121228.1
- History Log
- Original Dispute, Discovery (Private Part) (optional)
- Discovery (Visibility of private part)
- Intermediate Ruling (Visibility of private part)
- Questions to be answered by this case
- Collection of statements
- about the complaint
additional questions by C, R1, R2
- 2. Updating the Assurer Handbook (or whatever) to point out that an assurer should visibly prove their submission to CCA, AP, etc. *before* having the assuree decide whether they permit usage of their data
- 3. Educating assurers to follow that proposal
- 4. Making very clear that an Arbitrator has no rights of self-justice, only when handling a real arbitration case under a duly filed dispute
- 5. Making very clear that CAcert is community-driven without a strong hierarchy, so all efforts should involve all related parties within the community
- 7. What are necessary precautions (recommended and required ones) to be taken by the assurer for such a CAP form?
- 8. Why is it ok for another community member to move those [CAP forms] to a place as unsafe as the old one?
about the complaint
- B. Did R1 act as event organizer?
- C. Did R2 act as arbitrator?
- D. Were their actions covered by their authority as assurers?
- E. Were R1's actions covered by his authority as event organizer?
- F. Were R2's actions covered by his authority as arbitrator?
- a. Did R1 abuse his position as event organizer?
- b. Did R2 abuse his position as arbitrator?
- further problems encountered by A in this case
- Post arbitration action
- Personal words from (A)
- Related Policies
- Similiar Cases
2013-01-07 (issue.c.o) case s20121228.61
- 2013-01-07 (iCM): added to wiki, request for CM / A
2013-11-17 (A): I'll take the case, BernhardFröhlich will be CM
- 2013-11-18 (A): sent init mailing to C, R1, R2
- 2013-11-18 (Infrastructure): C, R1 gained read acces to private part
2013-11-18 (R2): accept CCA & DRP
2013-11-18 (R1): accept CCA & DRP (and rest from init mail)
- 2013-11-18 (A): information about read access and question to C to clarify some points of the original dispute
- 2013-11-18 (C): clarification of the dispute
- 2013-11-19 (A): question to C about possible (textual) mixup of policies and possible witnesses
- 2013-11-19 (DRO): contests part of the argumentation of C concerning emergency actions from arbitrators
- 2013-11-19 (C): confirms textual mixup and likelihood of two possible witnesses mentioned in last statement
- 2013-11-21 (R1): gives statement
- 2013-11-21 (A): question to R2 if he also wants to give a statement
- 2013-11-21 (R2): wants to give a statment until end of week (VoIP)
- 2013-11-22 (C): challenges some of the points made by R1 in his statement.
- 2013-11-22 (C): challenges that the arguments given by the DRO can be applied to the given case
- 2013-11-23 (C): asks A/CM to explanation, why someone not currently related to this case is making claims on it and whether there has been an information leak.
- 2013-11-23 (A): I did not discuss details of the case with anybody outside arbitration or C/Rs (treating them equally) and have no reason to assume that anybody else from arbitration did so
- 2013-11-23 (R2): gives statement
- 2013-11-23 (A): more questions to C, R1, R2
- 2013-11-23 (A): ask for contact-information for WIT1 and WIT2
- 2013-11-23 (C): provides contact information for WIT1 and WIT2
- 2013-11-23 (C): answers additional questions
- 2013-11-23 (A): questions to WIT3
- 2013-11-25 (R2): answers additional questions
- 2013-11-25 (R1): answers additional questions
- 2013-11-25 (C): gives personal impression to one of the answers from R1
- 2013-11-25 (A): questions to WIT1
- 2013-11-25 (A): got bounce for Mail to WIT1
- 2013-11-25 (A): questions to WIT2
- 2013-11-25 (A): used other address for WIT1 to send questions again
- 2013-11-26 (A): asked EOO about event-report (report is marked as missing in overview)
- 2013-12-01 (A): consulted internal auditor (Skype)
- 2013-12-02 (A): 1st reminders to WIT1, WIT2, WIT3
- 2013-12-02 (WIT1): I'll try to make a statment within 24 hours
- 2013-12-03 (WIT2): statement
- 2013-12-10 (A): question to R1 as EO if he has written an event report
- 2013-12-10 (C): I have send an event report to EOO
- 2013-12-10 (A): 2nd reminder to WIT1 about statement
- 2013-12-10 (WIT1): statement
- 2013-12-11 (A): 2nd reminder to WIT3 to send a statement
- 2013-12-12 (WIT3): statement
- 2013-12-12 (A): additional question to WIT3
- 2013-12-12 (A): additional questions to WIT1
- 2013-12-12 (WIT1): answers additional questions
- 2013-12-17 (WIT3): answers additional question
- 2013-12-17 (A): even more questions to WIT3
- 2013-12-17 (WIT3): answers even more questions
- 2013-12-18 (R1): sends event report and explains why he did not send it before
- 2013-12-22 (A): answers C that his event report is not needed, but if C thinks it is relevant he can send it in for consideration
- 2013-12-23 (A): thank you for your help to get everything together and notification about composition of statements, event-story and further proceedings to C, R1, R2, WIT1, WIT2, WIT3
- 2014-01-05 (A): irc-chat with AO about co-auditors, important knowledge and retraining
- 2014-01-06 (A): notification C, R1, R2, WIT1, WIT2, WIT3 about impending disclosure of statements
- 2014-01-08 (DRO): added training lession about arbitration emergency actions, as reaction to recommendation in the discovery
- 2014-01-11 (A): ruling, sent to C, R1, R2, AO, (CM, WIT1-3)
- 2014-01-31 (A): closed case
Original Dispute, Discovery (Private Part) (optional)
Link to Arbitration case a20121228.1 (Private Part), Access for (CM) + (A) and because of intermediate ruling C, R1, R2 only
EOT Private Part
Discovery (Visibility of private part)
- R2 is an arbitrator. As an arbitrator he has access to the private part of this case and other arbitrator-only areas, where this case may or may not be addressed.
- To be able to handle a case in a fair way, claimants and respondents should be able to access informations equally.
- To reduce the visibility of the case for R2 would be quite complicated since he also is a wiki administrator.
- The allegation is quite serious and since it concerns people with non-trivial functions - especially an arbitrator -, it is in the interest of the community to be as transparent as possible with this case.
- The incident of the dispute evolved around a (possilbe) privacy issue. Even as it is unlikely from the current point of view. it may be needed to look into some of those private informations during the case, To be able to document this accordingly the private part of the case may be needed.
- There are also some other situations where it is usefull, to file something in the private part at least temporarly.
So even while as much as possible should be transparent to everybody, eventually, there are reasons to not abandomn the private part. C and R1 also being able to follow everything happening in the private part should cover the need to give them equal access to informations.
Intermediate Ruling (Visibility of private part)
Since one of the respondents is an arbitrator and can see the private part of this case A/CM will ensure, that C, R1 and R2 will gain the same access. The same goes for mails and other communication regarding this case that is visible to him because of being an arbitrator.
