  * Case Number: a20100304.1
  * Status: closed
  * Claimants: Dirk A
  * Respondents: Bjoern E
  * Case Manager: SebastianKueppers
  * former Case Manager: MartinGummi
  * Arbitrator: UlrichSchroeter
  * Date of arbitration start: 2010-03-04
  * Date of ruling: 2010-07-27
  * Case closed: 2010-07-27
  * Complaint: dispute for privacy purposes

{{{
some minutes ago (R) came in with a cap-form in his hand 
and presented this form to me and another assurer ...
 
as far as i know, an assurer is allowed to show the contents of a 
cap-form only to an arbitrator, when he acts in an arbitration case 
and he needs the data from the cap for his ruling (there are some 
other cases, but this will not fit in this case)

... to keep the privacy of applicants data, i have to file a dispute 
against <name> (<email address>) ...
}}}

  * Relief: TBD

Before: Arbitrator UlrichSchroeter (A), Respondent: Bjoern E (R), Claimant: Dirk A (C), Case: a20100304.1


== History Log ==
 . 2010-03-04 (issue.c.o) case [s20100304.2]
 . 2010-03-04 (UlrichSchroeter): added to wiki, request for CM / A
 . 2010-03-04 (CM): I'll take care about this case
 . 2010-03-04 (A): I'll take care about this case
 . 2010-03-04 (A): (CM) please start the init mailing with PoV from (R)
 . 2010-03-04 (R): requests infos about the dispute filing
 . 2010-03-04 (A): forwarding of dispute filing to (R) as it was missing in the init mailing and isn't readable thru this wiki page at the moment
 . 2010-03-04 (C): accepts CCA / DRP under this arbitration
 . 2010-03-06 (A): Dominik G (A1) states to assist (R). Statement made in an interview between (A) and (A1)
 . 2010-03-06 (R): accepts CCA / DRP under this arbitration 
 . 2010-03-13 (A): requesting infos about course of event from (C), (R) and 3 other participants and witnesses
 || Assurer || Assurers name || answered ||
 || AS1 || Dominik G || {-} ||
 || AS2 || Martin G || {-} ||
 || AS3 || Joost S || {+} ||
 . 2010-03-13 (A): requesting infos about a 2nd privacy info from Cebit booth, dated Friday, March 5th 2010, about the course of event from 2 participants (C), (AS2)
 . 2010-03-13 (AS1): answered, see discovery
 . 2010-03-13 (A): (AS1) mail answered
 . 2010-03-14 (AS1): I accept this as an explanation. However, as I already mentioned, I did not witness either of the events in question.
 . 2010-03-14 (A): Intermediate Ruling
 . 2010-03-14 (SebastianKueppers): I'll take care as (CM) about this case if nobody objects.
 . 2010-03-14 (A): notification to participients in this case sent about new (CM)
 . 2010-04-04 (AS3): answering request from (A) dated 2010-03-13
 * 2010-07-16 (A): requests Assurer Challenge date of (R) from (Support), (R)
 * 2010-07-16 (R): I've passed the assurer challenge Sept 2009. During the CeBit event in 2010 I did numerous assurances, and even in the last days, I could still learn about new things.

== Discovery ==
 * Mail from Dominik G. dated 2010-03-13
{{{
I did not happen to witness the occasion mentioned on 4th of March.

I also refuse to comment on this case in any further way as its init was
inappropriately handled to the disadvantage of the respondent.

I request the respondent to be changed from <R's name> to CAcert
Community, specifically any common party, as named by the arbitrator, to
achieve a general ruling in this case. Assurers showing CAP forms to
fellow assurers in case of inconsitencies appears to be common practice
and <R's name>, being personally known to me, does not fit in here
as a single respondent, even if it be for reasons of POC.
}}}

 * Mail from (A) to Dominik, dated 2010-03-13
{{{
before I can come to a global ruling I want to investigate typical situations, that may happen on a recuring basis.

A 2nd privacy issue appeared at Cebit booth 2 days later on Friday, 5th of March. I've also requested infos about that issue.

From my knowledge, Bjoern wasn't as long as an assurer before ... probably he started his experience a few days ago, as it come to my knowledge, that Martin invited him to come to Cebit.

As the named issues happens more often on events than expected, this issue is a general purpose, but needs to be identified analyzed and named once. Therefor I've started the request to each participient to describe it individualy what happens, what he has seen, what info he gets, to get an overview how privacy is affected and how such situations probably can be prevented (if a privacy issue occured - thus I didn't get yet covered except thru the named dispute filing, but this dispute filing didn't include the special info what privacy info has been transfered ....)

To get this case to a broader audience, I first need to start what I've got thru the dispute filing, and thus was the case happened with the participient Bjoern and Martin and other assurers.

I had a short interview with Bjoern outside the Cebit hall 2 and described him my intentions to handle this case. But thus can only work, as long as I got all the infos needed as requested, to describe a "typical situtation" that happens at big events or other assurance events with more than one assurer.

So here again:
What does happen ?
Please describe the course of event as you've perceived it as detailed as possible.
Which info did you cover from the CAP form in question?
Name ? Email Address ? DoB ?

Those detailed infos are for the purpose describing formal a situation that may happen from time to time in one or another way assurers are under education, or in training situations, also in situations confronted with an unusal document and so on.

The request to discard Bjoern from Respondent at this moment I have to reject until I have enough infos to bring this case to the next higher level - a global view in the progress of this case.

Maybe it was a bad idea, to use Bjoern as a respondent in this case, so I've accepted you as an experienced Assurer
to assist Bjoern in this case.

We will all be required to work together after this Arbitration, so I ask you to maintain a positive and helpful spirit at all times! Thus means, we have to walk thru this case step by step. First starting with investigations what realy happens.
}}}

== Intermediate Ruling ==
 . As (CM) was involved in this case as a participent, and as a potential witness, I have decided to search for another (CM).  This is to maintain the independence of the CM/A team, as per DRP 1.5:

 . "Arbitrators are experienced Assurers of CAcert. They should be independent and impartial,...".

