- Case Number: a20141022.2
- Status: closed
- Claimants: Florian L, CAcert (Support - originally filed by Werner D)
- Respondent: CAcert
initial Case Manager: BernhardFröhlich
Case Manager: PietStarreveld
Arbitrator: EvaStöwe
- Date of arbitration start: 2016-07-30
- Date of ruling part I: 2016-08-10
- Date of ruling part II: 2016-08-11
- Case closed: 2016-09-10
- Complaint: Access to database needed to track down user interface error
- Relief:
- C1: Terminate account of Florian L
- C2: Access to database needed to track down user interface error
Before: Arbitrator: EvaStöwe (A), Respondent: CAcert (R), Claimant 1: Florian L (C1), Claimant 2: CAcert (Support - originally filed by Werner D) (C2), Case: a20141022.2
Contents
History Log
Note from CM: During the execution phase of this case it was discovered that there was a yet unanswered ticket in the OTRS Arbitration queue in which Florian L requested to undo the account locking/deletion he had requested earlier. At the time ruling part I and ruling part II were given this was unknown to both CM and A.
2015-01-30 (issue.c.o): case s20140604.45
- 2015-01-30 (iCM): added to wiki, request for CM / A
- 2015-01-30 (iCM): send additional email to C2
2016-07-30 (CM): I take care of this case and select EvaStöwe as (A)
2015-12-05 (issue.c.o): case s20151205.33
- 2015-12-06 (Marcus M): add note about relation with ticket s20140604.45
- 2015-12-07 (Martin G): assume ownership of ticket s20151205.33
- 2016-08-08 (CM): decision about what is dispute and relief and who is claimant
- 2016-08-10 (A): init mail to C2 and Werner D to inform about identification of claimants, dispute and relief
- 2016-08-10 (A): combined init and ruling part I mail to C1, C2/support, board
- 2016-08-10 (Support): confirms all account certificates and signatures expired and normal account deletion
- 2016-08-11 (Werner D): reply to init mail (does not regard himself as claimant)
- 2016-08-11 (A): reply to mail of Werner D
- 2016-08-11 (A): ruling part II to C1, C2, board (for courtesy)
- 2016-08-13 (CM): merge s20151205.33 into a20141022.2
- 2016-08-24 (CM): send mail to C1 to explain the relation between the member's original request and his follow-up request and to suggest possible next steps
- 2016-09-10 (CM): notify C1 that case is now closed
Link to Arbitration case a20141022.2 (Private Part), Access for (CM) + (A) only
EOT Private Part
Original Dispute
Original Dispute by Florian L
Hello, please close/delete my Account. Many thanks regards,
Original Dispute by Werner D for Support
Dear Arbitrators, I need your decision. I wanted delete this account with the usual routine but got an error message that not all certificates are expired or revoked. This error message is wrong since indeed all certificates are long enough revoked. To fix the software error we nee the raw data from the date base from the critical admins, which requires your authorisation.
Original Follow-up Dispute by Florian L
Hallo, ich glaube ich habe vor einiger Zeit mein Konto sperren lassen. Heute habe ich verucht mein Konto Passwort zurückzusetzen. Dies gelingt mir, aber ich kann mich trotzdem nicht einloggen.
Pre-Arbitration activity
Initial Decisions by Arbitrator
1. In the OTRS there is more than the dispute filed by Werner D that was added to the wiki by the iCM. The original delete account request has to be added to the case as well, because a) It was not finally handled by support. b) Support is not able to handle it further as the ticket was moved to Arbitration. c) Support did not manage to match this case with a ruled precedents case, so it has to be handled by Arbitration. d) Even as the supporter requested something else, it WAS the original request and the original "dispute", as CCA says that by default delete account cases are arbitration cases. 2. Update parties and relief By this we have two quite different requests (and relief) in this case: * close the account, with everything that is missing * deal with the request of the supporter regarding the access to the data from the productive server For each request there is a different claimant. I as Arbitrator think that the person who wanted the account closed by this also is a claimant of this case. And Werner was acting as a support engineer, so "CAcert (Support)" has to be a claimant for that second part. There is no indication that he was filing the case personally. The case file should be updated accordingly.
