Re: [OSM-talk] HDYC, login requirement and "privacy"

[Roland Olbricht]

Hi,

because the whole issue alao affects Overpass API, I have written down 
my thoughts in a blog post:

http://dev.overpass-api.de/blog/fahrenheit_451.html

Best regards,

Roland


___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Michael Kugelmann]

On 05.05.2017 at 11:38 Martin Koppenhoefer wrote:

General Data Protection Regulation (GDPR)
just a hint to a talk held at the FOSDEM 2017 (including the video):   
 https://fosdem.org/2017/schedule/event/foss_and_the_gdpr/
Maybody some persons discussing here might want to have a lock at that 
video.



Cheers,
Michael.


___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Frederik Ramm]

Hi,

On 05/08/2017 10:53 AM, Richard Fairhurst wrote:
> Breaking the connection between real people and "their map" fundamentally
> alters the OSM community, and, I think, makes it closer to the toxic,
> identity-free, virtual-personality environment that Wikipedia can so often
> be. 

Yes.

Therefore I am skeptical of the knee-jerk recommendation so often given
to people who are concerned about their privacy: "You can choose any
pseudonym you want, even make multiple accounts if need be", or, taken
to the extreme in the thread above: "If you *really* value your privacy,
just create a new account for every single edit you make."

I would prefer if we could achieve a situation where users can dare to
be a little less protective of their privacy inside the project, because
we as a project take steps to keep what happens in OSM, in OSM.

I know this can never happen in an airtight way. But I would like it if,
when someone abuses one mapper's OSM "metadata" for reasons it wasn't
intended for, the community stands behind that mapper and says: This is
an abuse of our data, stop it - instead of engaging in "victim shaming"
by telling the mapper that they were stupid to use their real name (or a
traceable nickname) to begin with and/or that if they can't stand by the
edits they make they shouldn't have joined in the first place.

> You know and I know that several of OSM's most challenging edit wars in
> recent years have involved people who have not admitted, or have heavily
> obfuscated, their real names - sometimes generating a succession of
> disguised identities. I do not think this is coincidence. With identity
> comes accountability. 

You are coming dangerously close to suggesting a "real name policy" here
in OSM. I wouldn't categorically oppose that, but it would mean an even
greater responsibility on our side to protect the privacy of users. Most
arguments raised in various other places (Facebook etc) about real name
policies hold true for OSM as well; some people might open themselves up
for prosecution or feuds if it became public that they're mapping in OSM.

> There is nothing wrong with us saying "100% privacy is valuable, but it's
> not compatible with the way OSM works, and if you can't cope with your edits
> being trackable then OSM is perhaps not the project for you".

For me there is a very big difference between hiding user names
altogether, and hiding user names from "project outsiders who haven't
clicked a button promising that they will play by our rules".

What's been done by Pascal, and what I am advocating, is the former;
what you seem to be arguing against, is the latter.

Bye
Frederik

-- 
Frederik Ramm  ##  eMail frede...@remote.org  ##  N49°00'09" E008°23'33"

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Richard Fairhurst]

Frederik Ramm wrote:
> saying "your privacy goes down the drain if you do anything 
> online anyway, so why should we at OSM take steps to protect 
> it more".
>
> Perhaps: because we can, and because it's a good thing?

...or perhaps it isn't quite that black and white.

OSM, at its best, is a community of real people, mapping their
neighbourhoods, and taking responsibility for their edits. I stand by my
edits in Charlbury and nearby because it's verifiable that I live here. If
anonguy1 comes along and repeatedly edit-wars "Market Street" into "High
Street", OSM defers, correctly, to me as the accountable local who feels a
sense of ownership for my part of the map. If I wrongly armchair some TIGER
and Todd from North Carolina says "hey, actually that should be a tertiary
road", I defer to him - it's his map, I'm just visiting. As Mikel says
upthread, "[OSM] depends so much on user reputation to retain quality".

Breaking the connection between real people and "their map" fundamentally
alters the OSM community, and, I think, makes it closer to the toxic,
identity-free, virtual-personality environment that Wikipedia can so often
be. You know and I know that several of OSM's most challenging edit wars in
recent years have involved people who have not admitted, or have heavily
obfuscated, their real names - sometimes generating a succession of
disguised identities. I do not think this is coincidence. With identity
comes accountability. 

There is nothing wrong with us saying "100% privacy is valuable, but it's
not compatible with the way OSM works, and if you can't cope with your edits
being trackable then OSM is perhaps not the project for you".

Richard



--
View this message in context: 
http://gis.19327.n8.nabble.com/HDYC-login-requirement-and-privacy-tp5896250p5896429.html
Sent from the General Discussion mailing list archive at Nabble.com.

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Christoph Hormann]

On Sunday 07 May 2017, Frederik Ramm wrote:
>
> It is a common issue in OSM (and elsewhere) for people to use the
> status quo as a reason. "Admin boundaries are not visible on the
> ground and they are mapped, THEREFORE I can also map everything else
> that is not visible on the ground" - no! And you're doing it the
> other way round, saying "your privacy goes down the drain if you do
> anything online anyway, so why should we at OSM take steps to protect
> it more".

But we also should be careful not to apply the 'analogy sledgehammer' 
the other way round - just because restricting access to data can in 
some case reduce privacy issues it is not necessarily always the best 
way to deal with such a problem.

Specifically that putting a login via OSM account in front of HDYC makes 
sense for this specific tool and some specific concerns regarding it 
(mainly the 'invitation to stalking' matter) should not lead anyone to 
consider this a useful standard measure for all privacy related 
concerns.  

Side note: Mailing lists are a very different matter for a variety of 
technical and social reasons.  I would say that the idea of restricting 
mailing list archive access due to metadata based privacy concerns is 
fairly far fetched (in contrast to content related concerns about 
privacy or confidentiality - which make much more sense) considering 
the archives show almost nothing of the mail metadata except 'From' 
and 'Date' which can be freely chosen by the user.

-- 
Christoph Hormann
http://www.imagico.de/

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Frederik Ramm]

Hi,

On 07.05.2017 22:54, Nicolás Alvarez wrote:
> Yet I don't know of any such platform that has rules on how such
> metadata can be used, and I don't see anyone here arguing that we need
> rules on the use of mailing list archive metadata.

One thing at a time. Pascal's request for identifying yourself as an OSM
user is a tiny first step. Farther down that road there might be
conditions for the release of user-related information (e.g. "you can
get this info but you have to affirm that you won't abuse that"). Making
mailing list archives accessible to mailing list members only is also
something that Mailman offers out of the box and that we could one day
switch on if we like.

It is a common issue in OSM (and elsewhere) for people to use the status
quo as a reason. "Admin boundaries are not visible on the ground and
they are mapped, THEREFORE I can also map everything else that is not
visible on the ground" - no! And you're doing it the other way round,
saying "your privacy goes down the drain if you do anything online
anyway, so why should we at OSM take steps to protect it more".

Perhaps: because we can, and because it's a good thing?

Bye
Frederik

-- 
Frederik Ramm  ##  eMail frede...@remote.org  ##  N49°00'09" E008°23'33"

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Nicolás Alvarez]

2017-05-05 6:59 GMT-03:00 Frederik Ramm :
> Today, if you are looking for a job and you're being interviewed by a
> potential employer, the potential employer could say: "I can see from
> OpenStreetMap that you've been editing a lot during the day in your last
> job. Did you not have any work to do?" - and the employer would not even
> be "wrong". Harvesting the full history file for totally OSM unrelated
> information like that is not against any of our rules; it might be
> against the law in some countries but certainly not in others. If you
> publicly complained about what happened to you, it is very likely that
> there will be many people like in this thread who will say "duh, you
> idiot why didn't you use a pseudonym, didn't you read what you signed up
> for, lah lah lah".
>
> I would like to come to a point where, if this happened to you in a job
> interview, you could afterwards point to an OSM policy and say: Clearly
> this company has violated OSM rules, they must have created an account
> under false pretenses to get at this data and they're using it for
> purposes not sanctioned by OSM. That won't make you get the job, but it
> would at least make clear that we stand with our contributors against
> abuse of their data.

