Accepting the Terms of Use

This entire document is a long way to ask the question Should there be a page on the OpenStreetMap website that has an "I accept the Terms of Use" checkbox, which can be visited by users who haven't yet indicated that they accept the Terms of Use? Unfortunately this question can't be answered to everyone's agreement for months. Notice that this is a simpler question compared to Should all users be forced to accept the ToU?, because you can't force anyone to accept the ToU if there's no mechanism to accept the ToU.

The Request from EWG

It's still not clear what is supposed to be done about GDPR. The smaller part of it is "to make accepting the terms of use a requirement", which is a quote from the EWG, the thing that they want to happen next. The obvious two questions about it are:

A requirement for what?
How this requirement is supposed to manifest itself?

Possible answers to question 1 are:

to log in to the osm website
to do anything on the website that requires login
to do some things that don't yet require login by making them first require login
(probably other options, we don't care about the details of question 1 here, they are mostly addressed by GDPR Position Paper)

Doing any of this requires an answer to question 2 because you won't be able to fulfill the requirement otherwise. An answer to question 2 is likely that there should be a webpage that you can either voluntarily visit or you are force-redirected to when you try to log in. That webpage probably has a link to the terms of use and a checkbox that says "I'm accepting the ToU". You tick that checkbox, click the submit button and you've fulfilled the requirement. Or at least it seemed to be the plan when this pull request was made in 2018.

That pull request changed the new account registration page, or actually one of the pages because you had to complete two pages. One of the pages showed you the contributor terms and had a checkbox "I have read and agree to the above contributor terms". The pull request added a similar checkbox for the ToU: "I have read and agree to the Terms of Use", which you had to tick in order to create an account (see the first screenshot below). So it was considered that after the pull request was merged, all newly created accounts had agreed to the ToU, but older accounts had not, hence the requirement. Making the ToU acceptance mandatory for older accounts was supposed to happen later, before other restrictions go into force.

But things have changed since. There was a redesign of the sign-up flow that removed the "I agree" checkboxes from new account registration pages, and removed the terms page, replacing it with links to terms. So now new users don't have to tick any checkboxes to accept the ToU. All they have to do is to click the Sign Up button that has the following text above: "By signing up, you agree to our Terms of Use, privacy policy and contributor terms." Does it mean that old accounts also don't need checkboxes, and if they don't, what do they need for the requirement?

However the terms page is not completely gone. It is still shown to even older accounts, those that predate the 2012 license change and haven't accepted the contributor terms. The terms page still has the two checkboxes for CT/ToU, and those users have to tick them in order to get write access to osm. So the situation currently looks like this for those who haven't accepted the terms:

pre-2012 accounts: have to tick the two terms checkboxes and click Continue:
post-2018 accounts: no checkboxes, have to click a button:
2012-2018 accounts: no requirements, and this is what's supposed to change

The easiest thing to do is still to use the same terms page as for pre-2012 accounts and lead to it those who haven't accepted the ToU, make them tick the checkbox and click continue. That's what I tried to do in this pull request. But turns out there's a completely different opinion coming from the OWG members: [OWG 1] [OWG 2]. Their logic seems to be this:

Terms of Use don't cover just the osm website, but rather all "services officially operated and provided by the OSMF". If you're not even using the website, how are you going to accept the terms by ticking a checkbox? Where's the checkbox on a tile server? It doesn't exist.
Instead of using a checkbox or a button you agree to the ToU by continuing to use the services. That's what the ToU already says.

By this logic active 2012-2018 accounts have already accepted the terms and fulfilled the requirement. Inactive accounts will fulfill the requirement as soon as they become active, which is going to happen if they do anything that could be the answer to question 1. Great, we don't need to do anything about the GDPR! But that seems to be not what the EWG wants. Also it's not what a former LWG member who happened to write the 2018 pull request wants.

