openstreetmap
Make contribution heat map opt in
Problem
There have been several critical comments about the new contribution heat map feature. Some users see the publication of their contribution patterns as a violation of their privacy or even a breach of GDPR.
Some of the discussions can be found here:
- https://community.openstreetmap.org/t/umfrage-aktivitatskalender-auf-jeder-osm-user-seite/127294
- https://en.osm.town/@osm_tech/114160805593628586
Description
Make this feature opt-in. Users need to activate it in their preferences for the heat map to be displayed.
Screenshots
No response
The OSMF privacy policy guarantees that contribution meta data will only be shown to logged in users https://osmfoundation.org/wiki/Privacy_Policy#Who_has_access_to_the_data (yes, the OSMF violates this all over the place, but that doesn't give anybody a free get out of jail card to add to those violations).
So either the privacy policy needs to be changed, iffy because this changes the basic tenants it is built on and not a question that is of a technical nature, or the feature needs to only be available to logged in users as I pointed out in the relevant PR back in January.
Making the feature configurable is a good idea in any case, heck even Microsoft (github) does that.
How about hiding pages osm.org/user/username from not registered users by default? And after that, you can add a setting of the visibility of the profile data. Yes there is more osm.org/user/username/*, but at least it will be consistent with the API, which does not show profile descriptions without authorization.
As I understand it, this should still be done to comply with the privacy policy, so why limit yourself to configuring the heat map.
p.s. despite my position on the situation, here I write without sarcasm and exaggeration p.p.s. in theory, this could also make OSM less attractive to SEO spammers
See https://wiki.openstreetmap.org/wiki/GDPR/Affected_Services iirc at the time it was assumed that the the the user page would only contain content that the user had added with the intent of making it public, see https://osmfoundation.org/wiki/Privacy_Policy#Data_you_may_voluntarily_add_to_your_profile_or_diary_posts
I would argue that by signing up to the project it's your intent to make your edits public - building a public data set is the entire point of the project after all but what do I know.
I certainly don't see any point in showing things to logged in users that isn't shown to logged out users given there is no barrier at all to signing up.
I would argue that by signing up to the project it's your intent to make your edits public - building a public data set is the entire point of the project after all but what do I know.
It is rather pointless to try to re-litigate something that was discussed to death 7 years ago, but that is exactly the point: users expect that the geodata that they created or edited to be public, not, for example, their sleeping habits.
As this issue is likely to attract a lot of traffic, here's the link to the wiki page with a number of resources on the topic https://wiki.openstreetmap.org/wiki/GDPR , the paper linked there goes over the arguments for the solution that was chosen.
I would suggest to try to limit the discussion of this ticket to my specific feature request. The heat map is a newly added feature that is kind of a gadget: It doesn't directly benefit the OSM project. But it does have privacy issues as it shows editing patterns of users at a glance. Users have stated that they don't want to have it on their profile page without their consent. So I think we should make it optional.
Don't get me wrong: I do think it is important to also discuss other privacy related aspects like what information should be visible to logged-in users only, if publishing data to a public database includes consent to aggregate that data to create user profiles out of it and if the OSMF violates its own privacy policy. But maybe these should be better discussed in the community forum.
The OSMF privacy policy guarantees that contribution meta data will only be shown to logged in users https://osmfoundation.org/wiki/Privacy_Policy#Who_has_access_to_the_data
And this page says that metadata should be shown only to those who accepted the terms of use: https://wiki.openstreetmap.org/wiki/GDPR/Affected_Services . Some users will just never accept them despite being logged in. Privacy Policy describes the simplified/ideal end goal. If you want users to be able to indicate that they accept the terms, see #5706.
As a temporary measure the heatmap can be hidden for non-logged-in users, if it's actually necessary. But then you can say the same thing about user edits page, user notes page and so on. And then you'll have a situation where all of this data is still available for everyone via the api and on some pages, but not on some other pages.
After reading this discussion, my two cents on this is that a settings option so registered users can show their heatmap (or other relevant metadata that can have privacy concerns) to all users / registered users / no one can be a good idea.
I think we should make it optional.
That's what users say about many changes. I wanted the heatmap to be collapsed by default, which would probably have removed some of "this is my page" complaints. And I also wanted it as a navigation tool with clicking on dates opening the edit history at that date. Making it optional in this case will be like making other links like edits, notes, diary optional.
And this page says that metadata should be shown only to those who accepted the terms of use:
The discrepancy is due to you still being able to login even though you haven't agreed to the ToS if you have an account pre-dating the introduction of the terms. The OSMF board simply never did its job to communicate that this would have to change and set a date for the change (for a while I sent the board regular reminders that this was still pending, now days I can't be bothered).
