Before: Arbitrator UlrichSchroeter (A), Respondent: CAcert (R), Claimant: MarcusMaengel (C), Case: a20130810.1

History Log

Original Dispute

Discovery (Private Part)

EOT Private Part

Discovery & Deliberations

Intermediate Ruling #1

So therefor I come to following intermediate ruling #1

  1. The first question in dispute filing
    • "In a first step I would like to get the allowance to send a mail to one of the users that can be found in the admin view."
    • has been checked by sending a test email to the postmaster of the affected domain according to RFC's rfc-5321 and rfc-822 that revealed by receiving a NDR, that the domain no longer accepts any emails.
    • So therefor I reject request #1 from dispute filing.
  2. Claimants request #2 requires some deeper inspection, to investigate the impact in CAcert's WoT that is caused by the reported closing down of an email service provider. Here the found potential critical impact is of special interest to arbitration:

    • the next thing that is of interest in this case is the critical relation of members who did loose their primary email address

      • What does this mean: critical ?

      • critical in relation to existing member accounts means, that we have to check topics that affects WoT, thats why we referencing in CCA 3.3 Termination [1] every Termination by a member [4] to Arbitration

        1. existing, valid certificates (Relying Party Statement problem) x1)

        2. had given assurances (securing the CAP forms)

    • This impact can be counted with a couple of Adhoc SQL queries. These SQL queries have been deployed in the Software-Assessment project team meeting dated 2013-08-13 and also can be found in the minutes. The SQL queries have been deployed by a nominated Software-Assessor Michael Taenzer and checked by myself against a local copy of the developers testserver image
    • Critical team shall execute following 4 Adhoc SQL queries to answer 4 questions:
      1. SQL query 1: how many users we have that have a lavabit email address as primary email address?
        select count(users.id) from users where users.email like "%@lavabit.%" and users.deleted = 0;
      2. SQL query 2: how many of the members found under sql query #1 have an addtl. secondary email address we can use to contact the users by email them or using in a scripted mailing?
        select count(distinct email.memid) from email inner join users on email.memid = users.id  where users.email like '%@lavabit.%' and users.deleted = 0 and email.deleted=0 and email.email not like '%@lavabit.%';
      3. SQL query 3: how many of all members (according to sql query 1) with lavabit as primary email address falls under the category critical while having active certs or did gave assurances?

        select count(*) from (
            select notary.from as memid
                from (select users.id from users where users.email like "%@lavabit.%" and users.deleted = 0) as interesting_users inner join notary on interesting_users.id = notary.from
                where notary.deleted = 0
            
            union distinct
            
            select emailcerts.memid as memid
                from (select users.id from users where users.email like "%@lavabit.%" and users.deleted = 0) as interesting_users inner join emailcerts on interesting_users.id = emailcerts.memid
                where emailcerts.expire > NOW() and revoked = 0
            
            union distinct
            
            select domains.memid as memid
                from (select users.id from users where users.email like "%@lavabit.%" and users.deleted = 0) as interesting_users inner join domains on interesting_users.id = domains.memid inner join domaincerts on domains.id = domaincerts.domid
                where domaincerts.expire > NOW() and domaincerts.revoked = 0
        ) as  critical_users;
      4. SQL query 4: how many of the members (according to sql query 2) with lavabit as primary email address, but having addtl. other secondary email address(es) falls under the category critical while having active certs or did gave assurances?

        select count(*) from (
            select notary.from as memid
                 from (select users.id from email inner join users on email.memid = users.id  where users.email like '%@lavabit.%' and users.deleted = 0 and email.deleted=0 and email.email not like '%@lavabit.%') as interesting_users inner join notary on  interesting_users.id = notary.from
                where notary.deleted = 0
            
            union distinct
            
            select emailcerts.memid as memid
                 from (select users.id from email inner join users on email.memid = users.id  where users.email like '%@lavabit.%' and users.deleted = 0 and email.deleted=0 and email.email not like '%@lavabit.%') as interesting_users inner join emailcerts on  interesting_users.id = emailcerts.memid
                where emailcerts.expire > NOW() and revoked = 0
            
            union distinct
            
            select domains.memid as memid
                 from (select users.id from email inner join users on email.memid = users.id  where users.email like '%@lavabit.%' and users.deleted = 0 and email.deleted=0 and email.email not like '%@lavabit.%') as interesting_users inner join domains on  interesting_users.id = domains.memid inner join domaincerts on  domains.id = domaincerts.domid
                where domaincerts.expire > NOW() and domaincerts.revoked = 0
        ) as  critical_users;
  3. As this case discloses a clash in practice between CCA obligation (to keep his own primary email address in good working order) and the information given to each member: Arbitration uses the members primary email address to contact members, we're trying to assist our members to bring them back into a safe status for their accounts.
    • We know, we currently have an exception, that members may violate CCA 3.5 status, but this running case shall bring them back to have their accounts in a good working order. So here we following the principles that our focus is a functional community, we don't want to blame these members for that situation and we want to assist these members to get their account back into a good working order. A blog post still have been published and a mailing probably follows, once we have the results of the Adhoc SQL queries.
    • So the current status of such affected member accounts I declare as a temporarly exemption.
    • Its expected, that a clearance of the status can be executed until final ruling of this running case.
  4. The question, if the SQL queries results can be published I come to the following ruling:
    • The proposed results of the 4 SQL queries are counts only similar to statistical data we still have published on our main website. So at this point we have no disclosure of any personal identifyable informations but the results will give us a measure how deep the impact of the lavabit closing down to CAcert's WoT is
    • Speculative expectations, what happens if we once publish the counted results and the possibility, that agencies will send CAcert a "Legal process (subpoenas, etc) delivered by an external court of 'competent jurisdiction.'". Such processing has to undergo CAcert's arbitration review according to DRP so it becomes unlikely that CAcert has to deal with follow-up actions that are described in the published articles [6] + [7]
    • So there is nothing that prevents publishing of the SQL query results requested under top 2

Frankfurt/Main, 2013-08-15

Discovery II

Intermediate ruling #2

Frankfurt/Main, 2013-08-16

Discovery III

Ruling

Execution

Similiar Cases

a20090525.1

Event officer request recurrent notification to assurers near the location of the following ATEs - Precedent Case

a20110608.1

Scripted Mailing to Organisation contacts

a20111128.3

Delete Account cases which may be handled by SE - No Assurances given, no certs or certs expired - Precedents Case

a20111204.3

Minor account data differences which may be handled by SE - Precedents Case

a20090424.1

Ad hoc SQL query requested

a20090427.2

Ad hoc SQL query requested

a20090518.2

SQL: mail addresses of former assurers without the CATS passed

a20090810.3

User requests a list of people who have more than 150 points

a20090902.1

request list of OA

a20091221.1

U18 query

a20100822.1

SQL query

a20101114.1

Addtl. adhoc interactive sql-query

a20110413.1

How many users using sample pwd

a20130521.1

Adhoc SQL query: Dispute to get some statisical data (U18)

a20110221.1

PII and problematical sys settings on 1057 of 1074 deleted accounts cases still remains in database


Arbitrations/a20130810.1 (last edited 2019-10-02 20:05:30 by BernhardFröhlich)