In this paper, we introduce Harpocrates, a compiler plugin and a framework pair for Scala that binds the privacy policies to the data during data creation in form of oblivious membranes. Harpocrates eliminates raw data for a policy protected type from the application, ensuring it can only exist in protected form and centralizes the policy checking to the policy declaration site, making the privacy logic easy to maintain and verify. Instead of approaching privacy from an information flow verification perspective, Harpocrates allow the data to flow freely throughout the application, inside the policy membranes but enforces the policies when the data is tried to be accessed, mutated, declassified or passed through the application boundary. The centralization of the policies allow the maintainers to change the enforced logic simply by updating a single function while keeping the rest of the application oblivious to the change. Especially in a setting where the data definition is shared by multiple applications, the publisher can update the policies without requiring the dependent applications to make any changes beyond updating the dependency version.

翻译：本文介绍Harpocrates——一个用于Scala的编译器插件与框架组合，它通过无感知封装膜的形式在数据创建时将隐私策略与数据绑定。Harpocrates从应用程序中消除受策略保护类型的原始数据，确保其仅能以受保护形式存在，并将策略检查集中至策略声明点，使得隐私逻辑易于维护和验证。与从信息流验证角度处理隐私的传统方法不同，Harpocrates允许数据在策略封装膜内自由流动于整个应用程序中，仅在尝试访问、修改、解密或跨越应用边界传递数据时强制执行策略。策略的集中化使维护者仅需更新单个函数即可修改执行逻辑，而应用程序其余部分无需感知此变更。特别是在多应用共享数据定义的场景中，发布者更新策略时，依赖应用仅需更新依赖版本而无需进行其他修改。