"privacy considerations" for SPARQL protocol

Pursuant to ACTION EricP: propose "privacy considerations" for SPARQL
protocol, I cribbed a bit of wording from RFC 2616 (HTTP 1.1) and
dreamed up some more. I aggressively promote privacy policies in this
text. I think that's a good idea; others may think I went too far:



As with any query protocol, query servers must take care that facts
disclosed in, or implied by, query results do not violate applicable
privacy or security policies. Conversely, it is good practice to
consider query interfaces when gathering data and to publish a
realistic privacy policy for the benefit of anyone contributing data.

It is impossible to identify all private or sensitive information
here. Addresses and credit card numbers are clearly sensitive;
however, even the language constraints on literal queries can
associate the client with a particular ethnic group. There is no a
priori method of determining the sensitivity of any particular piece
of information within the context of any given request. SPARQL servers
SHOULD supply as much control over this information as possible to the
provider of that information.

Query URLs and server logs contain information about clients' areas of
interest. This information is clearly confidential unless otherwise
indicated in a privacy policy. Storage and distribution of this data
can be constrained by law in some countries.

Under-constrained queries can result in huge numbers of results, and
thus are one possible source of denial of service attacks. Query
services may choose to detect under-constrained queries, impose time
or memory limits on queries, or impose other restrictions to reduce
the service's vulnerability to denial of service attacks.
-- 
-eric

office: +81.466.49.1170 W3C, Keio Research Institute at SFC,
                        Shonan Fujisawa Campus, Keio University,
                        5322 Endo, Fujisawa, Kanagawa 252-8520
                        JAPAN
        +1.617.258.5741 NE43-344, MIT, Cambridge, MA 02144 USA
cell:   +81.90.6533.3882

(eric@w3.org)
Feel free to forward this message to any list for any purpose other than
email address distribution.

Received on Tuesday, 22 March 2005 13:46:23 UTC
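
The mitigations named in the last paragraph of the proposed text (detecting under-constrained queries, capping results, limiting time), sketched as an added example that is not part of the original message or of the SPARQL protocol. The names `screen_query`, `bounded` and `MAX_ROWS` are hypothetical, and the regex screening is a heuristic assumption standing in for a real SPARQL parser.

```python
import re
import time
from itertools import islice

MAX_ROWS = 1000  # assumed server-side cap on rows per query

# String literals, <IRIs> and # comments: blanked first so their contents
# cannot be mistaken for keywords or variables.
_OPAQUE_RE = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'|<[^<>\s]*>|#[^\n]*')
_LIMIT_RE = re.compile(r"\bLIMIT\s+(\d+)", re.IGNORECASE)
# A triple pattern made only of variables (e.g. ?s ?p ?o) matches every triple.
_ALL_VARS_RE = re.compile(r"[?$]\w+\s+[?$]\w+\s+[?$]\w+\s*[.;}]")


def screen_query(query, max_rows=MAX_ROWS):
    """Heuristic pre-check: return (row_limit_to_enforce, flags)."""
    bare = _OPAQUE_RE.sub(" _ ", query)
    flags = []
    if _ALL_VARS_RE.search(bare[bare.find("{") + 1:]):
        flags.append("all-variable triple pattern")
    # The outer query's LIMIT follows the last closing brace.
    outer = _LIMIT_RE.search(bare[bare.rfind("}") + 1:])
    if outer is None:
        flags.append("no LIMIT")
        return max_rows, flags
    requested = int(outer.group(1))
    if requested > max_rows:
        flags.append("LIMIT above cap")
    return min(requested, max_rows), flags


def bounded(rows, limit, budget_s, clock=time.monotonic):
    """Yield at most `limit` rows; abort once `budget_s` seconds have passed."""
    deadline = clock() + budget_s
    for row in islice(rows, limit):
        # Checked between rows only; the query engine needs its own timeout too.
        if clock() > deadline:
            raise TimeoutError("query exceeded its time budget")
        yield row
```

The row cap is enforced on the result stream rather than by rewriting the query text, so a malformed or adversarial `LIMIT` clause cannot bypass it.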