- 2013-11-18 (A): Send to C, R1 and R2 via init mailing
- 2013-11-18 (Infrastructure): C, R1 gained read acces to private part
Questions to be answered by this case
complaint: abuse of position of R1 as event organizer and R2 as arbitrator
- Did R1 abuse his position as event organizer?
- Did R2 abuse his position as arbitrator?
to answer those questions:
- What happened?
- Did R1 act as event organizer?
- Did R2 act as arbitrator?
- Were their actions covered by their authority as assurer?
- Were R1's actions covered by his authority as event organizer?
- Were R2's actions covered by his authority as arbitrator?
additional questions from C, R1, R2
additional questions from C:
- Updating the Assurer Handbook (or whatever) to point out that an assurer should visibly prove their submission to CCA, AP, etc. *before* having the assuree decide whether they permit usage of their data
- Educating assurers to follow that proposal
- Making very clear that an Arbitrator has no rights of self-justice, only when handling a real arbitration case under a duly filed dispute
- Making very clear that CAcert is community-driven without a strong hierarchy, so all efforts should involve all related parties within the community
additional questions from R1/2:
- What are necessary precautions (recommended and required ones) to be taken by the assurer for such a CAP form?
additional question from C:
- Why is it ok for another community member to move them to a place as unsafe as the old one?
further problems encountered by A in this case
- Consequences of Cs possible privacy breach (leaving CAP forms unattended for hours)
- Problems with statements of a co-auditor found in this case, not in line with our policies
Order of addressing the questions
Since some of the additional questions need to be answered at least partly to answer the legitimation of the acts of R1 and R2, but those questions being mostly general questions without a direct connection to the events of the case, the questions will be adressed in the following order. The general answers could be used to answer the concrete events by doing so.
concrete events and timeframes
1. - 8.
B. - F.
questions concerning the original dispute
additional problems that have to be addressed by this case
Collection of statements
Collection of statements made in this case about what happend. Those statements are anonymized as far as possible.
about the complaint
A. What happened?
Combining all statements made in this case, the following happened.
Note: The participants did not agree on everything, but either both views can be explained by time passing by and things happening in-between, or they are not needed to decide on, to solve this case.
As far as known all times are CET - local time.
- 2012-12-27 at about 23:00
- C, WIT1 and WIT2 left the 29C3 location.
- C intended to come back to the location "before noon of next day".
- C left a folder with CAP forms of assurances he made over the day "well hidden" under his laptop.
- those assurances were not signed by C and not entered into the CAcert system.
- 2012-12-28 at about 03:30
- R1 and R2 came to the CAcert booth to check if everything was okay.
- When 5 to 10 meters away, R2 pointed R1 to a clipboard below the laptop of C. In concern of a possible privacy breach R2 asked R1 to check IF the forms were filled in while ensuring no information was read or copied (if present).
- Noticing THAT information was filled in R1 and R2 mutually agreed to ask a third assurer WIT3 to assist in assessment of the situation.
- R1 knew, R2 assumed that C was the owner of the clipboard.
- WIT3 was called to the CAcert booth by R1 or R2.
- When arriving at the CAcert booth, WIT3 could see the clipboard below laptop
- WIT3 got informed by R1/R2 about contents of clipboard.
- R1, R2, WIT3 discussed the further course of action and came to the conclusion to safe-guard the CAP forms until they could be handed back to C in person ASAP.
- "that it makes sense to seal the Clipboard containing the CAP-forms to take care of the applicants privacy." - according to WIT3
- To prevent accidental exposure of the topmost form it was flipped over to its back-side (blank).
- Before handing over the clipboard to R1 for safe-guarding the clipboard was sealed by R2 while the process was being observed by WIT3.
- R1 stored the sealed clipboard with all CAP forms in his bag at the engel area (separate area at the congress where only volunteers have access), to ensure that it could not be accessed even by R2 (who was responsible for the seal and shared loggings with R1) or WIT3.
- No note for C was left, nobody else was informed, C was not called (apparently, because it was the middle of the night and R1, R2, WIT3 preferred to inform C personally)
- 2012-12-28 around 12:00 (noon) (no witness statements cover the arrival or leaving of persons at the booth)
- R1 arrived at the congress location, passed CAcert booth on the way to engel area, but did not notice C, wanted to follow tracks (according to R1)
- R2 arrived at the congress location, did not go to CAcert booth directly (according to R2)
- C returned to CAcert booth and saw R1, R2 leaving at his arrival, instead of informing him about the confiscation (according to C)
- C discovered that his CAP forms are missing
- C directly contacted WIT3 about missing forms who informed him, that he had seen R1, R2 do something with his clipboard (according to C, WIT3 does not remember this)
- C tried to contact R1, R2 about missing forms for about an hour (according to C)
- According to WIT1 the next events happened only some minutes after C discovered the CAP forms missing.
- R2 was attending two talks until next events; he did not try to contact C (according to R2s statement)
- 2012-12-28 "Some time after noon"
- R1 returned to the booth.
- C asked R1 if he had seen the clipboard
- according to R1:
- R1 instantly acknowledged
- R1 mentioned that based on the earlier proceedings the return has to be witnessed by R2 to verify the seal.
- C threatens R1 to report the incident to the event administration for theft/stealing/misappropriation.
- R1 calls R2 on the phone to organize the return of the clipboard and verification of the seal.
- After R2 arrived at the stand R1 went to fetch the clipboard whose storage was not disturbed.
- When returning to the stand, R1 directly handed the clipboard to R2 to check on the seal to be intact.
- R2 checked the seal and addressed C for the return of the clipboard.
- C instantly took the clipboard away from R2 forcefully and starts to complain about the proceedings.
- R2 and R1 both tried to explain the backgrounds of the safe-guarding to C, pointing out the situation when the CAP forms were found at the CAcert booth unattended.
- R2 and R1 mutually agreed to not unnecessarily follow up on these events, especially to not file dispute as the situation was assessed as minor and had been resolved from their point of view.
- 2012-12-28 14:05 C filed this dispute
time an assurer has to safe keep CAPs
time C intended to leave the CAPs unattended
about 12 hours
time between C leaving CAPs and returning
about 13 hours
time CAPs were left alone
about 4 hours
time CAPs stored by R1
time R1/R2 failed to return CAPs to C
time of C not informed after his discovery that CAPs were gone
(WIT3 informed him according to C)
additional questions by C, R1, R2
Beside the complaint, a lot of questions were asked by both sides to be answered by this case. Some of them are only very lightly connected to the original complaint or the events covered by this case.
As arbitration can be used to clarify some questions especially about how policies work together (often resulting in precedents cases), there are also some other forums that are better suited to answer most of the questions asked here.
An arbitration case should cover all aspects of the case to be complete. But as the CM of the case puts it: "arbitration is no request programme". A single arbitrator should be very careful before giving orders to policy group or other authorities to alter practices. For most of the things asked to clarify in this case, there is no evidence that there is a global problem, which has to be fixed by orders of arbitration.
So even while all those questions will be covered by this case somehow to fulfil the need of completeness, the answers will probably not be the ones hoped for by the parties.
