Four years ago, on 25 May 2018, the then new EU-wide General Data Protection Regulation (GDPR) went into force. It is therefore quite fitting that, almost to the day four years later, the OSMF has given up any pretense of ever fulfilling the legal requirements arising from the regulation and, perhaps more importantly, of undertaking the ethically and morally indicated steps to protect the privacy of our contributors.
It isn’t as if the OSMF was caught by surprise in May 2018. The topic was by far the best researched, documented and planned change in its history. Nor were the quality of the work or its conclusions in doubt: completely independently of, and unaware of, what the LWG had prepared three years earlier, a talk by Robert Riemann at last year’s SOTM came to essentially the same conclusions.
But, four years later, with the sole exception of new users having to accept the OSMF terms of service on sign up (added by yours truly), none of the required changes to the APIs and data access have even been started on OSMF properties.
To make the situation worse, OSM isn’t static. New services, both third-party and OSMF-operated, are being added and existing operations are changed, and the data protection impacts and consequences are rarely considered.
Ironically, some organizations in OSM space, for example Geofabrik, OSMcha and Pascal Neis’s HDYC, have taken required steps that the OSMF has not.
Why have we ended up in this place, fraught with legal and financial danger? On the one hand, there are no brownie points to be won for championing the changes to the OSM website, the API and data distribution. Since Frederik left the board, no director has been willing to show any support for the matter.
On the other hand, the technical community is full of data protection flat earthers. Some just believe that data privacy isn’t and shouldn’t be a thing, others believe that OSM has a get out of jail free card in such matters. As a consequence there is both passive resistance to making the changes and at the same time no volunteer developers that are going to code them.
All things considered, I don’t believe that any progress is going to be made without the board making the matter a priority and tasking an outside organisation with it. But I’m not holding my breath for anything to happen without the police banging on the door.
GDPR on the wiki has links to more material.
Discussion
Comment from mmd on 13 June 2022 at 18:17
Why on earth would any volunteer developer spend time on a task that the OSMF board decided to outsource to a paid contractor?
Comment from SimonPoole on 13 June 2022 at 18:40
@mmd you’ve got that the wrong way around. Volunteer interest in doing these tasks hasn’t been forthcoming (for more than 4 years) and is never likely to (for the reasons mentioned). That’s why the OSMF should completely outsource them.
Comment from mmd on 13 June 2022 at 19:08
You probably still recall the discussion we’ve had in https://github.com/zerebubuth/openstreetmap-cgimap/issues/144 and concerns that have been raised there, in particular by zerebubuth, which questioned the whole approach.
In the end, I didn’t see much convincing arguments how we could possibly implement the suggested changes without causing at least some breakage in the ecosystem. The proposal is unfortunately very light on this very important change management topic (I hope I don’t misrepresent this part, it’s been a while since I last looked into it).
I truly hope someone finds a way forward that works for everyone involved. Maybe talk to the EWG, they’re always looking for new exciting topics for subcontracting.
Comment from SimonPoole on 13 June 2022 at 20:57
‘In the end, I didn’t see much convincing arguments how we could possibly implement the suggested changes without causing at least some breakage in the ecosystem.’
This is a bit of a straw man because nobody was suggesting that there would be no breakage, just that nearly all changes would be limited to non-authenticated use.
As to questioning the approach, yes the earth is really really flat.
Comment from SimonPoole on 13 June 2022 at 21:19
PS: osm.wiki/w/images/8/88/GDPR_Position_Paper.pdf page 11 contains an analysis of who would have been impacted in which way by the changes.
Comment from Zverik on 14 June 2022 at 06:59
The OSMF policy of “do anything but in your own sandbox” along with repos’ maintainers’ behaviour has pushed the community into a state of learned helplessness. It’s easier to do GDPR changes at Geofabrik or for private projects than to even start thinking of changing the OSM infra. We have been told for many years that any change to OSM requires a committee, and also pushing pull requests through the hoops. And committees do not appear from thin air, they need either to be created (by the OSMF Board, since there’s nobody else), or grow organically (which we have successfully prevented).
So yeah, unless the OSMF Board makes it their #1 priority, there will be no GDPR compliance in OSM.
Comment from mmd on 14 June 2022 at 07:29
As I see it, GDPR support is a multi-month project that requires a lot of coordination and communication with all possible stakeholders. What we have right now is a description of the “to be” state, but we don’t know yet how to get there with the least amount of disruption.
To make that happen you need a proper project plan, i.e. a detailed plan of how these changes will be implemented and in what order, by whom, etc. And most importantly, you need someone to coordinate the overall effort and have overall responsibility for the outcome (yes, that would be you, OSMF board). It’s just ridiculous to put that burden on the maintainers or any third-party contractor, and everyone knows it.
Comment from Mateusz Konieczny on 15 June 2022 at 09:58
Unfortunately, GDPR may result in significant breakage imposed on OSM by law.
“No breakage allowed” in this case may be a requirement that must be waived.
Comment from Mateusz Konieczny on 15 June 2022 at 10:02
Has it happened? I was looking at things a bit and I apparently missed this.
From the EWG notes, I remember a decision that GDPR compliance is not a priority project.
Comment from woodpeck on 18 July 2022 at 07:55
In mmd’s defence, they have been the major contributor to osm.wiki/w/index.php?title=GDPR/Affected_Services since 2018 - that page is as close as we get to a step-by-step implementation manual for GDPR related changes. So, with the groundwork having been laid, it’s now a SMOP ;)
Comment from SimonPoole on 18 July 2022 at 08:11
@woodpeck there are lots of bits and pieces that could have been done 4 years ago with minimum effort and programming, for example restricting access to planet files with PI. This would have been totally unproblematic and with minimal or even no impact (as most consumers immediately throw the problematic data away in the first place).
But instead of doing that, distribution of the problematic dumps has actually been increased via torrents and mirrors (9 in 2018, now 17) making the issue worse instead of better.