- Case Number: a20140925.2
- Status: close
- Claimant: Lora
- Respondent: CAcert
- Initial Case Manager: EvaStöwe
- Case Manager: MartinGummi
- Arbitrator: EvaStöwe
- Date of arbitration start: 2014-09-25
- Date of ruling: 2014-10-18
- Case closed: 2014-10-31
- Complaint: Remove non-assurer-account, primary email belongs to other person
- Relief: TBD
Before: Arbitrator Eva Stöwe (A), Respondent: CAcert (R), Claimant: Lora (C), Case: a20140925.2
History Log
- 2014-09-25 (issue.c.o): case [s20140925.7413]
- 2014-09-25 (iCM): added to wiki, request for CM / A
- 2014-09-25 (iCM): notified C about case
- 2014-09-25 (CM): I'll take care of this case, EvaStöwe volunteered as A
- 2014-09-25 (A): init mail to C
- 2014-09-26 (A): asks Support to block the account, give information if primary address was changed, look out for anything unusual in the account
- 2014-09-26 (C): requests that the account and anything associating the name in the account with the email
- 2014-09-26 (Support): provides information from which it is visible that the primary address was changed
- 2014-10-03 (A): asks Support to confirm block of account
- 2014-10-03 (Support): confirms block
- 2014-10-03 (A): addresses original primary address for a statement, deadline
- 2014-10-18 (A): ruling sent to C, Support, CM
- 2014-10-31 (CM): close case
Private Part
Link to Arbitration case a20140925.2 (Private Part), Access for (CM) + (A) only
EOT Private Part
original Dispute
PLEASE REMOVE MY EMAIL ADDRESS [mail address] FROM YOUR MAILING LIST. YOUR EMAIL CAME ADDRESSED TO A [name1] AND THIS IS NOT HIS EMAIL ADDRESS. HE DOES NOT HAVE AN EMAIL ADDRESS WITH [name2] AND IS NOT ASSOCIATED WITH [name2]. PLEASE REMOVE ALL INFORMATION THAT CONNECT [name2] AND [name1]. THANK YOU
Discovery
C (the owner of the primary email address) got an automated mail sent from CAcert because of a policy change. C did not know about the existence of the account and asked for its closure.
It was discovered that the account was created with another email address; some days later the now primary address was created, and some minutes afterwards a certificate was created. This was during the last year but more than 6 months ago.
It has to be assumed that the account was created by somebody other than the claimant, who had access to the email account somehow.
An attempt was made to contact the email address from which the account was created, but there was no answer.
To ensure that there was no issue with the software, it is sensible to ask the teams about any issues. But as there are no other indicators in this direction, this would be quite unlikely.
Ruling
As there was a certificate issued directly after the primary address was added, it may be that an incorrect certificate was issued if the claim about the email address is correct. Because of this, the account should not be closed by the normal procedure but:
Support should hijack the account and
- anonymise the account using the case number a20140925.2 without delay
- keep the secondary email address in the account
- revoke all certificates
If someone asks to free the email address a dispute should be filed with reference to this case.
The claimant should be informed that there may be the possibility that the email address was compromised as we do make an ownership check before adding addresses to an account.
Software and critical team should be contacted by the Arbitrator to check issues with the mail verification. The check itself will not be covered by this case.
-- Velbert, 2014-10-18
Execution
- 2014-10-18 (A): ruling sent to C, Support, CM
- 2014-10-18 (Support): asks for information about the account that should be closed
- 2014-10-18 (A): provides Support the needed information
- 2014-10-19 (Support): confirms execution
- 2014-10-19 (Support): complains before DRO about the delay
- 2014-10-19 (A): explains to Support that the Arbitration lessons speak about separated rulings and execution requests; also, A has to write the ruling according to DRP, while the policies, lessons and handbooks place the execution in the scope of the CM, even if it has mostly been covered by A as well for some while
- 2014-10-20 (C): asks again for removal of email address, refers to the automated mails sent to the primary address because of the closure of the account
- 2014-10-20 (A): explains the automated mails, informs C about the possibility that the address was compromised, suggests to change password
- 2014-10-20 (A): addresses software and critical teams, to check that there was no issue
- 2014-10-20 (C): apology, shows mails C got from the closing of the account
- 2014-10-20 (C): asks for confirmation that the name in the account is not listed as a user of CAcert and that the company of C is not listed as well
- 2014-10-22 (Critical team): asks for more precise information
- 2014-10-24 (A): explains to C that the data asked about was deleted from the account, but that it is not possible to search for other accounts just by the name, and that the name may also belong to someone else; if there is no organization account there is also no data about the company; the opening of an organization account involves some real paperwork and cannot be done automatically
- 2014-10-26 (A): answers the critical team that if they do not find something with the given information, there probably was nothing to detect
- 2014-10-27 (Critical team): responds that it cannot be assumed that an irregularity could be spotted without more data, but even with more data this would not be likely to reveal anything
Note from A: The information that critical team could spot with more data according to mail from critical team, is more or less the one that support already provided for this case.
Similar Cases