You are not logged in.

#1 2017-07-03 15:16:54

Petr Kovács
Member
Registered: 2017-07-03
Posts: 3

qos_token cookie

Hello everyone.

Could someone tell me the purpose of the qos_token cookie? I can see it in browser developer tools, it says the cookie comes from the domain openstreetmap.org. My boss wants to know what it does so he can inform our users about their privacy.

Thanks a lot
Petr Kovács

Offline

#2 2017-07-03 15:47:25

hadw
Member
Registered: 2014-09-02
Posts: 1,081

Re: qos_token cookie

I don't see this cookie, however I think there is a serious issue here, OSM is hosted in the EU, and some of the cookies I do see do not seem to be exempt under EU cookie law, and http://wiki.osmfoundation.org/wiki/Priv … cy#Cookies seems to be far from adequate in explaining their use.  In particular, "navigation state" seems to be used as a catch all.

Best practice is to name each cookie and describe its purpose, even if it is technically exempt.

On the other hand, it does look as though OSM is exceptionally free of third party cookies.  Most sites would need to describe many third party cookies.

The privacy page does have a contact address.  I'd suggest using it for this question and also, if you agree, pointing out that the current description of how cookies are used is inadequate.

Offline

#3 2017-07-03 17:55:24

mmd
Member
Registered: 2010-11-06
Posts: 1,772

Re: qos_token cookie

As the name says qos stands for quality of service and is used as a means to rate limit access to tile servers and other services provided by osm.org. It's based on ruby on time passwords, hence no reason for any privacy concerns with this particular one imho.

BTW: this information is publicly available on the osm github repository, in particular the chef repo.

Last edited by mmd (2017-07-03 18:02:35)

Offline

#4 2017-07-03 19:26:42

hadw
Member
Registered: 2014-09-02
Posts: 1,081

Re: qos_token cookie

That comes under the category of helpful or convenient but not essential for operation of the service, so it must, in my view, be specifically documented in the privacy policy for the web site to comply with EU and UK law.  See https://ico.org.uk/for-organisations/gu … hnologies/

Note this also says it is best practice to document essential cookies, as well, and that would generally be understood as giving the specific purpose.

Offline

#5 2017-07-04 09:01:28

Petr Kovács
Member
Registered: 2017-07-03
Posts: 3

Re: qos_token cookie

Thanks mmd for the explanation. I was googling and searching some forums, but I didn't check the github repo. The name was pointing at Quality of Service, which I told my boss, but he wanted to be 100% sure :-). Once again, thank you.

And yes, hadw, I think OSMF should give the information about their cookies in the Privacy Policy wiki page. The current information is not sufficient. I will write them an email.

Offline

#6 2017-07-10 11:27:21

Petr Kovács
Member
Registered: 2017-07-03
Posts: 3

Re: qos_token cookie

This is the reply from OSMF (legal-questions@osmfoundation.org):

All the cookies we use clearly fall under the 'information society
service' exemptions including the referenced qos_token_cookie which
serves as a session cookie for visitors of openstreetmap.org so that we
can provide a better UI experience (faster loading tiles).

As we state in the privacy policy all our cookie use is limited to use
that is  covered by above mentioned exemptions, it is a futile
undertaking to ask us to restate that again for specific cookies,
because it is valid for all cookies that we control.

Offline

#7 2017-07-10 14:37:55

hadw
Member
Registered: 2014-09-02
Posts: 1,081

Re: qos_token cookie

Best practice is to document anyway.

I am not clear from the descriptions given of the cookie that it does fall under the exemptions.  I think the closest exemption would be where a proxy diverts traffic to a particular worker and it is necessary for the whole session to be routed to that server.  The description makes me think this is more about the load balancing decisions, than about how those decisions are actioned.

Offline

Board footer

Powered by FluxBB