Incident i20140625.1

History Log

1. Incident Response Team

2. Incident Description

The initial Case Manager of arbitration case a20140624.1 consulted the internal Auditor by e-mail about that case. Since the e-mail comprises several pages of e-mail conversation between a community member and a support person, only the summary is cited here; the full anonymised text provided to Audit is documented in the Arbitration Case (access for Arbitration and Audit only). The affected persons are unknown to the internal Auditor.

- several actions by the Support member to get the member to reveal more
details about his person, including the demand to hand over what is
written in his official documents - without any authority given by
arbitration
- the support member issuing warnings to members - without any authority
given by an arbitration case
- the support member requiring the member not to use his account
until further notice and, in particular, not to receive assurances or issue
certificates
- the support member refusing to delete the account of a member as
requested because he favours another solution
- a privacy breach when forwarding all name details of a member and all
assurance details of multiple assurances to an arbitrator who did not
have an arbitration case running in this matter

The summary (proven by the e-mail itself) contains a data privacy breach and potentially an abuse of power.

3. Containment Actions

No action was taken to contain the incident; there is no current danger of it expanding.

4. Root Causes

  1. The community member requests the deletion of one of his CAcert accounts.
  2. The supporter asks for the e-mail addresses of the other accounts.
  3. Finding 1: To execute the deletion this information is not required and should not be requested ("need to know").

  4. The member provides the second e-mail address and requests the deletion of the first account.
  5. The supporter looks up the second account and proposes to delete this one instead.
  6. Finding 2: Neither the member nor an arbitrator asked the supporter to look up the second account, and no precedent case gives him the right to do so. The supporter violates § 8 in conjunction with § 9 Privacy Policy.

  7. The member again asks for the deletion of the first account.
  8. The supporter contacts two assurers, who had assured the member twice (once on each account), and accuses them of unlawful behaviour.
  9. Finding 3: The supporter again violated § 8 in conjunction with § 9 Privacy Policy when looking up the e-mail addresses of the two assurers.

  10. Finding 4: There is no rule in CAcert that one assurer cannot assure an assuree several times. Since the supporter does not give any information on what basis he judges, an abuse of power is presumed.

  11. The supporter forwards two e-mails of the member and one e-mail written by himself from an earlier conversation with the member, without anonymisation, to an arbitrator. The e-mails contained names, e-mail addresses, dates and locations of several assurances.
  12. Finding 5: The supporter violates § 8 in conjunction with § 9 Privacy Policy a third time; even if the recipient is an arbitrator, the further rights under § 9 Privacy Policy only apply if the arbitrator acts in a duly filed dispute.

  13. A second supporter filed a dispute.

To sum it up, the supporter

5. Permanent Corrective Actions

Dispute a20140712.1 was requested:

Dear Arbitrators,

As CAcert's internal Auditor, I would like to open a dispute against the supporter S1 (private data unknown to me) from arbitration case a20140624.1's anonymised mail collection [1]. 

Reasons:
Audit became aware of a massive data privacy breach and abuse of supporter power by S1, documented in i20140625.1 [2]. Audit does not have the tools and power to prosecute an individual based on his/her misbehaviour. Therefore, I would like to ask arbitration to take over the case and handle the individual prosecution against S1.

Supporter S1
 * violated § 8 in conjunction with § 9 Privacy Policy [3] three times and
 * abused his power as supporter to request additional information and provide false information (to be verified by arbitration case [4]).

Best Regards
Benedikt

[1] https://wiki.cacert.org/Arbitrations/priv/a20140624.1/AnonymSupportCase
[2] https://wiki.cacert.org/Audit/Incidents/i20140625.1
[3] http://www.cacert.org/policy/PrivacyPolicy.html
[4] https://wiki.cacert.org/Arbitrations/a20140624.1

6. Verify Corrective Actions

7. Preventive Actions

The internal Auditor recommends the following preventive actions:

Board decided to install the following preventive actions:

moves 
  1) that board takes steps to ensure that each CAcert team member of Support, SE, Arbitration, Infrastructure honours CAcert's Privacy Policy and prove the understanding of named policy by repeating a PP CATS Test yearly, 
  2) the change has to be retained in accordant policies via Arbitration and Policy group, and 
  3) the required CATS test is prepared under the responsibility of the Education Team

8. Approval & Closure

Approved

2014-07-13 in m20140713.1

Date closed


Audit/Incidents/i20140625.1 (last edited 2014-11-30 20:36:50 by BenediktHeintel)