GDPR changes coming to OSMCha

Posted by wille on 7 August 2018 in English (English)

It’s been a long time since our last post about OSMCha… In this period, we have implemented few features in the frontend, nevertheless we have done a lot of work on backend and prepared OSMCha to be compliant with the GDPR.

This backend work was necessary to avoid technical debt, make the system run faster and to have a good base to the future improvements. We updated the OSMCha backend to run with Django 2.0, Python 3 and Django Rest Framework 3.7.7. Other backend dependencies were updated as well.

GDPR Changes

It’s not on production yet, but we have already started testing a new version of OSMCha with the modifications required by the GDPR. The API and the frontend will show user metadata only to authenticated requests. It means that, if a request is unauthenticated, the fields 'user', 'uid' and 'check_user' will not be present. Furthermore it will not be possible to filter changesets by one of these three fields. The anonymous requests will not return an error, but the results won’t take in consideration these filter fields.

If you use the OSMCha API, our staging server is available to your tests, so you can verify the modifications needed by your software (Be aware that the staging server has only changesets older than 2017-09-26). To make authenticated requests, add to the header: Authorization: Token <your_token>. Your user token is available in the user page of the staging server (soon in the user page of the production too).

The saved filter (AoI) RSS feeds will have a different authentication method that we need to implement yet. The features API is yet exposing user metadata, but very soon we will do a big change to it. Instead of exposing a lot of information about the features, it will return just the id, type and suspicion_reasons of each feature.

The GDPR requires some additional changes in other pieces of software that are used by OSMCha. The osm-comments-api and the changeset-map will be closed for public use and available only to OSMCha and some other softwares that are GDPR compliant.

We are planning to put the GDPR compliant version of OSMCha on production on August 27th. If you have some issue or need some help with the changes in the API, don’t hesitate on contacting us by our mailing list or opening issues on github. The new API documentation is available at

Talk at State of the Map

I presented a talk in State of the Map 2018 in which I spoke about how we are improving OSMCha for the OpenStreetMap community. It was amazing to meet with a lot of OSMCha users and receive new feedback and ideas. You can check the slides or watch the video on YouTube.

Comment from Nakaner on 7 August 2018 at 17:22

Are you aware that the OpenStreetMap Foundation considers changesets themselves as sensitive information, too? Even if you remove the username and user ID from the changesets, one can link changesets to pseudonymous profiles because users tend to have certain editing pattern (e.g. tag combinations, changeset comments etc.). Please keep in mind that pseudonymised data is still personal data and subject to the GDPR.

That’s why I think that you should put all of OSMCha behind an OSM login.

Comment from wille on 16 August 2018 at 08:33

Thanks for the comment, Nakaner! We have decided to put everything behing a login. I will post an update when the modifications are ready.

Comment from Kevin Kofler on 20 August 2018 at 23:13

How does putting things behind an OSM login protect anybody’s privacy? Anybody can get an OSM account and use that to access the “hidden” information. You are just handling more personal data, the one of the users who are logging in.

Comment from wille on 21 August 2018 at 08:56

Kevin Kofler, those are the recommendations of the OSMF Legal Working Group about the GDPR:

Login to leave a comment