 . Since the job of Case Managers has been moved from Support to Arbitrations Team, during 2009, the requirements for independence and impartiality also apply to Case Managers.  Therefore a Conflict of Interest may arise if a (CM) is involved in a case.  As long as the (CM) has a role of observation over the Arbitration, he needs to be independent.

 . As this case may become a leading case for CAcert practices, I intend to treat this case more seriously, and will appoint an independent (CM) not previously involved in any way in the case.

 . This ruling only applies to this particular case, and is not to be seen as a general comment over (CM).

 . Frankfurt/M., March 14th, 2010
 . Ulrich Schroeter

== Discovery II ==
 * 2010-04-04 (AS3): answer
  {{{
(R) came in (CAP in hand), starting a line of conversation directed to (AS2).  About (another) assuree with a suffix on his account which couldn't be verified based upon his ID documents.
(C) gained hold of the CAP form. (Fast move, not too violent. For what I took notice of it.)

As I recall the details were not discussed as such. More the privacy aspect. (Who can get access to the form, etc.)

Later on a dispute was started over (C) gaining access to the document. First focused on (R) "allowing"/facilitating that, later on focused on (C) gaining.


Related thoughts.

Earlier that day (while driving towards Hannover) there was a similar discourse on the backseat of my car between (R) and (AS2). ((R) was entering assurances in the system.) Fellow inhabitants of the vehicle ((AS3) & Martin S.) were privy to all details discussed. 
The dispute, while filed with the best intentions (namely a jurisprudence setting [1] case on the subject of privacy and access to CAP forms), fails. The desired outcome can not be gained in this case.
While an opportune target, as in the first that came along, (R) is a badly chosen victim. As a new assurer he had no experience with arbitration whatsoever, and the filing quite surprised him.
In retrospect warning, advice and possibly mentoring (regarding arbitration) should have been offered. (I am as much to blame as all others present in that regard.) 
Also in hindsight, (R) actively (possibly not consciously) seeking mentoring  by (AS2). (AS2), by not denying him, implicitly accepted mentorship over (R).
Discussions later in the week (over this, and unrelated subjects) suggest that mentor-ship is not a bad thing for either the directly involved parties or CAcert. Quite possibly something we actively want, especially for people yet inexperienced in arbitration cases, ABCs and the like. 
Regarding that last thought, I hereby strongly request the arbitrator to consider that policy group be directed/gently pushed to discuss mentor-ship as it relates to privacy, DRP and any other applicable policies.
}}}

 * 2010-03-29 (AS1): Proposal: "CAcert Community Spirit Team" published under
  [[https://lists.cacert.org/wws/arc/cacert-board/2010-03/msg00149.html|Proposal: CAcert Community Spirit Team]]

 * Approx. assurances per month over the last 12 months ([[http://www.cacert.org/stats.php]]):
  || 2009-07-09 || 110485 ||
  || 2010-07-17 || 126704 ||
  || Difference || 16219  ||
  * Approx 16219 Assurances within 1 year. Approx 1352 Assurances total per month   

 * New Arbitration cases within the last 12 months. (Values counted from [[Arbitrations|Arbitrations]] and [[Arbitrations/ArbitrationsClosed|Completed Arbitration Cases]])
  || Jul 09  || 12 ||
  || Aug 09  || 9  ||
  || Sep 09  || 7  ||
  || Oct 09  || 1  ||
  || Nov 09  || 22 ||
  || Dec 09  || 10 ||
  || Jan 10  || 11 ||
  || Feb 10  || 23 ||
  || Mar 10  || 22 ||
  || Apr 10  || 6  ||
  || May 10  || 6  ||
  || Jun 10  || 4  ||
  * Total 133 new arbitration cases within 1 year
  * Approx 11 new arbitration cases each month

 * "Training" in policy mailing list about AP [[https://lists.cacert.org/wws/arc/cacert-policy/2009-04/msg00037.html]]
 * CAcert Management Assertion [[http://svn.cacert.org/CAcert/CAcert_Inc/Board/ManagementAssertion.html]]

 * Where does the AP 6.2 section comes from (which discussion?)
  * By searching the mailing list for the subject "Training", i've got 39 results. But no one of the results directs me to the section 6.2 High Risk Applications section. Introducing AP WIP on Wiki doesn't include this section. So this section has been added while AP moved to DRAFT or close before. 

  * Section 6.2 as rev 1937, Rev 910 .. 860 (does include this section). No revision before. Rev 860  June 3rd, 2008 [[https://lists.cacert.org/wws/arc/cacert-policy/2008-06/msg00023.html]]


== Deliberation ==
At big events, where more than one Assurer assures an Assuree, the group of Assurers consists of Senior Assurers, Experienced Assurers and Assurers who started with Assuring others, the so called unexperienced Assurers. The latter group asks often Senior- and Experienced Assurers about problems with names and DoB and how they can handle this.

Following AP 7. Privacy limits the access to the members information in the following way:
The Member's information can be accessed under these circumstances:
 * Under Arbitrator ruling, in a duly filed dispute (Dispute Resolution Policy => COD7);
 * An Assurer in the process of an Assurance, as permitted on the CAcert Assurance Programme (CAP) form;
 * CAcert support administration and CAcert systems administration when operating under the authority of Arbitrator or under CAcert policy.

AP 7. Privacy also says:
Information is collected ... It is used secondarily for training, testing, administration and other internal purposes. 

CAP forms has an addtl. clause:
"... and request the CAcert Assurer (identified below) to verify me according to CAcert Assurance Policy"
This clause is to read as "I (the Assuree) hereby allow you to handle with my privacy data according to AP"
If this controlled passing of privacy data handling is given to all Assurers at an event, the secondarily issue of AP 7. Privacy about training and testing is no problem as the Assuree allowed the Assurer to work with the privacy data in a way AP allows it.

