This paper introduces the notion of a secure data capsule, which refers to an
encapsulation of sensitive user information (such as a credit card number)
along with code that implements an interface suitable for the use of such
information (such as charging for purchases) by a service (such as an online
merchant). In our capsule framework, users provide their data to web services
in the form of such capsules rather than as raw data.