qos_token cookie

Hello everyone.

Could someone tell me the purpose of the qos_token cookie? I can see it in the browser developer tools; it says the cookie comes from the domain openstreetmap.org. My boss wants to know what it does so he can inform our users about their privacy.

Thanks a lot
Petr Kovács

I don’t see this cookie; however, I think there is a serious issue here: OSM is hosted in the EU, and some of the cookies I do see do not seem to be exempt under EU cookie law, and http://wiki.osmfoundation.org/wiki/Privacy_Policy#Cookies seems to be far from adequate in explaining their use. In particular, “navigation state” seems to be used as a catch-all.

Best practice is to name each cookie and describe its purpose, even if it is technically exempt.

On the other hand, it does look as though OSM is exceptionally free of third-party cookies. Most sites would need to describe many third-party cookies.

The privacy page does have a contact address. I’d suggest using it for this question and also, if you agree, pointing out that the current description of how cookies are used is inadequate.

As the name says, qos stands for quality of service and is used as a means to rate limit access to tile servers and other services provided by osm.org. It’s based on Ruby one-time passwords, hence no reason for any privacy concerns with this particular one, imho.

BTW: this information is publicly available on the OSM GitHub repository, in particular the chef repo.

That comes under the category of helpful or convenient but not essential for operation of the service, so it must, in my view, be specifically documented in the privacy policy for the web site to comply with EU and UK law. See https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/

Note this also says it is best practice to document essential cookies, as well, and that would generally be understood as giving the specific purpose.

Thanks mmd for the explanation. I was googling and searching some forums, but I didn’t check the GitHub repo. The name was pointing at Quality of Service, which I told my boss, but he wanted to be 100% sure :-). Once again, thank you.

And yes, hadw, I think OSMF should give the information about their cookies in the Privacy Policy wiki page. The current information is not sufficient. I will write them an email.

This is the reply from OSMF (legal-questions@osmfoundation.org):

Best practice is to document anyway.

I am not clear from the descriptions given of the cookie that it does fall under the exemptions. I think the closest exemption would be where a proxy diverts traffic to a particular worker and it is necessary for the whole session to be routed to that server. The description makes me think this is more about the load balancing decisions, than about how those decisions are actioned.