Opinions on internet_access:password=*?

I’ve recently become aware (SC #5805 & SCEE #603) of:

internet_access:password=* may be added to specify the network password or just the values ‘yes’ or ‘no’

mentioned at internet_access=wlan wiki page. While yes/no are perhaps not controversial, the specifying of actual WiFi password seems problematic to me (even while Limitations on mapping private information - OpenStreetMap Wiki does not specifically mention that situation, the general ideas seems to be to not share private information on OSM).

So, quick poll (or comment):

Relevant Overpass Turbo link

OSM Tag History

Yes or No is enough. First of all a password (even if shared with other people) is private information and second it is often changed quite frequently - and would probably be outdated in our database in many cases.

Organisations do not enjoy a right to privacy under the guidelines of this Wiki page. They mainly apply to living persons.

Would UK law prohibit storing and sharing WiFi passwords of organisations in OSM?

Is it, though? Plenty of organisations publish WiFi passwords on signs or on request for the benefit of their visitors/customers.

Exactly. They decide who can obtain the password and the way to get it. They don’t post it on their website, they don’t put it on ads. The access is meant for (paying) customers, not for random people sitting outside and reading the password on some web page.

I vaguely recall seeing that somewhere, and besides, having it on a sign already satisfies our principle of verifiability.

Not always. I’ve experienced cases where any visitor, paying or not, is given access to the password.

If these businesses are happy for everyone to know the password, why do they have a password? Is “a password published to the whole world” more secure, or more advantageous in some way, compared to “no password”?

(Genuine question, I don’t know much about the topic and maybe there is some difference).

That’s an interesting question. Next time I find a place that has the Wifi password displayed at a very visible place like the front window, counter or reception desk, I’ll ask the owner or operator about it.

I’m pretty sure it’d be possible to construct a scenario in which that was illegal, yes. Whether it applies to the regular “wifi password on a board behind the bar” I’ve no idea (usual advice - ask an actual lawyer). However OSM has always (due to limited funds) been very careful to avoid legal conflict. If someone added a wifi password to OSM and a business owner complained to the DWG, I can’t imagine us picking that as a hill to die on. We’d probably just redact the data and move on.

Even if it’s acceptable, the format is broken if both boolean and actual password freeform text is allowed. Those passwords seem to be mass added in 2022, and 2024. osm tag history
However, a shared password pattern might be useful. Eg internet_access:password:description= =Your room number , =Your school account password , etc.
Whether the wifi requires registration could be added, including ones that asks you to create your passwords. Furthermore, there are wifi systems that require you to call, message, or email to receive an individual credential.

There is difference security-wise with WPA3. Different encryption scheme is used when WiFi is used without password. So traffic between clients and router is safer even if WiFi password is trivial/guessable/public than without password

I did not mean “privacy” in GDPR sense, but as in private (i.e. non-public) information.

Would UK law prohibit storing and sharing WiFi passwords of organisations in OSM?

I don’t know UK law, but many countries have laws which prohibit things like “unauthorized access to computer systems/networks”, “circumventing digital access controls”, “leaking company secrets” etc. , which sharing private passwords might come under. (I’m not claiming it will be the case in 100% of the cases, but it might in many)

Plenty of organisations publish WiFi passwords on signs or on request for the benefit of their visitors/customers

Even in such cases (which are rather in minority in my experience), publishing something visible to local community is not authorization to republish it worldwide. I seem to recall similar discussion on that point a year or so ago (back than it was IIRC about businesses self-publishing information like “owned and operated by woman/minorities/black people” and things in that vein)

I’ve experienced cases where any visitor, paying or not, is given access to the password.

Sure. I’ve seen cases when people were offered free drinks at times. But all of that is anecdotal evidence though, and extreme outliers, and not a default case…

typically, limiting use to customers is the goal

for example hostel may prefer its wifi to be used by people using it, not by people from outside catching its wifi signal and connecting using password from some freewifimap.

This raises another question about the tag. Does internet_access:password=yes and no add anything that isn’t already clear from (the much more widely used) internet_access:fee=no vs. =customers?

We have plenty of non-public information on the map. See for example the 15 million access=private tags. I don’t see why "non-public"ness would be a limiting factor for OSM mapping (besides of course what is mentioned on the “limitations to mapping private information” Wiki page).

The legality of storing passwords is certainly an interesting angle. The way I see it is that OSM is only strictly bound to UK law as long as the OSMF is based in the UK, and besides that we should be fine by following SomeoneElse’s reactive approach to redacting/removing passwords from OSM. Many countries also prohibit the mapping of military bases, but this has never stopped us either (except maybe in active conflict zones), so I don’t see why passwords would be a different story.

Unless stated otherwise (UK law or owner’s complaint) I don’t see why we would require such authorisation.

All evidence is anecdotal until you have a research paper in hand that contains statistical significance

Typically this is indeed the case, although I have seen cases (anecdotally, as Matija_Nalis likes to point out) where the password is distributed even to passersby.

We should take into consideration other factors though, and not just UK law…

For example, if it happens that some actions would make OSM use illegal in whole of USA (or whole of EU), it should be weighted quite seriously, even if it happens to be legal in UK.
Yet, if it makes it illegal just in North Korea, it is probably much less of an issue. (and I don’t know if OSM use is legal in North Korea as it is)

Regardless, IANAL (and especially not an UK lawyer), but quick search would seem to indicate to me (as a layman) that there is high risk of publishing passwords without explicit owner permissions even under UK law.

Depends on what you mean by “stopped”, but there are prominent notices about those legal issues on those wiki pages like Key:military - OpenStreetMap Wiki

Well, you can do statistical analyses even without publishing a peer-reviewed academic paper, but fine. I was more trying to point out that existence of outliers should not be taken to refute the vast majority of the cases. (as the saying goes, “exception proves the rule”. IOW, the sides of bell curve do not have nearly the same weight as the bulk of it)

Even if we go by personal experiences, in my experience (mostly central EU), it is predominant case that cafes/hotels/etc. don’t advertise their WiFi password on outside doors or their web / facebook / etc. pages for everyone to use. In fact, majority of owner goes to extra trouble to periodically change the passwords to discourage sharing / publicizing / reusing indefinite access to WiFi resources for anyone not being current customer.

Is your experience in your region opposite to mine? (i.e. do you claim that majority of cafes / hotels / etc. publish their WiFi passwords on outside doors / web&facebook pages etc. for everyone to see and use, and that only a minority disclose it only to their customers / people entering their premises)?

Or are those “free for all” cafe/hotel WiFis still a minority even in regions you frequent @Friendly_Ghost ?

Good question. I’d wager “yes, but only in very limited number of situations” - like the examples given by @Friendly_Ghost where WiFi network is protected by password, but the password is publicly posted for everyone (not just paying customers) to use.

Then it would be internet_access:fee=no + internet_access:password=yes (which is different than internet_access:fee=no + internet_access:password=no for classic open-network, as without the knowledge of the password you won’t be able to use it, and if the password is published say only on facebook, you’d need internet to get access to the internet, a Catch-22 situation)