Re: [OSM-talk] HDYC, login requirement and "privacy"
Hi, because the whole issue alao affects Overpass API, I have written down my thoughts in a blog post: http://dev.overpass-api.de/blog/fahrenheit_451.html Best regards, Roland ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
On 05.05.2017 at 11:38 Martin Koppenhoefer wrote: General Data Protection Regulation (GDPR) just a hint to a talk held at the FOSDEM 2017 (including the video): https://fosdem.org/2017/schedule/event/foss_and_the_gdpr/ Maybody some persons discussing here might want to have a lock at that video. Cheers, Michael. ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
Hi, On 05/08/2017 10:53 AM, Richard Fairhurst wrote: > Breaking the connection between real people and "their map" fundamentally > alters the OSM community, and, I think, makes it closer to the toxic, > identity-free, virtual-personality environment that Wikipedia can so often > be. Yes. Therefore I am skeptical of the knee-jerk recommendation so often given to people who are concerned about their privacy: "You can choose any pseudonym you want, even make multiple accounts if need be", or, taken to the extreme in the thread above: "If you *really* value your privacy, just create a new account for every single edit you make." I would prefer if we could achieve a situation where users can dare to be a little less protective of their privacy inside the project, because we as a project take steps to keep what happens in OSM, in OSM. I know this can never happen in an airtight way. But I would like it if, when someone abuses one mapper's OSM "metadata" for reasons it wasn't intended for, the community stands behind that mapper and says: This is an abuse of our data, stop it - instead of engaging in "victim shaming" by telling the mapper that they were stupid to use their real name (or a traceable nickname) to begin with and/or that if they can't stand by the edits they make they shouldn't have joined in the first place. > You know and I know that several of OSM's most challenging edit wars in > recent years have involved people who have not admitted, or have heavily > obfuscated, their real names - sometimes generating a succession of > disguised identities. I do not think this is coincidence. With identity > comes accountability. You are coming dangerously close to suggesting a "real name policy" here in OSM. I wouldn't categorically oppose that, but it would mean an even greater responsibility on our side to protect the privacy of users. Most arguments raised in various other places (Facebook etc) about real name policies hold true for OSM as well; some people might open themselves up for prosecution or feuds if it became public that they're mapping in OSM. > There is nothing wrong with us saying "100% privacy is valuable, but it's > not compatible with the way OSM works, and if you can't cope with your edits > being trackable then OSM is perhaps not the project for you". For me there is a very big difference between hiding user names altogether, and hiding user names from "project outsiders who haven't clicked a button promising that they will play by our rules". What's been done by Pascal, and what I am advocating, is the former; what you seem to be arguing against, is the latter. Bye Frederik -- Frederik Ramm ## eMail frede...@remote.org ## N49°00'09" E008°23'33" ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
Frederik Ramm wrote: > saying "your privacy goes down the drain if you do anything > online anyway, so why should we at OSM take steps to protect > it more". > > Perhaps: because we can, and because it's a good thing? ...or perhaps it isn't quite that black and white. OSM, at its best, is a community of real people, mapping their neighbourhoods, and taking responsibility for their edits. I stand by my edits in Charlbury and nearby because it's verifiable that I live here. If anonguy1 comes along and repeatedly edit-wars "Market Street" into "High Street", OSM defers, correctly, to me as the accountable local who feels a sense of ownership for my part of the map. If I wrongly armchair some TIGER and Todd from North Carolina says "hey, actually that should be a tertiary road", I defer to him - it's his map, I'm just visiting. As Mikel says upthread, "[OSM] depends so much on user reputation to retain quality". Breaking the connection between real people and "their map" fundamentally alters the OSM community, and, I think, makes it closer to the toxic, identity-free, virtual-personality environment that Wikipedia can so often be. You know and I know that several of OSM's most challenging edit wars in recent years have involved people who have not admitted, or have heavily obfuscated, their real names - sometimes generating a succession of disguised identities. I do not think this is coincidence. With identity comes accountability. There is nothing wrong with us saying "100% privacy is valuable, but it's not compatible with the way OSM works, and if you can't cope with your edits being trackable then OSM is perhaps not the project for you". Richard -- View this message in context: http://gis.19327.n8.nabble.com/HDYC-login-requirement-and-privacy-tp5896250p5896429.html Sent from the General Discussion mailing list archive at Nabble.com. ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
On Sunday 07 May 2017, Frederik Ramm wrote: > > It is a common issue in OSM (and elsewhere) for people to use the > status quo as a reason. "Admin boundaries are not visible on the > ground and they are mapped, THEREFORE I can also map everything else > that is not visible on the ground" - no! And you're doing it the > other way round, saying "your privacy goes down the drain if you do > anything online anyway, so why should we at OSM take steps to protect > it more". But we also should be careful not to apply the 'analogy sledgehammer' the other way round - just because restricting access to data can in some case reduce privacy issues it is not necessarily always the best way to deal with such a problem. Specifically that putting a login via OSM account in front of HDYC makes sense for this specific tool and some specific concerns regarding it (mainly the 'invitation to stalking' matter) should not lead anyone to consider this a useful standard measure for all privacy related concerns. Side note: Mailing lists are a very different matter for a variety of technical and social reasons. I would say that the idea of restricting mailing list archive access due to metadata based privacy concerns is fairly far fetched (in contrast to content related concerns about privacy or confidentiality - which make much more sense) considering the archives show almost nothing of the mail metadata except 'From' and 'Date' which can be freely chosen by the user. -- Christoph Hormann http://www.imagico.de/ ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
Hi, On 07.05.2017 22:54, Nicolás Alvarez wrote: > Yet I don't know of any such platform that has rules on how such > metadata can be used, and I don't see anyone here arguing that we need > rules on the use of mailing list archive metadata. One thing at a time. Pascal's request for identifying yourself as an OSM user is a tiny first step. Farther down that road there might be conditions for the release of user-related information (e.g. "you can get this info but you have to affirm that you won't abuse that"). Making mailing list archives accessible to mailing list members only is also something that Mailman offers out of the box and that we could one day switch on if we like. It is a common issue in OSM (and elsewhere) for people to use the status quo as a reason. "Admin boundaries are not visible on the ground and they are mapped, THEREFORE I can also map everything else that is not visible on the ground" - no! And you're doing it the other way round, saying "your privacy goes down the drain if you do anything online anyway, so why should we at OSM take steps to protect it more". Perhaps: because we can, and because it's a good thing? Bye Frederik -- Frederik Ramm ## eMail frede...@remote.org ## N49°00'09" E008°23'33" ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
2017-05-05 6:59 GMT-03:00 Frederik Ramm: > Today, if you are looking for a job and you're being interviewed by a > potential employer, the potential employer could say: "I can see from > OpenStreetMap that you've been editing a lot during the day in your last > job. Did you not have any work to do?" - and the employer would not even > be "wrong". Harvesting the full history file for totally OSM unrelated > information like that is not against any of our rules; it might be > against the law in some countries but certainly not in others. If you > publicly complained about what happened to you, it is very likely that > there will be many people like in this thread who will say "duh, you > idiot why didn't you use a pseudonym, didn't you read what you signed up > for, lah lah lah". > > I would like to come to a point where, if this happened to you in a job > interview, you could afterwards point to an OSM policy and say: Clearly > this company has violated OSM rules, they must have created an account > under false pretenses to get at this data and they're using it for > purposes not sanctioned by OSM. That won't make you get the job, but it > would at least make clear that we stand with our contributors against > abuse of their data. This scenario is not specific to OSM map edits at all. They could also use mailing list archives to see you have been arguing about OSM tagging conventions during work hours. Or see that you have been editing Wikipedia. Every web forum, mailing list, social network, wiki, etc. that has usernames and timestamps would be "vulnerable" to that. Yet I don't know of any such platform that has rules on how such metadata can be used, and I don't see anyone here arguing that we need rules on the use of mailing list archive metadata. -- Nicolás ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
