Harpocrates: A Statically Typed Privacy Conscious Programming Framework
Sinan Pehlivanoglu, Malte Schwarzkopf

TL;DR
Harpocrates is a Scala framework that enforces privacy policies at data creation, centralizing policy management and allowing data to flow freely within applications while ensuring policies are upheld during access and mutation.
Contribution
It introduces a novel compiler plugin that binds privacy policies to data via oblivious membranes, simplifying policy enforcement and maintenance in Scala applications.
Findings
Ensures data can only exist in protected form, preventing raw data exposure.
Centralizes policy checking at declaration sites for easier maintenance.
Allows policy updates without changing dependent applications.
Abstract
In this paper, we introduce Harpocrates, a compiler plugin and a framework pair for Scala that binds the privacy policies to the data during data creation in the form of oblivious membranes. Harpocrates eliminates raw data for a policy protected type from the application, ensuring it can only exist in protected form, and centralizes the policy checking to the policy declaration site, making the privacy logic easy to maintain and verify. Instead of approaching privacy from an information flow verification perspective, Harpocrates allows the data to flow freely throughout the application, inside the policy membranes, but enforces the policies when an attempt is made to access, mutate, or declassify the data or to pass it through the application boundary. The centralization of the policies allows the maintainers to change the enforced logic simply by updating a single function while keeping the rest of the…
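The membrane idea in the abstract, as an added conceptual sketch in plain Scala: a policy is bound to a value at creation, transformations stay inside the membrane, and the check runs only on access. This is not Harpocrates code or its API; `Viewer`, `Policy`, `Membrane`, `Email` and the sample data are hypothetical names and values constructed for illustration.

```scala
// Conceptual sketch; Viewer, Policy, Membrane and Email are hypothetical names,
// not the Harpocrates API.
final case class Viewer(id: String, isAdmin: Boolean)

// One policy function per protected type: the single place the rule is declared.
trait Policy[A] {
  def allows(value: A, viewer: Viewer): Boolean
}

// The constructor and the raw value are private, so outside the membrane the
// value exists only in protected form.
final class Membrane[A] private (private val raw: A,
                                 private val allowed: Viewer => Boolean) {
  // Data flows freely: transformations run inside the membrane and the result
  // inherits the check that was bound when the original value was created.
  def map[B](f: A => B): Membrane[B] = new Membrane[B](f(raw), allowed)

  // Access is the enforcement point: the bound policy decides per viewer.
  def reveal(viewer: Viewer): Option[A] =
    if (allowed(viewer)) Some(raw) else None

  // Logging or string interpolation must not act as an unchecked boundary.
  override def toString: String = "Membrane(<protected>)"
}

object Membrane {
  // The policy is bound to the value at creation time.
  def protect[A](value: A)(implicit policy: Policy[A]): Membrane[A] =
    new Membrane[A](value, viewer => policy.allows(value, viewer))
}

final case class Email(address: String, owner: String)

object Email {
  // Changing this one function changes enforcement for every use of Email.
  implicit val policy: Policy[Email] = new Policy[Email] {
    def allows(e: Email, v: Viewer): Boolean = v.isAdmin || v.id == e.owner
  }
}

object Demo {
  def main(args: Array[String]): Unit = {
    val email  = Membrane.protect(Email("alice@example.com", "alice")) // constructed sample
    val domain = email.map(_.address.dropWhile(_ != '@'))
    println(domain)                                          // placeholder, not the data
    println(domain.reveal(Viewer("bob", isAdmin = false)))   // denied by Email.policy
    println(domain.reveal(Viewer("alice", isAdmin = false))) // owner is allowed
  }
}
```

The sketch does not reproduce the compiler plugin the abstract describes: a function passed to `map` still sees the raw value, and the unprotected `Email` exists briefly before `protect` wraps it.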
Taxonomy
Topics: Law, Rights, and Freedoms · Freedom of Expression and Defamation