- Assurance Policy (AP)
- 0.3 Related Documentation
Documentation on Assurance is split between this Assurance Policy (AP) and the Assurance Handbook.
- 2.1 The Obligations of the Assurer
The Assurer is obliged to: - Follow this Assurance Policy; - Follow any additional rules of details laid out by the CAcert Assurance Officer; - Be guided by the CAcert Assurance Handbook in their judgment; [...]
- Assurance Handbook (AH)
Overriding Documents -> A word on Policies
- How is privacy protected?
Any direct intervention of arbitration into the work of policy group can be seen as a severe intrusion to the idea of separation of powers of CAcert (arbitration being the judiciary, policy group the legislative organ of CAcert).
As an arbitrator I have the authority to rule a change in policies and procedures according to 3.6 DRP. But I and my fellow arbitrators (as far as I have consulted them) agree that such rulings should be restricted to cases where it is needed to prevent CAcert from imminent damage, which cannot be dealt with otherwise.
This is not the case here.
Any CAcert member who sees the need for a policy change can address policy group. An arbitration ruling is not needed to do so.
Every assurer (in a CAcert context) is bound to AP, since at least 2010.
According to AP 3.1:
The Assurer is obliged to: Follow this Assurance Policy; Follow any additional rules of detail laid out by the CAcert Assurance Officer; Be guided by the CAcert Assurance Handbook in their judgement; ...
Before everything else of an assurance begins, assuree and assurer have to agree about the assurance.
According to AP 4.1:
The process consists of: Voluntary agreement by both Assurer and Member or Prospective Member to conduct the Assurance; ...
Since the AP is speaking of assurances as assurances under AP, they have to agree that the assurance is an assurance under AP.
According to AP 4.5:
The CAcert Assurance Programme (CAP) form requests the following details of each Member or Prospective Member: ... Statement of agreement with the CAcert Community Agreement; Permission to the Assurer to conduct the Assurance (required for privacy reasons); ...
By filling out the CAP forms the assurees state, that they give the permission to conduct an assurance (again under AP) - nothing else.
So even if assurer and assuree do not talk about what they are doing, the assuree asks for an assurance under AP by filling out the CAP form, signing it and handing it over to the assurer. When the assurer accepts it, the assurer also agrees by doing so, to perform an assurance (under AP). Else the assurer cannot assume that the assuree gives the permission to access the filled in data.
The assurer part on the CAP form also documents this. But the CARS the assurer is giving by signing the CAP form is not that the AP is accepted at the time of the signature. AP was probably accepted by the assurer long before the actual assurance happens.
Assurance Handbook "What about that CAP form" explicitly says:
you CARS: you agree to the CCA, you are an Assurer (have done CATS Challenge, have 100 Assurance Points), that you have conducted the assurance to Assurance Policy, all covered by your signature.
The CARS is about that all went well according to AP.
The currently available CAP forms you can download from our website, also reads:
I hearby confirm that the information stated above is both true and correct, and request the CAcert Assurer (identified below) to verify me according to CAcert Assurance Policy.
I, the Assurer, hereby confirm that I have verified the Member according to CAcert Assurance Policy.
So every assurer (playing by our rules) is already giving a visual statement when accepting the filled in (and signed) CAP form from the assuree, that they will perform the assurance according to AP.
(Everybody not playing by our rules will not care what is written down somewhere else and even if they would make any visual signs that they would respect AP that would not make any difference.)
There is no need for any other signal, which HAS to be performed by an assurer. However since one of our principles is to educate our members it can be a good idea to explicitly state what one is doing in some circumstances.
But there are enough situations where this does not make much sense. For example multiple assurers assuring the same assuree at a big event one after another, or when two assurers are giving each other a mutual assurance.
There is no need to order the Assurance Handbook to be updated.
Anyone who thinks that it is a good idea to have the Assurance Handbook updated in this regard can address the AO (assurance officer).
3. Educating assurers to follow that proposal
While training is one of the principles of the CAcert Community, it is not the main job of arbitration to educate members or assurers, even if members may incidentally learn something by being involved in an arbitration case.
According to DRP 3.6 Remedies:
The Arbitrator generally instructs using internal remedies, that is ones that are within the general domain of CAcert the Community, but there are some external remedies at his disposal. He may rule and instruct any of the parties on these issues. * "community service" typically including - attend and assure people at trade shows / open source gatherings, - writing documentation - serve in a role - support, dispute arbitration or others as decided. * Fined by loss of assurance points, which may result in losing Assurer or Assured status. * Retraining in role. [...]
So a proposed remedy for arbitrators is to order retraining in a role, not to train someone themselves. The education itself should be done by the usual authorities.
The normal authority to train assurers is the education team lead by the education officer.
The education officer happens to be the CM (and supervising arbitrator) of this case so he is aware of anything related to this case. There is no need to inform (or even order) education further.
An arbitrator has no right to perform self-justice.
There is no known exception. Arbitrators are not allowed to handle any arbitration case when they are already involved in the case (even as witness) or other conflicts of interests are present.
... Each selected Arbitrator has the right to decline the dispute, and should decline a dispute with which there exists a conflict of interest. ... Arbitrators are experienced Assurers. They should be independent and impartial, including of CAcert Inc. itself where it becomes a party.
The current arbitration team is very aware of this. Known possible conflicts of interests are listed for each arbitrator in the list of arbitrators. Above that we try to not assign an arbitrator to a case where people are involved who previously were a party in another case that got personal. Not even as case manager. Some cases have to wait a little bit longer because of this.
For example R2 will not pick up a case where C is involved even as a known witness, if there are any other ways to get those cases handled.
The community plays a big role inside CAcert. A community spirit should be shown whenever possible.
CAcert is community driven in so far, as all our authorities are part of the community and every community member can participate at such important things like policy design - and theoretically everywhere, if they fulfil the requirements.
But processes within CAcert are very strictly formalized. We have
- clearly defined areas of responsibilities - some of them being exclusive
- hierarchies with officers for all areas
- duties to write reports and documentation
There are also some cases where a direct cooperation between some areas is not intended. For example support is not allowed to directly ask critical team for the execution of some sql queries. They have to go through arbitration to do so.
Arbitration on the other hand can give orders which are final and binding to any member of CAcert according to DRP 3.3. This can be done without the consent of the members for the given order since it may be a remedy the member is not happy with. Most of the orders given by arbitration are given even without previously consulting the ordered party about it. (Most orders are orders to support to provide some kind of information needed for a case or to perform some action on an account.)
So: No, there is no global concept within CAcert that "all efforts should involve all related parties within the community".
But there is much room for activities within CAcert outside the above mentioned formalities. Those are covered only sparely with explicit policies. The principles of the CAcert Community should be guidelines here. They are the basis for the CAcert Community Agreement.
AP and through this PP apply to the whole process. The same is true for the additional privacy elements included in AP and assurance handbook (AH). In theory a CAP form starts to fall under PP right at the beginning of the process, so when assurer and assuree start to discuss an assurance or at least when they agree on it.
