Overpass API developpement

[Roland Olbricht <>]

Hi,

> what are the plans for Overpass API regarding GDPR?

First of all and most important: we are in no hurry.

There is a substantial risk to break things. And it is not even clear 
whether we process personal data at all: Wikimedia has concluded in a 
quite similar setting that they do not process personal data at all.

I'm currently preparing a document to clarify the situation of Overpass 
API. Please note that there are substantial differences to the setting 
of openstreetmap.org. Most account-related data is not present at all. 
But on the ohter hand, openstreetmap.org does not even bring node 
coordinates and "historic" ways together.

Overpass API never had a feature to track user activity and probably 
never have to. One reason for the design decision to work with time 
slices has been that it is privacy-friendly: you have no know beforehand 
at what timestamp something intereting happens.

> The recommendation regarding meta data seems to be to limit access to 
> logged-in users. So Achavi would require authentication, but so would 
> any query with 'out meta'?

At the moment, I suggest not to require any authentication at all. The 
same logic as above applies: you have to know beforehand the changeset 
id of interest. Traversing all changesets that way is not possible, not 
even all changesets of a really active user within reasonable time.

The first two steps and the moment are to ensure that minute updates 
continue to work and to find a practical solution for the clone feature.
Permission management for the database will follow later.

Currently, I doesn't look useful to use the opensteetmap.org OAuth at 
all. That way, we pile up a new category of personal data, which is 
precisely the opposite of what the GDPR intended. In addition, there is 
no clean solution to ensure that people have read the Overpass API 
privacy declaration, and the framework is for our purpose 
disproportionately heavyweight.

Best regards,

Roland