This scenario is not specific to OSM map edits at all. They could also
use mailing list archives to see you have been arguing about OSM
tagging conventions during work hours. Or see that you have been
editing Wikipedia. Every web forum, mailing list, social network,
wiki, etc. that has usernames and timestamps would be "vulnerable" to
that.

Yet I don't know of any such platform that has rules on how such
metadata can be used, and I don't see anyone here arguing that we need
rules on the use of mailing list archive metadata.

-- 
Nicolás

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[moltonel]

On 4 May 2017 22:33:47 IST, Frederik Ramm  wrote:
>It doesn't matter that anyone can sign up and then view that data; we
>can at least make people promise to only use the data for project
>internal use when they sign up.


While I'm not looking forward to having to login to use various tools, I 
understand that it might be a step in the right direction for privacy-sensitive 
contributors.

But seeing how low this new barrier is, I don't think that we should advertise 
it as a privacy-preserving feature, because it'll give a false sense of 
security to the very users we are trying to help.

It's also annoying that it migh increase "contribution-less account bloat", but 
that's something we have to live with anyway.

I'd be more interested in annonymising features like a "randomize changeset and 
gpx timestamps a bit" account setting and providing a best-effort "delete my 
account and as much data as you can" button. These are more invasive and 
complicated than "login to see usernames" but they would be much more useful.

-- 
Vdp
Sent from a phone.

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Mark Wagner]

On Fri, 5 May 2017 12:34:14 +0200
Martin Koppenhoefer  wrote:

> 2017-05-05 12:24 GMT+02:00 Frederik Ramm :
> 
> > I think that even if they are careful enough not to use their real
> > name, the identity of a mapper will often be easy to reconstruct if
> > you have access to just a little bit of extra information (might be
> > as little as a name on a doorbell).
> >  
> 
> 
> if I look at my "local area" in hdyc, there are probably a million
> people living within, but even if it were just a few thousand it
> would effectively not be possible to look at all those doorbells
> (where you won't have your name anyway if you are really concerned
> about privacy) and get a clue to which username this might be
> related. If you are living in a _very_ remote area (which most
> mappers are not), in very rare exceptional cases it might be possible
> to see who is which mapper, and that he mapped this remote area.
> Congratulations.

You're seriously underestimating how much information it's possible to
get from editing patterns.  There are a quarter-million people in the
area I keep an eye on; maybe four of them are active OSM contributors.
Just from looking at changesets, I know where two of them live: which
house for one of them, and the general neighborhood for the other.

(I also know which university a couple dozen hit-and-run editors
attend, and can make a good guess at which class they took last fall.)

-- 
Mark

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Simon Poole]

"‘personal data’ means any information relating to an identified or
identifiable natural person (‘data subject’); an identifiable natural
person is one who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one or
more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that natural person;"

http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679=EN
Article 4 (1)  (about 1/3 into the document). Current national
definitions that I know of are not vastly different.

Simon


Am 05.05.2017 um 21:31 schrieb yvecai:
> Le 05. 05. 17 à 19:11, Simon Poole a écrit :
>>
>> That is why I suspect that the consequence of this discussion could
>> be fairly drastic and result in essentially all meta data being
>> removed from the planet dumps, including changeset ids and so on.
>>
> So, if you suspect, ... don't ?
> Editing the map *yourself* *is* Openstreetmap !!
>
> I'd really like to have a defintion of 'personal data' in this
> context. Otherwise, this discussion is quite useless, cause while
> interesting, an OSM-talk definition won't be anything close to a legal
> definition.
>
> Yves
>
> ___
> talk mailing list
> talk@openstreetmap.org
> https://lists.openstreetmap.org/listinfo/talk




signature.asc
Description: OpenPGP digital signature
___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[yvecai]

Le 05. 05. 17 à 19:11, Simon Poole a écrit :


That is why I suspect that the consequence of this discussion could be 
fairly drastic and result in essentially all meta data being removed 
from the planet dumps, including changeset ids and so on.



So, if you suspect, ... don't ?
Editing the map *yourself* *is* Openstreetmap !!

I'd really like to have a defintion of 'personal data' in this context. 
Otherwise, this discussion is quite useless, cause while interesting, an 
OSM-talk definition won't be anything close to a legal definition.


Yves

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Mikel Maron]

This topic started a bit backwards -- with an action taken by one project 
within the OSM ecosystem. We've covered a lot of perspectives on the topic of 
privacy in OSM, and possible actions and their implications. To turn this 
thread into some forward movement for us, a good course of action will be as 
follows. This does not clearly fit into one Working Group responsibility, so 
the OSMF Board can consider taking up the design of the process at least.
* We need to considerately research and assess the personal information (PI) 
risk. Including defining what is PI, and what various part of OSM might expose.
* LWG get informed legal advice on EU and other jurisdiction's PI laws* 
Consider the range of possible activities to address the risk
I reckon the most reasonable and effective starting activity will be to clearly 
define what OSM users need to know about contributing geodata to OSM, and the 
PI considerations they should keep in mind. As Frederik says, "raising 
awareness". For this to be effective, this means smarter design in the learning 
process and onboarding of new mappers. 
And perhaps that's the ending point. Personally I can't see any way the 
removing contributor metadata from geodata would 1) really protect anyone 2) 
not hobble the project, which depends so much on user reputation to retain 
quality. In any case, let's kick that question down the road.
-MIkel * Mikel Maron * +14152835207 @mikel s:mikelmaron 

On Friday, May 5, 2017 12:28 PM, Yves  wrote:
 

 Actually, can an OSM username be considered as 'personal data'? 
Can somebody point out to a definition of 'personal data' ? 
How would this be different from, say, my github account? 
Yves___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk


   ___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Simon Poole]

"It depends" the critical part (regardless of if it is your real name or
not) is that it can be used as a key to generate a profile a la HDYC and
that can then be associated with the help of  additional sources with a
real person, potentially revealing all kind of things about your life.
But strictly speaking the display name is not necessary for that as the
changeset meta data and likely the edits themselves  probably contain
enough information to generate unique or near unique fingerprints.

That is why I suspect that the consequence of this discussion could be
fairly drastic and result in essentially all meta data being removed
from the planet dumps, including changeset ids and so on.

Simon


Am 05.05.2017 um 18:25 schrieb Yves:
> Actually, can an OSM username be considered as 'personal data'?
> Can somebody point out to a definition of 'personal data' ?
> How would this be different from, say, my github account?
> Yves
>
>
> ___
> talk mailing list
> talk@openstreetmap.org
> https://lists.openstreetmap.org/listinfo/talk



signature.asc
Description: OpenPGP digital signature
___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Yves]

Actually, can an OSM username be considered as 'personal data'? 
Can somebody point out to a definition of 'personal data' ? 
How would this be different from, say, my github account? 
Yves ___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Christoph Hormann]

On Friday 05 May 2017, Frederik Ramm wrote:
> [...]
>
> I would like to come to a point where, if this happened to you in a
> job interview, you could afterwards point to an OSM policy and say:
> Clearly this company has violated OSM rules, they must have created
> an account under false pretenses to get at this data and they're
> using it for purposes not sanctioned by OSM. That won't make you get
> the job, but it would at least make clear that we stand with our
> contributors against abuse of their data.

One of the things i was trying to point out is that this would not be 
the case.  That company would simply say: "We got that info from  or from our human ressources consulting contractor and never 
agreed to any terms not to use such data.  Thanks for informing us that 
they are using this data without permission, we will not use it any 
more in the future." ;-)

> > For a balanced discussion - and i am not saying i would actually
> > prefer this approach to what you are suggesting - the whole problem
> > could also be approached from the other side by reconsidering the
> > possibility for partly anonymous edits.
>
> Yes. I think both approaches could be grouped under "restricted
> access to personal information", and there will probably be still
> other approaches with their own advantages and disadvantages.