In this regard it does not matter if the assurance is stopped later on, because the assurer is not sure about the identity of the assuree or the assuree getting doubts, later. The process is covered by AP independent from the result of the assurance process. If the assurance is not completed, the assurer is responsible for the CAP form as long as the assurer has hold on it thus being until the CAP form is either handed back to the assuree or destroyed or handed over to an arbitrator because of a filed dispute. (A situation like this is even described in the AH 1.3.2 Preparing yourself for an assurance as "Suggested Procedure").
On the other hand, it is impossible for an assurer to enforce PP as long as the assuree is holding the CAP forms. But even then, should an assurer at least inform the assuree about possible privacy issues.
Since there are enough situations where people do not actively discuss that they will perform an assurance, it may not be easy to define the exact time when the agreement for the assurance is made. However the latest possible moment is, when the assurer accepts a filled in and signed CAP form handed to him by the assuree.
As discussed above, both have agreed to an assurance under AP (and thus PP) at this moment.
It is probably not possible, to give a global answer to that question. There are so many situations one can imagine and most of them would contradict one answer or another.
Neither PP, AP nor Assurance Handbook give us real answers, in this regard, beside that an assurer has to store them secure from the access of others (even experienced assurers) and is responsible for the personal data for 7 years. The ATE-presentation does not tell us much more.
The first answer that springs to mind is something like: "Always keep them close at hand, so that you can keep an eye on them."
That would be quite unpractical in many situations. (For example when a visit to the bathroom is needed or one takes a shower during an event.)
The answer would probably also be different for
- being at a big event with other assurers around
- being at a smaller event as single assurer
- meeting alone with an assure
- traveling with the CAPs (afterwards) (by car/train/airplane, alone/with assurers/non-assurers who know about you being an assurer)
- during the night while on the event/travelling
- storing them at home while living alone/with others
- storing them at the office
- storing them in a bank safe
- what precautions you can afford
Since so much has to be included, it does not make much sense to just cover a number of guidelines. (Btw: If we set fixed guidelines and make them well known, everybody knows where to look for CAPs.)
However there is one answer that covers it all:
"Use your brain and look out to find the best safety for your CAPs in the given situation."
Nonetheless there is one thing that should be possible in nearly every situation and may be thought of as a required precaution:
"Keep the personal information covered up, when you do not need access to it right now."
At least this guards against accidental privacy breaches by persons being around. This can be done with:
- a hand, other documents, empty CAP forms or by
- turning the CAP forms upside down or
- folding the CAP forms
If no access to the forms is needed in the near future, it is a good idea to put them into a bag/case/backpack so that they will not be directly spotted (or forgotten).
At home one can store them even better. Maybe even in a safe or a cupboard only oneself can easily access.
Try to handle them, as if they would contain some valuable personal information of your own, for example access data to your bank account. Remember: Each of those CAP forms is (theoretically) worth up to €1000,- of your money.
The question if (or why) the move itself was ok, is covered somewhere else.
But I will compare the safety of the CAP forms before and after the move.
Before entering the topic, it is to say, that everybody (C, R1, R2, WIT1, WIT2, WIT3) seems to agree, that it was safe to leave worthy belongings at the event location, since according to different statements at least C, R1, WIT1 and WIT2 did so and R2 and WIT3 had no issue with R1 going to the Engle Area to store the folder containing the CAP forms with his belongings there.
But one has to make a difference about the security of things and data. In most situations potential attacker would probably focus on valuable items and leave mere paper with some data alone.
The events of this case took place at a hacker event, with many people present who knew the value of personal data and some of them looking for security issues for sport.
So even while it may have been safe to leave secure laptops and closed bags alone, that does not indicate the same safety for paper, obviously containing personal data.
The CAP forms as left alone by C:
- were in a location that could be entered by all visitors of the 29C3 (about 6000),
- were in a location that was not under explicit surveillance by anybody,
- were in a folder, something where every passer-by would think about it containing papers at first glance (instead for example a jacket or a bag that may contain food and drinks),
- were at a booth where it is announced, that real personal data is exchanged (and written down) there - probably the first place on the whole event, where one would look when interested in such information,
- could be read and put back afterwards, so that a privacy breach would not be detected.
The CAP forms as stored by R1:
- were in a location only available for the helpers (about 500),
- were in a location that was under surveillance all the time by either an archangel or a shift coordinator (and maybe even other helpers),
- were sealed and through this safe against accidental access,
- were inside a bag, so it was not obvious, that there was paper with personal data inside,
- were in a place where others stored their valuables, too, since it was under surveillance, someone who would start to search for items containing data, would attract the interest of others and probably be stopped,
- were unreachable by R2, R1 and WIT3 who knew that the data existed,
- could not be read by anybody without showing the privacy breach afterwards.
While it was not the obvious solution (taking the CAP forms back to the hostel), it was one of the best choices available, as far as can be said from the distance. (Sometimes the best solution can be quite unorthodox at first glance.)
Even if there may have been better solutions, at least it can be said that the new location of the CAP forms was a lot safer than the old one.
about the complaint
B. Did R1 act as event organizer?
R1 and C agree on this (nobody else had any memories in this regard).
Yes, R1 acted as event organizer.
C. Did R2 act as arbitrator?
- R2 is (and was a the relevant time) a member of the arbitration team and an active arbitrator, so he generally could have acted as arbitrator.
- R1, R2, WIT3 congruently stated, that they decided to avoid a dispute against C. Since at least some kind of dispute is needed (maybe a vocal one if in a hurry or emergency) to start arbitration and to act as arbitrator, this contradicts the idea of R2 acting as arbitrator.
- R2 stated, that he thought himself acting as assurer - a quite reasonable role for the actions he made:
> - Under what authority do you think you acted while confiscating the CAPs? As Assurer. > - Did you mention that authority to the claimant? Yes. > - Did you mention any other authority of yours to the claimant during the confrontation? I don't remember the exect content of that conversation as the conversation was kinda heated. [...] > In what context was the posibility of arbitration mentioned? > when returning the clipboard I mentioned to C I am not amused about this and I didn't intent to file a dispute against C in this case. After this I did't want to follow up on this.
- He abstained to mention his role as co-auditor or event team member, which may have been better suited for the given situation, than the role as arbitrator. It is not reasonable why he should have chosen a problematic role, if he could have chosen a more appropriate one, especially since he already mentioned the role that was the best matching one.
- When asked about the roles people acted on, WIT3 stated:
It MAY have been possible, that we have talked about being Arbitrator/Board-Member/Software-Assessor/... ... but ... ... to handle the privacy issue of the applicants this did not matter: As far i remember, nobody argued as Arbitrator/Board-Member/Software-Assessor/... but in the state of a CAcert-Community-Member/Assurer to prevent a privacy breach against CAcert and ensure, that the person keeping the CAP-Forms for the night cannot modify them (to keep them valid for the Assurer).
- According to this, it seems that all three actors (R1, R2, WIT3) were convinced, that the role as assurer was sufficient and no arbitrator was needed for securing the CAP forms.
