Details about iD editor users get publicly, permanently and silently logged with every edit – a privacy breach
Posted by aseerel4c26 on 1 May 2015 in English. Last updated on 18 May 2015.

Since the recent (estimated: two days ago) update to version 1.7.1 (“Add basic browser and platform info to changeset tags (#2559, #2449)”) of our editor iD, it publicly, permanently and silently logs operating system, browser and language details (+ more) for every user, for every edit, by adding those tags to a changeset (example values follow; or see /history and pick a random one until you get one by iD):
browser = Chrome 37.0
locale = it-IT
platform = Linux
- I could imagine good uses for this big pile of data … e.g.
  * it may help in debugging the editor,
  * one could potentially make nice statistics of our user base in total from this data (from a dump), or
  * use it for quality assurance heuristics (e.g. it may be more suspicious if a foreign language user edits at a specific place).
- But I also could imagine bad uses for this big pile of data:
  * it also enables everybody to create detailed statistics about a single user’s browser update habits and browser name
  * or operating system switching over time. Which all is not why people contribute to OSM.
  * Language, browser name, exact version and operating system name may make a contributor identifiable among a big group of persons, especially if some of those details are not very usual (think of someone speaking Lithuanian using Epiphany under Linux and editing in an Argentinian city) – the expectation of only contributing under a pseudonym user name is quickly broken.
  * Furthermore, the users are not even asked (and also not even notified) if they agree to permanently, publicly publish this private data. The iD editor just asks for the changeset comment. All other tags are added automatically and silently. This breaks the Privacy Policy (“All edits made to the map are recorded in the database with the user ID of the user making the change, and a timestamp at the time of change upload.”) if we assume that the users do not intentionally choose this editor and are aware that it does whatever things. Assuming that every contributor finds the small entry in the iD release notes at GitHub is totally unreasonable. I only noticed the problem because I was viewing other contributors’ changesets.
  * The users have practically no chance to ever remove this information about them.
In the linked issues (found via the release comments) 2559 and 2449 I see no rationale at all why all this data needs to be saved 1. publicly, 2. permanently and 3. silently. Just reasons why the data could be useful are mentioned (similar to my ideas above) but not why the privacy and trust of our contributors need to be hurt to this extent. Note: I have messaged the three involved developers/issue reporters via OSM mail about this post.
I think this recent change is really over the top and is doing harm, because to outsiders our project may seem as if it does not care about our contributors’ privacy and fools new users by silently publishing information about them. I would hate it if, in the future, I would need to pass along a big warning about privacy when I try to attract new contributors.
Of course a simple workaround is to use another editor, e.g. JOSM, which I suggest doing for other reasons anyway.
Please, let’s quickly remove this personal data canon before even more data is collected. By the way, I am intentionally not writing in a hidden bug tracker to make everybody aware of the problem and hopefully sensitise the developers a bit.
Update: on 16th May (15 days after writing this diary entry) iD’s main code was modified and browser (browser name), version (browser version) and platform (operating system) were removed again. Still, the locale (user’s language setting) and host (the website at which iD is running) are silently saved into the changeset tags. See https://github.com/openstreetmap/iD/pull/2643
Likely it will take some days until this new, partly fixed iD version appears on osm.org.
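
An added example, not part of the original diary entry and not iD's code: a small audit that lists the client-detail tags named in this post when they appear in a changeset document, and returns a copy with them stripped. The sample XML, its changeset id and user name are constructed; only the tag keys and example values come from the post.

```python
import xml.etree.ElementTree as ET

# Tag keys the post names as written silently by iD: browser, locale and
# platform (example values above), plus version and host (from the update).
CLIENT_TAGS = {"browser", "version", "platform", "locale", "host"}

# Constructed sample in the OSM changeset XML layout; values mirror the post.
SAMPLE = """<osm>
  <changeset id="1" user="example_mapper">
    <tag k="comment" v="Added a bakery"/>
    <tag k="created_by" v="iD 1.7.1"/>
    <tag k="browser" v="Chrome 37.0"/>
    <tag k="locale" v="it-IT"/>
    <tag k="platform" v="Linux"/>
  </changeset>
</osm>"""


def audit_changeset(xml_text, client_tags=CLIENT_TAGS):
    """Return (disclosed, scrubbed_xml).

    disclosed   -- dict of client-detail tags found in the changeset(s)
    scrubbed_xml -- the same document with those tags removed
    Raises xml.etree.ElementTree.ParseError on malformed input.
    """
    root = ET.fromstring(xml_text)
    disclosed = {}
    for changeset in root.iter("changeset"):
        # Copy the list first: removing children while iterating skips items.
        for tag in list(changeset.findall("tag")):
            key = tag.get("k")
            if key in client_tags:
                disclosed[key] = tag.get("v")
                changeset.remove(tag)
    return disclosed, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    found, cleaned = audit_changeset(SAMPLE)
    for key in sorted(found):
        print(f"client detail published with the edit: {key} = {found[key]}")
    print(cleaned)
```
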