Yes - the use of the WiFi is intended for customers/visitors (this is implied by having the password indoors, not visible to the public passing by): Computer Misuse Act 1990
2 Likes
I got forwarded to this thread from the wiki Key:internet access:password: Revision history - OpenStreetMap Wiki
This wiki change did not represent the world like it is. And OSM is just representing the world.
I am a person who configure such WLAN networks for the public internet access. The implementations at server side are complete mess many times.
Here a example. The back end of one WLAN implementation did not get any updates since about 8 years. But the laws in the country have changed since then and for years there is no captive page required by law. To summarize it simplified: It can configure in this implementation two options. One of it is ‘nopassword+captive-page’ and the other one is ‘password+no-captive-page’
The CEO of the place want the wifi to be ‘nopassword+no-captive-page’. Why? Because IoT-devices that have no browser to show captive page for just displaying the weather forecast should be connected to the same public WLAN and put all over the place on the wall. Why the public WLAN? Because it have full coverage at the area and the private WLAN with normal free configurable WLAN-hardware is just available in the CEO-office. Of course some standalone weather forecast devices are not privacy relevant. So if they get hacked from a person in the public wifi it does not matter. There is no private data on them.
But ‘nopassword+no-captive-page’ is impossible to configure. The WLAN-company that have developed the WLAN implementation does not exist any more. The WLAN implementation is not Open Source.
So either the CEO have to
- Spend few thousand Euro to let someone rewrite the whole software
- Spend few thousand Euro to order from a new company everything new (and produce huge amount of e-waste)
- Let me configure ‘password+no-captive-page’ and tell me to print out the password 100 times and stick it everywhere outside and inside the building
I think you are not surprised to know that number 3 have been chosen because the additional cost for the company was compared to the option 1 and 2 at about 0 Euro.
I sticked it also right at the main door where every customer enter the building. Next to the information with the opening hours. And i can not imagine OSM-mapping people would name this WLAN password private. I get told from the CEO that it should not be private. It should be as public available as possible. Its now as public as the opening hours at the main door.
How should i map such things now after the newly wiki change?
The poll at the beginning of this thread @Matija_Nalis created does not explain any background of real world implementations. Its also sort of sarcastic to lead some people into choosing what @Matija_Nalis wants them to choose by writing “always put […] passwords in OSM, why not”.
Its not always. And nearly all people have learned that passwords have to be kept private. So of course the poll result looks now like it does. Just a tiny fraction of people have ever met such a place with public wifi where the password have been shared fully public and is not private.
Great! I fully confirm this.
And to give deeper information about this:
For higher clouded public wifi networks without encryption people often order from aliexpress a ESP8266 wifi jammer. There you can whitelist your own MAC address and say to jam (force deauthentication) for all other public wifi clients. This have the result that the jamming person is at the end the only possible user of the wifi network and have full download speed.
Turning on WPA3 enables the frame-encryption of the packages. The deauthentication frames are then encrypted. Those aliexpress ESP8266 jammer does not support jamming WPA3 networks with known passwords.
How can i map the world like it is instead of how @Matija_Nalis wants it to be after the Wiki change?
1 Like
Well, you can map it just like you did before you become aware of the wiki change. OSM does not have “forbidden tags”, see ATYL policy.
That wiki change just documents potential issues, so people can look up the references (like you did) and make an informed decision for themselves.
Its also sort of sarcastic to lead some people into choosing what @Matija_Nalis wants them to choose by writing “always put […] passwords in OSM, why not”.
Its not always
Well, the poll had three options: “never”, “always”, and “sometimes”. If it is not always and not never, then it is sometimes (called “It’s complicated” in the poll; if you don’t object to the wording there too). Poll is still open, so feel free to choose that option if you didn’t yet.
2 Likes
I voted “It’s complicated” based on this guidance of “it’s complicated” = “sometimes”, so I’ll leave a comment, but also I would like to comment that I don’t think it’s complicated at all:
If the password is private, then don’t add it. If it’s not, feel free to add it.