What other purpose can be read for "training" and "testing" ? if there exists a problem with the data of a user and an unexperienced Assurer asks an Experienced Assurer about such a case ?

In situations where problems araises in an assurance, the next step is, if there is no immediate solution, to file a dispute. This needs also some training, to realize, what can be handled immediatly and when to file a dispute.

Experienced Assurers can help unexperienced Assurers, but this often consists of exchanging the Assurees private data. As long as there can be expected, that the experienced Assurer also did assure the Assuree, there is no problem here. But there is a problem in the case, the Assuree hadn't give the experienced Assurer the permission to verify the Assurees privacy data.

A typical situation on big booths is: -- 2 Assurers staying byside, assuring 2 Assurees at the same time. The unexperienced Assurer has a problem with a hyphen in the name that isn't on the CAP form, but in the ID document. As the unexperienced Assurer didn't know about a special country variation rule for Germany, that 2 givennames combined by a hyphen are considered to be one name, he asks the experienced Assurer, how to proceed?

Assuming, that the Assurer hasn't been assured by the experienced Assurer, the experienced Assurer didn't got yet the permission to verify the data against data in the ID document. At this moment, the Assuree is participient of this situation. If he doesn't gave such a permission to the unexperienced Assurer, that the experienced Assurer can assist him, to handle this situation, he can intervent in this situation. As a recommendation, the unexperienced Assurer should ask the Assuree, if he can get assistance from an experienced Assurer. Privacy problem solved, as now the Assuree has the option to decline.

Same situation, different timing: -- At the booth an Assuree got assured by an unknown count of Assurers who works on the booth of a big event. Afterwork getting dining, the group of assurers mets for discussions about the day, hacking in their assurances and so on. The group of unexperienced, more experienced and experienced Assurers and also Senior Assurers can be seen as the events Assurers unit. So its likely that one Assuree gets assured by all Assurers. Now one Assurer detects one problem with one Assurance.

When, not now, is the best time to find a simple solution about this problem ?

With the assistance of experienced and [[https://wiki.cacert.org/AssuranceHandbook2#What_is_a_Senior_Assurer.3F|Senior Assurers]], probably a solution can be found: i.e. contact the Assuree by email to solve the problem, before starting a dispute. In such situations the experienced- and Senior Assurers fulfills a pre- Case Manager / Arbitrator role, before a case ends in the disputes queue. To check the solutions that are possible to handle this unique and special case.

At [[events/FrOSCon2008|Froscon 2008]] the group of Assurers had a closed communication channel thru mailing list. Close after the event the first assurer found a problem in an Assurees name and stopped assurance, contacted a 2nd Assurer ... who continued checking the Assurees data and found also a DoB problem. Both Assurers notified the other Assurers about such a problem. A 3rd Assurer was warned and also stopped to continue to transfer points to the account. Assurer 1 and 2 stumbled over the notification in the online form, that the Assuree has already 80 pts, later on 100 pts. So at least 4 Assurers had transfered their assurance points onto the account. Thru the communications channel the problem has been identified also the 4 assurers who already transfered assurance points. Support-Engineers, a Senior Assurer and also an Arbitrator has been contacted. The quick solution was to revoke the falsery given 4 assurances by request from the Assurers. The left 3 Assurers who didn't transfered their assurance
points yet, than later transfered their assurance points, after the Assuree corrected the Name and DoB data in his account at the moment the 4 assurances was revoked.

This story shows transparent the minimum need for communications between the Assurers, so they can detect and fix problems, before a case have to be moved into the arbitration queue. An unbureaucratic approach is a limited approach. Limited to big events (3 and more Assurers), the post-event work is handled not in the public and is limited to the Assurers who works on such an event as Assurer (at Cebit 2010 we had about 3 known people who doesn't
doing assurances but with my knowledge, that they have at least in 2 cases Assurer status, they aren't part of this closed group of active Assurers to be named under this limitation).

At [[events/Cebit2010|Cebit 2010]] we had a group of Under18 Assurees. Before the Assurances started we had to identify that all assurees are underaged and falling under [[PoJAM]]. This was the first event, a practicle workaround needs to be settled, to handle all these cases at once. As they underaged assurees are from Austria, the Assurers needs some knowledge about the Austrian regulations about underaged people. So we've contacted
PD by phone to get assistance from him. Without some knowledge about the Assurees - they are under 18 years old, they settled in Austria, this case hadn't been handled w/o prior informations and informations
exchange. The [[PoJAM]] was in force at this time, but it needs at least 4 Senior Assurers to find a solution, how to handle this case. Without a minimum of informations that has been exchanged before, this case hasn't been could opened and started. Not all Senior Assurers that are involved in this pre-Assurance work has done an Assurance
over the Assurees but w/o their assistance it wasn't possible to build up a script how to handle these Assurances. The Assurers get informed and to be named for this case to exchange informations also in the post-Assurance work to get the Parental Consent spread to all the Assurers.

In other than Assurance areas within CAcert we have also situations, where privacy data is exchanged as part of the jobs duty. These areas are
 * Support
 * Arbitration

Starting new in the Support or starting new as a Case Manager / Arbitrator each role gets probably informations about the involved parties privacy information (i.e. request from the arbitrator about the fullname of a user
named by email adress) under supervision. This means, the supervisor didn't get the explicit permission to handle the privacy data by the case related parties. At the moment of supervision, the Supervisor is a passive participient
in an defined event as long he controls the work of a trainee. This is covered thru AP 7. Privacy "CAcert support administration and CAcert systems administration when operating under the authority of Arbitrator or under CAcert policy." and AP 6.2. High Risk Applications "Additional training"

To train Assurers, Support-Engineers, Arbitrators is not yet well covered by the policys. But its an essential part in the overall operation, in the daily business, to increase the overall quality of Assurance, Support, Arbitration.