On 4 May 2017 22:33:47 IST, Frederik Rammwrote: >It doesn't matter that anyone can sign up and then view that data; we >can at least make people promise to only use the data for project >internal use when they sign up. While I'm not looking forward to having to login to use various tools, I understand that it might be a step in the right direction for privacy-sensitive contributors. But seeing how low this new barrier is, I don't think that we should advertise it as a privacy-preserving feature, because it'll give a false sense of security to the very users we are trying to help. It's also annoying that it migh increase "contribution-less account bloat", but that's something we have to live with anyway. I'd be more interested in annonymising features like a "randomize changeset and gpx timestamps a bit" account setting and providing a best-effort "delete my account and as much data as you can" button. These are more invasive and complicated than "login to see usernames" but they would be much more useful. -- Vdp Sent from a phone. ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
On Fri, 5 May 2017 12:34:14 +0200 Martin Koppenhoeferwrote: > 2017-05-05 12:24 GMT+02:00 Frederik Ramm : > > > I think that even if they are careful enough not to use their real > > name, the identity of a mapper will often be easy to reconstruct if > > you have access to just a little bit of extra information (might be > > as little as a name on a doorbell). > > > > > if I look at my "local area" in hdyc, there are probably a million > people living within, but even if it were just a few thousand it > would effectively not be possible to look at all those doorbells > (where you won't have your name anyway if you are really concerned > about privacy) and get a clue to which username this might be > related. If you are living in a _very_ remote area (which most > mappers are not), in very rare exceptional cases it might be possible > to see who is which mapper, and that he mapped this remote area. > Congratulations. You're seriously underestimating how much information it's possible to get from editing patterns. There are a quarter-million people in the area I keep an eye on; maybe four of them are active OSM contributors. Just from looking at changesets, I know where two of them live: which house for one of them, and the general neighborhood for the other. (I also know which university a couple dozen hit-and-run editors attend, and can make a good guess at which class they took last fall.) -- Mark ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
"‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;" http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679=EN Article 4 (1) (about 1/3 into the document). Current national definitions that I know of are not vastly different. Simon Am 05.05.2017 um 21:31 schrieb yvecai: > Le 05. 05. 17 à 19:11, Simon Poole a écrit : >> >> That is why I suspect that the consequence of this discussion could >> be fairly drastic and result in essentially all meta data being >> removed from the planet dumps, including changeset ids and so on. >> > So, if you suspect, ... don't ? > Editing the map *yourself* *is* Openstreetmap !! > > I'd really like to have a defintion of 'personal data' in this > context. Otherwise, this discussion is quite useless, cause while > interesting, an OSM-talk definition won't be anything close to a legal > definition. > > Yves > > ___ > talk mailing list > talk@openstreetmap.org > https://lists.openstreetmap.org/listinfo/talk signature.asc Description: OpenPGP digital signature ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
Le 05. 05. 17 à 19:11, Simon Poole a écrit : That is why I suspect that the consequence of this discussion could be fairly drastic and result in essentially all meta data being removed from the planet dumps, including changeset ids and so on. So, if you suspect, ... don't ? Editing the map *yourself* *is* Openstreetmap !! I'd really like to have a defintion of 'personal data' in this context. Otherwise, this discussion is quite useless, cause while interesting, an OSM-talk definition won't be anything close to a legal definition. Yves ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
This topic started a bit backwards -- with an action taken by one project within the OSM ecosystem. We've covered a lot of perspectives on the topic of privacy in OSM, and possible actions and their implications. To turn this thread into some forward movement for us, a good course of action will be as follows. This does not clearly fit into one Working Group responsibility, so the OSMF Board can consider taking up the design of the process at least. * We need to considerately research and assess the personal information (PI) risk. Including defining what is PI, and what various part of OSM might expose. * LWG get informed legal advice on EU and other jurisdiction's PI laws* Consider the range of possible activities to address the risk I reckon the most reasonable and effective starting activity will be to clearly define what OSM users need to know about contributing geodata to OSM, and the PI considerations they should keep in mind. As Frederik says, "raising awareness". For this to be effective, this means smarter design in the learning process and onboarding of new mappers. And perhaps that's the ending point. Personally I can't see any way the removing contributor metadata from geodata would 1) really protect anyone 2) not hobble the project, which depends so much on user reputation to retain quality. In any case, let's kick that question down the road. -MIkel * Mikel Maron * +14152835207 @mikel s:mikelmaron On Friday, May 5, 2017 12:28 PM, Yveswrote: Actually, can an OSM username be considered as 'personal data'? Can somebody point out to a definition of 'personal data' ? How would this be different from, say, my github account? Yves___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
"It depends" the critical part (regardless of if it is your real name or not) is that it can be used as a key to generate a profile a la HDYC and that can then be associated with the help of additional sources with a real person, potentially revealing all kind of things about your life. But strictly speaking the display name is not necessary for that as the changeset meta data and likely the edits themselves probably contain enough information to generate unique or near unique fingerprints. That is why I suspect that the consequence of this discussion could be fairly drastic and result in essentially all meta data being removed from the planet dumps, including changeset ids and so on. Simon Am 05.05.2017 um 18:25 schrieb Yves: > Actually, can an OSM username be considered as 'personal data'? > Can somebody point out to a definition of 'personal data' ? > How would this be different from, say, my github account? > Yves > > > ___ > talk mailing list > talk@openstreetmap.org > https://lists.openstreetmap.org/listinfo/talk signature.asc Description: OpenPGP digital signature ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
Actually, can an OSM username be considered as 'personal data'? Can somebody point out to a definition of 'personal data' ? How would this be different from, say, my github account? Yves ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
On Friday 05 May 2017, Frederik Ramm wrote: > [...] > > I would like to come to a point where, if this happened to you in a > job interview, you could afterwards point to an OSM policy and say: > Clearly this company has violated OSM rules, they must have created > an account under false pretenses to get at this data and they're > using it for purposes not sanctioned by OSM. That won't make you get > the job, but it would at least make clear that we stand with our > contributors against abuse of their data. One of the things i was trying to point out is that this would not be the case. That company would simply say: "We got that info from or from our human ressources consulting contractor and never agreed to any terms not to use such data. Thanks for informing us that they are using this data without permission, we will not use it any more in the future." ;-) > > For a balanced discussion - and i am not saying i would actually > > prefer this approach to what you are suggesting - the whole problem > > could also be approached from the other side by reconsidering the > > possibility for partly anonymous edits. > > Yes. I think both approaches could be grouped under "restricted > access to personal information", and there will probably be still > other approaches with their own advantages and disadvantages. Well - the difference with the scenario i outlined is that it much more clearly aims at the protection of the mappers' privacy and gives the mapper much broader and more immediate control over this. This is no replacent for a solid strategy on educating mappers on what kind of privacy risks are involved with contributing in OSM but it kind of seems a more logical approach to the matter than a purely after-the-fact approach to protecting the data. This does not mean i am convinced this is ultimately the best solution, this depends on a lot of details of the implementation. -- Christoph Hormann http://www.imagico.de/ ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
sent from a phone > On 5. May 2017, at 12:24, Frederik Rammwrote: > > This is true. It would actually be possible to write a plugin for JOSM > to do that - automatically sign up to OSM with a different throw-away > account for each changeset you upload. then you'd know it's either a German or a Chinese and could see from the region of the edit which one ;-) cheers, Martin PS: We could also offer anonymity through uploads via a third party (which you must trust then) ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
Hi, On 05.05.2017 12:27, Martin Koppenhoefer wrote: > I also fail to understand who would > attack someones privacy by looking at OSM edits and for what scope, and > why this can't be legally excluded by stating you must not do it if you > want the data (which on the other hand will make OSM non-free data, at > least with respect to data referring to mappers). I think it would be good to separate - at least in our minds - the core geodata from the "user data" or maybe "metadata" of who did what when and using which operating system and editor. The core geodata will always be freely available under the ODbL, and you would not "make OSM non-free" by omitting e.g. user information from that. Many current distribution forms (e.g. standard Overpass responses, vector tiles, Garmin maps) already omit user information. You could then offer the user information (needed for quality control etc.) under separate rules (that say "for project internal use only"). This would automatically mean, that someone who runs a HDYC-like site would have to put a login in front of the site in order to ensure that he complies with the "internal use only" rule. Bye Frederik -- Frederik Ramm ## eMail frede...@remote.org ## N49°00'09" E008°23'33" ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
2017-05-05 12:24 GMT+02:00 Frederik Ramm: > I think that even if they are careful enough not to use their real name, > the identity of a mapper will often be easy to reconstruct if you have > access to just a little bit of extra information (might be as little as > a name on a doorbell). > if I look at my "local area" in hdyc, there are probably a million people living within, but even if it were just a few thousand it would effectively not be possible to look at all those doorbells (where you won't have your name anyway if you are really concerned about privacy) and get a clue to which username this might be related. If you are living in a _very_ remote area (which most mappers are not), in very rare exceptional cases it might be possible to see who is which mapper, and that he mapped this remote area. Congratulations. What is the scenario? The chinese government? Your ex-wife? The NSA? Nazi-terrorists? Your friends? According to who it is, the countermeasures will have to be very different. Cheers, Martin ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
2017-05-05 12:10 GMT+02:00 Frederik Ramm: > How the goals of transparency and quality control in the project and the > goal of protecting the privacy of the individual contributor can be > reconciled is something we can, and should, think about > I still don't see how someone can be individually identified within OSM by her edits, and I fail to understand how these edits are qualifying as "personal data". Either the mapper is editing not much (so there is not sufficient information about her, these are most mappers), or she is editing a lot and according to his editing habits you could maybe say something about her interests and the area where she lives, how often she goes to other places, at what times she is active in OSM and similar. This still won't help to identify single persons unless you have a very huge database of many people which _already_ knows a whole lot about everyone, including when they went abroad or in vacation, what their interests are etc., so you won't probably gain more insight from looking at the OSM edits as well. I also fail to understand who would attack someones privacy by looking at OSM edits and for what scope, and why this can't be legally excluded by stating you must not do it if you want the data (which on the other hand will make OSM non-free data, at least with respect to data referring to mappers). Cheers, Martin ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
Hi, On 05.05.2017 10:37, Martin Koppenhoefer wrote: > you write a lot about personal data, but all osm admins have about > users is some email address, which often isn't even existing anymore > and an associated user name Many people choose their real name, or at least something easily linkable to their real name via one hop on Github, Facebook, etc.; many social media platforms even *expect* you to give your real name. Of course they don't *have* to in OSM. But if they do use their real name then I don't think you can interpret that as willfully signing away their right to privacy. "Ha ha, your own fault for using your real name, didn't you think about your job application with the Chinese government 25 years later, shoulda been more careful!" I think that even if they are careful enough not to use their real name, the identity of a mapper will often be easy to reconstruct if you have access to just a little bit of extra information (might be as little as a name on a doorbell). > Also everyone can create new users at will, if your concern is > privacy, you could use a new user for every edit and nobody could > associate these edits to the same person. This is true. It would actually be possible to write a plugin for JOSM to do that - automatically sign up to OSM with a different throw-away account for each changeset you upload. Do we want to encourage that? Frankly, I'd rather not. But if that is our official suggestion on how to balance privacy with contribution to OSM, maybe we should offer such a plugin. > Putting a log in to hdyc, from my point of view, doesn't change > anything (because everybody can sign up), besides that there are now > more data created (Pascal will know who is interested in whom, and > osm admins can see how often someone uses the service, and if it > becomes common to do it like this, which third party services someone > uses). That is true. The log-in required for HDYC currently only has symbolic character and it says "this is for community members only". We're an open community and you can become a member with a few mouse clicks. But I think the symbolism is of value and I support Pascal's decision. Bye Frederik -- Frederik Ramm ## eMail frede...@remote.org ## N49°00'09" E008°23'33" ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
Hi, On 05.05.2017 08:49, joost schouppe wrote: > Putting a somewhat pointless access limitation to > HDYC is counterproductive, as it might give people a false sense of > security. This is correct, but so would > A system to opt-out of being > included in this particular system because it would give people the idea that if they don't opt in then their data wouldn't be visible, when in fact anyone can run a software like Pascal's. I think that "raising awareness" is good; and if we could all unite behind the idea that just because someone voluntarily contributes to OSM that shouldn't mean they're automatically sacrificing their privacy then that would already be a great step forward. How the goals of transparency and quality control in the project and the goal of protecting the privacy of the individual contributor can be reconciled is something we can, and should, think about; I would be very happy if as a first step we could at least agree that protecting the privacy of the individual contributor *is* desirable. The knee-jerk "well you knew what you signed up for" reaction doesn't help a vulnerable community member when they see their privacy violated. Bye Frederik -- Frederik Ramm ## eMail frede...@remote.org ## N49°00'09" E008°23'33" ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
Hi, On 05.05.2017 11:01, Christoph Hormann wrote: > ... or use some rouge open instance running anonymiously somewhere. I am aware that no matter what we do there will always be "rogue" uses of our data. Therefore making all contributors aware of what they are releasing about themselves and how it could be used against them remains important no matter what we do. (And we have to find ways to do that without sounding alarmist.) In fact, we have a similar situation with our license: We spent countless years debating and then changed our license to what we thought was best. We all know that we cannot keep a rogue user from ignoring our license - but at least we can define what we want to allow. I am expecting the same for the sensitive user data. We will never be able to ensure that the data is not used against the wishes of the users - but we can ensure that those who do this are in clear violation of our terms and hence "bad guys". Just to pick a random example: Today, if you are looking for a job and you're being interviewed by a potential employer, the potential employer could say: "I can see from OpenStreetMap that you've been editing a lot during the day in your last job. Did you not have any work to do?" - and the employer would not even be "wrong". Harvesting the full history file for totally OSM unrelated information like that is not against any of our rules; it might be against the law in some countries but certainly not in others. If you publicly complained about what happened to you, it is very likely that there will be many people like in this thread who will say "duh, you idiot why didn't you use a pseudonym, didn't you read what you signed up for, lah lah lah". I would like to come to a point where, if this happened to you in a job interview, you could afterwards point to an OSM policy and say: Clearly this company has violated OSM rules, they must have created an account under false pretenses to get at this data and they're using it for purposes not sanctioned by OSM. That won't make you get the job, but it would at least make clear that we stand with our contributors against abuse of their data. (If that hasn't become clear already, I am of the opinion that the current contributor terms don't necessarily mean that the contributor asks OSMF to distribute their *metadata* under ODbL - I think it just applies to the *geodata*, and if we wanted we could slap restrictions on the *metadata* part of things.) > For a balanced discussion - and i am not saying i would actually prefer > this approach to what you are suggesting - the whole problem could also > be approached from the other side by reconsidering the possibility for > partly anonymous edits. Yes. I think both approaches could be grouped under "restricted access to personal information", and there will probably be still other approaches with their own advantages and disadvantages. , and I would even assume that "restricted access to personal information" and " >> Hence, >> anyone with an OSM account could make such an animated progress map, >> and it could be shown to anyone with an OSM account. Only if you want >> to distribute it outside of OSM you'd either have to >> remove/pseudonymize the user names [...] > > That part is really tricky, you'd have to be very specific on what kind > of aggregation is necessary to make the data ok to be published. > Obviously just replacing each user name with user is not > going to cut it. Without clear rules here anyone who publishes > anything based on such data would be in a legal mine field. Yes; even today if a person uses a nickname with OSM and not their real name, I think it would in many cases be easy to make the case that it is very easy to de-pseudonymize the person. Currently when someone asks us to delete their account we simply replace their user name with user_1234 (their numeric user id); it is quite possible that this is totally insufficient at least in countries with strong data protection laws such as the UK because the person can still be identified and connected to all their edits. Bye Frederik -- Frederik Ramm ## eMail frede...@remote.org ## N49°00'09" E008°23'33" ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
Am 05.05.2017 um 11:38 schrieb Martin Koppenhoefer: > > Usually in statistics, information down to the block level is not > considered personal informationn. You won't be able from OSM edits to > say in which house someone lives, or who she is, so it doesn't seem to > apply. Anybody that participated in contacting editors during the licence change knows that the above, is, sorry, rubbish. While it is true that you can't identify every single contributor the large majority can be easily. > > At the moment we can't know what kind of data protection rules will > govern OSMF in the future, given that EU rules will not automatically > apply any more, soon, if Brexit is not stopped (nonetheless, local > chapters might be an issue here). > The GDPR applies to anybody that processes data of EU residents (that has been pointed out to you before) regardless of where they are located. signature.asc Description: OpenPGP digital signature ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
On 2017-05-05 10:35, Simon Poole wrote: Am 05.05.2017 um 09:47 schrieb Maarten Deen: .. We have all agreed to the contributor terms (although I can not find the version I have agreed to, I can only find a version from 2016) and that says that OSMF has the right to sub-license. PS https://wiki.osmfoundation.org/w/index.php?title=Licence/Contributor_Terms=history Thanks. Would it be possible to have the link in one's account page from OSM to link directly to the historic version that was signed? Now I have to judge that "about 6 years ago" will probably be later than the 1.2.4 version. It wasn't even clear to me that this is a wiki page because it is so modified. The link in the ccount page is http://www.osmfoundation.org/wiki/License/Contributor_Terms which is also a redirect, maybe that should be tackled too. Regards, Maarten ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
Am 05.05.2017 um 10:37 schrieb Martin Koppenhoefer: > .. > Also everyone can create new users at will, if your concern is privacy, you > could use a new user for every edit and nobody could associate these edits to > the same person. > > .. Well if a "new user" includes - changing (the version of) the editor you are using - changing your language preferences - changing how you comment on changesets - changing your editing habits - avoiding linking accounts via related edits and observing a couple of further points, yes, then you might be correct. Simon signature.asc Description: OpenPGP digital signature ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
Again on the term "personal data". According to the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) [1], pseudonymized data is not concerned, unless it would be possible to attribute it to a natural person: ___ (26) "The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes." ___ Usually in statistics, information down to the block level is not considered personal informationn. You won't be able from OSM edits to say in which house someone lives, or who she is, so it doesn't seem to apply. The part "Personal data ... which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly." leaves some risk, but is essentially stupid, because with any kind and amount of additional personal data you will hypothetically always be able to get to a person, and costs and amount of time are always neglectible in the times of electronic data processing, and given the rapid technological development. So as pseudonymization is suggested in the directive to be applied, it likely does restrict implicitly this paragraph to reasonably expectacle and not every hypothetical case. To get from OSM edits to a natural person you will need so much information about this person that you won't gain more insights from looking at their edits. Also, I am not sure whether this applies at all to OSMF, because OSMF never collects personal data, it only collects an email address and doesn't verify to whom it belongs and never publishes it, so probably there is no "personal data which have undergone pseudonymisation", rather there wasn't any personal data at any time. At the moment we can't know what kind of data protection rules will govern OSMF in the future, given that EU rules will not automatically apply any more, soon, if Brexit is not stopped (nonetheless, local chapters might be an issue here). Btw: I think we should require our contributors to confirm to be adults (or get explicit permission from their parents?), because children aren't able to legally sign the CT, and their data is particularly protected. Current CTs don't seem to account for this (or I haven't seen it). Cheers, Martin [1] http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679 ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
On Friday 05 May 2017, Frederik Ramm wrote: > > I think that a viable middle ground could be to make user data > available to signed-up project members only, and they'd have to > promise to only use that data for project-internal purposes. You know i have not formed an opinion on this matter yet but i wonder how this is supposed to work. Do you suggest to have an addition to the contributor terms, kind of a 'terms for access to metadata' and require existing users to newly agree to that? And after a transit period disable api access for those accounts who have not agreed? In principle that would certainly be possible although there are tons of practical problems that would come with such an approach. But ultimately this would probably lead to the vast majority of people who routinely get mapping metadata in bulk for whatever purpose to use anonymous accounts for downloading it and to also publish possibly problematic results of processing it in an anonymous way. Under this scenario there would probably be some open source HDYC clone, you could run it either privately for yourself, use an access restricted officially sanctioned instance of it with your real or anonymous OSM account or use some rouge open instance running anonymiously somewhere. For a balanced discussion - and i am not saying i would actually prefer this approach to what you are suggesting - the whole problem could also be approached from the other side by reconsidering the possibility for partly anonymous edits. We don't have this primarily to fight vandalism but it could be considered to give mappers the option to activate an anonymous editing mode on their account which would mean their edits and any other access to their user identity through for example the API gets scrambled on a daily basis and resolution of the generated random id to the real user is only available to the DWG. This would certainly also generate tons of problems but i think it is important to keep this possibility in mind when considering the matter of privacy. > Hence, > anyone with an OSM account could make such an animated progress map, > and it could be shown to anyone with an OSM account. Only if you want > to distribute it outside of OSM you'd either have to > remove/pseudonymize the user names [...] That part is really tricky, you'd have to be very specific on what kind of aggregation is necessary to make the data ok to be published. Obviously just replacing each user name with user is not going to cut it. Without clear rules here anyone who publishes anything based on such data would be in a legal mine field. -- Christoph Hormann http://www.imagico.de/ ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
sent from a phone > On 5. May 2017, at 01:36, Frederik Rammwrote: > > Only if you want to distribute it outside > of OSM you'd either have to remove/pseudonymize the user names or get > explicit permission (as in: "I am ok with you publishing this particular > work with my name in it") from the participants. Would that really be > such a big issue? I think you're making this into a much bigger issue > than it needs to be. you write a lot about personal data, but all osm admins have about users is some email address, which often isn't even existing anymore and an associated user name, and this email address is never published. For gpx tracks you can already choose the level of privacy, and even for identifiable tracks you don't know if the timestamps are real, if the track was recorded with an gps device or is simulated, and who has recorded it. In the planet there are only usernames, which can be chosen freely, and if I wanted I could choose "Frederik Ramm" or anything else, and nobody could know if this was my real name or not. HDYC allows to roughly locate someone in an area, but it doesn't allow to say who someone is or where exactly she lives. If you know which username is used by which real person then it is only because the person has disclosed this information and you believed her. If, for example, I map a nightclub frequented mostly by lgbt people it doesn't mean I have been there, it just means I know where it is (and unless I have told you, you won't know who I am), and even if I've been there you still wouldn't know when and for what reason. Also everyone can create new users at will, if your concern is privacy, you could use a new user for every edit and nobody could associate these edits to the same person. There are serious issues with surveillance and privacy in the world, but IMHO osm is the least of these problems. Does someone who sells a can of paint have to put a disclaimer on the can because people might write their name on a wall? Does an internet provider have to warn people not to disclose personal information in their blog? IMHO we have to account for different people wanting different levels of privacy: some people like to write their name on a wall (looking at the success of Facebook et al it seems that they are in a majority btw), others prefer to remain in the shadow. Maybe it could become an option not to disclose usernames, but actually this metadata is useful for other mappers: you can see if a user is local to a place, how much experience she has, how many discussed changesets, where and for what reason. Really the people being able to tell who someone likely is are those that already have a huge collection of really private data from everyone, for example those that store the location data of every single step of you from mobile cells (you mostly can't get anonymous sim cards but have to identify with a document) and wireless networks, from passport controls at the borders and from flight lists, from your online orders and credit card payments, from cctv face recognition and fotos you uploaded, from your personal network in social networks, from the network of people you called and that called you, from the emails you send and receive, etc. Whom are you hiding from, the secret services, the government, big multinational companies? These actors will already know so much about you that your osm edits won't change anything, and if you have been able to hide your details from them you can also hide them already in OSM. Putting a log in to hdyc, from my point of view, doesn't change anything (because everybody can sign up), besides that there are now more data created (Pascal will know who is interested in whom, and osm admins can see how often someone uses the service, and if it becomes common to do it like this, which third party services someone uses). cheers, Martin ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
Am 05.05.2017 um 09:47 schrieb Maarten Deen: > .. > We have all agreed to the contributor terms (although I can not find > the version I have agreed to, I can only find a version from 2016) and > that says that OSMF has the right to sub-license. PS https://wiki.osmfoundation.org/w/index.php?title=Licence/Contributor_Terms=history signature.asc Description: OpenPGP digital signature ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
Am 05.05.2017 um 09:47 schrieb Maarten Deen: > ... > > And, "You also waive and/or agree not to assert against OSMF or its > licensees any moral rights that You may have in the Contents." > ... "the Contents" is defined as "in contributing data and/or any other content (collectively, “Contents”) " further it is limited to "to the geo-database" and refers only to the the "intellectual property rights in any Contents" that the contributor actively "that You choose to submit" contributes. This is very unlikely to include meta data generated by the act of contributing and other supplementary account data and does not cover any privacy related rights to start with (not to mention, as I've already pointed out, that blanket use permissions for privacy relevant data are likely invalid in any case). Simon signature.asc Description: OpenPGP digital signature ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
On 2017-05-05 09:17, Simon Poole wrote: Am 05.05.2017 um 00:39 schrieb Michał Brzozowski: ... Also, I see no reasonable way that upcoming EU privacy rules would affect us. Would they consider OSM as a special case or what? Everything mappers do, as has been said, is consensual and explicit. ... Well I don't remember giving Pascal permission to process my data, and I believe nobody else has :-) But what Pascal does is not what you do, so how is this applicable? We have all agreed to the contributor terms (although I can not find the version I have agreed to, I can only find a version from 2016) and that says that OSMF has the right to sub-license. Which would include what Pascal (or anyone else using or working on the data) is doing. And, "You also waive and/or agree not to assert against OSMF or its licensees any moral rights that You may have in the Contents." That is pretty broad and basically tells you to shut up or put up. Not that I see that as the last in this discussion though. Maarten ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
Am 05.05.2017 um 00:39 schrieb Michał Brzozowski: > ... > Also, I see no reasonable way that upcoming EU privacy rules would > affect us. Would they consider OSM as a special case or what? > Everything mappers do, as has been said, is consensual and explicit. > > ... Well I don't remember giving Pascal permission to process my data, and I believe nobody else has :-) And that is the crux of the matter, in a scenario in which a) any such processing needs to be opt-in, and b) the permission for processing needs to be explicit both wrt the entity doing the processing and what is being done with the data, most such community activities become impractical. Which vandal is going to actively consent to their edits being feed in to an osmcha instance outside of one run by the OSMF? We just may be able to make giving such permission to the OSMF a required condition of getting an account but that is likely going to be it. And there are lots of other aspects that I would rather not go in to right now, as it is just asking for trouble. Simon signature.asc Description: OpenPGP digital signature ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
It's nice to know where this is coming from, because I was a bit confused about this too. In what way is my privacy protected if 2 million people can see my profile; oh and also everyone who bothers to make an OSM account? Putting a somewhat pointless access limitation to HDYC is counterproductive, as it might give people a false sense of security. One thing it might add is that it's now easier to trace who has been looking at your profile in case there is a suspicion of abuse. Pascal's own argument (on Twitter) seemed to be that "it"s not just data, it's computed intelligence". Well yes. HDYC shows how much info you release about yourself through your OSM edits. The only way to solve this, is with a behavior change of the mapper themselves, or with a radically different way to share OSM data (as seems to be one of the ideas in the linked discussion). For example by using multiple accounts. A blog post about what an ill-intentioned analyst could do with your data would seem more productive than a half-measure protecting what a well-intentioned analyst learns. A more general discussion like the one you linked, but in a language more of us understand, might also help. That said, obviously HDYC is the most elaborate individual analysis tool around, so it does make snooping very easy. A system to opt-out of being included in this particular system might be reasonable. This could technically work in a way similar to the opt-in you can do to link your HDYC profile to your osm-related profiles (by including links in your OSM profile). While I would also have liked to see a more inclusive discussion about this, ultimately, it doesn't matter where and how Pascal came to his conclusion. It is his tool, so the decision is his alone. I would really love to see tools like this integrated into the core OSM systems, where we would theoretically all have a say. Unfortunately, that's not the case. ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
Hi, On 05/05/2017 12:39 AM, Michał Brzozowski wrote: > Many national communities use their own change monitoring tools that > will break, for instance greeting and monitoring new mappers. Why? Would it be so hard to adapt the tools to log in to OSM to access user information? > We use one site in Poland and the Dutch community also uses another site. > There's also Overpass API. Sure, all these would have to change in the long run but it is such a big deal? Even today, Overpass only gives you user names if you explicitly ask for it. > This is not feasible on a technical level IMO I don't agree, I think it would be quite easy. > and would require > significant effort to satisfy just these paranoid people. I don't think it is fair to talk of "just these paranoid people". Our mappers are not enemies; they trust us with their data and it is our moral duty to handle the data they trust us with responsibly. (And I'm not even starting to talk about what our legal duties are!) > I don't > trust OSMF to accommodate everyone's needs on change monitoring. I don't know what "everyone's needs" are but if these needs include "I must be able to download personal user data without logging in" and "I must be able to distribute personal user data without taking any safeguards as to its further use" then I'm not sure if these needs *should* be accommodated. I am sure that all existing quality control measures can be kept up even if we start saying that username data is for internal use only. > Also, I see no reasonable way that upcoming EU privacy rules would > affect us. Would they consider OSM as a special case or what? > Everything mappers do, as has been said, is consensual and explicit. As I said, I think that even in a world without data protection, it would be our duty to think about how to protect the privacy of our contributors. Just saying "you've signed this here, ha ha ha, your fault if you haven't read the small print" is not enough. Certainly not morally; maybe even not legally. If you start looking at the legal side there are many aspects that need to be evaluated. I am not a lawyer but I have a feeling that even today there's a lot of issues not directly related to the above topic where we fall foul of data protection rules, for example the way we continue to offer old planet files for download complete with user names, even if people have asked us to delete their personal information. (Remember, even if people should have agreed to the distribution of their personal data on signup, they can - as far as personal data is concerned - always withdraw their agreement; we cannot then say "har har it is too late now the data is already released under ODbL".) It is also totally unclear if this "metadata" is even part of the ODbL licensed database. Another issue is that there's no way for downstream users mirroring our data to know that "user XY has revoked permission to distribute their user name". Another big issue at least for European users is likely that many governemnt institutions and large companies have strict house rules on working with personal data; if your random government agency importing a planet file into a database were told that this actually contains a ton of personal data, they'd probably have to stop their machines immediately and ask for permission from the relevant data protection commissioner or whomever. But I don't want this to become discussion about "how low can we go with data protection to still be legal". I want this to be "how high can we go with data protection to still be useful", and I think there's a lot that can be done that will make our project better, friendlier, and a safer place to be for everyone. > When I said spirit, I though for instance mapping parties which were > once very popular and still somewhat are. It was customary to make > animated progress maps colored by user. I think that a viable middle ground could be to make user data available to signed-up project members only, and they'd have to promise to only use that data for project-internal purposes. Hence, anyone with an OSM account could make such an animated progress map, and it could be shown to anyone with an OSM account. Only if you want to distribute it outside of OSM you'd either have to remove/pseudonymize the user names or get explicit permission (as in: "I am ok with you publishing this particular work with my name in it") from the participants. Would that really be such a big issue? I think you're making this into a much bigger issue than it needs to be. Bye Frederik -- Frederik Ramm ## eMail frede...@remote.org ## N49°00'09" E008°23'33" ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
On Thu, May 4, 2017 at 11:33 PM, Frederik Rammwrote: > I have personally talked to people who said they don't want to > contribute to OSM because Pascal Neis' page was "inviting stalkers". > > Those people were not the geek elite who have made it a habit to > thoroughly think about what gets published and how to ensure that > there's no link between their online identity and their private live if > they don't want their privacy violated. Those were people from groups > currently underrepresented in OSM, people whom we would like to see more > of in OSM, but who felt unsafe making themselves visible like that. How many people? I think we would make it worse for many just to have a handful of people happy. I don't think we should strive to catch mappers at any cost. I know the intentions are good, but reality has often taught me otherwise. Many national communities use their own change monitoring tools that will break, for instance greeting and monitoring new mappers. We use one site in Poland and the Dutch community also uses another site. There's also Overpass API. This is not feasible on a technical level IMO and would require significant effort to satisfy just these paranoid people. I don't trust OSMF to accommodate everyone's needs on change monitoring. Also, I see no reasonable way that upcoming EU privacy rules would affect us. Would they consider OSM as a special case or what? Everything mappers do, as has been said, is consensual and explicit. When I said spirit, I though for instance mapping parties which were once very popular and still somewhat are. It was customary to make animated progress maps colored by user. Long story short: weigh "benefits" to all the far-reaching implications. I really hope this won't come through. Really. Michał ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
On Thursday 04 May 2017, Michał Brzozowski wrote: > > > Well - HDYC is a tool offered by Pascal Neis, AFAIK it is not even > > open source. Pascal could turn it off any time if he wanted to and > > of course he can also put up constraints. > > Keep in mind that I don't make it appear that my requests are based > on something formal, they're not. I simply hope that people will tell > him they don't agree with me and two already did ;) I can only say if i was in Pascal's position here and i had decided to add the requirement of authorization to my tool because i am convinced this is important for the privacy of mappers (and i don't want to imply that i would see it that way nor that this was actually Pascal's motivation) users not liking my decision but having no convincing arguments w.r.t. the basis of my decision would not have any bearing on the matter. > I think it also emphasizes how open-source tools are important. There > are tons of obscure analysis pages which don't have their source > available. Yes - and the situation about HDYC would have different dynamics obviously if it was open source. But also keep in mind that the functionality of HDYC is not really that complex. Writing a replacement for it would certainly be quite a bit of work but it is not really rocket science. -- Christoph Hormann http://www.imagico.de/ ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
Hi, On 05/04/2017 09:33 PM, Michał Brzozowski wrote: > I don't like the idea how this was never introduced and discussed > outside of the German forum. > I think that such "privacy" measures are futile and go against the > spirit of OSM - transparency. I think that what we mainly want to create in OSM is a geo database, not a database of where a particular OSM mapper was at a particular time, or whether a particular OSM mapper tends to stay up long at night editing OSM. I have personally talked to people who said they don't want to contribute to OSM because Pascal Neis' page was "inviting stalkers". Those people were not the geek elite who have made it a habit to thoroughly think about what gets published and how to ensure that there's no link between their online identity and their private live if they don't want their privacy violated. Those were people from groups currently underrepresented in OSM, people whom we would like to see more of in OSM, but who felt unsafe making themselves visible like that. We are currently doing far too little to protect the privacy of our mappers, and our methods of educating mappers about the privacy consequences of their actions in OSM are laughable at best. That your contributions to OSM can lead to a detailed analysis of your online behaviour like the one produced by Pascal Neis is obvious to the tech-savvy among us but certainly not to everyone who signs up. We have a duty to, at the very least, educate new mappers about what happens to their data, and ideally we should also do more to protect their data. The "metadata" of *who* edited what when is not a necessary part of our database proper; someone just wanting to *use* the data does not have to know. We use this information inside of OSM to improve quality, to contact mappers, to find vandalism and so on. But I don't think that the broader public necessarily needs to know about such internal aspects. I am very much in favour of limiting at least the value of the "user name" field to project-internal use. Pascal has made a first step in that direction. Currently, anyone can download the planet file with all user information intact and thereby circumvent the (extremely low) barrier of having to provide an OSM username; I hope that in the long run, we will stop making username information available to the public, and instead make the user name only available "for project internal purposes", i.e. to logged in users. I think this will not hurt any legitimate use case, while at the same time making clear that we consider this information privileged and not for general consumption. It doesn't matter that anyone can sign up and then view that data; we can at least make people promise to only use the data for project internal use when they sign up. > Maybe this is due to some "moral panic" in Germany revolving around > privacy, just like StreetView ban - except it's made clear that your > edits are public and you agree to it! It is made clear that your edits are public, and we even explain about the meta data (the Privacy Policy says: "All edits made to the map are recorded in the database with the user ID of the user making the change, and a timestamp at the time of change upload. In general all of this information is also made available to everyone via the website, including links to allow everyone to easily cross-reference which user has made which edit. "). But we are hiding this like the small print in a contract; there are many people who have signed up to OSM and who are shocked to find their life reflected in Pascal's analyses. You might say it's their fault, they are stupid not to read what they signed up to; I say it's out fault, we have a duty of explaining to them what they are signing up to. Every single person who signs up to OSM and who doesn't understand what they are publishing about themselves is our fault. Pascal has recevied numerous legal threats about his pages. Making them "for project internal use only" considerably improves his legal standing should anyone ever actually try and sue him. It's his service, his legal risk, and his decision. New EU data protection regulations announced for 2017 will make things even stricter, and we will have to spend serious thought on how we can protect the privacy of our mappers if we want to expand the project past the group of geeks who know how to manage their privacy online. And it is not just a legal issue; you might call it a "moral panic", I call it a moral duty to do everything we can to ensure that our mappers don't suffer disadvantages from contributing to OSM. Bye Frederik -- Frederik Ramm ## eMail frede...@remote.org ## N49°00'09" E008°23'33" ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
This seems to be derailing rather fast. The background is that we are publishing a fair amount of meta data about our contributors that could at least be seen as not totally harmless from a privacy and data protection point of view. This includes all the changeset meta data, user ids and display names in the data and last but not least timestamps, distributed in the data dumps and the website. It is currently rather simple to generate a profile for a specific editor and likely even finger print contributions over multiple accounts. Most of us, I would hope, are aware of the potential consequences and accept the risk that contributing out in the open implies, but this is definitely not universally true. It has been suggested that one possible approach to resolving this is to remove all the relevant meta data from places where it can be accessed without an OSM account (that would imply no changeset dumps, and no user-ids etc in the planet dumps, and re-working the website to only show such information to logged in users). This would have to be accompanied by a new set of ToS that would clearly lay down how such meta data can be used. Naturally the above will not stop the bad guys, but it would make it slightly less trivial to misuse OSM. Pascal, who has in the past been threatened with legal action wrt privacy issues, reacted very promptly to the discussion and implemented such a login-only access model, I don't really see how he can be faulted for that given that it doesn't limit community access at all, and he is fully responsible for what he is publishing. Now the other aspect is the upcoming (2018) changes in privacy regulations in the EU. They will undoubtedly impact any such discussion and future policy and the LWG has budgeted a fair bit of money exactly to investigate and potentially implement any such required changes, which could very well include all of above and more. Personally I'm not very happy with the concept of reducing the availability of contribution meta data as it will make lots of things harder (vandalism detection and fighting for example) and likely require many things to move to OSMF run tasks that are currently done by the community at large, but it may be something that we can't avoid. Simon signature.asc Description: OpenPGP digital signature ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
As Michal said, forcing login wont stop "those that want to cause harm". They will just login and harvest the data. They can also just scrape the osm data, so I dont think this is an issue with HDYC as much it is a privacy concern with OSM data itself. If you dont want to be associated with your edits: create a generic account that has nothing to do with your usual usernames i.e. AnonymousUser001 or OSMUser001 and never communicate about the work done on that account with your main profile/email. That way you dissociate yourself from that user and your social media accounts. If people cant find a link between personal identifyable info(facebook, twitter, email, linkedin) and the editing user there is no cause for alarm. Worst case they will say: Oh there's an osm user that lives in this areaso do 35 other users. Basic internet anonymity 101... On May 4, 2017 4:51 PM, "Christoph Hormann"wrote: > On Thursday 04 May 2017, Nicolás Alvarez wrote: > > > > > Just to make this clear since there are likely quite a few people > > > reading here who will not be able or willing to parse the > > > discussion on the German forum - discussion there was about privacy > > > concerns w.r.t. editing metadata, which is what is the basis of > > > Mixing this with the subject of openness of geodata and > > > privacy concerns reagarding geodata (like mappers recording names > > > from the doors of private homes etc.) is not really appropriate - > > > two very different matters which need to be considered separately. > > > > I don't think Michał was mixing those two different matters. > > Michał made a connection to privacy concerns regarding Google StreetView > which were exclusively about the recorded data and not about the > recording metadata (which Google obviously has no interest in > publishing). > > -- > Christoph Hormann > http://www.imagico.de/ > > ___ > talk mailing list > talk@openstreetmap.org > https://lists.openstreetmap.org/listinfo/talk > ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
On Thu, May 4, 2017 at 10:48 PM, Christoph Hormannwrote: > Michał made a connection to privacy concerns regarding Google StreetView > which were exclusively about the recorded data and not about the > recording metadata (which Google obviously has no interest in > publishing). Yes, these matters are separate, but I was talking about the sentiment towards privacy and over-exaggeration of it. Hence I wrote "moral panic". I think any of us here knows how Streetview and OSM work. Michał ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