Well - the difference with the scenario i outlined is that it much more 
clearly aims at the protection of the mappers' privacy and gives the 
mapper much broader and more immediate control over this.  This is no 
replacent for a solid strategy on educating mappers on what kind of 
privacy risks are involved with contributing in OSM but it kind of 
seems a more logical approach to the matter than a purely 
after-the-fact approach to protecting the data.

This does not mean i am convinced this is ultimately the best solution, 
this depends on a lot of details of the implementation.

-- 
Christoph Hormann
http://www.imagico.de/

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Martin Koppenhoefer]

sent from a phone

> On 5. May 2017, at 12:24, Frederik Ramm  wrote:
> 
> This is true. It would actually be possible to write a plugin for JOSM
> to do that - automatically sign up to OSM with a different throw-away
> account for each changeset you upload.



then you'd know it's either a German or a Chinese and could see from the region 
of the edit which one ;-)


cheers,
Martin 

PS: We could also offer anonymity through uploads via a third party (which you 
must trust then)
___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Frederik Ramm]

Hi,

On 05.05.2017 12:27, Martin Koppenhoefer wrote:
> I also fail to understand who would
> attack someones privacy by looking at OSM edits and for what scope, and
> why this can't be legally excluded by stating you must not do it if you
> want the data (which on the other hand will make OSM non-free data, at
> least with respect to data referring to mappers).

I think it would be good to separate - at least in our minds - the core
geodata from the "user data" or maybe "metadata" of who did what when
and using which operating system and editor.

The core geodata will always be freely available under the ODbL, and you
would not "make OSM non-free" by omitting e.g. user information from
that. Many current distribution forms (e.g. standard Overpass responses,
vector tiles, Garmin maps) already omit user information.

You could then offer the user information (needed for quality control
etc.) under separate rules (that say "for project internal use only").
This would automatically mean, that someone who runs a HDYC-like site
would have to put a login in front of the site in order to ensure that
he complies with the "internal use only" rule.

Bye
Frederik

-- 
Frederik Ramm  ##  eMail frede...@remote.org  ##  N49°00'09" E008°23'33"

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Martin Koppenhoefer]

2017-05-05 12:24 GMT+02:00 Frederik Ramm :

> I think that even if they are careful enough not to use their real name,
> the identity of a mapper will often be easy to reconstruct if you have
> access to just a little bit of extra information (might be as little as
> a name on a doorbell).
>


if I look at my "local area" in hdyc, there are probably a million people
living within, but even if it were just a few thousand it would effectively
not be possible to look at all those doorbells (where you won't have your
name anyway if you are really concerned about privacy) and get a clue to
which username this might be related. If you are living in a _very_ remote
area (which most mappers are not), in very rare exceptional cases it might
be possible to see who is which mapper, and that he mapped this remote
area. Congratulations.

What is the scenario? The chinese government? Your ex-wife? The NSA?
Nazi-terrorists? Your friends? According to who it is, the countermeasures
will have to be very different.

Cheers,
Martin
___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Martin Koppenhoefer]

2017-05-05 12:10 GMT+02:00 Frederik Ramm :

> How the goals of transparency and quality control in the project and the
> goal of protecting the privacy of the individual contributor can be
> reconciled is something we can, and should, think about
>


I still don't see how someone can be individually identified within OSM by
her edits, and I fail to understand how these edits are qualifying as
"personal data". Either the mapper is editing not much (so there is not
sufficient information about her, these are most mappers), or she is
editing a lot and according to his editing habits you could maybe say
something about her interests and the area where she lives, how often she
goes to other places, at what times she is active in OSM and similar. This
still won't help to identify single persons unless you have a very huge
database of many people which _already_ knows a whole lot about everyone,
including when they went abroad or in vacation, what their interests are
etc., so you won't probably gain more insight from looking at the OSM edits
as well. I also fail to understand who would attack someones privacy by
looking at OSM edits and for what scope, and why this can't be legally
excluded by stating you must not do it if you want the data (which on the
other hand will make OSM non-free data, at least with respect to data
referring to mappers).

Cheers,
Martin
___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Frederik Ramm]

Hi,

On 05.05.2017 10:37, Martin Koppenhoefer wrote:
> you write a lot about personal data, but all osm admins have about
> users is some email address, which often isn't even existing anymore
> and an associated user name

Many people choose their real name, or at least something easily
linkable to their real name via one hop on Github, Facebook, etc.; many
social media platforms even *expect* you to give your real name.

Of course they don't *have* to in OSM. But if they do use their real
name then I don't think you can interpret that as willfully signing away
their right to privacy. "Ha ha, your own fault for using your real name,
didn't you think about your job application with the Chinese government
25 years later, shoulda been more careful!"

I think that even if they are careful enough not to use their real name,
the identity of a mapper will often be easy to reconstruct if you have
access to just a little bit of extra information (might be as little as
a name on a doorbell).

> Also everyone can create new users at will, if your concern is
> privacy, you could use a new user for every edit and nobody could
> associate these edits to the same person.

This is true. It would actually be possible to write a plugin for JOSM
to do that - automatically sign up to OSM with a different throw-away
account for each changeset you upload. Do we want to encourage that?
Frankly, I'd rather not. But if that is our official suggestion on how
to balance privacy with contribution to OSM, maybe we should offer such
a plugin.

> Putting a log in to hdyc, from my point of view, doesn't change
> anything (because everybody can sign up), besides that there are now
> more data created (Pascal will know who is interested in whom, and
> osm admins can see how often someone uses the service, and if it
> becomes common to do it like this, which third party services someone
> uses).

That is true. The log-in required for HDYC currently only has symbolic
character and it says "this is for community members only". We're an
open community and you can become a member with a few mouse clicks. But
I think the symbolism is of value and I support Pascal's decision.

Bye
Frederik

-- 
Frederik Ramm  ##  eMail frede...@remote.org  ##  N49°00'09" E008°23'33"

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Frederik Ramm]

Hi,

On 05.05.2017 08:49, joost schouppe wrote:
> Putting a somewhat pointless access limitation to
> HDYC is counterproductive, as it might give people a false sense of
> security. 

This is correct, but so would

> A system to opt-out of being
> included in this particular system 

because it would give people the idea that if they don't opt in then
their data wouldn't be visible, when in fact anyone can run a software
like Pascal's.

I think that "raising awareness" is good; and if we could all unite
behind the idea that just because someone voluntarily contributes to OSM
that shouldn't mean they're automatically sacrificing their privacy then
that would already be a great step forward.

How the goals of transparency and quality control in the project and the
goal of protecting the privacy of the individual contributor can be
reconciled is something we can, and should, think about; I would be very
happy if as a first step we could at least agree that protecting the
privacy of the individual contributor *is* desirable. The knee-jerk
"well you knew what you signed up for" reaction doesn't help a
vulnerable community member when they see their privacy violated.

Bye
Frederik

-- 
Frederik Ramm  ##  eMail frede...@remote.org  ##  N49°00'09" E008°23'33"

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Frederik Ramm]

Hi,

On 05.05.2017 11:01, Christoph Hormann wrote:
> ... or use some rouge open instance running anonymiously somewhere.

I am aware that no matter what we do there will always be "rogue" uses
of our data.

Therefore making all contributors aware of what they are releasing about
themselves and how it could be used against them remains important no
matter what we do. (And we have to find ways to do that without sounding
alarmist.)

In fact, we have a similar situation with our license: We spent
countless years debating and then changed our license to what we thought
was best. We all know that we cannot keep a rogue user from ignoring our
license - but at least we can define what we want to allow.

I am expecting the same for the sensitive user data. We will never be
able to ensure that the data is not used against the wishes of the users
- but we can ensure that those who do this are in clear violation of our
terms and hence "bad guys".