Everybody knows the concept of the driving school. It consists of a theoretical part and the practicle part. The theoretical part in the Assurers education is the presentations part in ATEs and the practicle part is the co-Audited assurances part in ATEs. 

There still exists no ATE for Support-Engineers nor for Arbitrators. Support-Engineers and Arbitrators have to do their work from scratch. This doesn't work.

So here comes the education / training. The same way, Assurers get experience by doing Assurances, they sometimes need assistance from experienced Assurers, Support-Engineers needs assistance from an experienced SE, also unexperienced Arbitrators needs assistance from experienced Arbitrators.

So does the training on each roles leave limited room for exchanging privacy informations, as long as it is needed to handle a case that follows the policys (AP, AH, SP, SM, DRP) to the involved parties ?

A Supervisor and/or Mentor isn't explicitly named in a Support case, Arbitration case, Assurance process, but becomes part of this process.

So the question here is: does the Supervisor / Mentor be explicitly named under a case so his Supervisor / Mentor role gets noted ?

==== Questions ====

So the questions to be answered by this arbitration are (unordered):
 * Which policys / documents are affected by this arbitration case ?
 * Has (C) done all his duties before starting a dispute against (R) ?
 * Was there any policy breach by (R)'s action ?
 * What does the training thing mean under AP 6.2 ? How does this relates
  . to this Arbitration case ?
 * Is there a global concept on training for the several roles within the
  . business areas within CAcert or can be a global concept identified ?
 * How to handle the Supervision and Mentor concepts within cases (Assurance,
  . Support, Arbitration) ?
 * Is there a conflict between the Privacy issues and the Training purposes ?
 * Is the privacy problem well communicated into the community ?


==== Affected Policies ====

Possible affected policys and documents by this arbitration case:
 * Primary documents:
  * CCA, AP, AH, DRP, Privacy Policy
 * Secundary documents:
  * Principles, PracticeOnNames, Subsidiary Policies (PoJAM, OA)

==== Assurance, Privacy and Training ====

This case also covers the Privacy part of an assurance under the education and
training aspect that AP 7. Privacy allows under some circumstances
access to privacy informations in a limited way.

The group of Assurers at a booth at a big event can be seen as a Assurers "unit".
Mostly all got the permission from the Assuree, to conduct the assurance.
This wasn't probably the intension on writing the policy. But thus includes
the handling of the data in a problem case in a limited way.

One limitation is that only Assurers that are part of the Assurers "unit" can
exchange some informations. The 2nd limitation is, that only parts of the
full information set (Full name, DoB, Email address) is exchanged between the
assurers to identify one special case: i.e. Givenname or special part of the
lastname or year of DoB or Day+Month of a DoB or domain of email address
and not all informations (Fullname + DoB + Email) at once with the goal
to identify one case of all Assurees that got assured at one event. 

Thus relates for training purposes or to prepare an Arbitration case
to fix a problem with an Assuree if it cannot be handled directly.

With this PoV, actions in this way cannot be seen as a policy breach.
(R) handled as an unexperienced Assurer in his training phase, to ask for
assistance of an experienced Assurer about a special problem.

Every Assurer at the named event was aware of (R)'s status as
unexperienced Assurer. His training state wasn't in question.

So education - training is a central component, that needs deeper
inspection. As shown under deliberations, there are 2 elementary points
that needs a consideration: privacy vs. training.

Both are handled within AP, so both are under control of a policy as
stated under AP 7. Privacy:
The Member's information can be accessed under these circumstances: 
 * CAcert support administration and CAcert systems administration when
   operating under the authority of Arbitrator or under CAcert policy.
and AP 6.2. High Risk Applications:
Additional measures may include:
 * Additional training;

As (R) did not attend an ATE before, as long as (R) didn't got an
private educational training about privacy purposes before this event
happens, this event was under training of (R). The experienced-
and Senior Assurers were the named (C) and also other Assurers (AS#) that
are witnesses in this case.

 * What does the training thing mean under AP 6.2 ? How does this relates
  . to this Arbitration case ?

An Assurers job about privacy issues is like a system admin.
Its not limited to one special case, to the Assurees data an Assurer
has assured, its also over the additional duties, to educate and
train unexperienced Assurers. If he got informations by train others,
his duty is to keep the information safe and not to use the data
for any other purpose as for the training.
i.e. training purpose "file a dispute" - what data needs to be written
in a dispute filing ? The name of the Assuree, the primary email adress
that is used in the Assurance. If there is a problem with the DoB
also the DoB that is seen in the ID docs of the Assuree, what is written
on the CAP form and what has been found in the online account.
So on a DoB problem, the notation of the day, month and year needs
some addtl. informations, so the Supervisor, Trainer, Mentor probably
got also the DoB information of an Assuree the Mentor didn't assure
to give the Assurer in question advice how to write down the
dates from different sources (ID doc, CAP form, Online Account).
This described scenario relates to cases after an Assurance was made and
the Assuree hasn't direct control to the interactions the Assurer
has with a Mentor. Cases with interaction by the Assuree are described
under deliberations.

Each Assurer should limit the exchange of Assuree data informations
to a minimum under all circumstances, also under training purposes.
To inform the Assuree over the possibility, that after an event
an Assurer can exchange some of the privacy data with an experienced-
or Senior Assurer for training purposes seems to be impracticle:
 1. An Assurer has to inform the Assuree about CCA, CAcert and much more. 
 1. Problem cases in relations of uncomplicated cases are the minority.
    and also problem cases that needs training by an experienced-
    or Senior Assurer are a minority in relation to all problem cases.

