Abstract
The paper shows that information leaks are inherent in object models based on subtyping and inclusion polymorphism. Web services interact with other systems across organizational boundaries using such an object model. In the context of web services, information leaks pose serious security and privacy concerns. A safe web service is one that neither is a source of any information leak nor exploits any information leak. The paper defines the properties of such a safety model and proposes mechanisms to enforce the safety requirements. Leaks inherent in the programming paradigm, however, cannot always be completely masked while keeping the desired interoperability and flexibility of services intact, especially in compositional scenarios. Therefore, the paper also proposes service certification and versioning processes, aided by data flow analysis, as measures against information leaks, together with a cost estimation model for cases where information leaks occur.