Around here in Ontario, most coffee shops’ customer wifi password is on public view visible to anyone who walks in. That isn’t private or a secret in any meaningful way.
Some would only give it out printed on the receipt after you pay for something, or if you ask. I would suggest not adding those to OSM.
I looked at internet_access:password | Keys | OpenStreetMap Taginfo and I see there:
- most common value is
bicicletabikepoawhich is tagged on bikeshare stations in Porto Alegre which apparently also serve as wifi stations. That’s not a secret nor private, that’s a technical implementation detail. - other common values are
12345678,1234567890, andfreewifi. I sincerely doubt those are meant to be a secret. - another pattern is using the establishment’s name (1, 2, 3, 4) or phone number (1, 2, 3) as the password - these are not used by anyone worried about people guessing the password and getting free wifi
In my experience coffee shop passwords change far less frequently than opening_hours. Just yesterday I connected to a network with password Espresso2019.
(I personally don’t add wifi passwords to OSM, but I see no reason not to.)
2 Likes
The wording in the wiki page as modified by @Matija_Nalis reads really draconian to me:
Please do not use this (or any other) tag to specify verbatim WiFi passwords used to connect to the network!
It is generally frowned upon to publish private information (such as passwords) in OSM.
There might perhaps be exceptional circumstances where:
- the owner has given you written, perpetual, royalty-free, sublicensable, transferable, non-revocable permission to publish the password for the whole world to see, or
- you are the owner who wishes everybody to use it and you are sure that it does not break ToS of your ISP or any other contractual obligation or legislation
where it might be permissible to publicly publish verbatim passwords, but note that it is still not a good idea to publish them in OSM, as it is (at the very least) frowned upon. See limitations on mapping private information and community discussion on the subject
What happened here?
The common use case for this tag is to specify a cafe’s or restaurant’s public guest wifi password (or, in the case of Porto Alegre mentioned in my post above, a public wifi system’s “password”), but the wiki page reads like we’re publishing people’s dates of birth.
Should we expect to have a poll on whether phone=* is bad because someone might use it to tag a person’s phone number which is personally identifiable information?
By all means let’s add a note not to document people’s actually private networks, but let’s also acknowledge the actual use: overpass turbo of "internet_access:password"=* and "internet_access:password"!=no and "internet_access:password"!=yes and "internet_access:password"!=ask global is basically all public-facing: restaurants, cafes, hotels, or outright public internet
1 Like
Two points about this:
- When written with the words in the wiki like you wrote them there, this did not encourage the people to do it like they did it before. Mostly only people who do not care about how it should be done use things the opposite way then described in the wiki. And that are in general not people who try to make things perfect and at the end we have a bad quality map or a edit war between people.
- There are endless amount of people who would read the OSM wiki and then delete things that are ‘wrong’.
Yes, perfect. Whole discussion done.
Yes, i can confirm this. I also find it somehow funny why companies decide to use years in their wifi passwords but from the start on never planned to change the password any time later. And no, its mostly not the year of the first opening from the place they want to celebrate but the year of the WLAN setup.
That is reason why i spend time writing all that here.
But it is. There is enormous difference between visibility of a password inside a coffee shop (available to few hundred or thousands of the locals) and a worldwide global digital publishing of passwords (available to dozen billions of people and AIs).
Just like there is no problem of people putting their personal names on their postboxes or intercoms, but putting those same personal names on houses in OSM is a big no-no.
So, IMHO:
-
one definitively shouldn’t put password that is visible only inside cafe or hostel or whatever!
-
I wouldn’t even put it if it is available only on the outside door (see previous discussions why).
-
I would say it is only OK to put in OSM if the establishment also publishes it publicly on their worldwide available webpage of public Facebook profile or similar, or authorizes you in email etc.
If they don’t do any of that, it means that they most likely do NOT want whole world to have digital access to that information, but only locals.