What does the EWG want? Currently they want what's written in Make OSM comply with the GDPR project description. It includes the phrase "all users will be required to accept the Terms of Service" (emphasis mine). So currently the users are not required to accept the terms but they should be, in contrast with the OWG opinion where the users have already accepted the terms. The project description also refers to:

GDPR Position Paper which says "the contributors will need to be logged on and have agreed to a set of ToU", without saying how exactly the agreement is supposed to happen. Note "will need" here.
list of affected services, which has a 2x2 table at the beginning, containing a claim that ToU being "not accepted/unknown" is "the standard case for access through the web interface by a non-logged in user". This claim implies that accessing the website doesn't make you implicitly accept the terms.

Here's the 2x2 table from list of affected services:

	ToU accepted	ToU not accepted/unknown
logged in	frequent case: This will be the standard case for access by logged-in users through the web interface once all users have accepted the ToU.	rare case: For a transition period, there will be old user accounts that have not yet accepted the ToU. These would not be given access to "sensitive" material.
not logged in	rare case: If, at some point, we offer some kind of API access with an API key where registration of the API key requires accepting the ToU, then even non-logged-in accesses that come with an API key would be given access to "sensitive" material.	frequent case: This is the standard case for access through the web interface by a non-logged in user.

This table wasn't produced by the LWG, unlike GDPR Position Paper. In fact it was added by a DWG member. Note that the entire not accepted column is impossible under the OWG interpretation. Looks like most parties disagree with the OWG on this and users have to do at least something to accept the ToU.

The version of the OWG interpretation that is more compatible with other interpretations would contain only the frequent case cells in the table above. This is going to happen if we equate the ToU acceptance not with any use of osm services but with authorized use. You are logged in, we know you accepted the ToU. You are not logged in, we don't know if you accepted the ToU. Anything that supposed to be hidden from those who didn't accept the ToU (mostly metadata) will be hidden from those who are not logged in. But it will be shown once they log in, no matter what checkboxes they have previously checked. Under this interpretation we don't need any checkboxes or anything else "to make accepting the terms of use a requirement". The 2018 pull request was mostly useless in this case.

Yet another interpretation of [OWG 2] is that it talks about changes to the existing terms while I'm saying that going from no terms to some terms is also a change. Whatever the meaning of that comment is, the pull request is not getting merged since February. For it (or any other pull request) to get merged, an osm-website maintainer has to be convinced that this is the way to go. This maintainer also can't be the person who wrote the pull request.

The Question to LWG

Now the actual question to the LWG: What do we do next about the GDPR-related changes? How are the users supposed to indicate that they accept the Terms of Use? The options are:

Do nothing because the entire job was done just by writing about continued use in the ToU. Users indicate their acceptance of the ToU by continuing to use osm services. In this case the most likely further development is that instead of checking ToU acceptance we'll be checking if the user is logged in / authorized. Or maybe we won't have to make any changes at all, but this is unlikely.
Display a banner on the website that says that from now on if you continue to use the osm services, you're agreeing to the ToU. The problem is, if you don't visit the website and keep editing osm data using some app, you won't see the banner.
Send an email to every active user that says that from now on if you continue to use the osm services, you're agreeing to the ToU. Someone will have to write the email in this case, and maybe prepare the translated versions with some threshold of available translations before the plan can be executed. (Same could be true for the banner option, but the banner is likely to be shorter and thus easier to translate.)
Let the users accept the ToU using a checkbox, as done in my pull request. In this case we need to convince another osm-website maintainer to merge the pull request, which is probably achievable by a LWG member going there and commenting. (Actually forcing the users to tick the checkbox may happen later, and we may want it to happen later because of translations. That's unlike the email option where the translations are better be done before sending anything.)
Let the users visit some other kind of terms page without a checkbox but with something that tells about the terms, and count the page visit as accepting the terms. Or maybe place a button there and count pressing the button. This is if we want accepting the ToU for 2012-2018 accounts to be similar to the current sign-up flow.
Postpone answering question 2 and proceed with implementing the GDPR restrictions with some configurable settings. The settings would allow to decide if/when the restrictions are enabled. This is what I'd like to do anyway and have already started, but there's a common objection that it makes things more complicated, whereas a hard requirement to tick the checkbox on login is seen as a simpler solution. That simpler solution requires answering question 2 first by going with another option.

