Opinions on internet_access:password=*?

I map only “privacy sensitive” information which has been actively published by the operator/owner (flyer, receipt, website, social media, …) or can be easily guessed from internet searches. So it is already publicly known.

Information, such as passwords for internet_access:fee=customers or other services which are restricted to defined person groups or provide any kind of financial benefit at the end, should never be published in OSM, even if you find it somewhere on the internet.

At least for the situation in Germany, it is not a break-in if you lock the front door and hang the key on a nail beside it, so that everyone can see it and “break in” with it.
Same applies to wireless networks.

So WLAN passwords can be added to OSM, but as an informed personal decision and not with newbie apps like StreetComplete. This option is missing in the poll.

There is really a lot of broken/limited hardware out there! So maybe someone thinks that turning on encryption makes sniffing a bit harder, or non-technical business people think that WLAN encryption is a replacement for turning on e.g. client isolation, if supported.

2 Likes

Well, I was never there so I don’t know, it depends on where you acquired that password. E.g.

  • if it is written on bikeshare station itself, add source:internet_access:password=written on bikeshare station table, or
  • if you have to call a phone number and they tell you the password, then source:internet_access:password=you have to call their customer center phone at +xxxxx and they'll tell you the password, or
  • if it is only available in official app after you login into it, then say source:internet_access:password=only shown in official mobile phone app after authorization when you click on a station on the map, etc.
    It is a simple human-readable text, no special format.

no, because there is no majority opinion that phone=* should not be published, so it is not important that people who do publish it try to defend why they think they should put that tag in against community consensus.

Yes, they are sometimes not public, which is why I tried to clarify it by saying “public Facebook profile or similar” (by which I meant “that subset of Facebook profiles which are public”). And that was just a random popular example; it could be a public Mastodon account or whatever other internet service published by the owner which is available to the public globally without restrictions.


To summarize - republishing in OSM:

  • Password published on website and public social media by the owner sounds fine probably (and is listed on a wiki as being one of acceptable exceptions).
  • Passwords on flyers (which are analog and local and limited quantity) are not a good idea for re-publishing globally and digitally; they were not intended for that for all the reasons mentioned before (if they were, the owner would also do the above public global digital publishing if they have one).
  • Password on receipt is an absolute no-no, and people who might think it is fine to publish those globally are the main reason for that strong wording on the wiki discouraging using verbatim passwords.
    A receipt is intended for the customer, as is the password there as a reward for paying (otherwise, the password would be shown to you on the entry door and website and social, and not only on the receipt). It is certainly not intended to be shared with everyone in 99.9% of the cases! When your bank sends you a PIN for a debit card, it is not “public information” just because it was printed on paper and given to one person!

or can be easily guessed from internet searches. So it is already publicly known.

FYI, building a database of “publicly known” information about a subject and intentionally releasing such a compilation of data is a practice known as doxxing, and is generally not viewed in the most positive light. Just because it can be done, does not mean it should be done. Just sayin’.

What, really? :open_mouth: [Citation needed]. And if you leave an unlocked bicycle (or locked with a key in a bag), it is not stealing if someone takes it? How about if you leave a car for a minute with a key in the ignition and without locked doors (e.g. at a fuel station), are those cars also free for the taking without legal consequences?

This option is not “missing”, but is clearly covered by “It’s complicated” (as it is not “Always” and not “Never”). Which only got 8% of the votes (even after all the arguments and effort to convince the people to change their vote)

I’ve given up on this thread, but —

That very page disagrees with your claim regarding “publicly known” information:

“The aggregation and provision of previously published material is generally legal, though it may be subject to laws concerning stalking and intimidation.”

Also the first sentence: “Doxing or doxxing is the act of publicly providing personally identifiable information about an individual or organization…” but an SSID/password of the kind we’re discussing here (the examples I gave of business name or phone number or “Espresso2019” used as the password) is not PII.

You got your community consensus, congrats – no need to accuse other editors of supporting crimes.

Nobody is accusing anyone of crimes; that doxxing aside was intended as an analogy to debunk the idea that (paraphrasing) “because some information can be found / is publicly known, it is allowed (and a good idea) to do whatever you want with that information” by giving a relatively well-known example to the contrary.

