<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta>
      <journal-title-group>
        <journal-title>Workshops and Tutorials
$ philipp.rohde@tib.eu (P. D. Rohde); maria.vidal@tib.eu (M. Vidal)</journal-title>
      </journal-title-group>
    </journal-meta>
    <article-meta>
      <title-group>
        <article-title>Towards Certified Distributed Query Processing</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Philipp D. Rohde</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
          <xref ref-type="aff" rid="aff1">1</xref>
          <xref ref-type="aff" rid="aff2">2</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Maria-Esther Vidal</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
          <xref ref-type="aff" rid="aff1">1</xref>
          <xref ref-type="aff" rid="aff2">2</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>L3S Research Center</institution>
          ,
          <addr-line>Hannover</addr-line>
          ,
          <country country="DE">Germany</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Leibniz University of Hannover</institution>
          ,
          <addr-line>Hannover</addr-line>
          ,
          <country country="DE">Germany</country>
        </aff>
        <aff id="aff2">
          <label>2</label>
          <institution>TIB Leibniz Information Centre for Science and Technology</institution>
          ,
          <addr-line>Hannover</addr-line>
          ,
          <country country="DE">Germany</country>
        </aff>
      </contrib-group>
      <pub-date>
        <year>2023</year>
      </pub-date>
      <volume>000</volume>
      <fpage>0</fpage>
      <lpage>0002</lpage>
      <abstract>
        <p>In recent years, knowledge graphs (KGs) have gained more and more importance. As a consequence of that, the number of publicly accessible KGs is increasing. Due to their adoption in many areas, KGs are used in numerous diferent applications. However, these knowledge graph applications are not developed by the data owners and they might collect data from several linked KGs. It is therefore essential that systems accessing KGs are certified, i.e., each component is certified for a specific use by an entity or agency. In addition, a trace of the performed operations and used data is needed in order to verify that all requirements were met, e.g., some data cannot be transferred from the source to any other component due to privacy restrictions. This work describes the vision of certified distributed querying in the context of an analytics platform. Challenges for such systems are identified and discussed.</p>
      </abstract>
      <kwd-group>
        <kwd>eol&gt;Certification</kwd>
        <kwd>Privacy</kwd>
        <kwd>Access Control</kwd>
        <kwd>Distributed Query</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <sec id="sec-1-1">
        <title>1.1. Certified Distributed Query System</title>
        <p>In the context of this paper, a system is called a distributed query system if the system answers
queries from several data sources. These data sources might be heterogeneous and hosted in
diferent physical locations. An alternative term is federated querying. It is assumed that a
distributed query system is empowered with the means to control the access to the data sources
available to the system. A distributed (or federated) query engine is part of the system and
responsible for query decomposition, source selection, and planning the execution of the query.
Depending on the user request, the necessary data is collected from several sources and combined
to form the final answer within the system. While these two steps are usually performed by
a query engine, they are explicitly mentioned as the data collection and answer generation
component, respectively. The data sources accessible via the system are also considered to
be a component of said system. A distributed query system is called certified if it meets the
following requirements. (i) Each component of the system is certified by a third party, i.e.,
another entity or agency. These certifications may impose restrictions, e.g., a query engine
might only be certified to work on medical data. (ii) Each component has to document the
performed actions in a way that any third party is able to trace what the component did and
verify that the component is working correctly, i.e., the result is sound, and is meeting all further
restrictions, e.g., no private data was presented to the user. Throughout this paper, systems of
this kind are called certified distributed query system .</p>
      </sec>
      <sec id="sec-1-2">
        <title>1.2. Certified Distributed Querying Scenario</title>
        <p>
          Given an online platform for analytics as presented in Figure 1 which retrieves data from several
KGs through a SPARQL [
          <xref ref-type="bibr" rid="ref4">4</xref>
          ] query engine; the SPARQL Protocol and Query Language is the W3C
recommendation language to query RDF data. A user of the platform submits the request to
visualize the life expectancy and population of Germany for the past ten years. This data is
available in the KGs accessible from the analytics platform and requires requesting data from at
least two diferent sources. However, the life expectancy data can only be accessed by people
from the same country, i.e., Germany in this example. Additionally, the population data must not
be changed, e.g., additions and subtractions are prohibited. Currently, there are no mechanisms
that ensure access is only granted to authorized users and trace what happened with the data. In
the context of the presented scenario this means that there is no guarantee that the population
data is not manipulated. The following section identifies challenges in current systems similar
to the one presented in this scenario in order to become a certified distributed query system.