- When asked in what context arbitration was mentioned during the confrontation, everybody - including C - only mentioned C threatening R1 and R2 with a dispute - which he did actually file later. Nobody could remember arbitration being mentioned in any other way, when answering that question.
- If R2 would have acted as arbitrator, and even more had stressed the bounds of arbitration, maybe threatening C with his position as arbitrator (so abusing his position), he would have had to mention arbitration and others should have remembered this and mentioned it when asked that question.
- C stated that R2 mentioned his role as arbitrator for his actions, when he was explicitly asked that question. But when first asked, what position R2 may have abused, C stated:
R2 accompanied R1 in his action because "that case could easily result in an arbitration", and he has a position in Arbitration.
- "Could easily result in arbitration" is quite away from "this is an arbitration going on". Only when an arbitration case is started one can act as arbitrator. But arbitrators are often asked to give their insight to a situation before it escalates and results in a real problem. An arbitrator is not actually acting as an arbitrator in that situation. It is comparable to asking a support engineer if it would be possible to revoke an assurance or change a name or anything. The support engineer would be the best person to answer that question but until he gets officially asked to do something, he cannot do anything and does not use his role as support engineer (but as expert).
R2 did not want to and did not think that he acted as arbitrator. Beside of his own argumentation this has to be concluded from the statement of WIT3.
Beside the one statement of C that R2 mentioned his position as arbitrator nothing can be seen in any statement that actually points to R2 having acted as arbitrator. On the contrary, all evidence - even the other statements from C - point to R2 having acted as assurer only and not as an arbitrator.
One has to come to the conclusion, that no, R2 did not act as arbitrator.
D. Were their actions covered by their authority as assurers?
C does partly accept that R1 and R2 were allowed to secure the CAP forms at least if they had tried to contact him first. (Even as he addresses the role of Event Organizer and not of assurer.)
R1 is correct in two points, and wrong in some others. I am going to draw the reason for this case from those arguments: + It is a little bit careless from a privacy point of view to leave a folder with filled-in CAP forms unattended at an event location, although it was well hidden under my laptop. + If the CAP forms had been of any interest to CAcert as a whole, some action should have been taken to solve this issue together with the assurer (i.e. me) [...] - I am totally ok with R1, as event organizer, noticing a privacy issue. Now, if he *had* tried to call me, and would have failed, I would have regarded it as totally ok if he secured the forms in some place, and then informed me about it later, but returning the forms to me immediately. It is, however, a completely different issue that he refused to return the forms (and the rest of the folder) to me until I forcefully took it from him.
So there may be a different answer for
- securing the CAP forms
- not informing C directly
- not informing C and giving back the CAP forms ASAP at the next day
Those points should be addressed one at a time.
securing the CAP forms
When asked about the authority they acted on, R1 mentioned:
> - Under what authority do you think you acted while confiscating the CAPs? Obligations of every assurer according to Assurer Handbook, sections 1.3.8 as well as privacy regulations to avoid unnecessary breach of private information. Furthermore as I had responsibility as event organizer I acted to limit the impact of private information floating around unattended at night at the stand.
The responsibility and authority of an event organizer is covered below, currently the focus has to be on the first part - the authority of an assurer.
Assurer Handbook 1.3.8. states about the storage of CAP forms:
Mutual Assurance. For a mutual Assurance, fill them in (or use two CAP forms). If the other Member is not an Assurer as yet, then - if the other Member is unsure, you may keep the CAP form(s) on her behalf (and take responsibility for both Assurances) which is why the form itself has both sets of details on it. - if the other Member is about to become an Assurer, or you otherwise judge the Member is capable of meeting the storage requirements, then she may keep her CAP form recording her Assurance over you. Storage. The Assurer has to securely keep the paper CAP form for at least seven years. You are personally responsible for this (and in the mutual assurance with a non-Assurer, you remain responsible!) ! It is your evidence that you have followed CAcert's Assurance Policy and that you met the applicant in person (face to face). For data protection and privacy reasons no-one else should have access to the CAP forms, once completed. [...] If you find yourself unable to keep the CAP forms for whatever reason, file a dispute at email@example.com, explain the circumstances, and request the Arbitrator to provide instructions.
So an assurer has to securely store CAP forms for 7 years without anybody being able to access them. This is a personal responsibility of the assurer.
But this section also anticipates situations where someone is not capable to secure CAP forms in such a way. In this case other assurers have to step in and take the responsibility. The example covered in this section is an assurer doing a mutual assurance with a non-assurer, but it can be used as a guideline to comparable situations, where the person who performed the assurance is (at least temporarily) not capable of securing the filled in CAP forms.
As C was not near the CAP forms when they were discovered by R1 and R2 and by this was obviously not capable to secure them in that moment, we have a (temporarily) comparable situation to the one described in the AH.
That an assurer may be unable to secure the CAP forms for any reason at least for a given time is also explicitly addressed later. However that part only covers what the assurer should do, not what other assurers who discover the problem should do.
Since this is not directly covered (other than the analogy discussed above), one should look at our global principles.
Security We strive to provide security. This means that we cooperate in securing ourselves and others. As a principle, security is led by the Security Officer, but it is our joint responsibility. Where we come into contact with security breaches, we disclose these.
This idea is substantiated further in the Security Policy (SP).
Security Policy 9.1.6 Security:
It is the responsibility of all individuals to observe and report on security issues. All of CAcert observes all where possible. It is the responsibility of each individual to resolve issues satisfactorily, or to ensure that they are reported fully.
The SP mostly addresses critical systems, but can be used as a guideline for other parts of CAcert: Security Policy 1.1.2. Out of Scope:
Non-critical systems are not covered by this manual, but may be guided by it, and impacted where they are found within the security context.
Both, the principles and SP give every community member of CAcert the responsibility to resolve security issues within CAcert and its community, when they are discovered.
So if there was a security issue, which was solved by the actions of R1 and R2, they acted rightly.
Even C states:
It is a little bit careless from a privacy point of view to leave a folder with filled-in CAP forms unattended at an event location, although it was well hidden under my laptop.
The Assurance Policy describes the obligations of an assurer regarding the CAP forms during the process of the assurance.
Assurance Policy 4.1 The Assurance Process:
The Assurer conducts the process of Assurance with each Member. The process consists of: [...] 7. Safekeeping of the CAcert Assurance Programme (CAP) forms by Assurer.
Assurance Policy 4.5 CAcert Assurance Programme (CAP) form:
The CAP forms are to be kept at least for 7 years by the Assurer.
There is another section that explicitely addresses privacy in the context of assurances.
Assurance Policy 7 Privacy:
CAcert is a "privacy" organisation, and takes the privacy of its Members seriously. The process maintains the security and privacy of both parties. Information is collected primarily to make claims within the certificates requested by users and to contact the Members. It is used secondarily for training, testing, administration and other internal purposes. The Member's information can be accessed under these circumstances: - Under Arbitrator ruling, in a duly filed dispute (Dispute Resolution Policy => COD7); - An Assurer in the process of an Assurance, as permitted on the CAcert Assurance Programme (CAP) form; - CAcert support administration and CAcert systems administration when operating under the authority of Arbitrator or under CAcert policy.
