Subject: Overpass API developpement
Re: [overpass] General Data Protection Regulation (GDPR)
- From: Roland Olbricht <>
- To: , Norbert Renner <>
- Subject: Re: [overpass] General Data Protection Regulation (GDPR)
- Date: Tue, 22 May 2018 06:48:27 +0200
what are the plans for Overpass API regarding GDPR?
First of all and most important: we are in no hurry.
There is a substantial risk to break things. And it is not even clear whether we process personal data at all: Wikimedia has concluded in a quite similar setting that they do not process personal data at all.
I'm currently preparing a document to clarify the situation of Overpass API. Please note that there are substantial differences to the setting of openstreetmap.org. Most account-related data is not present at all. But on the ohter hand, openstreetmap.org does not even bring node coordinates and "historic" ways together.
Overpass API never had a feature to track user activity and probably never have to. One reason for the design decision to work with time slices has been that it is privacy-friendly: you have no know beforehand at what timestamp something intereting happens.
The recommendation regarding meta data seems to be to limit access to logged-in users. So Achavi would require authentication, but so would any query with 'out meta'?
At the moment, I suggest not to require any authentication at all. The same logic as above applies: you have to know beforehand the changeset id of interest. Traversing all changesets that way is not possible, not even all changesets of a really active user within reasonable time.
The first two steps and the moment are to ensure that minute updates continue to work and to find a practical solution for the clone feature.
Permission management for the database will follow later.
Currently, I doesn't look useful to use the opensteetmap.org OAuth at all. That way, we pile up a new category of personal data, which is precisely the opposite of what the GDPR intended. In addition, there is no clean solution to ensure that people have read the Overpass API privacy declaration, and the framework is for our purpose disproportionately heavyweight.
- [overpass] General Data Protection Regulation (GDPR), Norbert Renner, 05/20/2018
- Re: [overpass] General Data Protection Regulation (GDPR), Roland Olbricht, 05/22/2018
Archive powered by MHonArc 2.6.19+.