        </p>
      </sec>
    </sec>
    <sec id="sec-2">
      <title>2. Challenges in Certified Distributed Querying</title>
      <p>Creating a certified system for distributed querying brings challenges in all the components
of such a system. Not only the certification of the components is challenging but also the
verification. As described above, for the verification, each component needs to document what
it is doing so that another entity or agency can trace back all the performed steps and verify
that all restrictions have been met and the result is correct.</p>
      <sec id="sec-2-1">
        <title>2.1. Challenge: Access Control</title>
        <p>
          In terms of access control in a certified distributed query system, a big challenge is the validation
of access control policies. The Open Digital Rights Language (ODRL) [
          <xref ref-type="bibr" rid="ref5">5</xref>
          ] is designed for licensing
but also used for defining access policies. Hence, the evaluation of access policies in ODRL is
not defined and external data cannot be used. Access control policies can be seen as integrity
constraints which is why the Shapes Constraint Language (SHACL) [
          <xref ref-type="bibr" rid="ref6">6</xref>
          ] seems to be a more natural
choice since the semantics of its evaluation is well-defined [
          <xref ref-type="bibr" rid="ref7">7</xref>
          ]. However, SHACL requires the
data to be in RDF. So in order to use SHACL for access control policies, a knowledge graph with
the data to be considered needs to be created. Usually, the relevant data is small, and, therefore,
the knowledge graph can be created eficiently on the fly [
          <xref ref-type="bibr" rid="ref8">8</xref>
          ]. Complementary, some systems
like Solid Pods [
          <xref ref-type="bibr" rid="ref9">9</xref>
          ] implement a per-user access control mechanism directly at the access layer
of the RDF graph. Extensions for enabling the use of access control policies are available for
some of these systems but they implement diferent policy languages. Hence, the access control
policies need to be re-implemented when used in another system. Since this is time-consuming,
it might prevent data owners from keeping their systems up-to-date. While there is some work
aiming to solve access control over knowledge graphs, e.g., the fine-grained access control
model by Valzelli et al. [
          <xref ref-type="bibr" rid="ref10">10</xref>
          ], there is no standard for doing so yet.
        </p>
      </sec>
      <sec id="sec-2-2">
        <title>2.2. Challenge: Distributed Query Processing</title>
        <p>
          Distributed query processing is an active research area. While the main focus is on performance
improvements through new algorithms for source selection, query planing, and optimizing
the operators, privacy is considered more and more in recent work [
          <xref ref-type="bibr" rid="ref11">11</xref>
          ]. Privacy needs to
be considered during all steps of query processing. The source selection has to consider the
privacy restrictions of the attributes of the data source. During the query planning phase, the
restrictions must be taken into account since certain conditions might impose the use of a
specific operator or prohibit the use of it. This might also lead to rearranging the order of the
operators due to the restricted access. Operations over attributes that cannot be transferred
need to be performed at the source level. This imposes new challenges to query optimization
since the performance of an operator implemented at source level is unknown to the query
engine. Further, some data can be transferred to the query engine, but it cannot be sent to other
sources. In this case, a nested join cannot be used. Privacy in distributed query engines needs
to be studied further and existing engines have to implement privacy policies. This opens the
research area of privacy-aware distributed query optimization.
        </p>
      </sec>
      <sec id="sec-2-3">
        <title>2.3. Challenge: Data Collection</title>
        <p>The data collection in a certified distributed querying system needs to document which data
in which data source has been accessed and transferred. While the data collection could be
documented by storing the query plan, there is no guarantee that the query engine actually
executed that plan. This needs to be certified and verified in order to ensure the correct use
of the data. At the point of writing, there is no standard for representing the query plan of a
distributed SPARQL query. While the previously discussed issue deals with the correct use of
the data, in a certified distributed querying system, also the data sources that are accessed need
to be certified so that the retrieved data can be trusted. This is crucial especially when collecting
external data for the evaluation of an access control policy since the use of not certified and
manipulated data might lead to granted access even though the access should have been denied.