Just to pick a random example:

Today, if you are looking for a job and you're being interviewed by a
potential employer, the potential employer could say: "I can see from
OpenStreetMap that you've been editing a lot during the day in your last
job. Did you not have any work to do?" - and the employer would not even
be "wrong". Harvesting the full history file for totally OSM unrelated
information like that is not against any of our rules; it might be
against the law in some countries but certainly not in others. If you
publicly complained about what happened to you, it is very likely that
there will be many people like in this thread who will say "duh, you
idiot why didn't you use a pseudonym, didn't you read what you signed up
for, lah lah lah".

I would like to come to a point where, if this happened to you in a job
interview, you could afterwards point to an OSM policy and say: Clearly
this company has violated OSM rules, they must have created an account
under false pretenses to get at this data and they're using it for
purposes not sanctioned by OSM. That won't make you get the job, but it
would at least make clear that we stand with our contributors against
abuse of their data.

(If that hasn't become clear already, I am of the opinion that the
current contributor terms don't necessarily mean that the contributor
asks OSMF to distribute their *metadata* under ODbL - I think it just
applies to the *geodata*, and if we wanted we could slap restrictions on
the *metadata* part of things.)

> For a balanced discussion - and i am not saying i would actually prefer 
> this approach to what you are suggesting - the whole problem could also 
> be approached from the other side by reconsidering the possibility for 
> partly anonymous edits. 

Yes. I think both approaches could be grouped under "restricted access
to personal information", and there will probably be still other
approaches with their own advantages and disadvantages.
, and I would even assume that "restricted access to personal
information" and "

>> Hence, 
>> anyone with an OSM account could make such an animated progress map,
>> and it could be shown to anyone with an OSM account. Only if you want
>> to distribute it outside of OSM you'd either have to
>> remove/pseudonymize the user names [...]
> 
> That part is really tricky, you'd have to be very specific on what kind 
> of aggregation is necessary to make the data ok to be published.  
> Obviously just replacing each user name with user is not 
> going to cut it.  Without clear rules here anyone who publishes 
> anything based on such data would be in a legal mine field.

Yes; even today if a person uses a nickname with OSM and not their real
name, I think it would in many cases be easy to make the case that it is
very easy to de-pseudonymize the person. Currently when someone asks us
to delete their account we simply replace their user name with user_1234
(their numeric user id); it is quite possible that this is totally
insufficient at least in countries with strong data protection laws such
as the UK because the person can still be identified and connected to
all their edits.

Bye
Frederik

-- 
Frederik Ramm  ##  eMail frede...@remote.org  ##  N49°00'09" E008°23'33"

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Simon Poole]

Am 05.05.2017 um 11:38 schrieb Martin Koppenhoefer:
>
> Usually in statistics, information down to the block level is not
> considered personal informationn. You won't be able from OSM edits to
> say in which house someone lives, or who she is, so it doesn't seem to
> apply.

Anybody that participated in contacting editors during the licence
change knows that the above, is, sorry, rubbish. While it is true that
you can't identify every single contributor the large majority can be
easily.

>
> At the moment we can't know what kind of data protection rules will
> govern OSMF in the future, given that EU rules will not automatically
> apply any more, soon, if Brexit is not stopped (nonetheless, local
> chapters might be an issue here).
>
The GDPR applies to anybody that processes data of EU residents (that
has been pointed out to you before) regardless of where they are located.



signature.asc
Description: OpenPGP digital signature
___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Maarten Deen]

On 2017-05-05 10:35, Simon Poole wrote:

Am 05.05.2017 um 09:47 schrieb Maarten Deen:

..
We have all agreed to the contributor terms (although I can not find
the version I have agreed to, I can only find a version from 2016) and
that says that OSMF has the right to sub-license.

PS
https://wiki.osmfoundation.org/w/index.php?title=Licence/Contributor_Terms=history


Thanks. Would it be possible to have the link in one's account page from 
OSM to link directly to the historic version that was signed? Now I have 
to judge that "about 6 years ago" will probably be later than the 1.2.4 
version.
It wasn't even clear to me that this is a wiki page because it is so 
modified.


The link in the ccount page is 
http://www.osmfoundation.org/wiki/License/Contributor_Terms which is 
also a redirect, maybe that should be tackled too.


Regards,
Maarten

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Simon Poole]

Am 05.05.2017 um 10:37 schrieb Martin Koppenhoefer:
> ..
> Also everyone can create new users at will, if your concern is privacy, you 
> could use a new user for every edit and nobody could associate these edits to 
> the same person.
>
> ..
Well if a "new user" includes

- changing (the version of) the editor you are using
- changing your language preferences
- changing how you comment on changesets
- changing your editing habits
- avoiding linking accounts via related edits

and observing a couple of further points, yes, then you might be correct.

Simon





signature.asc
Description: OpenPGP digital signature
___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Martin Koppenhoefer]

Again on the term "personal data". According to the General Data Protection
Regulation (GDPR) (Regulation (EU) 2016/679) [1], pseudonymized data is not
concerned, unless it would be possible to attribute it to a natural person:

___
(26) "The principles of data protection should apply to any information
concerning an identified or identifiable natural person. Personal data
which have undergone pseudonymisation, which could be attributed to a
natural person by the use of additional information should be considered to
be information on an identifiable natural person. To determine whether a
natural person is identifiable, account should be taken of all the means
reasonably likely to be used, such as singling out, either by the
controller or by another person to identify the natural person directly or
indirectly. To ascertain whether means are reasonably likely to be used to
identify the natural person, account should be taken of all objective
factors, such as the costs of and the amount of time required for
identification, taking into consideration the available technology at the
time of the processing and technological developments. The principles of
data protection should therefore not apply to anonymous information, namely
information which does not relate to an identified or identifiable natural
person or to personal data rendered anonymous in such a manner that the
data subject is not or no longer identifiable. This Regulation does not
therefore concern the processing of such anonymous information, including
for statistical or research purposes."
___

Usually in statistics, information down to the block level is not
considered personal informationn. You won't be able from OSM edits to say
in which house someone lives, or who she is, so it doesn't seem to apply.
The part "Personal data ... which could be attributed to a natural person
by the use of additional information should be considered to be information
on an identifiable natural person. To determine whether a natural person is
identifiable, account should be taken of all the means reasonably likely to
be used, such as singling out, either by the controller or by another
person to identify the natural person directly or indirectly." leaves some
risk, but is essentially stupid, because with any kind and amount of
additional personal data you will hypothetically always be able to get to a
person, and costs and amount of time are always neglectible in the times of
electronic data processing, and given the rapid technological development.
So as pseudonymization is suggested in the directive to be applied, it
likely does restrict implicitly this paragraph to reasonably expectacle and
not every hypothetical case. To get from OSM edits to a natural person you
will need so much information about this person that you won't gain more
insights from looking at their edits.

Also, I am not sure whether this applies at all to OSMF, because OSMF never
collects personal data, it only collects an email address and doesn't
verify to whom it belongs and never publishes it, so probably there is no
"personal data which have undergone pseudonymisation", rather there wasn't
any personal data at any time.

At the moment we can't know what kind of data protection rules will govern
OSMF in the future, given that EU rules will not automatically apply any
more, soon, if Brexit is not stopped (nonetheless, local chapters might be
an issue here).



Btw: I think we should require our contributors to confirm to be adults (or
get explicit permission from their parents?), because children aren't able
to legally sign the CT, and their data is particularly protected. Current
CTs don't seem to account for this (or I haven't seen it).


Cheers,
Martin



[1] http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679
___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Christoph Hormann]

On Friday 05 May 2017, Frederik Ramm wrote:
>
> I think that a viable middle ground could be to make user data
> available to signed-up project members only, and they'd have to
> promise to only use that data for project-internal purposes.