To get an idea, how many problem cases are practicle, I use the
statistics data about total Assurances and total new Arbitration cases
Not all Arbitration cases are administrative disputes, not all problem
cases coming into the disputes queue, as they are solved in the pre-arbitration
stage, but the result may give an overview:
 * Approx 1352 Assurances total per month   
 * Approx 11 new arbitration cases each month
The relation between successful assurances and problem cases is 1352 : 11 => 0,8 %

So we're probably talking about 0,8 % of all Assurance cases, that probably needs
assistance from an experienced- or Senior Assurer.

Its too less to make it mandatory in a talk between the Assurer and the
Assuree, but its too much, to ignore this problem.

Policy group makes it clear, that thus is no default behavior,
so that it becomes a rare condition. But policy group by writing
AP allows such events in a limited way.

 * Is there a global concept on training for the several roles within the
  . business areas within CAcert or can be a global concept identified ?

There exists an Education group within CAcert with a team leader.
This is an indication that education and training is an integral component of
CAcert. Education groups duty is not only the education over Assurers.
Its also for Support-Engineers and Casemanagers/Arbitrators and
probably other areas within CAcert. CATS, the CAcert Training Service
is open to other areas also, not only for training of Assurers.
But yet only the Assurer Training has been implemented.
A training course for Support-Engineers and Casemanagers/Arbitrators
will be deployed within the Wiki, first to collect informations that
are essential for each group. Maybe one day this can be transferred
into a training course. 

In 2009, CAcert started the advanced Assurers training with the
Assurer Training Events (ATE's). An addtl. indication that there is a general
concept for education and training within CAcert.

Reporting to the board by these groups is also part of this concept. 

The Mentorship finds also its relation in the [[https://lists.cacert.org/wws/arc/cacert-board/2010-03/msg00149.html|Proposal: CAcert Community Spirit Team]]

and is also covered by
 * [[http://svn.cacert.org/CAcert/principles.html|Principles of the Community]]
  * x.  Training
   * We train our users. We train our users to train other users.
   * If we accept someone in a role, we train, we test, and we support them. The training is provided for free.
   * For our core community roles such as Assurer, sufficient quality training will be available at no charge. This does not preclude cost recovery for commercial services. 


 * How to handle the Supervision and Mentor concepts within cases (Assurance,
  . Support, Arbitration) ?
  
Organisation Assurance concept uses Supervision for the first two cases
a new Organisation Admin has to do, before he can be nominated to become
OA-Admin.

Support-Engineers have to pass the Triage phase, by practicle
work in the pre-Support work, to learn and understand the CAcert structure.
Than he has to undergo an ABC before he can be nominated to become
Support-Engineer. Case Managers and Arbitrators don't need to pass an ABC
but they also need some education and training for this area they will be
nominated for. In difference to the Support-Engineers, that have direct
system access and therefor falls under SP/SM and therefor has to undergo
an ABC, Case Managers and Arbitrators have to follow DRP and are not
directly under SP/SM sovereignty. Arbitrators have to follow SP in
cases were its applicable, but themselves they aren't under this regime.  

Privacy issues aren't such a problem in cases where an Arbitrator orders
a Support-Engineer to take actions. A Support-Engineer under Supervision
is also covered by this Arbitrators order. The Support-Engineer role is
exchangable.

The privacy issue is not in question if it is handled thru an Arbitration,
cause this is explicitly defined under [[http://www.cacert.org/policy/AssurancePolicy.php#7._Privacy|AP 7. Privacy]]
The Member's information can be accessed under these circumstances:
 * Under Arbitrator ruling, in a duly filed dispute (Dispute Resolution Policy => COD7);

So the areas in question regarding privacy issues are:
 * Assurance
 * Organisation Assurance 

 * Is there a conflict between the Privacy and the Training purposes ?

'''Privacy''' is defined under:
 * [[http://www.cacert.org/policy/CAcertCommunityAgreement.php|CAcert Community Agreement (CCA)]]
 * [[http://www.cacert.org/policy/AssurancePolicy.php|Assurance Policy (AP)]]
 * [[AssuranceHandbook2|Assurance Handbook (AH)]]
 * [[http://svn.cacert.org/CAcert/principles.html|Principles]]
 * [[http://www.cacert.org/index.php?id=10|Privacy Policy]]

 * [[http://www.cacert.org/policy/AssurancePolicy.php|Assurance Policy]]
  * [[http://www.cacert.org/policy/AssurancePolicy.php#7._Privacy|Assurance Policy Privacy Section]] explains under which conditions access to the privacy info can be accessed.
   * Under Arbitrator ruling, in a duly filed dispute (Dispute Resolution Policy => COD7);
   * An Assurer in the process of an Assurance, as permitted on the CAcert Assurance Programme (CAP) form;
   * CAcert support administration and CAcert systems administration when operating under the authority of Arbitrator or under CAcert policy.

  . The last clause leaves the privacy issue open to other policys or other policy sections under AP

 * [[AssuranceHandbook2]]
  * [[AssuranceHandbook2#How_is_privacy_protected.3F|AH: How is privacy protected?]] doesn't give addtl. answers that aren't written in AP. 

 * [[http://www.cacert.org/policy/CAcertCommunityAgreement.php|CCA]]
  * CCA 1.4  Privacy
   * You give rights to CAcert to store, verify and process and publish your data in accordance with policies in force. These rights include shipping the data to foreign countries for system administration, support and processing purposes. Such shipping will only be done among CAcert Community administrators and Assurers.
   * Privacy is further covered in the Privacy Policy ("PP" => COD5). 

 * [[http://www.cacert.org/index.php?id=10|Privacy Policy]]
  * 8. Privacy of user data
   * CAcert Assurers can see the name, birthday and the number of points by looking up the correct email address. No other person related data is published by CAcert.
  * 9. Exceptions
   * A CAcert arbitrator may override this policy in a dispute.To obtain access to confidential data, a dispute has to be filed.