Timeline since 2018

2018-04-17: The LWG publishes GDPR Position Paper. It recommends to "Add Terms of Use for the API and website for logged in users that covers the privacy aspects" and to "Confirm consent to privacy terms and new ToU for existing users", but doesn't say how this consent confirmation should be implemented.

2018-05-02: The GDPR/Affected Services wiki page is created by Frederik Ramm. Next day mmd joins, and they stay as the main editors of that page. The page is still serves as the main technical reference on possible GDPR-related changes. mmd is the main contributor to CGImap, an osm api service run in parallel with the osm-website. CGImap is also going to be affected by the GDPR changes.

2018-05-04: Geofabrik, Frederik Ramm's company known for providing osm data extracts, makes downloads with metadata accessible only to users who are logged in to their osm account.

2018-10-20: Simon Poole, the LWG Chair at the time [1] [2], opens the pull request to add ToU links and checkboxes to the terms page. The terms page was part of the new account registration flow.

2019-05-19: Tom Hughes, the long-time osm-website maintainer, merges the pull request.

2020-10: Simon Poole leaves the LWG which may affect the LWG's views on ToU acceptance.

2023-07-31: Microsoft developers, working on now-abandoned MapBuilder, propose to simplify sign-up screens. The proposal includes removing the terms page with CT/ToU checkboxes, replacing it with a link to the text of the terms "with a note that setting up the account implicitly assumes that user agreed to the terms".

2023-09-11: The LWG seems to be fine with "By signing up, you agree to our terms of use and the OpenStreetMap Foundation’s Contributor Terms", removing the checkboxes.

2024-01-03: A Microsoft developer opens a pull request to "Merge Signup screen and Terms screen during signup process" and "Use links to Contributor terms and Terms of use instead of in-place edit box". Note also that "Terms screen used for accepting the new terms left unchanged", this is for pre-2012 users who didn't accept the CT back then. They still get to see the terms checkboxes.

2024-01-07: The EWG publishes a proposal for the GDPR project, but notes that "the exact deliverable is still quite unclear".

2024-05-06: Tom Hughes merges the Microsoft pull request.

2024-05-24: During their discussion of the GDPR project, the EWG notes that "There is a box to tick, at least from new users", supposedly in response to the question from the LWG "whether [it's possible to] confirm that ever user has seen and accepted the Terms of Use". However by this time the box was gone, as a part of the Microsoft pull request, which the LWG agreed to. Old users still can't access the box, unless they are pre-2012 users who didn't agree to 2012 CT.

2024-07-08: According to LWG Minutes The EWG have updated GDPR/Affected_Services and would like to ask for bids to implement it. Note that the GDPR/Affected Services page was still mostly edited by Frederik Ramm and mmd. The entire EWG update is here, it mostly marks some items as "done".

Answer to the question asked on 2024-05-24

Here's a quote from EWG Minutes, with typos:

The LWG has responded that they are asking an expert to look at the details, but the plan in general appears solid. The have asked the EWG whether it can confirm that ever user has seen and accepted the Terms of Use.

There is a box to tick, at least from new users. The EWG has to check whether the consent is recorded in the database, i.e we have preponderance of evidence who has agreed to the Terms of Use. Andrew volunteers to give that feedback to LWG and tell them that we wait for the legal advice they have seeked out.

The question probably was:

The (= they = the LWG) have asked the EWG whether it can confirm that ever (= every) user has seen and accepted the Terms of Use.

The answer to this question is NO for the current situation. User accounts registered prior to 2019-05-19 that have already accepted the Contributor Terms can't visit the Terms page again and indicate their agreement with the Terms of Use. There's nothing else on the website that's going to tell them about the ToU. Some of those users may genuinely know nothing about the ToU.

Now to address the EWG response:

The EWG has to check whether the consent is recorded in the database

The consent is recorded, for those who create their account after 2019-05-19, and for those few that still haven't accepted the CT, should they choose to accept them.

There is a box to tick

Only for those who didn't accept the CT. New accounts indicate their acceptance by clicking Sing Up.