OpenStreetMap
Four years ago on May the 25th 2018 the, then new, EU-wide General Data Protection Regulations (GDPR) went in to force. It is therefore quite fitting that nearly to the day 4 years later, the OSMF has given up any pretense of ever fulfilling the legal requirements arising from the regulation and, perhaps more important, undertaking the ethically and morally indicated steps to protect the privacy of our contributors.
It isn’t as if the OSMF was caught by surprise in May 2018. The topic was by far the best researched, documented and planned change in its history. And it isn’t as if the quality of the work or the conclusions were in doubt, completely independent and unaware of what had been prepared by the LWG three years earlier, at last years SOTM there was a talk by Robert Riemann that came essentially to the same conclusions.
But, four years later, with the sole exception of new users having to accept the OSMF terms of service on sign up (added by yours truly), none of the required changes to the APIs and data access have even been started on OSMF properties.
To make the situation worse, OSM isn’t simply static, new services, third party and OSMF operated are being added, existing operations are changed and rarely are the data protection impacts and consequences considered.
Ironically some organizations in OSM-space have taken required steps, for example Geofabrik, OSMcha and Pascal Neis’s HDYC, that the OSMF has not.
Why have we ended in this fraught with legal and financial danger place? On the one hand there are no brownie points to be won with championing the changes to the OSM website, the API and data distribution. Since Frederik has left the board no director has been willing to show any support for the matter.
On the other hand, the technical community is full of data protection flat earthers. Some just believe that data privacy isn’t and shouldn’t be a thing, others believe that OSM has a get out of jail free card in such matters. As a consequence there is both passive resistance to making the changes and at the same time no volunteer developers that are going to code them.
All things given, I don’t believe that without making the matter a priority of the board and tasking an outside organisation any progress is going to be made. But I’m not holding my breath for anything to happen without the police banging on the door.
GDPR on the wiki has links to more material.
Discussion
Comment from mmd on 13 June 2022 at 18:17
Why on earth would any volunteer developer spend time on a task that the OSMF board decided to outsource to a paid contractor?
Comment from SimonPoole on 13 June 2022 at 18:40
@mmd you’ve got that the wrong way around. Volunteer interest in doing these tasks hasn’t been forthcoming (for more that 4 years) and is never likely to (for the reasons mentioned). That’s why the OSMF should completely outsource them.
Comment from mmd on 13 June 2022 at 19:08
You probably still recall the discussion we’ve had in https://github.com/zerebubuth/openstreetmap-cgimap/issues/144 and concerns that have been raised there, in particular by zerebubuth, which questioned the whole approach.
In the end, I didn’t see much convincing arguments how we could possibly implement the suggested changes without causing at least some breakage in the ecosystem. The proposal is unfortunately very light on this very important change management topic (I hope I don’t misrepresent this part, it’s been a while since I last looked into it).
I truly hope someone finds a way forward that works for everyone involved. Maybe talk to the EWG, they’re always looking for new exciting topics for subcontracting.
Comment from SimonPoole on 13 June 2022 at 20:57
‘In the end, I didn’t see much convincing arguments how we could possibly implement the suggested changes without causing at least some breakage in the ecosystem. ‘
This is a bit of a straw man because nobody was suggesting that there would be no breakage, just that nearly all changes would be limited to non-authenticated use.
As to questioning the approach, yes the earth is really really flat.
Comment from SimonPoole on 13 June 2022 at 21:19
PS: https://wiki.openstreetmap.org/w/images/8/88/GDPR_Position_Paper.pdf page 11 contains an an analysis of who would have been impacted in which way by the changes.
Comment from Zverik on 14 June 2022 at 06:59
The OSMF policy of “do anything but in your own sandbox” along with repos’ maintainers behaviour has pushed the community into a state of learned helpnessness. It’s easier to do GDPR changes at Geofabrik or for private projects than to even start thinking of changing the OSM infra. We have been told for many years that any change to OSM requires a committee, and also pushing pull requests through the hoops. And committes do not appear from the thin air, they need either to be created (by the OSMF Board, since there’s nobody else), or grow organically (which we have successfully prevented).
So yeah, unless the OSMF Board makes it their #1 priority, there will be no GDPR compliance in OSM.
Comment from mmd on 14 June 2022 at 07:29
As I see it, GDPR support is a multi-month project that requires a lot of coordination and communication with all possible stakeholders. What we have right now is a description of the “to be” state, but we don’t know yet how to get there with the least amount of disruption.
To make that happen you need a proper project plan, i.e. a detailed plan of how these changes will be implemented and in what order, by whom, etc. And most importantly, you need someone to coordinate the overall effort and have overall responsibility for the outcome (yes, that would be you, OSMF board). It’s just ridiculous to put that burden on the maintainers or any third-party contractor, and everyone knows it.
Comment from Mateusz Konieczny on 15 June 2022 at 09:58
Unfortunately, GDPR may result in significant breakage imposed on OSM by law.
“no breakage allowed” in this case may be requirement that must be waived
Comment from Mateusz Konieczny on 15 June 2022 at 10:02
Has it happened? I was looking at things a bit and I apparently missed this.
From EWG notes that I remember decision that GDPR compliance is not a priority project
Comment from woodpeck on 18 July 2022 at 07:55
In mmd’s defence, they have been the major contributor to https://wiki.openstreetmap.org/w/index.php?title=GDPR/Affected_Services since 2018 - that page is as close as we get to a step-by-step implementation manual for GDPR related changes. So, with the groundwork having been laid, it’s a now a SMOP ;)
Comment from SimonPoole on 18 July 2022 at 08:11
@woodpeck there are lots of bits and pieces that could have been done 4 years ago with minimum effort and programming, for example restricting access to planet files with PI. This would have been totally unproblematic and with minimal or even no impact (as most consumers immediately throw the problematic data away in the 1st place).
But instead of doing that, distribution of the problematic dumps has actually been increased via torrents and mirrors (9 in 2018, now 17) making the issue worse instead of better.