Section 9. Exceptions is also handled in AP 7. Privacy.
Section 8. Privacy of user data
is more interesting for further inspection:
What does 
 . "CAcert Assurers can see the name, birthday and the number of points by looking up the correct email address."
mean ?

It leaves open the question, if other Assurers can possibly read the data, as long
an Assurer searches for an email address in the Online account database.

So other possibilities aren't allowed nor explicitly denied (i.e. for training
purposes, fixing problems within an assurance)

 * [[http://svn.cacert.org/CAcert/principles.html|Principles of the Community]]
  * x.  Security
   * We strive to provide security. This means that we cooperate in securing ourselves and others. As a principle, security is led by the Security Officer, but it is our joint responsibility. Where we come into contact with security breaches, we disclose these. 

'''Training''' is defined under:
 * [[http://www.cacert.org/policy/AssurancePolicy.php|Assurance Policy (AP)]]
 * [[AssuranceHandbook2|Assurance Handbook (AH)]]
 * [[http://svn.cacert.org/CAcert/principles.html|Principles]]

 * [[http://www.cacert.org/policy/AssurancePolicy.php|Assurance Policy]]
  * 6.2. High Risk Applications
   * Additional training  

 * [[AssuranceHandbook2|Assurance Handbook (AH)]]
  * [[AssuranceHandbook2#Mutual_Assurance|Conducting a Mutual Assurance]]
   * "... but instead training a future generation of Assurer. Your mission is to teach her the best ways and understandings."    
 
 * [[http://svn.cacert.org/CAcert/principles.html|Principles of the Community]]
  * x.  Training
   * We train our users. We train our users to train other users.
   * If we accept someone in a role, we train, we test, and we support them. The training is provided for free.
   * For our core community roles such as Assurer, sufficient quality training will be available at no charge. This does not preclude cost recovery for commercial services. 

The count of definitions about '''Privacy''' vs. '''Training''' written in
Policys and Documents leads to the conclusion, that the '''Training''' issue
gets less attention.

This is a false conclusion.

'''Training''' finds a way into the principles, and therefor is at the same level
to the '''Privacy''' issue. So the question '''Privacy''' or '''Training''' cannot
be answered exclusivly. Both needs to be considered by each action taken:
 * Is the '''Privacy''' under control ?
 * Is the '''Privacy''' protected in a Training event ? 

If I can answer both questions with Yes, I'm safe to all the Policys and Rules and Principles.

'''Training''' is not limited to special Training events. '''Training''' starts
within an Assurance. Each Assurance is a training for an Assurer, unexperienced
or experienced one. Questions that araises within an Assurance process, is a signal
'''Training''' required.

 * Is the privacy problem well communicated into the community ?

As shown in the answer in the section above a question '''Privacy''' or '''Training''' cannot
be answered exclusivly. But how can answer an Assurer this question in an Assurance event?

The nature of this question is a conflicting question between two principles.
Such conflicting questions can only be answered thru discussion, as each event is
individual, each event may result to either answer. So this questions needs to
be questioned in each event, for each case.
 
A simple rule can be simple followed:
''Don't show the CAP form any person''

The expanded rule is also not a problem to follow:
''Don't show the CAP form any person, except an Arbitrator on request''

But how to follow the rule if it gets expanded with the '''Training''' principle ?
''Don't show the CAP form any person, except an Arbitrator on request ... and
under Training purposes''

'''Training''' under CATS or ATE is defined properly as it includes the
training aspect in the name. But in an Assurance event '''Training''' moves
to a soft definition.  

Can it be named '''Training''' if an unexperienced Assurer runs into a problem
and asks an experienced- or Senior Assurer ?

The answer is yes.

At [[events/LinuxTag2009|Linuxtag 2009, Berlin]] a group of experienced and
Senior Assurers discussed the question:
"Is the Assurance limited to the face-2-face meeting by defining the Assurance points,
or does the Assurance include the process from the meeting upto the moment entering 
the Assurance Points given into the Online system ?"

I'm following the view, that the Assurance is a process.
A process with several steps and tasks, and each step and task is related
to the Assurance between an Assurer and one Assuree. A process with the possibility
of late descisions, Training, dispute filing. As long as the Assurance points
transfer to the account hasn't been finished, the Assurance process is still open,
the Assurance process hasn't been finished.

The definitions of "Assurance" and "Assurance process":

Wiki defines Assurance as [[http://en.wikipedia.org/wiki/Assurance_services|Assurance_services]]. and "... the goal of improving the information or the context of the information so that decision makers can make more informed, and presumably better decisions".
One can argue, that the moment I make the decision to give X assurance points by entering it on the CAP form is the moment of "Assurance". But remember, you may running into a problem, where you have to check further information you've gathered in the face-2-face meeting against databases. You, as an Assurer have an option of a late decision. So this moment of "Assurance" is not limited into the face-2-face meeting. These are rare conditions, but they'll exists.

The answer to this question relates also to the question "how to handle CAP forms of Assurances where the Assuree did not create an Online Account?" but this is out of scope of this arbitration. The question I have to answer is, how '''Privacy''' and '''Training''' relates to the Assurance process and if this is well communicated
to the community ?!?

The question, why I opened up this view is twofolded:
 * the Assurance process in the face-2-face meeting
 * the Assurance process after the face-2-face meeting

As shown under deliberations, the Assuree has the option to deny the request for assistance by an experienced- or Senior Assurer to the unexperienced Assurer.  

In the Assurance process after the meeting, the Assuree cannot answer this question, as long he hasn't been contacted by email by the Assurer.

Can it be assumed, that the Assuree will answer this question with Yes ?
Is this sufficient for argumentation?