Only problem is that Privacy is not a boolean always/never; it is a spectrum. E.g. one might be fine with their extended family and doctors know about their illness, but not want whole world (or even just whole city) to know. Or for some things you may want only your wife to know, and not even extended family. Or personal names - one might be fine with using their real name in this forum, but would object to being doxxed. Or the mentioned date of birth you might easily give to your friend (and even invite them to the birthday party!), but you might not want it to be available globally on the Internet tied to your name. etc.
Yes, that was kind of the point, to discourage it generally (given the most prevalent “never” answer in the poll).
I did include wording that is might sometimes be OK in some situations, and gave few examples of such extraordinary circumstances, and pointed people to where they can find more information.
I’ve expanded that examples now and tried to clarify a little more that there are (very rare) cases where it might be OK - let me know if you find it better, or how would you improve it, while keeping in with that general consensus of discouraging.
Well, the wiki does explain when the password might be OK, so removing it in those cases is not OK, so you should contact the user and revert the deletions.
I’d suggest using source:internet_access:password=* to indicate source of that password (e.g. “visible inside a cafe”, “visible on the outside doors”, “published on www.example.com”, “authorized by the owner on 2024-09-23” etc.) if you record verbatim password; which should give extra reason to keep (or remove, as the case might be) those passwords.
That is because it was not intended to be “funny”, but the intention was to change it periodically (to prevent people knowing using the old password, for all the reasons mentioned earlier in the discussion), but the person responsible for that change went away or forgot before transferring the knowledge how to do it their successors. So, as nothing broke, people didn’t notice they need to change it even if they absolutely wanted to.
Kind of like the situation where people do not apply security updates regularly unless there is a popup nagging them, even when they almost always absolutely want to keep their computer secure (instead of getting “hacked” and blackmailed).
5 Likes
We do not need a poll there, as phone=* wiki page already states that you should not publish personal phone numbers.
Difference in visibility of warning in those two wiki pages is that:
-
vast majority of
phone=*numbers in OSM are publicly published phone numbers by owners (on their websites, public facebook pages etc.) thus indicating it is intended to be available globally worldwide in digital form -
While in case of the publishing passwords it is absolutely tiny minority which publicly publishes their passwords on their websites/facebook pages indicating that vast majority of them do not want those passwords available globally worldwide in digital form
IMO, people have a much higher expectation of privacy than businesses that by design serve the public.
I wouldn’t add the password of the network of an office=company, even if it was visible to non-employees in the entrance lobby. But a cafe wifi is not like a person’s name.
Yes, of course. But having your business name as the wifi password is IMHO very far on the “public” end of the privacy spectrum.
What source:access:password value would you suggest for the bikeshare stations in Porto Alegre?
Or because they thought they needed a number in the password.
Hm, well… Vast majority of phone=* values here in Ontario are from businesses posting it on their storefront signs. Many of these businesses don’t have any “publishing” of their own, other than the signs. Do you suggest we should be adding source:phone=* to POIs like Node: AQ Barber & Hairstylist (6493349393) | OpenStreetMap ? Or asking businesses if they would give an written, perpetual, royalty-free, sublicensable, transferable, non-revocable permission to publish their phone number for the whole world to see?
2 Likes
Have you talked with the owners of such businesses? Not with the person who serves you but the owner/CEO of the place. I do this the whole time in such setups because its regular in the job to setup such things.
And their answer is simple: The Wifi should work. Its not working now. Please fix it. Some times i replace capacitors inside the Wifi routers in 5 Minutes and its fixed in extreme cost efficient way or some broken configuration after they changed the ISP for a cheaper one or things like that.
The question about why the public password looks like how it looks gets answered from the operators that make the wifi password public: I do not care how it looks like, its public. What i print out on paper and make public visible for all people i do not care.