This list is final. No other access may be given to the member’s information by CAcert and its members.
Every other access has to be considered a security and privacy issue (for the assurer and the assuree) as the first paragraph indicates.
Since the CAP forms were accessible by every visitor of the 29C3 when R1 and R2 discovered them (as they proved by accessing them), there was a security issue present.
R1 and R2 had to act on this security issue according to SP and our principles.
The way R1 and R2 acted on, improved the security of the CAP forms (as discussed above under 8.). R1 and R2 even prevented each other (and everybody else) to gain access to the CAP forms without somebody recognizing this.
(On a side note: Since the CAP forms were not entered in the system, there was a real security issue for assurees who had not created an account at that time. A potential attacker could create an account with their data. If such an attacker could also compromise the primary email address, said account would probably get all the assurances of the assuree and the attacker access to named certificates on the name of the assuree.)
R1 and R2 were not only allowed to act as they did, they were even responsible to take according actions.
not informing C directly
- R1 and R2 entirely ignored the fact that I was carrying at least two communication devices with me, connected to at least four handles, all of which both R1 knew and could have called. They proved their capability of getting a phone call routed through to me several times before, so I strongly suggest they could have done that in the case at hand as well. That makes the case look even more like an abusive power play.
At an event like this people mostly try to communicate over the eventphone (www.eventphone.de), but it is only working on the event location (and may be down now and again, especially the GSM-part). Since C had left the event location R1 and R2 could not know that they could contact C in the way C described. If R1 and R2 did use the eventphone at the event location they may not have had a working private phone with them, to call the private number of C.
While a little bit more research, may clarify if R1 and R2 could have contacted C per phone, there is something else that has to be considered a valid reason to not call C, even when we assume, that they could: The time R1 and R2 discovered the CAP forms. It was in the middle of the night, even by standards of geeks (3 - 4 in the morning). R1 and R2 intended to leave the location to get some sleep for the next day. C was asleep at this time for some hours.
If C would not have gone to the event location after the call, to grab the CAP forms in the middle of the night, a call would not have changed the actions that R1, R2 (and WIT3) had to do to secure the CAP forms. So a call would not have helped to solve the problem in this case.
If C would have gone to the event location,
- it would have been a long wait for R1, R2 who wanted to get some sleep instead
- other - not involved people - may have been woken up in the middle of the night
- C would have to do a lot (get up, dress, go the event location, return, undress go to bed again) to just get hold on the CAP forms at a time, when they could be secured in some other way.
- a discussion about the problem at this time would probably have been an even more heated one between tired people, unhappy at each other because they were prevented to sleep.
So the decision to not call C at this time ensured a lot of sleep to a bunch of people and saved them a lot of trouble. The chances that a call had made a difference (because of C returning to the event location) to what R1 and R2 would have to do to secure the CAP forms cannot be estimated. But the costs of such a call can (non trivial for multiple persons). The level of security for the CAP forms would not have changed dramatically by a call. So the gain of the call would have been minor.
Because of this, R1 and R2 not calling C (if they were even able to do so) at this hour has to be considered a sensible decision. They should not be made responsible for this.
not informing C and giving back the CAP forms ASAP at the next day
Even as it was sensible not to disturb C with a call in the middle of the night and to solve the problem without the knowledge and involvement of C, R1 and R2 could have done a lot more to inform C about the whereabouts of the CAP forms and their intention to return them to C and maybe even a timeframe where they would be able to do so.
They could have left a note at the booth, about what they had done, or tried to get hold of someone at the booth when they returned to the event location at the next day, who may have been able to inform C, even if they did not meet C at this time.
They even may have tried to actively get in contact with C or to wait at the booth for him.
But since they did not know when C would return to the event location or the booth, one cannot expect them to go as far, since they
- were paying guests at a big event with a lot of other stuff going on, that they may have wanted to attend
- were helpers at this event with obligations that they also had to attend.
- already spend some of their time to fix the original problem and the return of the CAP forms was no pressing issue because their security was not at stake anymore.
Since R1 and R2 did not have to stay at the booth until they would meet C there, the only thing they failed to do is to leave information to C. They cannot be responsible to be available to return the CAP forms at any given time when C would learn about the events of the night.
Such information probably would not have changed the security of the CAP forms or the time of their return to C. But it may have saved C a lot of trouble and concern.
To leave a note would have been the nice (and right) thing to do.
Some statements indicated that R1 and R2 intended to educate C about the privacy issue and did not inform him before they had time for a discussion of the problem.
Education is one of our community principles and has to be considered to be a valid reason: Principles of the CAcert Community:
Training We train our users. We train our users to train other users. If we accept someone in a role, we train, we test, and we support them. The training is provided for free. For our core community roles such as Assurer, sufficient quality training will be available at no charge.
While this may be a good reason to wait with the return of the CAP forms until R1 and R2 had time for a longer discussion of the original problems (because they may have thought that they may not be able to get the attention of C after the return of the CAP forms), it is not clear if not informing C was helpful in this regard.
Sure, C would have to discover the loss of the CAP forms and experience the worry of the loss, so the training about the risks of leaving CAP forms alone was probably much more intense than if he would have just been informed about the events. But while experience is a good teacher, just the fact that someone moved the CAP forms could be considered to be enough in this regard. The additional worry was probably not needed.
If this is the case and the additional experience was a worthy one in regard of training is hard to tell from the distance. The delay may be covered by the training effect, it had to C.
However since C was informed by WIT3 after he discovered the loss, the time to worry about the safety of the CAP forms should not have been long for C. So no real harm can be detected. Since R1, R2 and WIT3 probably thought that they had acted as a team of three in the night, from their perspective information by WIT3 was the same as one by R1 or R2 (even if it was different from the perspective of C).
The delay of the information and the return also was minor (1 - 2 hours if one does not count the information by WIT3) compared to everything else. C planned to leave the CAP forms alone for 12 hours and even stayed away for 13. One or two additional hours do not change a lot in this regard. The event also went over 3 additional days, during which R1 and R2 could have returned the CAP forms. The CAP forms have to be secure for 7 years.
Overall it would have been better if R1 and R2 had informed C as soon as possible, probably with a note at the booth. This could have prevented C to worry about a potential loss of the CAP forms. It would have been the nice thing to do.
But there was no direct harm connected with the comparably short delay and it has to be regarded as just covered by our principles, because of a potential additional training element.
An assurer may (or even should) secure CAP forms as done by R1 and R2. Especially since they also prevented each other to perform a privacy breach.
It was sensible that they did not call C in the middle of the night to solve the problem together with him.
But it would have been better if they would have informed C about their actions sooner.
However this delay was minor and is even just covered by the training principle of our community.
Since the action itselve was indicated by our policies (and the principles) the comparably short delay to inform C and return the CAP forms cannot change this.
R1 and R2s actions were covered by their authority as assurers (or community members).