You know i have not formed an opinion on this matter yet but i wonder 
how this is supposed to work.  Do you suggest to have an addition to 
the contributor terms, kind of a 'terms for access to metadata' and 
require existing users to newly agree to that?  And after a transit 
period disable api access for those accounts who have not agreed?

In principle that would certainly be possible although there are tons of 
practical problems that would come with such an approach.  But 
ultimately this would probably lead to the vast majority of people who 
routinely get mapping metadata in bulk for whatever purpose to use 
anonymous accounts for downloading it and to also publish possibly 
problematic results of processing it in an anonymous way.  Under this 
scenario there would probably be some open source HDYC clone, you could 
run it either privately for yourself, use an access restricted 
officially sanctioned instance of it with your real or anonymous OSM 
account or use some rouge open instance running anonymiously somewhere.

For a balanced discussion - and i am not saying i would actually prefer 
this approach to what you are suggesting - the whole problem could also 
be approached from the other side by reconsidering the possibility for 
partly anonymous edits.  We don't have this primarily to fight 
vandalism but it could be considered to give mappers the option to 
activate an anonymous editing mode on their account which would mean 
their edits and any other access to their user identity through for 
example the API gets scrambled on a daily basis and resolution of the 
generated random id to the real user is only available to the DWG.  
This would certainly also generate tons of problems but i think it is 
important to keep this possibility in mind when considering the matter 
of privacy.

> Hence, 
> anyone with an OSM account could make such an animated progress map,
> and it could be shown to anyone with an OSM account. Only if you want
> to distribute it outside of OSM you'd either have to
> remove/pseudonymize the user names [...]

That part is really tricky, you'd have to be very specific on what kind 
of aggregation is necessary to make the data ok to be published.  
Obviously just replacing each user name with user is not 
going to cut it.  Without clear rules here anyone who publishes 
anything based on such data would be in a legal mine field.

-- 
Christoph Hormann
http://www.imagico.de/

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Martin Koppenhoefer]

sent from a phone

> On 5. May 2017, at 01:36, Frederik Ramm  wrote:
> 
> Only if you want to distribute it outside
> of OSM you'd either have to remove/pseudonymize the user names or get
> explicit permission (as in: "I am ok with you publishing this particular
> work with my name in it") from the participants. Would that really be
> such a big issue? I think you're making this into a much bigger issue
> than it needs to be.


you write a lot about personal data, but all osm admins have about users is 
some email address, which often isn't even existing anymore and an associated 
user name, and this email address is never published. For gpx tracks you can 
already choose the level of privacy, and even for identifiable tracks you don't 
know if the timestamps are real, if the track was recorded with an gps device 
or is simulated, and who has recorded it. In the planet there are only 
usernames, which can be chosen freely, and if I wanted I could choose "Frederik 
Ramm" or anything else, and nobody could know if this was my real name or not. 
HDYC allows to roughly locate someone in an area, but it doesn't allow to say 
who someone is or where exactly she lives. If you know which username is used 
by which real person then it is only because the person has disclosed this 
information and you believed her. If, for example, I map a nightclub frequented 
mostly by lgbt people it doesn't mean I have been there, it just means I know 
where it is (and unless I have told you, you won't know who I am), and even if 
I've been there you still wouldn't know when and for what reason.

Also everyone can create new users at will, if your concern is privacy, you 
could use a new user for every edit and nobody could associate these edits to 
the same person.

There are serious issues with surveillance and privacy in the world, but IMHO 
osm is the least of these problems. Does someone who sells a can of paint have 
to put a disclaimer on the can because people might write their name on a wall? 
Does an internet provider have to warn people not to disclose personal 
information in their blog? IMHO we have to account for different people wanting 
different levels of privacy: some people like to write their name on a wall 
(looking at the success of Facebook et al it seems that they are in a majority 
btw), others prefer to remain in the shadow. 

Maybe it could become an option not to disclose usernames, but actually this 
metadata is useful for other mappers: you can see if a user is local to a 
place, how much experience she has, how many discussed changesets, where and 
for what reason.

Really the people being able to tell who someone likely is are those that 
already have a huge collection of really private data from everyone, for 
example those that store the location data of every single step of you from 
mobile cells (you mostly can't get anonymous sim cards but have to identify 
with a document) and wireless networks, from passport controls at the borders 
and from flight lists, from your online orders and credit card payments, from 
cctv face recognition and fotos you uploaded, from your personal network in 
social networks, from the network of people you called and that called you, 
from the emails you send and receive, etc. Whom are you hiding from, the secret 
services, the government, big multinational companies? These actors will 
already know so much about you that your osm edits won't change anything, and 
if you have been able to hide your details from them you can also hide them 
already in OSM.

Putting a log in to hdyc, from my point of view, doesn't change anything 
(because everybody can sign up), besides that there are now more data created 
(Pascal will know who is interested in whom, and osm admins can see how often 
someone uses the service, and if it becomes common to do it like this, which 
third party services someone uses).

cheers,
Martin 
___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Simon Poole]

Am 05.05.2017 um 09:47 schrieb Maarten Deen:
> ..
> We have all agreed to the contributor terms (although I can not find
> the version I have agreed to, I can only find a version from 2016) and
> that says that OSMF has the right to sub-license. 
PS
https://wiki.osmfoundation.org/w/index.php?title=Licence/Contributor_Terms=history





signature.asc
Description: OpenPGP digital signature
___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Simon Poole]

Am 05.05.2017 um 09:47 schrieb Maarten Deen:

> ...
>
> And, "You also waive and/or agree not to assert against OSMF or its
> licensees any moral rights that You may have in the Contents."
> ...
"the Contents"  is defined  as "in contributing data and/or any other
content (collectively, “Contents”) " further it is limited to "to the
geo-database" and refers only to the the "intellectual property rights
in any Contents" that the contributor actively "that You choose to
submit" contributes.

This is very unlikely to include meta data generated by the act of
contributing and other supplementary account data and does not cover any
privacy related rights to start with (not to mention, as I've already
pointed out, that blanket use permissions for privacy relevant data are
likely invalid in any case).

Simon




signature.asc
Description: OpenPGP digital signature
___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Maarten Deen]

On 2017-05-05 09:17, Simon Poole wrote:

Am 05.05.2017 um 00:39 schrieb Michał Brzozowski:

...
Also, I see no reasonable way that upcoming EU privacy rules would
affect us. Would they consider OSM as a special case or what?
Everything mappers do, as has been said, is consensual and explicit.

...
Well I don't remember giving Pascal permission to process my data, and 
I

believe nobody else has :-)


But what Pascal does is not what you do, so how is this applicable?

We have all agreed to the contributor terms (although I can not find the 
version I have agreed to, I can only find a version from 2016) and that 
says that OSMF has the right to sub-license. Which would include what 
Pascal (or anyone else using or working on the data) is doing.


And, "You also waive and/or agree not to assert against OSMF or its 
licensees any moral rights that You may have in the Contents."


That is pretty broad and basically tells you to shut up or put up.
Not that I see that as the last in this discussion though.

Maarten

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Simon Poole]

Am 05.05.2017 um 00:39 schrieb Michał Brzozowski:
> ...
> Also, I see no reasonable way that upcoming EU privacy rules would
> affect us. Would they consider OSM as a special case or what?
> Everything mappers do, as has been said, is consensual and explicit.
>
> ...
Well I don't remember giving Pascal permission to process my data, and I
believe nobody else has :-)

And that is the crux of the matter, in a scenario in which a) any such
processing needs to be opt-in, and b) the permission for processing
needs to be explicit both wrt the entity doing the processing and what
is being done with the data, most such community activities become
impractical.

Which vandal is going to actively consent to their edits being feed in
to an osmcha instance outside of one run by the OSMF? We just  may be
able to make giving such permission to the OSMF a required condition of
getting an account but that is likely going to be it. And there are lots
of other aspects that I would rather not go in to right now, as it is
just asking for trouble.

