= Incident i20151207.1 =

 * Incident Number: i20151207.1
 * Status: closed
 * Incident Manager: BenediktHeintel
 * Date of incident opened: 2015-12-07
 * Date of incident closed: 2016-05-09
 * Incident title: Potential Abuse of Power

== History Log ==

 . 2015-12-07: Incident i20151207.1 opened
 . 2015-12-09: Incident description and [[https://wiki.cacert.org/Audit/Incidents/priv/i20151207.1|private part]] added
 . 2015-12-10: Root Cause identification started
 . 2016-01-21: Added more evidence
 . 2016-04-07: Published remaining parts
 . 2016-05-09: Incident closed

== 1. Incident Response Team ==

 . Internal Auditor

== 2. Incident Description ==

A case manager of a running case reported that the arbitrator of that case lost access to the arbitration system through revocation of all access rights to (a) the private wiki parts for arbitrations, (b) personal arbitration documentation in the wiki, and (c) the OTRS ticket queue for Arbitration. The action was carried out by an infrastructure admin.

== 3. Containment Actions ==

No containment actions were necessary; the action does not affect the integrity, availability or confidentiality of CAcert's core assets or its operations. The accusation weighs heavily and is therefore treated with the necessary urgency and thoroughness.

== 4. Root Causes ==

'''Sequence of Events I'''

 1. Infrastructure Admin (I1) was identified through the changes incorporated in the wiki system. (I1) only removed the rights in the wiki system (see (a) and (b)) for the Arbitrators (A1) and (A2). (I1) received the orders from the Committee of CAcert Inc., based on a unanimously voted decision on a motion under seal. The exact wording of this motion is unknown to (I1).
 1. The Committee, based on the same motion, also instructed Infrastructure Admin (I2) to revoke the OTRS Arbitration queue access of (A1) and (A2). The exact wording of this motion is unknown to (I2).
 1. The Committee informed the Members via email about an "extraordinary action resolved unanimously by board", to prevent a threat of damage to operations, teams, association and community, claiming to suspend persons from all privileged roles except CAcert Inc. membership. That email can be linked to this incident.
 1. The Board derives its actions from [[https://community.cacert.org/board/motions.php?motion=m20091206.2|motion m20091206.2]]; as a prerequisite, the Dispute Resolution Officer (DRO) needs to advise the removal of Arbitrators from their role.
 1. The DRO was informed and questioned by the Board prior to the motion. He did not object to the action.

'''Findings I'''

 1. An Infrastructure Admin has to execute orders from motions.
 1. Like everyone else, she is free to file a dispute if unsure whether the order was legitimate.
 1. There is no rule for how CAcert Inc. grants and revokes positions. Based on the [[https://wiki.cacert.org/Teams|Teams]] wiki page, the Committee appoints and releases the officers (aka team leaders). The team leaders choose their team members according to their own principles, based on faith and trust. In particular, there is no rule for how to become an Arbitrator and how this role can be forcibly cancelled. The [[https://wiki.cacert.org/ArbitrationForum|Arbitration Landing Page]] says that "Arbitrators are appointed by the Board"; [[https://wiki.cacert.org/Arbitrations/a20150420.1|a20150420]] contains a ruling defining a way to remove officers and arbitrators from their position.
 1. In ruling 2b of [[https://wiki.cacert.org/Arbitrations/a20150420.1|a20150420]] an Arbitrator rules how to remove Arbitrators from office. This ruling contradicts its own tone of checks and balances and grants Arbitration additional power over Arbitration.
 1. Collateral: The Arbitration Team list contains three Arbitrators and Case Managers without a stated Board Motion: Lambert Hofstra, Nick Bebout and Sebastian Kueppers.
 1. Collateral: There are other people acting or who have acted as Case Manager or Assurer without being mentioned on the Arbitration Team list. Whether there is any motion for them is unknown: Lambert Hofstra, Alejandro Mery, Guillaume Romagny, Greg Rose. (Thanks to Eva for the input.)

'''Legitimation'''

The basic question is: ''Based on what legitimation was the Committee acting?''

 1. The Committee bases its decision on the general mandate of [[https://svn.cacert.org/CAcert/CAcert_Inc/By-Laws/CAcert-Rules%20of%20Association.pdf|CAcert's Committee granted by CAcert's Association Rules § 14]]:

{{{
14 Powers of the committee

The committee is to be called the committee of management of the association and, subject to the Act, the Regulation and these rules and to any resolution passed by the association in general meeting:
(a) is to control and manage the affairs of the association, and
(b) may exercise all such functions as may be exercised by the association, other than those functions that are required by these rules to be exercised by a general meeting of members of the association, and
(c) has power to perform all such acts and do all such things as appear to the committee to be necessary or desirable for the proper management of the affairs of the association.
}}}

And refined in [[https://svn.cacert.org/CAcert/CAcert_Inc/By-Laws/TradeOffice_AGM2007Reports_4392_001-Nov2007.pdf|2007's]] and [[http://svn.cacert.org/CAcert/CAcert_Inc/General_Meetings/AGM-Nov2008/Minutes-7Nov2008-AGM.pdf|2008's]] AGMs:

{{{
The board has the following mandates:
* CAcert's operational affairs including finances for CAcert services;
* veto right on policy documents;
* last appeal on dispute resolution.
* …
}}}

To the best of the incident response team's knowledge and belief, these mandates are still valid and have never been changed by an AGM.

Side note: FY 2012/2013's Committee passed a motion ([[https://community.cacert.org/board/motions.php?motion=m20130210.2&showvotes=1|m20130210]]) to remove themselves as appeal panel and established the policy group.

'''Findings II'''

 1. The Board derives its right from the rules of the association (which looks lawful as a starting point).
 2. There is an [[https://wiki.cacert.org/Arbitrations/a20150420.1#Final_Ruling|Arbitration Ruling a20150420 (Part 2b)]] on ''Removal of Arbitrators''. The ruling is highly challenged because it does not give any evidence based on CAcert Inc.'s rules and regulations. Moreover, it is not clear whether a temporary suspension has to be handled the same way as a permanent removal.

== 5. Permanent Corrective Actions ==

 1. The DRO should review the list of Arbitrators and Case Managers and add all missing team members to the list.
 1. Arbitrators / Case Managers without appointment by the Committee should either be moved to the retired section or be approved by the Committee as Arbitrators.

== 6. Verify Corrective Actions ==

N/A

== 7. Preventive Actions ==

 1. The nomination, removal and (temporary) suspension of members of the arbitration team should be defined; a policy would be appropriate for this.

== 8. Approval & Closure ==

|| '''Rejected''' || 2016-05-01 [[https://community.cacert.org/board/motions.php?motion=m20160408.1|m20160408.1]] ||
|| '''Date closed''' || 2016-05-01 ||

Remark on m20160408.1: The text of the motion was reversed although old board members had already voted before the motion text was altered. Now it looks as if they voted against the measures, while they in fact voted for them.

----
 . CategoryAudit
 . CategoryIncident