[OSM-dev] GDPR implementation on planet.osm.org

Frederik Ramm frederik at remote.org
Thu Jun 21 08:35:23 UTC 2018


The changes that I proposed mean that your Overpass API will, if it
wants to continue downloading user data from OSM, at some point in the
future have to identify itself to OSM with an OSM account as proof of
your acceptance of the Terms of use.

This is the *technical* requirement for having access to OSM user data
in the future, and it is easy to do. I'm happy to provide the necessary
script for that when the time comes.

Overpass already differentiates between output with and output without
meta data. The output without meta data, which IMHO is totally
sufficient for the overwhelming amount of Overpass use cases, would
continue unchanged.

So these use cases are all covered without any of us investing any work,
without a "development backlog of more than a year" or killing the
project entirely.

Let's look at those use cases where Overpass users would like to
download user data.

You seem to assume that this not only requires the overpass user to have
an OSM account but also that the overpass user somehow goes through an
OAuth process with OSM every time they want to access Overpass.

This is *not* intended to be a requirement.

The ToU will require - in wording that is yet to be defined - that you
take care to only distribute OSM user data for purposes that the OSMF
considers legitimate. Now it is clear that you cannot actually *control*
what users do with data - but you will be expected to inform them that
they have to conform to the OSMF's rules when they process this data.

One *possible* way of doing that would be to simply have them prove that
they have an OSM account, because if they have an account, then they
also have accepted the ToU, and then you don't have to explain anything
to them. This *could* be done with OAuth, either with every request they
send, or you could have your own database of Overpass API keys where
people have to prove they have an OSM account when they register.

But you could also run a scheme completely independent of OSM, where
anyone can register for an "Overpass account" and you show them some
text that says "By signing up for an Overpass account you promise to
always stick to OSM's terms of use" or so.


Frederik Ramm  ##  eMail frederik at remote.org  ##  N49°00'09" E008°23'33"
