Open APIs

 View Only

  • 1.  Privacy-related data in URL imposes GDPR violation

    TM Forum Member
    Posted Nov 18, 2023 09:09

    In the discussion thread "TMF GET / Query Operations@Jonathan Goldberg proposes to use POSTing a task resource instead of putting complex and possibly custom search criteria into the URL;

    There is also another reason why that might be necessary:

    It is a substantial security and/or privacy problem to put data like a customer number that can be used to identify an individual person into the URL; although you might use HTTPS, i.e. encryption on the wire, at least the URL is decrypted e.g. in Proxys, API Gateways etc., and also stored e.g. in logfiles, which can be valued as a violation of European GDPR regulations.

    So putting query criteria into the body, which requires a POST, is necessary.

    We are currently validating options how to realise pagination in sich cases. Are there any suggestions how Pagination could be combined with a "search" task resource?



    ------------------------------
    Lutz Bettge
    Deutsche Telekom AG
    ------------------------------


  • 2.  RE: Privacy-related data in URL imposes GDPR violation

    TM Forum Member
    Posted Nov 19, 2023 01:23

    This is a very important point, Lutz, thanks for raising.

    I've opened a JIRA as a discussion point for this.

    https://projects.tmforum.org/jira/browse/AP-4711



    ------------------------------
    Jonathan Goldberg
    Amdocs Management Limited
    Any opinions and statements made by me on this forum are purely personal, and do not necessarily reflect the position of the TM Forum or my employer.
    ------------------------------

    Original Message