Discovery
For simplicity "claimant" in the next part means C1 (Florian L):
- 2014-06-04: claimant requested to close his CAcert account.
- 2015-06-06: claimant got a mail from CAcert support that dealt with this request.
- 2014-07-02: claimant was informed that
- there is some need for some retention time after revocation of some certificates and
- that the account would be deleted at 2014-09-05 without the need of further actions from his side
Regrettably this was not what was done. And even worse claimant was not informed about the derivation of the announced process.
Instead what happened was:
- 2014-10-22 support filed a dispute with arbitration to get
- information about claimant's account as support was not able to execute the deletion at that time.
This case was filed as "Access to database needed to track down user interface error", because this was what the support engineer had requested.
Ironically this lead to this case not being picked up for some while, as arbitration was busy to deal with a lot of delete account cases at that time which were given some more priority. As this case was not marked as a delete account case, it's priority was considered to be lower.
Regarding the issue of the support engineer
With the dispute some account data was provided. It showed an active PGP signature.
The research done by the Case Manager (after discussion with the Arbitrator) suggests/confirms that the account could not be deleted at the requested time, because of this signature.
Because those signatures cannot be revoked, an account cannot be closed while the signature is active. As with certificates, the same retention time has to be applied, afterwards.
The PGP key expired in 2015. Since about mid 2015 it should be possible to delete the account with the standard procedure.
Addendum
Elaboration
Ruling
Ruling Part I (close account)
In the following "claimant" is the member who had asked to close his account (Florian L). 1. The account of the claimant should be closed by support directly without further checks or mails to the claimant as this steps were already covered. The case number of this case should be used for the closing process. 2. If support has issues to close the account with the automated process, the manual procedure should be used. This should be done in coordination with the Arbitrator and - if the Arbitrator sees the need - critical team. 3. If the account of the claimant was already closed by some other case, the above becomes obsolete. 4. All risks, liabilities and obligations of the claimant which were caused by the fact that the account was not closed at the time that the claimant was told as the time when his account would be closed, are transferred to CAcert. As the delay was singularly caused by CAcert and the claimant was not even informed that his account was open and that he remained to be a member with those risks, liabilities and obligations, he cannot be made responsible for that period. 5. If either the account is already closed or the account can be closed directly without issues by support, no need for further investigations regarding the data of the claimant exists, the according request will be dismissed. Eva Stöwe, 2016-08-10
Ruling Part II
1. The CAcert membership of Florian L is terminated at 2016-08-11. 2. The request from the support engineer to get "the raw data from the data base from critical team" to "fix the software error" is rejected and dismissed for the following reasons: a) There was no error with the software to begin with. The behaviour of the software was the expected one, regarding the ruled process for closing accounts. At the time when that supporter tried to close the account, there was a non-expired PGP signature in the account. An account may not be closed in such a case. b) Even if there would have been an error it would not have been the task of support to "fix the error", so providing even additional data to support would have been unreasonable. c) There has to be a good reason for looking up the data of a member. While it may be necessary to identify or verify a software error, in general there have to be prior steps and checks done. If possible there should be a specific theory about what could be the issue to be checked or excluded. Looking up user data should not be the first step to identify a possible bug. In normal situations there should be at least a bug filed, the respective code checked for expected behaviour and if reasonable some attempt to re-create the issue on the test server. The estimate could be different in a critical situation. Nothing of this was mentioned in the current case. Eva Stöwe, 2016-08-11
Execution
- 2016-08-10 (A): combined init and ruling part I mail to C1, C2/support, board
- 2016-08-10 (Support): confirms all account certificates and signatures expired and normal account deletion
- 2016-08-11 (A): ruling part II to C1, C2, board (for courtesy)
Similiar Cases
There is a multitude of similar account deletion cases. They are available through the Categegory links mentioned towards the end of this case log. For brevity only the applicable precedents cases are listed here.
Delete Account cases which may be handled by SE - No Assurances given, no certs or certs expired |
|
Delete assurer account with all assurances older than 7 years |
|
Account Deletion Procedure