Before: Arbitrator: EvaStöwe (A), Respondent: CAcert (R), Claimant: Marcus M (C1) Benny B (C2), Case: a20141106.2

History Log

Private Part

EOT Private Part

Original Dispute (Anonymized)

Discovery

Note of CM: The Discovery section below is a preliminary version that I created as part of my training. It is pending a review by the Arbitrator.

About the original dispute

The dispute is a request to Arbitration to allow the Critical team to run two queries against the production database. Claimants state that they need the output of the queries to enable them to further investigate what they describe as strange behavior on (a) domain dispute.

The Claimants describe one occurrence of strange behavior that involves a user with two valid and active accounts and a domain in one of them that the user wants transferred to the other. Upon using the dispute domain menu to perform that action the user then receives a notification that the domain can't be disputed for administrative reasons and that he could contact Support. Support receives a Someone has just attempted to dispute this domain '%s', which belongs to a locked account notification of the event.

The Claimants consider this behavior to be strange and suspect a user account with a wrong entry to be causing it.

Claimants therefore want Critical to run the following queries against the production database and use the output for further investigation:

  1. an sql statement to find out which user account holds the wrong entry

    this query is meant to list all locked account-ids that link to the one specific domain that the user was trying to dispute

  2. an sql statement to check which domains are linked to more than one user account

    this query is meant to list all active domains that link to more than 1 user

Evaluation of the request

The description of the event as presented by Claimants is probably incomplete. A third locked account linked to the domain that the user tried to dispute provides a plausible and simple explanation for what occurred. This is also the account (or one of the accounts) that the first query as suggested by Claimants is going to reveal.

The fact that the link to the (deleted) domain in that locked account is considered a wrong entry by Claimants, while in fact it is a perfectly valid entry from an operational and design perspective, points to a mis-perception of what actually occurred. A less invasive slightly different query showing only a count of locked accounts would have done just as well here. Claimants fail to provide a valid reason for needing specific user-ids for further investigation.

The second query that Claimants propose doesn't bear any relation to the observed behavior and would never return results, if any at all, that would be helpful for investigating the strange behavior on domain dispute issue. The Claimants fail to provide a substantial reason for this query in their request.

The behavior described in the example presented by Claimants is not so much strange as unwanted and it affects both email and domain disputes. Due to a missing check for deletion the dispute code doesn't handle deleted emails and deleted domains in locked accounts similar to deleted emails and deleted domains in active accounts.

Bugtracker currently reports 3 overlapping/duplicate bugs related to similar 'strange behavior' in both automated email and domain disputes:

For Bug 1310 a fix was submitted that addresses the unwanted behavior in both email and domain dispute functionality. This fix for Bug 1310 made it to the testerver-stable branch in 2014 but is still awaiting a final review and was never merged into the release branche. Until the fix for Bug 1310 is reviewed and merged into the release branch unwanted behavior similar to that described in this and similar cases is bound to occur in both email and domain disputes.

Reviews of Respondents and Claimants

At the time of the filing the Claimants were a member of the Support Team and a member of the Software team.

The case log doesn't reveal whether the affected domain owner ever got in touch with Support over this nor whether Support ever got in touch with the affected owner.

Additionally there are no references to the affected domain owner to be found nor in the case log nor in the ticket:

The Arbitrator therefore is unable to determine the domain owner whose dispute is the basis for the request nor can she add the domain owner to the list of Claimants or ask for additional information if she so choses.

Ruling

Before the case could be started it was relevant to
a) clarify who is claimant of this case and
b) what kind of data the queries would provide

Depending on the answer to both questions the case either has to be entered or dismissed.

It was not possible to identify the claimant who entered the "domain dispute" via the website, because
 * that information was deleted from the dispute that reached arbitration and
 * there was no case found either by support or by arbitration for the case number that was named in the dispute to arbitration.

Even as the Arbitrator wanted to add that member to the list of claimants, this was not possible.

The claimants who filed the dispute with arbitration are a lot farther away from the data, as it is not their data.



Regarding the "issue" described by the claimants in the dispute: there exists a valid possible situation which would clearly explain the situation and which also already was addressed in bugs by the software team at the time being (without that becoming productive).

As both claimants were quite active in the software area at the time when the dispute was filed and when those bugs were handled (both were involved in them), they should have been aware about that issue and should have been able to address the issue and to create a comparable situation on a test-system as the Case Manager has done.


Regarding the first query: It is also not possible, to use that data to solve the original issue, as the ticket with the original issue cannot be found. This possible need for the data provided by the first query does not exist.

Without being able to identify and consulting with the original member, that query should not be executed, if there is a good explanation.


Regarding the second requested query: It would have provided a list of all domains that ever were entered with CAcert which were transferred between accounts at least once. There was absolutely no motivation provided for that request and there is also no reason visible how that information would have helped to fix any software bug at all.

The Arbitrator cannot see any situation where the result of that query ever would be allowed to be provided to another member. If at all a counter would be allowed.

The request for such kind of information without any motivation comes close to be an attack to the data or privacy of our members. It is highly dubious.

Board should be informed about this requests, to consider if it has to be documented further or if any other action in the executive branch has to be taken.

As both claimants have left their posts in the critical teams and by this it is unlikely that they would file according requests outside of such roles, again, no further steps should be taken.

It should be noted, that the domain in question was provided in the dispute to arbitration. By this is was shared with the second claimant, without consent of the member or an arbitration request. The consent of the member that the data is shared with arbitration can be assumed as the member was filing a "domain dispute". But there is no evidence at all that the member gave his consent to get that data shared with software assessors.

The dispute is dismissed.

Eva Stöwe, 2016-07-29

Execution

Addendum

Similiar Cases

Domain Disputes

a20100827.1

domain dispute not solved by auto-domain-dispute

a20110315.1

Domain dispute, turned to CCA violation, administrative delete account

a20110407.1

Please remove <domain> from my Organisational Domains

a20120305.1

Password Reset, Domain Dispute, Paypal Dispute

a20120723.1

Cert Renewal problem, Domain Dispute, Remove Mail from Mailinglist, various issues

a20150824.1

Domain Dispute

a20151130.1

Identify person who tried to add the domain to her account.

Comparable Email Disputes

a20110226.1

Auto dispute request doesn't work (Account cleanup)

a20160621.1

Email dispute on locked account

Technical References


Arbitrations/a20141106.2 (last edited 2016-07-30 14:09:54 by PietStarreveld)