
cacert-policy - Re: [CAcert-Policy] What to do if the Assurance Forms archive is stolen from an Assurer

Subject: Policy-Discussion

  • From: Ian G <iang AT systemics.com>
  • To: Policy-Discussion <cacert-policy AT lists.cacert.org>
  • Cc: Henrik Heigl <Kontakt AT ivamp.de>
  • Subject: Re: [CAcert-Policy] What to do if the Assurance Forms archive is stolen from an Assurer
  • Date: Thu, 31 May 2007 10:39:41 +0200
  • List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
  • List-id: Policy-Discussion <cacert-policy.lists.cacert.org>

Philipp Gühring wrote:
Hi,

What follows is a cut/paste of an email exchange I had with someone (a
CAcert Assurer) who reported that his Assurance Form archive was stolen
(from his parked car).

Question: is there any policy rule on this?

Not yet.

I think at first we should investigate, and try to answer the following questions:

* How many papers/people are affected?
* Are the assurances entered into the system yet?
* When and where was the meeting?
* When and where were the forms stolen?
* The names (+ email addresses) of the other assurers that were at the same assurance event
* How likely is it that the information on the papers could be abused by the thief?
* How likely is it that the information on the papers was actually the intended target of the thief?
* People from which nationalities were affected?
* Were just the forms of one single event lost, or all forms?
* Is the account data leaked as well? (Username+password) ?
* Is the assurer still able to login to the account?


OK, all good questions. Who is the "we" doing this? Sysadmins or core team in the old concept?


The following procedure has been developed for generally lost or otherwise unavailable assurance forms:
As soon as CAcert gets knowledge about unavailable assurance forms, CAcert tries to inform all affected users that their assurances might not be verifiable anymore, and could therefore get deleted in the future. Since this could cause their assurance points to drop under the necessary level for the certificates they issued, their certificates are in danger of being revoked. Therefore the users are told that they should try to get assured to collect reserve points, to protect against the loss of points.


OK, now that sounds like a policy!

Next question: Where? Is this a policy that is suitable for the CPS? Or is it too flexible / lightweight and should be in the Handbook? Or is it too obscure so should be in a FAQ somewhere? Wiki or main site?


Now with the problem of stolen assurance forms, the topic gets a bit more complicated:
http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
http://www.cippic.ca/en/bulletin/BreachNotification_9jan07-web.pdf

On the one hand, it only applies to California (have other countries adopted that bill too, afterwards?), but on the other hand, I personally think that it might be a good idea for CAcert to adopt it for CAcert worldwide.


OK, that is good to point out ... it sounds like a *separate policy question*: "does CAcert adopt a disclosure policy to its registered users? What is it?"

One note: American disclosure is apparently rather different to European disclosure.

(Hmmm, does ROT13 on paper count as encrypted?)


And add: "do we include encryption as a covering case?"


The things that should be done now:
* Inform the users whose identities are affected
  * Inform them that the papers have been lost

* include list of PII?

* Inform them that they should meet another assurer in case they might not have enough points, when the points you already issued are revoked


OK, perhaps in two parts:

* Inform them of the ramifications: points may be lost, and certificates may be revoked, subject to ruling, etc.
* Inform them of the workaround / remedy: Meet assurers and pick up more points.

?


Assurances are only revoked when we have any good reason to believe that they were wrong in itself. (is perhaps a better definition than "material evidence")


But, we are suggesting above, lost papers are a cause for revoking assurances?

Hmm, it seems that challenging an assurance will result in the papers being requested, and then as they are not supplied, the assurances will be revoked? Or do I misunderstand?

Do you mean:

* Assurances may be revoked when there is good reason to believe they were wrong in and of themselves.
* Assurances may be revoked if called into question, and the papers are not available to back up the claim.
  * ...


One open question is whether we should publicly announce the breach, or just contact the affected people directly.


A *public* disclosure policy, yes.


In the mean time, our PR department (thanks Henrik!) has developed a concept for how we could announce the breach:
-------------------
Assurance forms have been stolen

At a theft in XX the real aim was computer parts and cash the thief took
along in the enthusiasm also approx. 20 CAcert CAP forms. There are only
the forms merely names, date of birth and necessary e-mail addresses on
the forms and there don't have further material value. We therefore ask
anybody to contact us at references to the whereabouts of these forms
under support AT cacert.org. CAcert will contact the affected people within the next few days to inform them that they should make the Assurance up once again.
-----------------


Any other ideas, suggestions, ...?


One issue is that before any advice goes out, the legal team should check how the impact of the disclosure fits with various jurisdictions. California is pretty benign, you just have to disclose to victims, suffer the indignity in the press, and the potential for class action suits.

OTOH, I hear that Germany gets real upset, and considers each PII data record to be a 25k fine ... so in the above, we lost 3 PIIs for each, and if it was ... say 100 users, then that's Euros 7.5m.

Don't bother coming to work that day ;)

iang



