GDPR compliance

[mvexel]

We need to ensure that MapRoulette complies with the new European regulations regarding personal information.

GDPR may apply to us if we collect any personal information about citizens in the EU. The regulations may apply to MapRoulette even if we think they won't.

I'll research and follow up.

[mgcuthbert]

The only potentially personal user information that we may collect is the users location. And this is something that is collected from OpenStreetMap and not directly from us. Otherwise the only reference we have to the user is their OSM id and their OSM username. So if collecting their location falls under the regulations, we can easily remove that.

[mvexel]

Resources I'm working through:

• https://www.smashingmagazine.com/2018/02/gdpr-for-web-developers/
• https://techblog.bozho.net/gdpr-practical-guide-developers/
• https://www.ctrl.blog/entry/gdpr-web-server-logs

@mgcuthbert are we retaining web server logs indefinitely currently?

[mvexel]

I started writing a diary post on how we deal with privacy and PII that should clarify things for users. I am planning to post this on the OSM diary site.

Here is the draft. @nrotstan @mgcuthbert could you check for factual correctness and completeness? And make any suggestions for additional things to cover?

[nrotstan]

Here are a few thoughts that pop into my head:

• I think it might be worth mentioning the Leaderboard opt-out, in case users wish to avoid the possibility of public visibility.

• When #360 is completed, challenge owners will be able to see which users (OSM usernames) completed which tasks within their challenges, and in theory there is nothing preventing challenge owners from sharing that data or even making it public. Depending on a user's habits, that could represent a significant part of their task history.

• I don't think you should restrict yourself from storing database backups off-site, in case anything ever happens to that linode instance.

• Additional clarification of the details around deleting a user's data may be worthwhile. For example, would everything the user did actually be deleted, or would their personally-identifiable information instead be replaced with dummy data (or some combination of the two)? And again, regarding #360, we won't have control over what challenge owners do with any data they may have exported prior to the user's deletion.

• This might be obvious, but edits and other data sent to OSM are beyond our control.

[mvexel]

Keeping this open as something to monitor and for the user community to voice concerns around GDPR and MapRoulette.

[mvexel]

Checking in on this ticket. I'm going to keep this open since it's something that may still come up but we won't pro-actively pursue this.