Simon



signature.asc
Description: OpenPGP digital signature
___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[joost schouppe]

It's nice to know where this is coming from, because I was a bit confused
about this too. In what way is my privacy protected if 2 million people can
see my profile; oh and also everyone who bothers to make an OSM account?
Putting a somewhat pointless access limitation to HDYC is
counterproductive, as it might give people a false sense of security. One
thing it might add is that it's now easier to trace who has been looking at
your profile in case there is a suspicion of abuse.

Pascal's own argument (on Twitter) seemed to be that "it"s not just data,
it's computed intelligence". Well yes. HDYC shows how much info you release
about yourself through your OSM edits. The only way to solve this, is with
a behavior change of the mapper themselves, or with a radically different
way to share OSM data (as seems to be one of the ideas in the linked
discussion). For example by using multiple accounts. A blog post about what
an ill-intentioned analyst could do with your data would seem more
productive than a half-measure protecting what a well-intentioned analyst
learns. A more general discussion like the one you linked, but in a
language more of us understand, might also help.

That said, obviously HDYC is the most elaborate individual analysis tool
around, so it does make snooping very easy. A system to opt-out of being
included in this particular system might be reasonable. This could
technically work in a way similar to the opt-in you can do to link your
HDYC profile to your osm-related profiles (by including links in your OSM
profile).
While I would also have liked to see a more inclusive discussion about
this, ultimately, it doesn't matter where and how Pascal came to his
conclusion. It is his tool, so the decision is his alone. I would really
love to see tools like this integrated into the core OSM systems, where we
would theoretically all have a say. Unfortunately, that's not the case.
___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Frederik Ramm]

Hi,

On 05/05/2017 12:39 AM, Michał Brzozowski wrote:
> Many national communities use their own change monitoring tools that
> will break, for instance greeting and monitoring new mappers. 

Why? Would it be so hard to adapt the tools to log in to OSM to access
user information?

> We use one site in Poland and the Dutch community also uses another site.
> There's also Overpass API.

Sure, all these would have to change in the long run but it is such a
big deal? Even today, Overpass only gives you user names if you
explicitly ask for it.

> This is not feasible on a technical level IMO 

I don't agree, I think it would be quite easy.

> and would require
> significant effort to satisfy just these paranoid people. 

I don't think it is fair to talk of "just these paranoid people". Our
mappers are not enemies; they trust us with their data and it is our
moral duty to handle the data they trust us with responsibly. (And I'm
not even starting to talk about what our legal duties are!)

> I don't
> trust OSMF to accommodate everyone's needs on change monitoring.

I don't know what "everyone's needs" are but if these needs include "I
must be able to download personal user data without logging in" and "I
must be able to distribute personal user data without taking any
safeguards as to its further use" then I'm not sure if these needs
*should* be accommodated.

I am sure that all existing quality control measures can be kept up even
if we start saying that username data is for internal use only.

> Also, I see no reasonable way that upcoming EU privacy rules would
> affect us. Would they consider OSM as a special case or what?
> Everything mappers do, as has been said, is consensual and explicit.

As I said, I think that even in a world without data protection, it
would be our duty to think about how to protect the privacy of our
contributors. Just saying "you've signed this here, ha ha ha, your fault
if you haven't read the small print" is not enough. Certainly not
morally; maybe even not legally.

If you start looking at the legal side there are many aspects that need
to be evaluated. I am not a lawyer but I have a feeling that even today
there's a lot of issues not directly related to the above topic where we
fall foul of data protection rules, for example the way we continue to
offer old planet files for download complete with user names, even if
people have asked us to delete their personal information. (Remember,
even if people should have agreed to the distribution of their personal
data on signup, they can - as far as personal data is concerned - always
withdraw their agreement; we cannot then say "har har it is too late now
the data is already released under ODbL".) It is also totally unclear if
this "metadata" is even part of the ODbL licensed database. Another
issue is that there's no way for downstream users mirroring our data to
know that "user XY has revoked permission to distribute their user
name". Another big issue at least for European users is likely that many
governemnt institutions and large companies have strict house rules on
working with personal data; if your random government agency importing a
planet file into a database were told that this actually contains a ton
of personal data, they'd probably have to stop their machines
immediately and ask for permission from the relevant data protection
commissioner or whomever.

But I don't want this to become discussion about "how low can we go with
data protection to still be legal". I want this to be "how high can we
go with data protection to still be useful", and I think there's a lot
that can be done that will make our project better, friendlier, and a
safer place to be for everyone.

> When I said spirit, I though for instance mapping parties which were
> once very popular and still somewhat are. It was customary to make
> animated progress maps colored by user.

I think that a viable middle ground could be to make user data available
to signed-up project members only, and they'd have to promise to only
use that data for project-internal purposes. Hence, anyone with an OSM
account could make such an animated progress map, and it could be shown
to anyone with an OSM account. Only if you want to distribute it outside
of OSM you'd either have to remove/pseudonymize the user names or get
explicit permission (as in: "I am ok with you publishing this particular
work with my name in it") from the participants. Would that really be
such a big issue? I think you're making this into a much bigger issue
than it needs to be.

Bye
Frederik

-- 
Frederik Ramm  ##  eMail frede...@remote.org  ##  N49°00'09" E008°23'33"

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Michał Brzozowski]

On Thu, May 4, 2017 at 11:33 PM, Frederik Ramm  wrote:
> I have personally talked to people who said they don't want to
> contribute to OSM because Pascal Neis' page was "inviting stalkers".
>
> Those people were not the geek elite who have made it a habit to
> thoroughly think about what gets published and how to ensure that
> there's no link between their online identity and their private live if
> they don't want their privacy violated. Those were people from groups
> currently underrepresented in OSM, people whom we would like to see more
> of in OSM, but who felt unsafe making themselves visible like that.


How many people? I think we would make it worse for many just to have
a handful of people happy. I don't think we should strive to catch
mappers at any cost. I know the intentions are good, but reality has
often taught me otherwise.

Many national communities use their own change monitoring tools that
will break, for instance greeting and monitoring new mappers. We use
one site in Poland and the Dutch community also uses another site.
There's also Overpass API.
This is not feasible on a technical level IMO and would require
significant effort to satisfy just these paranoid people. I don't
trust OSMF to accommodate everyone's needs on change monitoring.

Also, I see no reasonable way that upcoming EU privacy rules would
affect us. Would they consider OSM as a special case or what?
Everything mappers do, as has been said, is consensual and explicit.

When I said spirit, I though for instance mapping parties which were
once very popular and still somewhat are. It was customary to make
animated progress maps colored by user.

Long story short: weigh "benefits" to all the far-reaching implications.

I really hope this won't come through. Really.

Michał

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Christoph Hormann]

On Thursday 04 May 2017, Michał Brzozowski wrote:
>
> > Well - HDYC is a tool offered by Pascal Neis, AFAIK it is not even
> > open source.  Pascal could turn it off any time if he wanted to and
> > of course he can also put up constraints.
>
> Keep in mind that I don't make it appear that my requests are based
> on something formal, they're not. I simply hope that people will tell
> him they don't agree with me and two already did ;)

I can only say if i was in Pascal's position here and i had decided to 
add the requirement of authorization to my tool because i am convinced 
this is important for the privacy of mappers (and i don't want to imply 
that i would see it that way nor that this was actually Pascal's 
motivation) users not liking my decision but having no convincing 
arguments w.r.t. the basis of my decision would not have any bearing on 
the matter.

> I think it also emphasizes how open-source tools are important. There
> are tons of obscure analysis pages which don't have their source
> available.

Yes - and the situation about HDYC would have different dynamics 
obviously if it was open source.

But also keep in mind that the functionality of HDYC is not really that 
complex.  Writing a replacement for it would certainly be quite a bit 
of work but it is not really rocket science.

-- 
Christoph Hormann
http://www.imagico.de/

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Frederik Ramm]

Hi,

On 05/04/2017 09:33 PM, Michał Brzozowski wrote:
> I don't like the idea how this was never introduced and discussed
> outside of the German forum.
> I think that such "privacy" measures are futile and go against the
> spirit of OSM - transparency.