My apologies if that was misunderstood as a personal attack and/or allegations of crime-doing; that was certainly not my intention. :heart:

1 Like

Found some private information! All it took was a walk down my main street. The shop’s operator is very concerned about keeping it for customers only :slight_smile:

Now for the legal experts in this thread… did I dox them by posting this picture on the internet without asking for a written, perpetual, royalty-free, sublicensable, transferable, non-revocable permission to publish the password for the whole world to see?

1 Like

no

next question please

(note that no one claimed that posting photos of shops would be doxxing - doxxing would apply if you would, say, start posting where the shop owner lives and where their children go to school etc.)

Doxing - Wikipedia may not be great, but it should improve your knowledge of what this term means

Well since you asked…

What other kinds of publicly visible, verifiable data about customer-facing businesses do we consider unsuitable for OSM on privacy grounds?

(I do know about things like people’s names on residential mailboxes in Germany, these aren’t businesses)

Right, sorry, I misinterpreted Matija’s mention “building a database of “publicly known” information about a subject and intentionally releasing such a compilation of data is a practice known as doxxing” - I missed that it probably refers to “subject” as in a person. I’m not entirely sure why they brought it up in the topic about tagging businesses, but that’s still my bad.

Exactly. Great example for a second thing that is public. This place everyone can enter at any time can then be mapped open 24/7 and access=yes. The door is accessible from a public place and the key can also be used by anyone from the same public place. So it’s public.

I am against mapping private swimming pools in OSM when you can’t see them from outside but only on, for example, satellite or drone pictures. Mapping such things is creepy. When the people create high walls you can’t look through, then do you think they want you to then circumvent those protective things with a satellite or a drone to still get that information?

What the heck? Can’t you make the most basic comparison every typical person can do? The WiFi of a cafe is not private. There is no personal information about a person. Just information about a thing (the wifi router). Not a person. You are talking about money. Money is not a public thing. There is nearly no existing money with access=yes (the coin on the street maybe, but until you mapped it, someone would have already taken it). And I hope you understand it now. Money with access=yes would be money you can take. WiFi in a place with access=yes is not something you can take home with you.

Do you have ANY legal experience in your life? From the legal point of view it’s exactly the opposite everywhere in the world. The internet is not the most access=yes thing in the world like you probably think. You often have to pay for internet at your home, for example. Or on public wifi there is a captcha page that from the legal point of view creates a contract with you that you should not upload illegal things from this wifi. And so on.
So what is the more access=yes thing than the internet? The normal world! You wake up, go outside and walk somewhere. When you can get there by walking a public street, then this is by far more public than something somewhere on the internet.

I confirm this. But this was never a discussion point here. It’s always: You walk somewhere where it’s public access=yes to walk, and as a fully random person (not customer) you see something. Then what you have seen is public.

This is still a movable thing like the money coin. This is not something you map in OSM. I hope no one here is mapping bikes in OSM, and every time the person puts the bike in a different place, the person creates a new OSM edit with the new place to not forget where the bike has been parked.
But yes, there are community bikes that are unlocked. They have QR codes on them that explain the whole story of the community bike in more detail. But also without visiting the page, it’s written on the bike in as short a form as possible that it’s free to use for everyone.
But why are you talking about this point? It’s fully unrelated to the topic here.

No. Why do you talk about such nonsense that is clear even to 7-year-old children?

This discussion should be closed. We’re not mapping passwords of wifi networks, no matter who comes up with which comparisons and how broken they are. We’re just not doing it. Case closed.

2 Likes

Should this thread be closed?

Threads should never be closed in OSM
Sure, let’s always close threads, why not
It’s complicated (leave comment)

3 Likes

In the end, this is what I wrote before with:

The medium where e.g. the password is published in/on is not relevant.

Here it is:

German Criminal Code (StGB):
Section § 202a - Spying on data

(1) Anyone who, without authorisation, obtains access for himself or another person to data which is not intended for him and which is specially secured against unauthorised access, by overcoming the access security, shall be liable to a custodial sentence not exceeding three years or to a monetary penalty.

(2) Data within the meaning of paragraph 1 are only data that are stored or transmitted electronically, magnetically or otherwise not directly perceptible.

Source: § 202a StGB - Einzelnorm