Then i explain them that the minimum password length is 8 characters by design and explain in few seconds why its beneficial from the service point of view to take the lowest possible length to avoid customers making errors while typing it in their phones and bothering then the service with this topic. CEO is happy to know that because that is what the CEO care about. The place should run as cost effective as possible. Having to do less things for the service is better because otherwise they have to hire additional people and this is bad for profit.
And now the main relevant legal point of view because like i said i do this for work and have to know it : Its the accessibility to the password. In technical osm words: Key:access - OpenStreetMap Wiki set to access=yes.
You are making things public. The same like opening hours of the place. What do you thing the judge would say when you comply in court about such a situation? The answer is simple: You made it public so its public available. The access to the password is not restricted to anyone because everyone is allowed to walk into and look. The place is not blocking a single person from walking into it. So the information there is public like the opening hours. Its visible from outside like your advertisements about your recent menu.
You mix things up. Facebook is not by default public. The pages are often only available to Facebook users. This is different ‘public’ thing then the general public. For more simple understanding again a OSM example: access=facebook is not access=yes.
A public place where you are free to walk in is public by legal definition in about all countries in this world.
A general though: the password is only useful if you are physically close to the hotspot. And if you’re physically close to the hotspot, you can easily find the password anyway? (Assuming it isn’t intended to be secret.)
So while I don’t see anything horribly wrong with recording public/signed passwords in OSM, I don’t really see the benefit either?
This is the exact opposite of a phone number, which you’d typically need when you aren’t physically at the business
1 Like
Incidentally though, that’s one of the reasons why I don’t think recording the password in a “worldwide global digital [database] available to dozen billions of people and AIs” (per Matija) is a big problem either, and doesn’t warrant the scary warnings currently in the wiki page.
So a dozen billion people and AIs know that a wifi network that can be reached within 15 m of a specific spot in one place on earth has password “freewifi”? Wow, next thing they might find out there’s a restaurant there – someone mapped it – without checking if it has a Facebook page!
1 Like
This discussion is getting out of hand. The simple question was, should we record the Wifi password, and the response is a clear no. If a place wants their Wifi to be open to everyone they can simply not set a password; if they do set a password, that is a clear sign that they intend to retain some control over Wifi access (maybe by altering the password and deciding whom they show it, whatever). We should respect that.
8 Likes
If you don’t set a password the traffic goes unencrypted on the network level, so some people may prefer to set a password (and let everyone else know about it) rather than setting no encryption at all
3 Likes
While that is technically true, I extremely doubt that majority of cafe owners are so well versed in 802.11 technical implementation details that it would affect their choice there.
So for vast majority of cafe owners and such, they set a wifi password to restrict access (as for why they may want to do that has been mentioned several times before). And yes, there are few exceptions, but they are the minority.
2 Likes
At least i use OSM for planing trips. I like to be able to plan as detailed as possible. And this include adding SSID and password already to my configuration. When i am at the destination, i just turn on my device and its just connected. I can do then for what i am at the place instead of having to type from a paper a password and having to do something else then what i am there for. Also i am not a fan of analog information. You can not copy it by marking it.
No, its not. Its just a normal discussion where people name their points and deliver facts about the discussion point.
Wtf! I really do not like when points that i named are just kept ignored. You can not just ignore parts of a discussion when you want to be part of a discussion.
@woodpeck You have to add this information to the basics of what you are telling and not just ignore it. You know how discussions between humans work, right?
I can confirm this. None of the cafe owners i talked with did know that.
But what is your point? Cafe owners knowing this wont be cafe owners calling someone like me to fix/setup their network. When they know that much about networking, then they would just configure their network on their own and in case of problems they have the knowledge of fixing their problems on their own.
Yep, so just do not write in the wiki that none of the people are allowed to do that. You say majority . So you already expect that there would be at least one single person in the world who would like to setup it the way to make the password public in OSM. So represent this option in the wiki.
And you are always talking about cafe. Yes, this is most common place. But what about other places that are extreme tech savvy? Places where maybe some of the designers of the 802.11 protocol are spending their free time in? Like List of active Hacker Spaces - HackerspaceWiki ? Of course they know the benefits of such a WPA3 based setup because they designed the specifications. Those places are in general also access=yes.