I think that what we mainly want to create in OSM is a geo database, not
a database of where a particular OSM mapper was at a particular time, or
whether a particular OSM mapper tends to stay up long at night editing OSM.

I have personally talked to people who said they don't want to
contribute to OSM because Pascal Neis' page was "inviting stalkers".

Those people were not the geek elite who have made it a habit to
thoroughly think about what gets published and how to ensure that
there's no link between their online identity and their private live if
they don't want their privacy violated. Those were people from groups
currently underrepresented in OSM, people whom we would like to see more
of in OSM, but who felt unsafe making themselves visible like that.

We are currently doing far too little to protect the privacy of our
mappers, and our methods of educating mappers about the privacy
consequences of their actions in OSM are laughable at best. That your
contributions to OSM can lead to a detailed analysis of your online
behaviour like the one produced by Pascal Neis is obvious to the
tech-savvy among us but certainly not to everyone who signs up. We have
a duty to, at the very least, educate new mappers about what happens to
their data, and ideally we should also do more to protect their data.

The "metadata" of *who* edited what when is not a necessary part of our
database proper; someone just wanting to *use* the data does not have to
know. We use this information inside of OSM to improve quality, to
contact mappers, to find vandalism and so on. But I don't think that the
broader public necessarily needs to know about such internal aspects.

I am very much in favour of limiting at least the value of the "user
name" field to project-internal use. Pascal has made a first step in
that direction. Currently, anyone can download the planet file with all
user information intact and thereby circumvent the (extremely low)
barrier of having to provide an OSM username; I hope that in the long
run, we will stop making username information available to the public,
and instead make the user name only available "for project internal
purposes", i.e. to logged in users. I think this will not hurt any
legitimate use case, while at the same time making clear that we
consider this information privileged and not for general consumption.

It doesn't matter that anyone can sign up and then view that data; we
can at least make people promise to only use the data for project
internal use when they sign up.

> Maybe this is due to some "moral panic" in Germany revolving around
> privacy, just like StreetView ban - except it's made clear that your
> edits are public and you agree to it!

It is made clear that your edits are public, and we even explain about
the meta data (the Privacy Policy says: "All edits made to the map are
recorded in the database with the user ID of the user making the change,
and a timestamp at the time of change upload. In general all of this
information is also made available to everyone via the website,
including links to allow everyone to easily cross-reference which user
has made which edit. "). But we are hiding this like the small print in
a contract; there are many people who have signed up to OSM and who are
shocked to find their life reflected in Pascal's analyses. You might say
it's their fault, they are stupid not to read what they signed up to; I
say it's out fault, we have a duty of explaining to them what they are
signing up to. Every single person who signs up to OSM and who doesn't
understand what they are publishing about themselves is our fault.

Pascal has recevied numerous legal threats about his pages. Making them
"for project internal use only" considerably improves his legal standing
should anyone ever actually try and sue him. It's his service, his legal
risk, and his decision. New EU data protection regulations announced for
2017 will make things even stricter, and we will have to spend serious
thought on how we can protect the privacy of our mappers if we want to
expand the project past the group of geeks who know how to manage their
privacy online. And it is not just a legal issue; you might call it a
"moral panic", I call it a moral duty to do everything we can to ensure
that our mappers don't suffer disadvantages from contributing to OSM.

Bye
Frederik

-- 
Frederik Ramm  ##  eMail frede...@remote.org  ##  N49°00'09" E008°23'33"

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Simon Poole]

This seems to be derailing rather fast.

The background is that we are publishing a fair amount of meta data
about our contributors that could at least be seen as not totally
harmless from a privacy and data protection point of view.

This includes all the changeset meta data, user ids and display names in
the data and last but not least timestamps, distributed in the data
dumps and the website. It is currently rather simple to generate a
profile for a specific editor and likely even finger print contributions
over multiple accounts.

Most of us, I would hope, are aware of the potential consequences and
accept the risk that contributing out in the open implies, but this is
definitely not universally true. It has been suggested that one possible
approach to resolving this is to remove all the relevant meta data from
places where it can be accessed without an OSM account (that would imply
no changeset dumps, and no user-ids etc in the planet dumps, and
re-working the website to only show such information to logged in
users). This would have to be accompanied by a new set of ToS that would
clearly lay down how such meta data can be used.

Naturally the above will not stop the bad guys, but it would make it
slightly less trivial to misuse OSM. Pascal, who has in the past been
threatened with legal action wrt privacy issues, reacted very promptly
to the discussion and implemented such a login-only access model, I
don't really see how he can be faulted for that given that it doesn't
limit community access at all, and he is fully responsible for what he
is publishing.

Now the other aspect is the upcoming (2018) changes in privacy
regulations in the EU. They will undoubtedly impact any such discussion
and future policy and the LWG has budgeted a fair bit of money exactly
to investigate and potentially implement any such required changes,
which could very well include all of above and more. 

Personally I'm not very happy with the concept of reducing the
availability of contribution meta data as it will make lots of things
harder (vandalism detection and fighting for example) and likely require
many things to move to OSMF run tasks that are currently done by the
community at large, but it may be something that we can't avoid.

Simon




signature.asc
Description: OpenPGP digital signature
___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[James]

As Michal said, forcing login wont stop "those that want to cause harm".
They will just login and harvest the data. They can also just scrape the
osm data, so I dont think this is an issue with  HDYC as much it is a
privacy concern with OSM data itself.

If you dont want to be associated with your edits: create a generic account
that has nothing to do with your usual usernames i.e. AnonymousUser001 or
OSMUser001 and never communicate about the work done on that account with
your main profile/email. That way you dissociate yourself from that user
and your social media accounts.


If people cant find a link between personal identifyable info(facebook,
twitter, email, linkedin) and the editing user there is no cause for alarm.

Worst case they will say: Oh there's an osm user that lives in this
areaso do 35 other users.

Basic internet anonymity 101...

On May 4, 2017 4:51 PM, "Christoph Hormann"  wrote:

> On Thursday 04 May 2017, Nicolás Alvarez wrote:
> >
> > > Just to make this clear since there are likely quite a few people
> > > reading here who will not be able or willing to parse the
> > > discussion on the German forum - discussion there was about privacy
> > > concerns w.r.t. editing metadata, which is what is the basis of
> > > Mixing this with the subject of openness of geodata and
> > > privacy concerns reagarding geodata (like mappers recording names
> > > from the doors of private homes etc.) is not really appropriate -
> > > two very different matters which need to be considered separately.
> >
> > I don't think Michał was mixing those two different matters.
>
> Michał made a connection to privacy concerns regarding Google StreetView
> which were exclusively about the recorded data and not about the
> recording metadata (which Google obviously has no interest in
> publishing).
>
> --
> Christoph Hormann
> http://www.imagico.de/
>
> ___
> talk mailing list
> talk@openstreetmap.org
> https://lists.openstreetmap.org/listinfo/talk
>
___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Michał Brzozowski]

On Thu, May 4, 2017 at 10:48 PM, Christoph Hormann  wrote:
> Michał made a connection to privacy concerns regarding Google StreetView
> which were exclusively about the recorded data and not about the
> recording metadata (which Google obviously has no interest in
> publishing).

Yes, these matters are separate, but I was talking about the sentiment
towards privacy and over-exaggeration of it. Hence I wrote "moral
panic".
I think any of us here knows how Streetview and OSM work.

Michał

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Christoph Hormann]

On Thursday 04 May 2017, Nicolás Alvarez wrote:
>
> > Just to make this clear since there are likely quite a few people
> > reading here who will not be able or willing to parse the
> > discussion on the German forum - discussion there was about privacy
> > concerns w.r.t. editing metadata, which is what is the basis of
> > Mixing this with the subject of openness of geodata and
> > privacy concerns reagarding geodata (like mappers recording names
> > from the doors of private homes etc.) is not really appropriate -
> > two very different matters which need to be considered separately.
>
> I don't think Michał was mixing those two different matters.

