Details about iD editor users get publicly, permanently and silently logged with every edit – a privacy breachPosted by aseerel4c26 on 1 May 2015 in English (English)
Since the recent (estimated: two days ago) update to version 1.7.1 ("Add basic browser and platform info to changeset tags (#2559, #2449)") of our editor iD it publicly, permanently and silently logs operating system, browser and language details (+ more) for every user, for every edit by adding those tags to a changeset (example values follow; or see /history and pick a random one until you get one by iD):
browser = Chrome 37.0 locale = it-IT platform = Linux
- I could imagine good uses for this big pile of data ... e.g.
- it may help in debugging the editor
- one could potentially make nice statistics of our user base in total from this data (from a dump), or
- use it for quality assurance heuristics (e.g. it may be more suspicious if a foreign language user edits at a specific place),
- But I also could imagine bad uses for this big pile of data:
- it also enables everybody to create detailed statistics about a single user's browser update habits and browser name
- or operating system switching over time. Which all is not why people contribute to OSM.
- Language, Browser name, exact version and operating system name may make a contributor identifiable among a big group of persons, especially if some of those details are not very usual (think of someone speaking Lithuanian using Epiphany under Linux and editing in an Argentinian city – the expectation of only contributing under a pseudonym user name is quickly broken.
- The users have practically no chance to ever remove this information about them.
In the linked issues (found via the release comments) 2559 and 2449 I see no rationale at all why all this data needs to be saved 1. publicly, 2 permanently and 3. silently. Just reasons why the data could be useful are mentioned (similar to my ideas above) but not why the privacy and trust of our contributors needs to be hurt in this extent. Note: I have messaged the three involved developers/issue reporters via OSM mail about this post.
I think this recent change is really over the top and is doing harm, because to outsiders our project may seem as if it does not care about our contributors' privacy and fools new users by silently publishing information about them. I would hate it if, in the future, I would need to pass along a big warning about privacy when I try to attract new contributors.
Of course a simple workaround is to use another editor, e.g. JOSM, which I suggest doing for other reasons anyway.
Please, let's quickly remove this personal data canon before even more data is collected. By the way, I am intentionally not writing in a hidden bug tracker to make everybody aware of the problem and hopefully sensitise the developers a bit.
Update: on 16th May (15 days after writing this diary entry) iD's main code was modified and browser (browser name), version (browser version), platform (operating system) were removed again. Still, the locale (user's language setting) and host (the website at which iD is running at) are silently saved into the changeset tags. See https://github.com/openstreetmap/iD/pull/2643
Likely it will take some days until this new, partly fixed iD version appears on osm.org.