Ok, two scenarios:
Scenario 1:
The Assurer runs into a simple question for an experienced Assurer, but the
question is not simple to the unexperienced Assurer.
If the Assurer is now at home, sitting over this question, and finds no answer,
he can come to the conclusion, to search the answer in the internet.
Asking in the mailing list. As long he uses the users data for the question,
the 'Privacy' is no longer under control.
Does the Assuree will answer the question with Yes ?  Probably No.

Scenario 2:
The Assurer runs into a simple question for an experienced Assurer, but the
question is not simple to the unexperienced Assurer.
If the Assurer is sitting in a group of Assurers from the Event, where the
Assurance was made, and he asks for assistance one of the experienced- or
Senior Assurers who also did assurances at this event. The 'Privacy' is under
control by the experienced- or Senior Assurer.
Does the Assuree will answer the question with Yes ? Probably Yes. 

Can I use assumptions as a basis for my decision ?

In the Assurance process one task is to check the ID document for validity.
I'm trained about all the security features of a Germany IDcard. I've verfied
all the security features and I've found they are all ok.
I've also checked the script type of the fields against the DoB field
(one indication of a faked DoB). They are all of identical type.
The picture on the IDcard shows the person I'm sitting face-2-face.
All UV security features are on the IDcard. Also the 2nd wavelength shows
other security features on the IDcard. All holograms are at the position
they have to be. The expiry date is in the future. The issuing authority is
correct and valid. And at the very end of the ID checking process, the
Assuree tells me, that this document is a fake. Puhh.

Would you like to continue with the Assurance ?

==== The Nondeterministic Experiment (Watzlawick) ====

Test persons got pairs of numbers submitted (31 and 80). They must decide
whether the numbers ''fit''. The pairs of numbers are coincidentally arranged,
and the test manager gives his evaluation ''correct'' or ''wrong'' on the
basis to a half rising Gauss bath tub curve. The evaluation becomes ''correct''
also runs away the experiment ever more frequently, it comes to the training
of a hypothesis by the test subject.

If them the experimental assembly is revealed, the test subject assumes even
occasionally a regularity to have discovered which escaped the test manager.
The test subject thus in the true sense of the word reality invented from which
it with good reason accepts, it to have found. For the test situation this
reality is assertible, it recognizes however not in the removing the actual
experimental assembly. 

How does this relates to the Assurance, the Privacy and the Training ?

Assumtions mostly tends not to fit but we have to make daily decisions
based on assumptions. So we have to deal with the risk, that our assumptions
are wrong.

So how we can reduce the risks ?

==== Practicle solutions ====

In the moment of Assurance, running into a problem, asking an experienced-
or Senior Assurer for assistance, we are not aware about the ''Training''
purpose that happens and we're also not aware of the ''Privacy'' concerns
over the Assuree as we, the experienced- and Senior Assurers are bound
to the principle to assist unexperienced Assurers but we have also to
take care about the privacy concerns.

So every assistance request of an unexperienced Assurer to an experienced
Assurer is a training also for privacy purposes. Tell the unexperienced
Assurer, that he is bound by AP 7. Privacy, to allow access to the privacy
data only to Arbitrators by request and you are now running into a
privacy conflict if you didn't assure the Assuree also. That you may assist
under the premiss of AP 6.2. High Risk Applications by 'Additional training'
and the access to privacy data has to be limited to solve the problem. So none
or a minimum of the privacy data should be presented to the experienced Assurer,
to assist the unexperienced Assurer in this case. 

While reading http://www.sfwork.com/jsp/index.jsp?lnk=644
(Keywords: Systems Action in Organisations, Change, A Learning Organisation,
Levels of Learning, First Level Learning, Changing The Rules,
Second Level Learning), I'm impressed about the analogies to this case.
The conflict between ''Privacy'' and ''Training'' is also a question over
First Level Learning and Second Level Learning.
We don't need to change the rules (Second Level Learning) here, as long as
we allow some First Level Learning here. The First Level Learning is
implemented in AP 6.2. High Risk Applications by 'Additional training'.
Accepting the need for ''Training'' of our unexperienced Assurers and by
following the ''Privacy'' requirements by our experienced- and Senior Assurers
that they not only bound by direct relations of an Assurance, also to
indirect relations of an Assurance (assistance of unexperienced Assurers),
we have a construct with a limited scope to a group of Assurers of a
special event where the assurance was conducted. As such cases may happen
rarely, the High Risk Applications definition is adequate.

Later on in a dispute filing about this Assurance, an Arbitrator
may be interested in the details that happens in the Assurance process.
So its likely, that the Arbitrator still gets notice, that the unexperienced
Assurer gots assistance from an experienced- or Senior Assurer.
So it maybe helpful, to have the name of the experienced- or Senior Assurer
to contact him also. So documentation comes in place.
If the unexperienced Assurer documents this asssistance onto the
CAP form, he has requested assistance for, the involved parties
where a possible "privacy data" leak occures are named and can be later on
a dispute case be heard. 

==== The purpose of the CAP form ====

The CAP form can be seen as the Assurance protocol.
First to document the details seen in an ID document of the Assuree.
Also its a document like a contract about the CCA.
In dispute filings the CAP form will be used as a protocol over an Assurance.
Notes made by the Assurer about found differences of different documents,
notes about Assurees push to finish the Assurance and so on.
Later on at home, trying to transfer the Assurance points onto the
online account, the not found email address in the online system
can/should be added as a note onto the CAP form, to document, that
the non-existance of an account did happen. Waiting a few days, until
the Assuree created his account, the try of transfering the points
can be noted and the date of transfer of points should also be documented.
Adding notes about consulted assistance from an experienced- or Senior Assurer
is an addtl. note that states what happens in the Assurance process
and documents a AP 6.2. High Risk Applications - ''Additional Training''.


== Ruling ==
Training is yet a not so well documented feature, that may break privacy issues. But as long as its documented, this behavior is revealed. So in relation - privacy vs. training - do we want our Assurers running into a problem, by not giving them the optional assistance? Every assistance is also a training. So therefor "Additional training" is also named under AP 6.2. as "High Risk Applications". This issue needs attention.

