[Osmf-talk] hosting in the UK and "anti-terror legislation"
kakrueger at gmail.com
Mon Sep 9 15:18:10 UTC 2013
On 09/09/2013 05:22 AM, Frederik Ramm wrote:
> On 09/09/2013 12:39 PM, Martin Koppenhoefer wrote:
>> With recent news it seems inappropriate for privacy reasons to host the
>> db (users db but also the rest because of IP logging) in the UK. Has
>> this been discussed on the board?
> Personally, I'd like the OSMF to take a couple other, much smaller, data
> protection related steps.
Indeed, I think there are likely many internal things that OSM(F) can
(and some of it should) do long before moving hosting becomes an issue
and the "limiting" factor.
- At the moment passwords still often get transmitted entirely
unprotected, in the clear, over the network. Although with OAuth there is
an alternative to doing this, I suspect many API calls still use basic
auth (does someone have numbers for this?). So OSM(F) could for example
make the policy decision to deprecate basic auth for the API, or only
accept it via SSL (which at the moment it doesn't support).
- Enable https on more of the services. The wiki has supported https for
a while, but it isn't enabled by default, not even for login. The forums
don't support https at all and therefore transmit all passwords in the
clear. As Grant mentioned in his SotM talk, there do seem to be plans to
much improve this point, and indeed there have been a number of changes
to this today already by the looks of things. Great!
- Have a policy of which server logs (with full IP information) get
stored for how long.
- Have a policy of which private data (e.g. IP addresses) is allowed to
be leaked to third parties. E.g. is it acceptable to use things like
Google Analytics? I don't know to what degree Google Analytics is still
used, as much of it seems to have been replaced with internal Piwik
statistics. There are other third party services in use as well though,
if I am not mistaken. E.g. the website still uses Gravatar, which leaks
the IP address and the email address (in hashed form) of every logged in
user to gravatar.com.
- Have a policy of what OSM(F) is allowed to track about the user. There
is a justified interest in understanding the users and in return e.g.
improving the site design to cater for these use cases, or validating
that changes to the site design have indeed improved things. But to what
degree is it acceptable to do this in terms of privacy?
- Currently there are a number of "third party" services running under
the openstreetmap.org domain that are not under OSMF's control. E.g.
forum.osm.org, ci.osm.org, taginfo.osm.org, hot.osm.org. All of them are,
as far as I can tell, run by trusted individuals of the OSM community,
but a more formal policy of what is and isn't acceptable might
- Formal policies for sys admins on how they are allowed to use private
information they have access to. So far, as far as I can tell, the sys
admins have been very protective of this data and have done a good job
at ensuring that access to private data remains very limited and only to
trusted people. But in case operations expand, having something in
place might be beneficial.
- Reintroduce anonymous accounts
Privacy and security always also have disadvantages though, and so a
careful consideration of what we can and can't protect against, what we
should try to protect against, and what we are willing to let this cost
is an important debate to have.
But overall, if there isn't anything stored by OSM(F), then there is
nothing for the "anti-terror legislation" to subpoena out of the server
hosting in the UK. Also, despite the recent claims, good encryption and
https is likely to still considerably help keep information private.
I welcome the debate, as the first important step to ensure privacy is a
strong awareness of the issues.
> For example, much of our current internal
> email uses Google's mail systems, and board as well as many working
> groups make heavy use of Google docs. If it hadn't been for the paper
> ballots filled out in person in Birmingham, Google would have known
> Saturday's election results before any of us. It is not impossible that
> a GMail user who has voted for a certain candidate is shown "relevant
> advertising" (whatever that may mean). This is an undesirable situation
> and something that we could rectify with easier means than moving our
> hardware to Iceland.
Those are also good points about the degree to which all of the OSMF
internal communication is done via cloud services, often enough without
any real consideration of privacy. Convenience very often triumphs over
security.
> (Btw. I think that Grant mentioned in his DevOps talk that he was hoping
> to be able to offer SSL support on all OSM services soon.)
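The first bullet of the message above (basic auth sent in the clear, and the proposed policy of deprecating it or only accepting it over SSL) can be made concrete with a small worked example. This is an added illustration, not code from the thread or from the OSM API; the `Request` record, the `auth_policy` function and the sample requests are constructed for the example and assume nothing about how the real API server is implemented. It decodes a Basic header to show that base64 is encoding, not protection, applies the suggested policy (OAuth allowed, Basic only over https, optionally deprecated entirely), and tallies auth schemes per transport the way one would to answer the "does someone have numbers?" question from a request log.

```python
import base64
from dataclasses import dataclass


@dataclass
class Request:
    # Hypothetical minimal request record; a real server would take these
    # from the connection (TLS or not) and the Authorization header.
    scheme: str          # "http" or "https"
    authorization: str   # raw Authorization header value, "" if absent


def decode_basic(header):
    """Return (user, password) from a 'Basic <base64>' header, or None.

    Basic auth is only base64-encoded; anyone who sees the request on the
    wire can recover the password exactly like this.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def auth_policy(req, allow_basic_over_tls=True):
    """Apply the proposed policy to one request.

    Returns "allow" or a string starting with "reject:" giving the reason.
    OAuth is always accepted; Basic is accepted only over https, and not
    at all once the deprecation flag is set.
    """
    scheme = req.authorization.partition(" ")[0].lower()
    if scheme == "oauth":
        return "allow"
    if scheme == "basic":
        if decode_basic(req.authorization) is None:
            return "reject: malformed basic credentials"
        if req.scheme != "https":
            return "reject: basic auth only accepted over https"
        if not allow_basic_over_tls:
            return "reject: basic auth deprecated, use oauth"
        return "allow"
    if not scheme:
        return "reject: no credentials"
    return "reject: unsupported auth scheme " + scheme


def count_schemes(requests):
    """Tally auth scheme per transport, e.g. {"basic/http": 1, ...}.

    Run over a day of request records this gives the numbers needed to
    decide whether basic auth can be deprecated.
    """
    counts = {}
    for r in requests:
        scheme = r.authorization.partition(" ")[0].lower() or "none"
        key = scheme + "/" + r.scheme
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample requests; the Basic token is base64("alice:s3cret").
SAMPLE_REQUESTS = [
    Request("http", "Basic YWxpY2U6czNjcmV0"),
    Request("https", "Basic YWxpY2U6czNjcmV0"),
    Request("http", 'OAuth oauth_consumer_key="k", oauth_token="t"'),
    Request("http", ""),
]


if __name__ == "__main__":
    print("leaked credentials:", decode_basic(SAMPLE_REQUESTS[0].authorization))
    for r in SAMPLE_REQUESTS:
        print(r.scheme, r.authorization[:20].ljust(20), "->", auth_policy(r))
    print("scheme tally:", count_schemes(SAMPLE_REQUESTS))
```

The `allow_basic_over_tls` flag is the knob between the two options in the message: keep it `True` to implement "only accept basic auth via SSL", set it `False` once the tally shows few enough clients still use Basic to deprecate it outright.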