It was always envisioned that this would be fixed before the API and data access changes going active. With other words while the language in the privacy policy is technically not quite correct, at the time the assumption was this would just be a short blip.
Given that we can now conclude that the board is so scared stiff of doing anything that could be even remotely unpopular that the above change is never ever going to happen, the solution is likely to change the wording on the policy to refer to logged in accounts that have accepted the ToS (and implement the changes in that way). It's insane but it is what it is.
PS: there has been discussion of simply allowing users to accept the ToS 'manually' in their preferences. However I don't believe that is reflected in the EWGs current plans.
Who is this widget’s intended audience and what’s its purpose? https://github.com/openstreetmap/openstreetmap-website/issues/5373#issue-2714677416 frames it this way:
The current user profile page provides a detailed summary of contributions but lacks a visual representation of activity trends. A calendar heatmap, similar to GitHub's user contribution calendar, would make it easier to understand user engagement over time at a glance.
Going back further, https://github.com/openstreetmap/openstreetmap-website/issues/5356#issue-2691128594 opens with this problem statement:
We want to enhance the OSM profile pages with more engaging and informative features, similar to HDYC.
I’m not sure I agree with the premise that the profile page had a detailed summary in the first place. But putting that aside, all I see is a desire to match the visual attractiveness of GitHub profile pages and Pascal Neis’s How Did You Contribute? tool, and to track “user engagement”. As user engagement isn’t a meaningful metric for OSM as a project, I think this feature could’ve benefited from more detailed consideration of use cases, which could’ve led to a different design. For example:
-
If it’s for the user to track their own edits, it probably belongs on their dashboard, which is visible only to them. That should mitigate the privacy concerns expressed here, even if we extend the feature to make it easier to reminisce about a changeset by date.
-
If it’s for the user to show off their editing streak to others, as a light form of gamification, then there should be an option about that. At the very least, some community members don’t view their changeset history as a fair portrayal of their value to the community. I hear griping about that almost every year when OSMF board candidates’ heatmaps get posted on the wiki for all to see (even nonmembers).
-
If it’s for others to gauge at a glance whether the user is actively editing these days, then I don’t think this level of granularity helps very much. I don’t need to know whether the user edits on weekends in order to predict whether they’re likely to respond to a direct message promptly or complain about their work getting reverted, or to decide whether I should be concerned that my ~~friend~~ follow is drifting away from the project. A simpler all-time line graph with aggressive smoothing would convey this information more effectively (irrespective of any privacy considerations).
But putting that aside, all I see is a desire to match the visual attractiveness of GitHub profile pages and Pascal Neis’s How Did You Contribute?
It should be noted that contrary to the OSMF, Pascal requires users to login before they can access his site (since 2018). With other words he complies with the OSMFs privacy policy and ToS, and the OSMF doesn't.
Some users see the publication of their contribution patterns as a violation of their privacy or even a breach of GDPR.
By way of an update, the LWG was asked about this specific point earlier this year. They’ve determined that the contribution heatmap may continue to be displayed publicly for several reasons and would be consistent with the OSMF privacy policy. However, a user’s objection to displaying their own heatmap would outweigh OSMF’s legitimate interests. Therefore, we need to at least provide an opt-out, but neither the privacy policy nor the GDPR would require us to make it an opt-in. #6606 would implement the opt-out.
Somewhat relatedly, the LWG also asked us to more actively notify older users about the Terms of Use: #6610.
I'm fairly sure the LWG didn't consider the representations the OSMF makes in the privacy policy wet to the profile page.
Although the question posed to the LWG only cited the GDPR, the decision also makes reference to portions of the privacy policy, including but not limited to “facilitating the communication between OpenStreetMap contributors”. It also considers the heatmap to be a presentation of information already available via the profile that doesn’t present a heightened privacy risk compared to other information there.
To be clear, I’m just going off of what has been communicated to me and not attempting to put words in the LWG’s mouth. I can try to relate your concerns back to them, but if you believe you have information they didn’t consider, it might be easier to reach out to them directly.
To reiterate https://github.com/openstreetmap/openstreetmap-website/issues/5804#issuecomment-2726753639, regardless of the fate of this option, I’d also be interested in a more direct way of accomplishing some of what this heatmap apparently facilitates, such as a more discreet indicator of whether someone’s activity is generally trending up or down these days. I think approaching the profile design from the standpoint of user experience, rather than legal compliance, would actually open up more possibilities for addressing the sentiments here.