E. Were R1's actions covered by his authority as event organizer?
An event organizer (EO) is responsible for all assurances done at the event being covered by AP. After an event the EO even has to give a CARS about this in the event report.
The tasks are: [...] running the event - briefing to all Assurers, - cross-assurances, coaching, training, AssurerChallenge, helping the new Assurers, - ensuring that quality is maintained and that Assurance Policy is followed, ready to deal with minor issues as they arise [...] post-event - a report to EventOrganisationOfficer on the event [...]
Part 2 - Later or at home [...] if you are the EventOrganiser: - you have to write an Event Report for audit purpose to confirm in the report that the Assurance Policy was followed during the event and sending the report to the EventOrganisationOfficer
Because of this an EO has to ensure (beside other thing) that privacy of the assurees is not violated. If an EO detects some private information "flying around" the EO is responsible to collect and safe keep it to prevent (further) privacy issues, at least until it can be handed back to the correct owner, if one is identifiable.
While every assurer should step in to ensure the security of personal data, an event organizer has to do so during an event. Else an EO would not be able to give the needed CARS for the event report.
As EO, R1 had to ensure that no privacy would be violated at the CAcert booth. So the confiscation of the CAP forms is covered by his authority as EO. Even C agrees on that.
- I am totally ok with R1, as event organizer, noticing a privacy issue. Now, if he *had* tried to call me, and would have failed, I would have regarded it as totally ok if he secured the forms in some place, and then informed me about it later, but returning the forms to me immediately.
The next question is, again, if the delay about informing C and returning the CAP forms was ok. The arguments are comparable to those for an assurer. But as an EO the argument, that R1 wanted to confront C in person, with enough time to discuss the matter, weights even more, since he was responsible to ensure that C was duly informed about the privacy problem, so that the same problem would not occur again.
Another solution, where C did not have to worry about the CAP forms at all, may have been preferable. But since the delay was comparably short, the chosen time to confront C is inside the bounds of leeway, which have to be allowed for the decisions of an event organizer to solve a problem.
R1 acted inside his authority as event organizer.
F. Were R2's actions covered by his authority as arbitrator?
Probably not, since there was no arbitration case filed.
During the evidence gathering process the subject came up between C and the DRO under what circumstances an arbitrator can act in an emergency case. This is currently not documented well.
It has to be possible for arbitration to act in an emergency and since the normal way to handle a dispute is quite time consuming (about 2h is needed alone to grab a case, create the according wiki-page and close the case) there may be cases where the normal formalities have to be skipped or postponed. One can even think about situations, where the normal procedure may be impossible, since it depends on being able to connect to OTRS-, mail- and wiki-systems and triage/support being available to hand the dispute through to arbitration in the first place. If there is an emergency on this parts where an arbitrator would be needed, arbitration has to be able to work anyway, since it is the fallback for unpredictable situations installed in CAcert.
Because of this, the fact that no written dispute was present at the time of the events does not have to be a hindrance to authorize arbitration activity in itself. But later documentation (also about the reasons why it was acted without a proper documented case) probably would have been needed.
However, since R2 did not act as an arbitrator in this case, as discovered above, the question if the actions would have been allowed by an arbitrator (and what documentation etc. would have been needed) is not relevant in this case and should not be finally answered here.
But it would be a good idea if the arbitration team would cover this, for example in the arbitration training lessons. I recommend doing so.
Edit 2014-01-08: DRO added a first version for an arbitration training lesson on this regard.
a. Did R1 abuse his position as event organizer?
No, his actions are covered by his authority as event organizer.
The claim, that R1 abused his position as event organizer has to be dismissed.
b. Did R2 abuse his position as arbitrator?
Since R2 did not act as an arbitrator he could not abuse his position as an arbitrator.
The claim that R2 abused his position as arbitrator has to be dismissed.
further problems encountered by A in this case
I. Consequences of Cs possible privacy breach (leaving CAP forms unattended for hours)
As discovered above C did violate his obligations regarding the security of the private information written in the CAP forms when he left them unattended over night at the event location of the 29C3, even when they were covered by a laptop.
C argued that it was only for a "short time".
While it is true, that some hours are a short time compared to the 7 years C is responsible for the privacy of the documents, it is quite a long time for an attacker who wants to access the private information on the CAP forms.
A short time would be a few minutes for example to use the bathroom. But even then one has to trust ones luck that the privacy is not disturbed while doing so.
12 to 13 hours over night, as C stayed away from the CAP forms is too long to leave CAP forms unattended in plain view at a place where a lot of people come along (even if covered originally by a laptop).
But the time the CAP forms were exposed was dramatically reduced (to a third or quarter) thanks to the actions of R1 and R2.
All persons present rated the remaining possible privacy breach as minor enough to not file a dispute about it. At least R2, WIT3 and C were trained as co-auditors in filing such disputes and had done before.
Their explicit stated and eligible decision against a dispute on this matter has to be respected. So there should be no ruling over the found privacy issue without a further dispute.
II. Problems with statements of a co-auditor found in this case, not in line with our policies
In the original dispute and the following statements C gave some arguments that were not addressed before, but should be addressed now, because they are not in line with our policies. This could leave a wrong impression to readers, if they were not commented, since C mentioned them with a reference of being a co-auditor.
In the original dispute C stated:
These forms were: - NOT signed by me, so I did NOT acknowledge that any of the proceedings were connected to official CAcert work - NOT entered into the system, so the data on them did NOT affect active assurances or statements made by me towards CAcert
As discussed above, just by accepting a filled and signed CAP form, a CAcert assurer acts under the AP and the proceedings of the assurances are directly connected to CAcert. The signature of the assurer only states, that everything went well. If the signature is not given, the process of assurance may not be finished and may even be stopped by the assurer, but everything done is under the authority of the AP. Any assurer accepted that (by previously accepting CCA and maybe even AP directly and by accepting the request of the assurer to handle the assurance under AP).
For the obligation to protect (the private information on) CAP forms, it does not matter, if the data is entered into the system or not. Again AP and PP apply.
There is no term of "active assurance" in the AP or anywhere else. Since the face to face meeting with the assuree was over, the assurees could assume that the assurances would be entered into the system, if C would not detect something unexpected later. The date of an assurance entered into the system is those from the face to face meeting. This is also the date used by arbitration to figure when the 7 years are over. So the assurances should be treated as real and running assurances even if they were not entered in the system and the assurance process could be canceled by the assurer. (But that is the case for any assurance. Any assurer can ask for a revocation of an assurance at any time. If this is done within a day after the assurance is entered into the system, this can even be handled by support without the need to go through arbitration.)
While R2 and R1 are right in saying that leaving CAP forms with assuree data at the booth is a privacy issue, this is a *personal* issue between the assuree and me for the reasons mentioned above (NO assurerstatement given by me).
For the same reasons as above this is wrong. That assurances are more than a personal issue between assuree and assurer even at this state, can also be concluded from the fact, that those assurances can be addressed with a dispute, as C should know since he was involved in such disputes before (for example a20100304.1).
Up to the moment I sign the assurer statement on the form and enter the assurance into the system, I do NOT acknowledge officially that I acted in the name of CAcert.
