But there is evidence of Organic Maps not having been respecting open source protocol since a few months ago. I quote from comaps [.] app/news/2025-04-16/1/
The user’s privacy is (or was, until the GitHub reveal) compromised by the Metaserver component which was closed source until very recently (and it was most certainly closed source at the time of reveal).
Through web server commands, this Metaserver component has remote access over the user-downloaded app. The app is programmed to periodically visit the server for new updates. The most insidious aspect of it is that the user does not know about the existence of this component because it was, to quote the link above, “source code of so-called metaserver, that previously was available only to few people of the team.”
Please visit the GitHub discussion above for a clearer explanation, it was written by a whistleblower who is/was one of the 3 cofounders of Organic Maps. I am sorry for not explaining it well.
This is not part of the client. It’s a server, like what you just said. A lot of the open source services recommended here only have open source clients, not servers (e.g. Protonmail, Tutamail, etc).
On a separate note, I was looking at Recommended Maps and Navigation Apps - Privacy Guides where it states that 1 of the minimum requirements for a map app to be recommended is that the app mustn’t collect PII per their privacy policy.
Is geographic location considered PII? Because in the GitHub discussion linked above, I quote “The purpose of so-called metaserver is to dynamically redirect users to the most suitable CDN servers containing requested map version based on their geographic location. For example, users in North America are routed to servers in the U.S., ensuring faster map downloads.”
I am unsure if this satisfies the recommendation criteria.
I believe “collect” here means store/log, which I don’t think this server does. It only infers your rough geographical location from your IP address, which is presumably deleted afterwards.
At least that’s what should happen since an IP address is PII, and their privacy policy states they don’t collect any PII.
I am sorry for sounding uneducated again, but I remember learning about this term “triangulation” where mobile apps can access GPS + pinging of our phones from cell towers + IP, so is it possible that geographical location here could mean all three in combination?
The privacy policy is very vague and it was effective as of 2021, while the copyright of the website says 2024. I am not educated on these matters, but does this mean that the privacy policy holds true from 2021 (date of publishing) to copyright date of website (2024) but is not confirmed after 2024?
Thank you for answering my questions and helping me learn.
I doubt Organic Maps needs anything like this at all. All it needs is the country, which can be inferred from the IP; it doesn’t need triangulation, cellular or utilize the permission to do so.
As they said, they don’t collect anything PII, period. If they didn’t update it, then the Privacy Policy stays true. If they had anything to disclose that they collect that we don’t know about, they would have to legally disclose it, and if they’re in the legal right and didn’t change their methods, they just didn’t.
Contact them if you’re this concerned, not us.
I think we should be more concerned about this than whether Organic Maps collects location data or not:
I have asked them in Telegram before but they did not answer me. I apologize for taking up your time. I trust the recommendations of Privacy Guides and hoped that the team would update the maps guide because I am unsure if I want to uninstall Organic Maps.
Maybe try the legal email shown on the Privacy Policy, where it says:
“If you have any questions or suggestions, please contact us at [email]”.
(since they protect it with Cloudflare or something).
But as I said before there’s a bigger concern with Organic Maps now which is the future with the shareholders above than this right now. And we might recommend CoMaps if they establish themselves enough.
This is an absolute non-issue, as either you aren’t using a VPN and then the State/Region you live in can be inferred from the maps you download, or you use a VPN, in which case there will be a discrepancy but it wouldn’t matter since your real location is hidden anyway.
The above is theoretical though, no evidence they do this.
GPS requires permission, which fair enough you will give to a GPS app. But apps cannot ping cell towers, that’s something only your ISP can do.
Anyway, a GPS app has your location, so if you are concerned about them being malicious:
1) Look at the source code and build from source, or
2) Don’t give the apps the network permission after setup
I had a friend that translated the internal beef from Russian to my native language, and it seems like the so-called whistleblower was in fact a power tripper. He revoked the cofounders’ access to the organisation, which coincidentally triggered GitHub to ban the repo due to only him being the owner and residing in Russia. He then proceeded to move the entire project to a self-hosted instance, which proved to be buggy and unreliable, despite the community being against such a move. There are far more sinister things, such as him confiscating the omaps domain and reading co-founders’ emails, asking for a cover-up pay for him to exit through the legal counsel, manipulating people into thinking it’s about the FOSS ideas when in fact it was about control, etc… This was a mess and I’m happy omaps survived and kicked him out. I don’t think comaps would stay for long.