Even the idea of a designer of 802.11 protocol could be to make the password public in OSM to see if everyone is able to connect to a wifi in such a place because the designer of the 802.11 device/protocol would like to try out something in the software/hardware/protocol implementation and can not buy the about over 100000 available different wifi devices that are out there on the market.
Why are people here like @Matija_Nalis and @woodpeck trying to tell how the world should look like instead of accepting it just like how it is and representing that in OSM map data?
I am not telling anyone how the world should look like. They can put their passwords out on posters if they want. I am just saying, let’s not publish these passwords in OSM because it feels wrong to me. You say you would like to have access to this information for your extremely detailed trip planning, and I understand that you would like to have it, but I think you will just have to live with this information not being in OSM. (Just like it would not make much sense to record how much a cup of coffee costs at the place - even if someone with a very detailed trip planning habit would like to have the correct coins already available.)
1 Like
I think that i have to get to your feelings now because its not wrong to do so by fact (legal and OSM definition wise).
Maybe this example helps for your feelings:
You seem to be a more active person in OSM. So OSM seem to be something you love (using extra feelings related words). That is why when your friends (friends are in general also feelings related) visit you in your fresh opened coffee shop you spend the last two months painting the walls and making all the things there looking really nice (also feelings related), you are proud (also feelings related) to provide them from now on the password to your guest WiFi network over a OSM-Link. They have to visit and look at OSM data to get that password. This would be the only way you provide all of your guests the password. When everyone who visit you at your coffee shop have to open the OSM map on their devices, this would bring you joy and a smile on your face (also feelings related). You also thought about Steve, this one guy who’s phone broke yesterday when you was together in a pub drinking (also feelings related) and now he is walking around with his notebook that do not have mobile data. You have a computer at your place Steve where also can open up the OSM website and look up the WiFi password to enter in his notebook. This computer you connected to a projector to show pictures to all of your friends that visit you this day at your new opened coffee shop and then you plan to sing some karaoke later (also feelings related).
And now the breaking point: Someone on the Internet forbid you to do how you planned. Someone on the internet forbids you to put your WiFi password in OSM. But you say: I want to make this public only on OSM. I love OSM. I spend so much time on OSM data. I spend so much time on OSM community. I want that everything that is public is also on OSM. Everyone should use OSM instead of other maps. You even hang up OSM maps in this coffee on the walls and you smile every time when you show to the people what parts of the map you have done work on.
Did this fully made up example based on just feelings now finally changed up your mind? Have you now other feelings about that?
I wrote this here in this way, because feelings does not make sense when we are talking about facts. I can just hope that this make sense now to people that are more feelings related.
You were unable to convince me that publishing passwords on OSM is a good course of action. Your reasons for doing so seem contrived to me; you might feel better on a trip if you know the password of the WiFi in advance but I think the danger of acting against the owner’s wish and enabling the abuse of their infrastructure is more relevant than an individual’s edge use case. In fact it seems to me that you’re unable to accept that you are in a minority here - you desperately want to debate someone but there’s nothing to debate.
My doubts against publishing passwords could be lifted by an - ideally written - confirmation of the owner/operator of the WiFi network that says “I agree to this password being published on the Internet, visible to everyone.” But this would be on a case-by-case basis; you won’t be able to convince me that somehow it would be good for OSM to publish all passwords that are visible to customers.
3 Likes
but deciding on what we are mapping and how we represent it in OSM data is a decision
for example there is broad agreement that mapping private swimming pools in OSM is fine
and there is broad agreement that mapping income of households and names of residents is not fine
the question is whether WIFI passwords are closer to first or second category, and it is not exactly the same as accepting world as it is
(or to be more exact, where on gradient of “it is 100% fine” to “you will be banned for persistently doing this” it falls, likely it is somewhere in between these two)
2 Likes