Being an assurer one never acts as a representative of CAcert while performing an assurance according to AP.
The assurer part of a CAP form does not address the assuree, but the CAcert community. Assurees should know even without the assurer if they are the persons they claim to be. It has no value to state this to the assuree. The CAcert community wants to rely on the statement of the assurer, so the community can trust assurees to be who they claim to be. That would not work if the assurer would just act as a representant of CAcert. So the assurer is giving a statement to CAcert by signing the CAP form. Assurers are acting in their own name and none else by signing a CAP form or giving any other CARS (CAcert Assurer Reliable Statement).
+ If the CAP forms had been of any interest to CAcert as a whole, some action should have been taken to solve this issue together with the assurer (i.e. me) - However, the CAP forms in question were only vicariously related to CAcert as a whole.
Every assurance is of interest to CAcert. They are done under a policy of CAcert. And every single one of them is relevant for the web of trust (WoT) of CAcert. A lot of effort is done by arbitration (and other parts of CAcert) to preserve as many of them as possible. There is even a figure to show how valuable every single assurance is to CAcert: € 1000,-
Again, I do not think that an Arbitrator may judge in any case not passed to arbitration by a (valid) claimant - with the claimants being all assurees that handed CAP forms to me that day.
Not only assurees can file a valid dispute in such a case. Every community member can do so (even non-members - for example parents for PoJAM assurances - can do so). C should know this, since he had issued disputes on assurances where he was neither the assurer nor the assuree before. (For example a20111230.1)
On a side note: Arbitration cases are not passed from a claimant to arbitration directly, at least not outside of an emergency.
According to What is a co-auditor?:
A co-auditor is a very experienced Assurer who helps the Assurance Officer collect results suitable for verifying the entire system of Assurance. These results are collated for audit over CAcert.
Since our WoT is one of the basic elements of trust for our certificates, the internal auditor was asked on the importance of a co-auditor arguing in the way of C. The internal auditor suggested ordering board to take the co-auditor-status away for C, or at least to suggest this to board.
However it is a little bit harsh to order board on this matter, if there are other alternatives. C showed interest to learn when he asked his questions.
Since the community also has an interest to have enough co-auditors, it would be better to ensure that C has learned his lessons and let him continue to do co-audits.
The right authority for co-auditors is the Assurance Officer, so the matter should be given to him.
1. R1 did not abuse his position as Event Organizer. I dismiss the case against R1.
2. R2 did not abuse his position as Arbitrator. I dismiss the case against R2.
3. The seizing of the CAP forms by R1 and R2 is covered by our principles and policies. While some details leave room for improvement, no action should be taken against them.
4. A privacy issue of C was discovered in this case. But since multiple persons trained in the matter were present at the events and explicitly decided against a dispute, I will not rule on this matter here, because of a missing dispute. The matter is not finaly handled by this ruling and stays open for further disputes.
5. C showed some uncertainty and ignorance about core elements of assurances, related policies, privacy and security issues. As a Co-Auditor he is specially trained and should be well aware of these issues. Even more, he should be able to train others on such issues. The Assurance Officer (AO) shall re-evaluate C's fitness as a co-auditor with respect to the detected issues. If considered necessary, C's co-auditor status may be suspended for further training. If C fails the process, C's co-auditor status shoudl be revoked altogether.
6. The final decision of the AO about C's co-auditor status shall be recorded as a post arbitration result.
7. Since the reason for the intermediate ruling is gone, because R2 will not be concerend by the remaining part of the case as a respondent, the need to give C and R1 the same information as R2 gains as an arbitratior regarding this case is canceled. A and CM do not need to forward such informations to either of them anymore. However the private part of this case should stay visible to C and R1.
-- Cologne, 2014-01-11
- 2014-01-11 A: ruling
- 2014-01-11 A: execution order to AO
- 2014-01-11 AO: initiated execution, set co-audit-status of C on hold
- 2014-01-19 A: personal words sent to C, R1, R2 (CM, WIT1-3)
current status of review process will be documented under Co-Auditor
Post arbitration action
- 2014-03-23 C: resignes from his position as Co-Auditor
Comment from A: Because of the resign a final decision from the AO on C being a co-auditor can be considered as obsolete.
Personal words from (A)
There are very few arbitration cases in CAcert that get personal. This probably shows the good spirit in our community, and the ability solve most personal issues without the need to involve authorities. Sadly, this case is one of the few others, with people accusing each other about lying and worse. It is no fun to be involved in such a case. So I want to say some personal words in the hope that such cases can be avoided in the future. I personally think, after all I've written above to handle the case in the formal way of arbitration, some of the following is more important than anything above.
C had any right to file a dispute, since every member has any right to file a dispute about more or less anything. But theoretically the dispute was not complete, since according to DRP 1.4 a dispute has to specify 'The action(s) requested by the filing party (technically, called the relief).' We could have rejected this case. But the complaint of the dispute 'abuse of position [of an arbitrator]' was so severe that if it was true and not handled, the integrity of arbitration and through that an important leg of CAcert would be damaged.
Most of the questions asked in my mails were to look for hints that an arbitrator had abused his position as arbitrator. At the same time it seemed like the real interest of both sides was to get an answer to other questions. (Probably the real one - the personal one - never asked.) Nonetheless the complaint of abuse of position of an arbitrator was repeated.
I do not want to discourage people to file disputes. On the contrary, I think it is quite important that such an option exists. Else I would not have taken the job as arbitrator. But even easy cases take a lot of time, if handled with appropriate seriousness. If one looks at the history log and the length of the discovery, one can imagine how much time is needed for a case like this. It does not even display all the research done 'behind the scenes' (like looking up policies, old cases or other resources).
It would have been a lot easier for all of us, if the complaint would have been more focused and in line with the actual problem.
Before filing a dispute, one should always consider if the problem can be solved in another way and what can be gained or healed by a dispute. Arbitration is probably the most expensive way to solve anything in the context of CAcert. We have only so many resources - volunteer time being a valuable one. The time, which went into this case, could else have been used to write some patches, to polish up the wiki, to work on the policies or solve multiple other arbitration cases which are waiting a long time and need some arbitrators time dearly.
I really doubt that the original events were worth all the time and I also doubt that any party is satisfied in the end. So I ask both sides to consider if it was worth all the trouble. I know that the respondents did not file the dispute and are not directly responsible for the complaint. But it looks like there may have been ways to handle the information and confrontation of C in a way that may have prevented a dispute.
Even as their actions are covered by our principles, I think it would be appropriate for them to apologize to the claimant for the time he was not informed about what happened to the CAP forms and the worry he went through until he got them back.
I will not order them to do so, since an ordered apology has no worth. As things went, I'm not sure if they will be able to show such greatness, because this case probably cannot cure all hurt feelings that arose between the parties since the dispute was filed. It probably even intensified them.
On the other hand a thank you to the respondents would have been more appropriate than to file a dispute against them, because R1 and R2 are mostly responsible for the fact that the original issue (CAP forms lying around) was stopped and classified as minor.