I follow the opinion of (AS1) and (AS3), that (R) is a badly chosen victim in this case. I relieve (R) in this case and move the duty to (C) as an experienced and also Senior Assurer to educate and train unexperienced Assurers instead of filing a dispute at the very first time.

But this said, I have also to point to CCA "2.  Your Risks, Liabilities and Obligations"
As a Member, you have risks, liabilities and obligations within this agreement. 
 2.1  Risks
  * You may find yourself subject to Arbitration (DRP => COD7). 
So this Arbitration case is the practicle part of this agreement that each member has to accept, before he can become a member.

So Arbitration system is also there to protect the members. An Arbitrator has to decide, if a claim against (R) is either valid or invalid and needs to be rejected. Like other courts, an accused is innocent until its
debt is proven.

The Arbitration system is about to handle all disputes between members. But this cannot be read as a global charter to move all cases to the Arbitration system at the very first time.

The disputing parties should check before they move a case into the disputes queue, if they can handle a dispute by their own, by either discussing a case in a face-2-face meeting or by email. If the disputing parties doesn't came to a solution, either disputes party has the option to file a dispute. This step of pre-arbitration work can be mentored by an experienced Assurer, a Senior Assurer or by an Arbitrator.

Also an experienced- or Senior Assurer have to check, if the problem case was done by an unexperienced Assurer, so his own duty is to train the unexperienced Assurer. If this fails, than a dispute can be filed. In the presented case, there was an option to first talk with (R) about the privacy problems and discuss it. I cannot read in any statement, that (R) rejected a training, instead he asks for assistance.

==== Detailed questions ====

===== AP 6 and AP 6.2 sections =====

AP 6.2. High Risk Applications is a subsection of 6. Subsidiary Policies. It can be read that the subsection talks about Subsidiary Policies only, not about AP. From talks with persons working on AP, I've got the impression, that 6.2's intension relates also to AP, the main policy. But this needs the section title to be modified to:

 {{{
 6. AP & Subsidiary Policies
}}}

thus it includes AP also (inclusive / exclusive view).
To find answers in this Arbitration case I've read and use this section this way (inclusive), but I will leave this question open for Policy Group to further discuss this part and to clarify this issue about AP.

===== (C) gained hold of the CAP form. (Fast move, not too violent. ...) =====

(C) as a Senior Assurer should know AP 7. Privacy. So therefor he also takes care about unexperienced Assurers and their knowledge about privacy issues.
(C)'s duty in such an event is to train the unexperienced Assurer about the privacy issue, not to push him into a situation, so that he has to file a dispute regarding this issue. Maybe (C) acted in affect as he wrest the CAP form away from (R). But this isn't an adequate handling of a Senior Assurer. Despite the fact of the following discussion about privacy issues and the handover to a dispute filing to get a precedence case, as it shows the problem with such a case, I let the incident be based on itself.

===== Regarding the request 'I hereby strongly request the arbitrator to consider that policy group be  directed / gently pushed to discuss mentor-ship as it relates to privacy, DRP and any other applicable policies.' =====

As shown, rules exists to handle ''Training'' and ''Mentorship'' in such events. The only missing component is ''documentation'' of such events. 

Here I come back to the question (under Deliberation):
The question, why I opened up this view is twofolded:
 * the Assurance process in the face-2-face meeting
 * the Assurance process after the face-2-face meeting

Document such issues is possible in the face-2-face meeting and documentation is possible after the face-2-face meeting with an Assuree, so it makes no difference to the Assurance process. The need: to document such events.

Returning to the question (under Deliberation):
"Is the privacy problem well communicated into the community ?"

My simple answer is: No.

Solutions found in this arbitration ruling, thats more an excurse over Assurance, Privacy and Training, aren't yet communicated to the community of Assurers.

So therefor I order:

a) Policy Group should take a review over AP section 6 title
 . if it should be named "6. AP & Subsidiary Policies" instead of "6. Subsidiary Policies" to clarify the intension that was made in writing AP 6 subsections that it applies to AP also.

b) To the Education- and ATE teams
 . Please rethink adding a presentation topic about "Privacy issues" and how they relates to the principle "Training" in Assurances. Communicate and discuss the possible solutions to solve a conflict between privacy concerns and training purposes to sensibilize the Assurers about this issue and how they can act in accordance to AP. 

c) To the Assurers:
 . If you request or getting assistance in an Assurance from an experienced or Senior-Assurer, please note this on your CAP form (name and email of experienced Assurer, short description of the incident), as its also the protocol to the conducted Assurance and Training (assistance) is also part of the Assurance like you document behaviors in a face-2-face meeting (weak documents, rush from Assuree, and so on)

d) To the [[AssuranceOfficer|AO]]:
 . To document in [[AssuranceHandbook2|AH]] practicle solutions how the "Privacy" vs. "Training" conflict can be solved in an Assurance

e) No explicite actions over (C) or (R) needed.

Frankfurt/Main, July 27th, 2010

== Execution ==
 * 2010-07-27 (A): sent Ruling to (C), (R), (CM). Also published in CAcert, Policy and Education mailing list
 * 2010-07-27 (A): case closed.

== Similiar Cases ==
|| [[Arbitrations/a20100313.1|a20100313.1]] || [[Arbitrations/a20100313.1|Coordinated privacy breach]] ||

== Post Arbitration Note ==
 * 2010-09-16 (AO) Ruling b) + c) -> added section Assurance - Special - Privacy to ATE material season 2010 [[https://svn.cacert.org/CAcert/Education/Material/v4-Sydney/ATE-02_Assurer_EN_Oz.odp|Presentation #2 Assurer/Assurance]]

----
 . CategoryArbitration
 . CategoryArbCaseOtherAssurerErrors