* Case Number: a20090913.1
    * Status: Closed
    * Claimant: Ja. St. (made anonymous by Christopher Hoth)
    * Respondent: CAcert Inc - Sysadmin lists, Iang
    * Case Manager: Ulrich Schroeter
    * Arbitrator: Lambert Hofstra
    * Date of arbitration start: 2009-09-13
    * Date of ruling: 2009-11-16
    * Case closed: 2010-11-14
    * Complaint: User want his name and e-mailaddress removed from lists

The user requests to remove his name and e-mailaddress from lists archive on 5 posts.

    * Relief: 
  . - the posts of C do not have to be removed
  . - the posts of R on the email list "cacert-board@lists.cacert.org" must be changed so that all PII (name, email address, link to corresponding posts) is removed from the posts

Before: Case Manager Ulrich Schroeter (CM). Arbitrator Lambert Hofstra (A). Respondent: Iang (R2) Claimant: Ja. St. (C) Case: a20090913.1

 1. 2009-09-13 (CM) Req. CCA / DRP acceptance of (C)
 1. 2009-09-13 (CM) Arbitrator assigned (A)
 1. 2009-09-15 (C) accepts arbitration under CCA/DRP
 1. 2009-09-14 (R2) accepts arbitration under CCA/DRP
 1. 2009-09-24 (A) Updated wiki, added more detail to the claim of C:
<<BR>>
Claim is twofold:
 * the access policy for the email list and archive made it only accessible by CAcert members, this has changed, and now personal data is available on public search engines. Because of the change in access policy I now like to have my posts removed from the archives
 * my request to remove the data was copied to a publicly accessible mail list, this is not acceptable, please also remove my personal data on that list.
<<BR>>
 1.#6 2009-09-24 (A) Multiple Respondents are mentioned, this is impractical, especially because one of the respondents is CAcert Inc. Since the initial claim only addresses the policy email list, (one of) the owners of this list shall act as Respondent. The second claim is regarding a specific post on a public email list. Since it was posted by one of the mail list owners of the policy list, I choose him (Iang) as the Respondent
 1. 2009-09-24 (A) Further questions sent to C and R. Also question to mail list admins: mail list architecture has changed on March 27, 2009. Mail archives have been available to everyone before that date, but are more easily accessible by search engines since that date. So basically not much changed since march 2009.
 1. 2009-10-04 (A) Private discussions between CM and R were shared with C and his feedback was requested. C has nothing further to add.
 1. 2009-10-27 (CM) request for progress report
 1. 2009-11-15 (A) A has asked for info on how email is search-able by search engines like Google. 


=== Ruling ===
Regarding the request of C, to remove his posts from the email archive, I rule that this is not required. This ruling is based on the following observations:
  . - this email list was accessible to everyone, also non-members, and no specific policy forbids further distribution. The fact that the implementation was changed in March 2009 does not really change this: although before that date one had to register with an email address, it was already open to everyone (no further restrictions existed)
  . - C posted knowing that this email list was readable by a potentially unlimited group 
  . - removing posts will break a mail thread, thereby putting consecutive posts in a "orphan" state, and rendering the thread less useful to the audience

Regarding the request to remove PII that was put on a public mail list by a third person I rule that this is valid, and the corresponding email archive must be modified in such a way that no PII of C is kept in the posts. This ruling is based on the following observations:
  . - the privacy policy of CAcert states that: 
{{{ 
8. Privacy of user data

CAcert Assurers can see the name, birthday and the number of points by looking up the correct email address. No other person related data is published by CAcert. 
}}}
  . - posting information on a public email list can be considered as "publishing" by the sender
  . - since the sender was a member of CAcert, this is in violation of the Privacy Policy
  . - therefore the post is a violation of the privacy policy
<<BR>>
I also rule that a discussion on email list policies must be started on the policy list, to extend the privacy policy with policies on email lists. This discussion will be started by A.



===== Instructions to Support =====
Please remove all Personally Identiable Information (PII) in the specific posts by:
  . - Removing full name (change all "Firstname Lastname" to "F S")
  . - Remove Email address (change all "Firstname Lastname <name@domain>" to "F S < >" )
  . - Remove links to relevant pages (change all "https://lists.cacert.org/wws/arc/cacert-policy/xxxx" to "< link removed >"


 * 2009-12-27 (CM): progress report request to (A)
 * 2010-09-08 (CM): progress report request to (A)
 * 2010-11-14 (A): verified that requested instructions are carried out. Confirmed, so case is closed.

----
 . CategoryArbitration
 . CategoryArbCaseSystemTasks
 . CategoryArbCaseOthers