gRPC is at the heart of modern distributed system architectures. Built on HTTP/2 and Protocol Buffers, it provides high-performance, standardized, polyglot communication between loosely coupled microservices and is increasingly preferred over REST- or GraphQL-based service APIs in practice. Despite its widespread adoption, gRPC offers no advanced privacy techniques beyond transport encryption and basic token-based authentication. Such techniques are, however, increasingly important for meeting regulatory requirements: anonymizing or otherwise minimizing (personal) data before responding to a request, or pre-processing data according to the purpose of the access, may be crucial in certain use cases. In this paper, we therefore propose a novel approach for integrating such advanced privacy techniques into the gRPC framework in a practically viable way. Specifically, we present a general approach, along with a working prototype, that implements privacy techniques such as data minimization and purpose limitation in a configurable, extensible, and gRPC-native way by means of a gRPC interceptor. We also show how to integrate this contribution into a realistic food delivery use case. Alongside these implementations, a preliminary performance evaluation indicates practical applicability with reasonable overheads. Altogether, we present a viable solution for integrating advanced privacy techniques into real-world gRPC-based microservice architectures, thereby facilitating regulatory compliance "by design".
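To make the interceptor idea concrete, the following is an added illustration (not the paper's prototype and not gRPC's own API) of what a server-side interceptor enforcing purpose limitation and data minimization can look like. It assumes a hypothetical `x-purpose` metadata key declared by the caller, a hypothetical policy table keyed by (RPC method, purpose), and plain dicts standing in for protobuf messages so that it runs without grpcio or generated stubs; the constructed order record is sample data, not real customer information.

```python
"""Purpose-based response minimization in the style of a gRPC server interceptor.

Added example. The interceptor reads the declared access purpose from request
metadata, looks up a policy for (method, purpose), fails closed when none
exists, and rewrites the handler's response before it leaves the service.
"""
import copy
import hashlib
import hmac

# Hypothetical secret for consistent pseudonyms; load from a KMS in practice.
PSEUDONYM_KEY = b"example-key-rotate-in-production"


def pseudonymize(value: str) -> str:
    """Keyed hash: same input yields the same token, irreversible without the key."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def coarsen_location(loc: dict) -> dict:
    """Generalize coordinates to two decimals (roughly a 1 km grid)."""
    return {"lat": round(loc["lat"], 2), "lon": round(loc["lon"], 2)}


def mask_phone(phone: str) -> str:
    """Keep only the last two digits of a phone number."""
    return "*" * (len(phone) - 2) + phone[-2:]


# Hypothetical policy: per (method, purpose), fields to drop and fields to transform.
# Paths are dotted paths into the response message.
POLICY = {
    ("/delivery.OrderService/GetOrder", "delivery"): {
        "drop": ["customer.payment_card"],
        "transform": {"customer.phone": mask_phone},
    },
    ("/delivery.OrderService/GetOrder", "analytics"): {
        "drop": ["customer.name", "customer.phone", "customer.payment_card"],
        "transform": {"customer.id": pseudonymize, "dropoff": coarsen_location},
    },
}


def _locate(msg: dict, path: str):
    """Return (parent, key) for a dotted path, or (None, None) if it is absent."""
    parts = path.split(".")
    node = msg
    for part in parts[:-1]:
        if not isinstance(node, dict) or part not in node:
            return None, None
        node = node[part]
    if isinstance(node, dict) and parts[-1] in node:
        return node, parts[-1]
    return None, None


def minimize(response: dict, rule: dict) -> dict:
    """Apply drop and transform rules to a copy of the response."""
    out = copy.deepcopy(response)
    for path in rule.get("drop", []):
        parent, key = _locate(out, path)
        if parent is not None:
            del parent[key]
    for path, fn in rule.get("transform", {}).items():
        parent, key = _locate(out, path)
        if parent is not None:
            parent[key] = fn(parent[key])
    return out


class PurposeLimitationInterceptor:
    """Wraps a unary handler; shaped like a server interceptor but framework-free."""

    def __init__(self, policy: dict):
        self.policy = policy

    def intercept(self, method: str, metadata, request: dict, handler) -> dict:
        purpose = dict(metadata).get("x-purpose")
        rule = self.policy.get((method, purpose))
        if rule is None:
            # Fail closed: an undeclared or unknown purpose gets no data at all.
            raise PermissionError(f"no policy for {method} with purpose {purpose!r}")
        return minimize(handler(request), rule)


def get_order(request: dict) -> dict:
    """Constructed stand-in for the real service handler (sample data only)."""
    return {
        "order_id": request["order_id"],
        "customer": {
            "id": "cust-42",
            "name": "Jane Roe",
            "phone": "015112345678",
            "payment_card": "4111 1111 1111 1111",
        },
        "dropoff": {"lat": 48.137154, "lon": 11.576124},
        "items": ["margherita", "cola"],
    }


INTERCEPTOR = PurposeLimitationInterceptor(POLICY)


def serve_get_order(purpose: str) -> dict:
    """Simulate one GetOrder call with the given declared purpose."""
    return INTERCEPTOR.intercept(
        "/delivery.OrderService/GetOrder",
        [("x-purpose", purpose)],
        {"order_id": "o-1"},
        get_order,
    )


if __name__ == "__main__":
    print(serve_get_order("delivery"))
    print(serve_get_order("analytics"))
```

In a real deployment the purpose must not be a free-form header the client picks: it should be bound to the authenticated caller, for example derived from a claim in the token the service already verifies, otherwise any client can select the least restrictive policy. Failing closed on an unknown (method, purpose) pair is what turns the policy table into an actual purpose limitation rather than a best-effort filter.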