This is a very important point, Lutz, thanks for raising.
I've opened a JIRA as a discussion point for this.
https://projects.tmforum.org/jira/browse/AP-4711
------------------------------
Jonathan Goldberg
Amdocs Management Limited
Any opinions and statements made by me on this forum are purely personal, and do not necessarily reflect the position of the TM Forum or my employer.
------------------------------
Original Message:
Sent: Nov 18, 2023 09:08
From: Lutz Bettge
Subject: Privacy-related data in URL imposes GDPR violation
In the discussion thread "TMF GET / Query Operations" @Jonathan Goldberg proposes to use POSTing a task resource instead of putting complex and possibly custom search criteria into the URL;
There is also another reason why that might be necessary:
It is a substantial security and/or privacy problem to put data like a customer number that can be used to identify an individual person into the URL; although you might use HTTPS, i.e. encryption on the wire, at least the URL is decrypted e.g. in Proxys, API Gateways etc., and also stored e.g. in logfiles, which can be valued as a violation of European GDPR regulations.
So putting query criteria into the body, which requires a POST, is necessary.
We are currently validating options how to realise pagination in sich cases. Are there any suggestions how Pagination could be combined with a "search" task resource?
------------------------------
Lutz Bettge
Deutsche Telekom AG
------------------------------