Michał made a connection to privacy concerns regarding Google StreetView 
which were exclusively about the recorded data and not about the 
recording metadata (which Google obviously has no interest in 
publishing).

-- 
Christoph Hormann
http://www.imagico.de/

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[James]

> So you think the German community should be required to proactively
> communicate any subject they discuss in German language channels to the
> international community?

We have to do this for imports, the least you could have done is brought it
up on the talk mailing list.

On May 4, 2017 4:41 PM, "Michał Brzozowski"  wrote:

> So you think the German community should be required to proactively
> communicate any subject they discuss in German language channels to the
> international community?

I think the tools are _de facto_ used by the whole OSM community
worldwide, that's why I think any sort of announcement would be
appropriate. I am realistic.

> Well - HDYC is a tool offered by Pascal Neis, AFAIK it is not even open
> source.  Pascal could turn it off any time if he wanted to and of
> course he can also put up constraints.

Keep in mind that I don't make it appear that my requests are based on
something formal, they're not. I simply hope that people will tell him
they don't agree with me and two already did ;)

I think it also emphasizes how open-source tools are important. There
are tons of obscure analysis pages which don't have their source
available.

For starters, there's a little known program called ChangesetMD which
allows you to load changeset and discussion metadata to Postgres.
However, this is changeset only and one won't be able to do all of the
analyses (bboxes alone often are inaccurate, also no info on tags).

Michał

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk
___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Michał Brzozowski]

> So you think the German community should be required to proactively
> communicate any subject they discuss in German language channels to the
> international community?

I think the tools are _de facto_ used by the whole OSM community
worldwide, that's why I think any sort of announcement would be
appropriate. I am realistic.

> Well - HDYC is a tool offered by Pascal Neis, AFAIK it is not even open
> source.  Pascal could turn it off any time if he wanted to and of
> course he can also put up constraints.

Keep in mind that I don't make it appear that my requests are based on
something formal, they're not. I simply hope that people will tell him
they don't agree with me and two already did ;)

I think it also emphasizes how open-source tools are important. There
are tons of obscure analysis pages which don't have their source
available.

For starters, there's a little known program called ChangesetMD which
allows you to load changeset and discussion metadata to Postgres.
However, this is changeset only and one won't be able to do all of the
analyses (bboxes alone often are inaccurate, also no info on tags).

Michał

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Nicolás Alvarez]

2017-05-04 17:21 GMT-03:00 Christoph Hormann :
> On Thursday 04 May 2017, Michał Brzozowski wrote:
>> Maybe this is due to some "moral panic" in Germany revolving around
>> privacy, just like StreetView ban - except it's made clear that your
>> edits are public and you agree to it!
>
> Just to make this clear since there are likely quite a few people
> reading here who will not be able or willing to parse the discussion on
> the German forum - discussion there was about privacy concerns w.r.t.
> editing metadata, which is what is the basis of HDYC.  Mixing this with
> the subject of openness of geodata and privacy concerns reagarding
> geodata (like mappers recording names from the doors of private homes
> etc.) is not really appropriate - two very different matters which need
> to be considered separately.

I don't think Michał was mixing those two different matters. "Your
edits are public" also means the fact that *you* edited *that
particular* piece of data is public, from which someone could infer
eg. where you live; it's not mixing the subject of privacy concerns
with the data itself.

-- 
Nicolás

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Christoph Hormann]

On Thursday 04 May 2017, Michał Brzozowski wrote:
>
> https://forum.openstreetmap.org/viewtopic.php?id=57813
>
> I don't like the idea how this was never introduced and discussed
> outside of the German forum.

So you think the German community should be required to proactively 
communicate any subject they discuss in German language channels to the 
international community?

> I think that such "privacy" measures are futile and go against the
> spirit of OSM - transparency.

Well - HDYC is a tool offered by Pascal Neis, AFAIK it is not even open 
source.  Pascal could turn it off any time if he wanted to and of 
course he can also put up constraints.

If you think that is against the spirit of OSM that is up to you but 
don't forget that there are tons of tools based on OSM data developed 
and run with restricted access you never hear about.  It is not really 
conceivable how in case of HDYC making such a tool available for all 
mappers based on authentification with an OSM account makes this less 
in the spirit of OSM than a private tool that is not even known to the 
public.

> Maybe this is due to some "moral panic" in Germany revolving around
> privacy, just like StreetView ban - except it's made clear that your
> edits are public and you agree to it!

Just to make this clear since there are likely quite a few people 
reading here who will not be able or willing to parse the discussion on 
the German forum - discussion there was about privacy concerns w.r.t. 
editing metadata, which is what is the basis of HDYC.  Mixing this with 
the subject of openness of geodata and privacy concerns reagarding 
geodata (like mappers recording names from the doors of private homes 
etc.) is not really appropriate - two very different matters which need 
to be considered separately.

-- 
Christoph Hormann
http://www.imagico.de/

___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[Denis Carriere]

+1 both James & Michal's comments.

Thanks Michal for bringing up this undiscussed topic to the mailing list.

*~~*
*Denis Carriere*
*GIS Software & Systems Specialist*

On Thu, May 4, 2017 at 3:42 PM, James  wrote:

> What Michal said. Any body can download the OSM data and run the same
> analysis. You agreed to contribute to OSM, if you want your online
> footprint to be non-existant: unplug your internet.
>
> On Thu, May 4, 2017 at 3:33 PM, Michał Brzozowski 
> wrote:
>
>> Many know Pascal Neis' site HDYC which displays detais about an OSM
>> user, like first created node, activity area, edit stats and so on:
>>
>> http://hdyc.neis-one.org/
>>
>> Today to view any stats of a user you have to login with OSM.
>> Pascal replied to me that this is related to this discussion on the
>> German users forum:
>>
>> https://forum.openstreetmap.org/viewtopic.php?id=57813
>>
>> I don't like the idea how this was never introduced and discussed
>> outside of the German forum.
>> I think that such "privacy" measures are futile and go against the
>> spirit of OSM - transparency.
>>
>> Maybe this is due to some "moral panic" in Germany revolving around
>> privacy, just like StreetView ban - except it's made clear that your
>> edits are public and you agree to it!
>>
>> Michał
>>
>> ___
>> talk mailing list
>> talk@openstreetmap.org
>> https://lists.openstreetmap.org/listinfo/talk
>>
>
>
>
> --
> 外に遊びに行こう！
>
> ___
> talk mailing list
> talk@openstreetmap.org
> https://lists.openstreetmap.org/listinfo/talk
>
>
___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk

Re: [OSM-talk] HDYC, login requirement and "privacy"

[James]

What Michal said. Any body can download the OSM data and run the same
analysis. You agreed to contribute to OSM, if you want your online
footprint to be non-existant: unplug your internet.

On Thu, May 4, 2017 at 3:33 PM, Michał Brzozowski 
wrote:

> Many know Pascal Neis' site HDYC which displays detais about an OSM
> user, like first created node, activity area, edit stats and so on:
>
> http://hdyc.neis-one.org/
>
> Today to view any stats of a user you have to login with OSM.
> Pascal replied to me that this is related to this discussion on the
> German users forum:
>
> https://forum.openstreetmap.org/viewtopic.php?id=57813
>
> I don't like the idea how this was never introduced and discussed
> outside of the German forum.
> I think that such "privacy" measures are futile and go against the
> spirit of OSM - transparency.
>
> Maybe this is due to some "moral panic" in Germany revolving around
> privacy, just like StreetView ban - except it's made clear that your
> edits are public and you agree to it!
>
> Michał
>
> ___
> talk mailing list
> talk@openstreetmap.org
> https://lists.openstreetmap.org/listinfo/talk
>



-- 
外に遊びに行こう！
___
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk