Re: [OSM-dev] GDPR implementation on planet.osm.org

2018-06-23 Thread Michael Reichert
Hi Roland, On 2018-06-20 at 20:16, Roland Olbricht wrote: > On the technical side, things are even worse. The elephant in the room > is OAuth. OAuth is built on in particular the assumptions that > - the consumer ("the website") acts stateful > - sessions are relatively long-lived, i.e. some

Re: [OSM-dev] GDPR implementation on planet.osm.org

2018-06-21 Thread Frederik Ramm
Roland, the changes that I proposed mean that your Overpass API will, if it wants to continue downloading user data from OSM, at some point in the future have to identify itself to OSM with an OSM account as proof of your acceptance of the Terms of use. This is the *technical* requirement for

Re: [OSM-dev] GDPR implementation on planet.osm.org

2018-06-20 Thread Ian Dees
On Wed, Jun 20, 2018 at 2:33 PM Christoph Hormann wrote: > > I assume if this is actually the case will depend on the specifics of > the OSMF ToU. I would also assume that (b) most likely would not > require you to use OAuth with every request, you probably could just > use OAuth when people

Re: [OSM-dev] GDPR implementation on planet.osm.org

2018-06-20 Thread Christoph Hormann
On Wednesday 20 June 2018, Roland Olbricht wrote: > [...] > Taking GDPR seriously means every data processor must decide which use > cases they make simple, which use cases they make hard, and tailor > the documentation according to that. For example, for that reason > Overpass API has no feature to

Re: [OSM-dev] GDPR implementation on planet.osm.org

2018-06-20 Thread Bryan Housel
> On the technical side, things are even worse. The elephant in the room is > OAuth. OAuth is built on in particular the assumptions that > - the consumer ("the website") acts stateful > - sessions are relatively long-lived, i.e. some seconds to some hours > - the identity provider has the

Re: [OSM-dev] GDPR implementation on planet.osm.org

2018-06-20 Thread Simon Poole
Just as a clarification: - we do intend to have ToS for both the website and the API, that among other things address privacy aspects (a 1st draft went out for comment to the OSMF board and the WGs today, and if no major blockers are found will be available for public comment rsn). - I expect

Re: [OSM-dev] GDPR implementation on planet.osm.org

2018-06-20 Thread Roland Olbricht
Hi, brief and frank: The suggested way that users of Overpass API have to sign up as OSM users would cause a downtime of some months and a development backlog of more than a year, or kill the project entirely. Because this sounds harsh, I will explain that further down. The key point is:

Re: [OSM-dev] GDPR implementation on planet.osm.org

2018-06-20 Thread Simon Poole
On 20.06.2018 at 16:50, Jochen Topf wrote: > On Wed, Jun 20, 2018 at 03:08:52PM +0200, Frederik Ramm wrote: >>> instead of arguing that this data needs to be public for everyone. >> Any judge will laugh at you if you say that the information that user >> John Smith has mapped something at 4:23

Re: [OSM-dev] GDPR implementation on planet.osm.org

2018-06-20 Thread Mateusz Konieczny
20. Jun 2018 16:50 by joc...@remote.org : > The law shouldn't be applicable to what we > are doing here If you think that law is wrong and should be modified I suggest lobbying elsewhere than on a mailing list discussing technical issues related to OSM. > we

Re: [OSM-dev] GDPR implementation on planet.osm.org

2018-06-20 Thread Jochen Topf
On Wed, Jun 20, 2018 at 03:08:52PM +0200, Frederik Ramm wrote: > > instead of arguing that this data needs to be public for everyone. > > Any judge will laugh at you if you say that the information that user > John Smith has mapped something at 4:23 on the 3rd of January needs to > be public for

Re: [OSM-dev] GDPR implementation on planet.osm.org

2018-06-20 Thread Frederik Ramm
Hi, On 06/20/18 11:38, Jochen Topf wrote: > And if you actually want to make sure that redacted data (because the > user wanted it to be deleted) is deleted downstream also, We will not try to "make sure" that this happens, but we plan to offer help for downstream data processors, likely by

Re: [OSM-dev] GDPR implementation on planet.osm.org

2018-06-20 Thread Michał Brzozowski
If OSM metadata is believed by OSMF to be personal data, so should be photos added to Wikimedia Commons with a geotag. If anything, it's a stronger proof that the user was there. I wonder what their legal team thinks of it. Wed, 20 Jun 2018, 11:41, user Jochen Topf wrote: > On Wed, Jun

Re: [OSM-dev] GDPR implementation on planet.osm.org

2018-06-20 Thread Martin Koppenhoefer
2018-06-20 9:26 GMT+02:00 Simon Poole : > There are still some open questions on > exactly what needs to be done, in particular wrt transfers of data to > countries where the EU hasn't made an equivalence determination, but we > are slowly firming that up. > For reference, the countries that

Re: [OSM-dev] GDPR implementation on planet.osm.org

2018-06-20 Thread Jochen Topf
On Wed, Jun 20, 2018 at 09:03:01AM +0200, Frederik Ramm wrote: > > All of > > this needs to be tied in the OAuth stuff and it has to be done in a way > > that 3rd party services using OSM data can ask *their* downstream users > > to identify in the same way which allows OSM to track everybody who

Re: [OSM-dev] GDPR implementation on planet.osm.org

2018-06-20 Thread Christoph Hormann
On Wednesday 20 June 2018, Frederik Ramm wrote: > > In my view, this is not "cargo cult". If someone comes to us, today, > and complains that their OSM contributions are being used to stalk > them, then we cannot even point to a rule that says you cannot do > this. The stalker is, as far as OSMF

Re: [OSM-dev] GDPR implementation on planet.osm.org

2018-06-20 Thread Simon Poole
On 20.06.2018 at 07:58, Jochen Topf wrote: > [ a lot of stuff that is (technically) reasonably easy deleted ] > > On Tue, Jun 19, 2018 at 10:54:07PM +0200, Frederik Ramm wrote: >> 3a. issue guidelines about what you are allowed to do with the user data >> files, >> 3b. ensure that everyone who

Re: [OSM-dev] GDPR implementation on planet.osm.org

2018-06-20 Thread Frederik Ramm
Hi, On 20.06.2018 08:32, Christoph Hormann wrote: > Such agreement would not be an agreement to process your own data given > by individuals to the OSMF (which is the kind of agreement you would > normally expect in the GDPR context). You probably mean some kind of > contractual agreement

Re: [OSM-dev] GDPR implementation on planet.osm.org

2018-06-20 Thread Frederik Ramm
Hi, On 20.06.2018 07:58, Jochen Topf wrote: >> 3a. issue guidelines about what you are allowed to do with the user data >> files, >> 3b. ensure that everyone who has an OSM account agrees to these >> guidelines one way or the other, > This is the part that's not easy and where there is a lot of

Re: [OSM-dev] GDPR implementation on planet.osm.org

2018-06-20 Thread Christoph Hormann
On Tuesday 19 June 2018, Frederik Ramm wrote: > [...] > 3b. ensure that everyone who has an OSM account agrees to these > guidelines one way or the other, This is the point that looks very fuzzy to me. Could someone point out the legal concept behind this idea for me? Such agreement would not

Re: [OSM-dev] GDPR implementation on planet.osm.org

2018-06-20 Thread Jochen Topf
[ a lot of stuff that is (technically) reasonably easy deleted ] On Tue, Jun 19, 2018 at 10:54:07PM +0200, Frederik Ramm wrote: > 3a. issue guidelines about what you are allowed to do with the user data > files, > 3b. ensure that everyone who has an OSM account agrees to these > guidelines one

[OSM-dev] GDPR implementation on planet.osm.org

2018-06-19 Thread Frederik Ramm
Hi, as you probably know, the EU data protection rules compel us to be a bit less open in handing out personal data to everyone. Following LWG's analyses and recommendations, the OSMF has decided to implement restrictions on publishing user names and changeset IDs. The general plan is to allow