Hook-in Privacy Techniques for gRPC-based Microservice Communication

TL;DR

This paper introduces a practical method for integrating advanced privacy techniques like data minimization and purpose limitation into gRPC-based microservices, enhancing privacy compliance without significant performance costs.

Contribution

It presents a novel gRPC-native privacy extension using interceptors, with a prototype and performance evaluation demonstrating practical viability.

Findings

Privacy techniques can be integrated into gRPC with reasonable overheads.

The approach supports regulatory compliance by design.

A working prototype demonstrates real-world applicability.

Abstract

gRPC is at the heart of modern distributed system architectures. Based on HTTP/2 and Protocol Buffers, it provides highly performant, standardized, and polyglot communication across loosely coupled microservices and is increasingly preferred over REST- or GraphQL-based service APIs in practice. Despite its widespread adoption, gRPC lacks any advanced privacy techniques beyond transport encryption and basic token-based authentication. Such advanced techniques are, however, increasingly important for fulfilling regulatory requirements. For instance, anonymizing or otherwise minimizing (personal) data before responding to requests, or pre-processing data based on the purpose of the access may be crucial in certain usecases. In this paper, we therefore propose a novel approach for integrating such advanced privacy techniques into the gRPC framework in a practically viable way. Specifically, we present a general approach along with a working prototype that implements privacy techniques, such as data minimization and purpose limitation, in a configurable, extensible, and gRPC-native way utilizing a gRPC interceptor. We also showcase how to integrate this contribution into a realistic example of a food delivery use case. Alongside these implementations, a preliminary performance evaluation shows practical applicability with reasonable overheads. Altogether, we present a viable solution for integrating advanced privacy techniques into real-world gRPC-based microservice architectures, thereby facilitating regulatory compliance ``by design''.