The distributed query engine should only consider certified and verified data sources.</p>
      </sec>
      <sec id="sec-2-4">
        <title>2.4. Challenge: Answer Generation</title>
        <p>The component that generates the final query result needs to ensure that the answer is correct.
Hence, the answer generation component needs to be certified stating that indeed only correct
results are generated. Additionally, privacy restrictions have to be ensured since it might be
the case that specific data is allowed to be transferred to the answer generation component
but cannot be presented to the user. Adding metadata to the query result as a trace of how the
answer was generated could help in the verification of the correctness of the result. Such a trace
would have to include the information about the source data that was used for generating the
answer as well as the operators that produced the output. However, since the answer generation
might include private data, not all triples contributing to the answer can be included in the
trace. So far, privacy-preserving verifiable query results are an open challenge.</p>
      </sec>
      <sec id="sec-2-5">
        <title>2.5. Ethical &amp; Legal Challenges</title>
        <p>While the previous sections describe technical challenges for certified distributed query systems,
there are also ethical and legal aspects that need to be considered. Obviously, the systems need
to adhere to the GDPR. While technical solutions for preserving privacy might be in place, it is
not clear how the compliance with the GDPR can be enforced. Another open question regarding
the GDPR is about who is responsible in the case of a violation of the GDPR; is it the entity
who certified the violating component, the entity who deployed the component, or maybe the
entity who developed the component. The certification process also must be regulated in order
to prevent entities from issuing wrong certifications. Assume there are two entities A and B
that are tightly coupled. Entity A developed an answer generation component that respects
the privacy in the context of the generated answer but stores all the private data in a database
owned by entity A. Since entity B profits from the malicious acts of entity A, entity B issues a
certification for the answer generation component stating that is respects all regulations. In
case like this, there needs to be a regulation so that entities A and B can be sued and sentenced.
The presented ethical and legal challenges are only two examples to raise awareness for this
non-technical aspect of certified distributed query systems, e.g., usage control and certification.</p>
      </sec>
    </sec>
    <sec id="sec-3">
      <title>3. Conclusion</title>
      <p>This paper describes the vision of certified distributed querying and analyses the challenges
of such systems as access control, operators for distributed query processing, data collection,
and answer generation. Ethical and legal challenges are also discussed briefly using usage
control and certification as two examples for these aspects of certified systems. A well-defined
standard for expressing and validating access control policies is needed in terms of access
control. Distributed query engines need to implement privacy policies, and privacy-aware
distributed query optimization has to deal with the impact of privacy on the query execution
performance. Data collection presents the challenge of documenting the data access and use
as well as certifying and verifying the data sources in order to eliminate the risk of retrieving
manipulated data. When it comes to query answer generation, privacy-preserving metadata
about how the query result was generated is mandatory to achieve the vision.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <given-names>F.</given-names>
            <surname>Manola</surname>
          </string-name>
          , E. Miller, RDF Primer,
          <source>W3C Recommendation</source>
          ,
          <year>2004</year>
          . URL: https://www.w3.org/ TR/2004/REC-rdf-primer-
          <volume>20040210</volume>
          /.
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <given-names>N. F.</given-names>
            <surname>Noy</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Y.</given-names>
            <surname>Gao</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Jain</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Narayanan</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Patterson</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Taylor</surname>
          </string-name>
          ,
          <article-title>Industry-scale knowledge graphs: lessons and challenges</article-title>
          ,
          <source>Commun. ACM</source>
          <volume>62</volume>
          (
          <year>2019</year>
          )
          <fpage>36</fpage>
          -
          <lpage>43</lpage>
          . doi:
          <volume>10</volume>
          .1145/3331166.
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <given-names>D. N.</given-names>
            <surname>Nicholson</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C. S.</given-names>
            <surname>Greene</surname>
          </string-name>
          ,
          <article-title>Constructing knowledge graphs and their biomedical applications</article-title>
          ,
          <source>Comput Struct Biotechnol J</source>
          .
          <volume>18</volume>
          (
          <year>2020</year>
          )
          <fpage>1414</fpage>
          -
          <lpage>1428</lpage>
          . doi:
          <volume>10</volume>
          .1016/j.csbj.
          <year>2020</year>
          .
          <volume>05</volume>
          .017.
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <given-names>E.</given-names>
            <surname>Prud</surname>
          </string-name>
          <article-title>'hommeaux, A. Seaborne, SPARQL Query Language for RDF</article-title>
          ,
          <source>W3C Recommendation</source>
          ,
          <year>2008</year>
          . URL: https://www.w3.org/TR/2008/REC-rdf
          <string-name>
            <surname>-</surname>
          </string-name>
          sparql-query-
          <volume>20080115</volume>
          /.
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <given-names>R.</given-names>
            <surname>Iannella</surname>
          </string-name>
          , S. Villata,
          <source>ODRL Information Model 2</source>
          .2,
          <string-name>
            <given-names>W3C</given-names>
            <surname>Recommendation</surname>
          </string-name>
          ,
          <year>2018</year>
          . URL: https://www.w3.org/TR/2018/REC-odrl-model-
          <volume>20180215</volume>
          /.
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <string-name>
            <given-names>H.</given-names>
            <surname>Knublauch</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Kontokostas</surname>
          </string-name>
          ,
          <article-title>Shapes Constraint Language (SHACL)</article-title>
          ,
          <source>W3C Recommendation</source>
          ,
          <year>2017</year>
          . URL: https://www.w3.org/TR/2017/REC-shacl-
          <volume>20170720</volume>
          /.
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <string-name>
            <given-names>J.</given-names>
            <surname>Corman</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J. L.</given-names>
            <surname>Reutter</surname>
          </string-name>
          ,
          <string-name>
            <given-names>O.</given-names>
            <surname>Savković</surname>
          </string-name>
          ,
          <article-title>Semantics and validation of recursive shacl</article-title>
          ,
          <source>in: The Semantic Web - ISWC</source>
          <year>2018</year>
          ,
          <year>2018</year>
          , pp.
          <fpage>318</fpage>
          -
          <lpage>336</lpage>
          . doi:
          <volume>10</volume>
          .1007/978-3-
          <fpage>030</fpage>
          -00671-6_
          <fpage>19</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [8]
          <string-name>
            <given-names>E.</given-names>
            <surname>Iglesias</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Jozashoori</surname>
          </string-name>
          , M.-E. Vidal,
          <article-title>Scaling up knowledge graph creation to large and heterogeneous data sources</article-title>
          ,
          <source>J. Web Semant</source>
          .
          <volume>75</volume>
          (
          <year>2023</year>
          ). doi:
          <volume>10</volume>
          .1016/j.websem.
          <year>2022</year>
          .
          <volume>100755</volume>
          .
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          [9]
          <string-name>
            <given-names>S.</given-names>
            <surname>Capadisli</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Berners-Lee</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R.</given-names>
            <surname>Verborgh</surname>
          </string-name>
          ,
          <string-name>
            <given-names>K.</given-names>
            <surname>Kjernsmo</surname>
          </string-name>
          , Solid Protocol, Solid Community Group Submission,
          <year>2021</year>
          . URL: https://solidproject.org/TR/2021/protocol-20211217.
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [10]
          <string-name>
            <given-names>M.</given-names>
            <surname>Valzelli</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Maurino</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Palmonari</surname>
          </string-name>
          ,
          <article-title>A Fine-grained Access Control Model for Knowledge Graphs</article-title>
          ,
          <source>in: Proceedings of the 17th International Joint Conference on e-Business and Telecommunications (ICETE</source>
          <year>2020</year>
          ),
          <year>2020</year>
          , pp.
          <fpage>595</fpage>
          -
          <lpage>601</lpage>
          . doi:
          <volume>10</volume>
          .5220/0009833505950601.
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          [11]
          <string-name>
            <given-names>M.</given-names>
            <surname>Goncalves</surname>
          </string-name>
          ,
          <string-name>
            <surname>M.-E. Vidal</surname>
            ,
            <given-names>K.</given-names>
          </string-name>
          <article-title>M. Endris, PURE: A Privacy Aware Rule-Based Framework over Knowledge Graphs</article-title>
          ,
          <source>in: Database and Expert Systems Applications</source>
          ,
          <year>2019</year>
          , pp.
          <fpage>205</fpage>
          -
          <lpage>214</lpage>
          . doi:
          <volume>10</volume>
          .1007/978-3-
          <fpage>030</fpage>
          -27615-7_
          <fpage>15</fpage>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>