On Thursday 04 May 2017, Nicolás Alvarez wrote: > > > Just to make this clear since there are likely quite a few people > > reading here who will not be able or willing to parse the > > discussion on the German forum - discussion there was about privacy > > concerns w.r.t. editing metadata, which is what is the basis of > > Mixing this with the subject of openness of geodata and > > privacy concerns reagarding geodata (like mappers recording names > > from the doors of private homes etc.) is not really appropriate - > > two very different matters which need to be considered separately. > > I don't think Michał was mixing those two different matters. Michał made a connection to privacy concerns regarding Google StreetView which were exclusively about the recorded data and not about the recording metadata (which Google obviously has no interest in publishing). -- Christoph Hormann http://www.imagico.de/ ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
> So you think the German community should be required to proactively > communicate any subject they discuss in German language channels to the > international community? We have to do this for imports, the least you could have done is brought it up on the talk mailing list. On May 4, 2017 4:41 PM, "Michał Brzozowski"wrote: > So you think the German community should be required to proactively > communicate any subject they discuss in German language channels to the > international community? I think the tools are _de facto_ used by the whole OSM community worldwide, that's why I think any sort of announcement would be appropriate. I am realistic. > Well - HDYC is a tool offered by Pascal Neis, AFAIK it is not even open > source. Pascal could turn it off any time if he wanted to and of > course he can also put up constraints. Keep in mind that I don't make it appear that my requests are based on something formal, they're not. I simply hope that people will tell him they don't agree with me and two already did ;) I think it also emphasizes how open-source tools are important. There are tons of obscure analysis pages which don't have their source available. For starters, there's a little known program called ChangesetMD which allows you to load changeset and discussion metadata to Postgres. However, this is changeset only and one won't be able to do all of the analyses (bboxes alone often are inaccurate, also no info on tags). Michał ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
> So you think the German community should be required to proactively > communicate any subject they discuss in German language channels to the > international community? I think the tools are _de facto_ used by the whole OSM community worldwide, that's why I think any sort of announcement would be appropriate. I am realistic. > Well - HDYC is a tool offered by Pascal Neis, AFAIK it is not even open > source. Pascal could turn it off any time if he wanted to and of > course he can also put up constraints. Keep in mind that I don't make it appear that my requests are based on something formal, they're not. I simply hope that people will tell him they don't agree with me and two already did ;) I think it also emphasizes how open-source tools are important. There are tons of obscure analysis pages which don't have their source available. For starters, there's a little known program called ChangesetMD which allows you to load changeset and discussion metadata to Postgres. However, this is changeset only and one won't be able to do all of the analyses (bboxes alone often are inaccurate, also no info on tags). Michał ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
2017-05-04 17:21 GMT-03:00 Christoph Hormann: > On Thursday 04 May 2017, Michał Brzozowski wrote: >> Maybe this is due to some "moral panic" in Germany revolving around >> privacy, just like StreetView ban - except it's made clear that your >> edits are public and you agree to it! > > Just to make this clear since there are likely quite a few people > reading here who will not be able or willing to parse the discussion on > the German forum - discussion there was about privacy concerns w.r.t. > editing metadata, which is what is the basis of HDYC. Mixing this with > the subject of openness of geodata and privacy concerns reagarding > geodata (like mappers recording names from the doors of private homes > etc.) is not really appropriate - two very different matters which need > to be considered separately. I don't think Michał was mixing those two different matters. "Your edits are public" also means the fact that *you* edited *that particular* piece of data is public, from which someone could infer eg. where you live; it's not mixing the subject of privacy concerns with the data itself. -- Nicolás ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
On Thursday 04 May 2017, Michał Brzozowski wrote: > > https://forum.openstreetmap.org/viewtopic.php?id=57813 > > I don't like the idea how this was never introduced and discussed > outside of the German forum. So you think the German community should be required to proactively communicate any subject they discuss in German language channels to the international community? > I think that such "privacy" measures are futile and go against the > spirit of OSM - transparency. Well - HDYC is a tool offered by Pascal Neis, AFAIK it is not even open source. Pascal could turn it off any time if he wanted to and of course he can also put up constraints. If you think that is against the spirit of OSM that is up to you but don't forget that there are tons of tools based on OSM data developed and run with restricted access you never hear about. It is not really conceivable how in case of HDYC making such a tool available for all mappers based on authentification with an OSM account makes this less in the spirit of OSM than a private tool that is not even known to the public. > Maybe this is due to some "moral panic" in Germany revolving around > privacy, just like StreetView ban - except it's made clear that your > edits are public and you agree to it! Just to make this clear since there are likely quite a few people reading here who will not be able or willing to parse the discussion on the German forum - discussion there was about privacy concerns w.r.t. editing metadata, which is what is the basis of HDYC. Mixing this with the subject of openness of geodata and privacy concerns reagarding geodata (like mappers recording names from the doors of private homes etc.) is not really appropriate - two very different matters which need to be considered separately. -- Christoph Hormann http://www.imagico.de/ ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
+1 both James & Michal's comments. Thanks Michal for bringing up this undiscussed topic to the mailing list. *~~* *Denis Carriere* *GIS Software & Systems Specialist* On Thu, May 4, 2017 at 3:42 PM, Jameswrote: > What Michal said. Any body can download the OSM data and run the same > analysis. You agreed to contribute to OSM, if you want your online > footprint to be non-existant: unplug your internet. > > On Thu, May 4, 2017 at 3:33 PM, Michał Brzozowski > wrote: > >> Many know Pascal Neis' site HDYC which displays detais about an OSM >> user, like first created node, activity area, edit stats and so on: >> >> http://hdyc.neis-one.org/ >> >> Today to view any stats of a user you have to login with OSM. >> Pascal replied to me that this is related to this discussion on the >> German users forum: >> >> https://forum.openstreetmap.org/viewtopic.php?id=57813 >> >> I don't like the idea how this was never introduced and discussed >> outside of the German forum. >> I think that such "privacy" measures are futile and go against the >> spirit of OSM - transparency. >> >> Maybe this is due to some "moral panic" in Germany revolving around >> privacy, just like StreetView ban - except it's made clear that your >> edits are public and you agree to it! >> >> Michał >> >> ___ >> talk mailing list >> talk@openstreetmap.org >> https://lists.openstreetmap.org/listinfo/talk >> > > > > -- > 外に遊びに行こう! > > ___ > talk mailing list > talk@openstreetmap.org > https://lists.openstreetmap.org/listinfo/talk > > ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk
Re: [OSM-talk] HDYC, login requirement and "privacy"
What Michal said. Any body can download the OSM data and run the same analysis. You agreed to contribute to OSM, if you want your online footprint to be non-existant: unplug your internet. On Thu, May 4, 2017 at 3:33 PM, Michał Brzozowskiwrote: > Many know Pascal Neis' site HDYC which displays detais about an OSM > user, like first created node, activity area, edit stats and so on: > > http://hdyc.neis-one.org/ > > Today to view any stats of a user you have to login with OSM. > Pascal replied to me that this is related to this discussion on the > German users forum: > > https://forum.openstreetmap.org/viewtopic.php?id=57813 > > I don't like the idea how this was never introduced and discussed > outside of the German forum. > I think that such "privacy" measures are futile and go against the > spirit of OSM - transparency. > > Maybe this is due to some "moral panic" in Germany revolving around > privacy, just like StreetView ban - except it's made clear that your > edits are public and you agree to it! > > Michał > > ___ > talk mailing list > talk@openstreetmap.org > https://lists.openstreetmap.org/listinfo/talk > -- 外に遊びに行こう! ___ talk mailing list talk@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk