As a consequence of the recent FTC investigation, Facebook cut off friend data access for Microsoft and Sony and announced an overhaul of its API. Facebook’s privacy changes will impact dozens of partners that have been using the Facebook API to build experiences on third-party apps and devices. Here are three essential considerations for API providers, consumers, and end-users to avoid a scandal like Facebook’s and protect the privacy of user data.
Facebook’s API overhaul and the FTC’s privacy investigation has caused a ripple effect for API providers, consumers, and end-users. API providers are scrambling to avoid data breaches like Facebook and must think through the ethical issues and legal obligations related to sharing data. API consumers, such as developers who build on open APIs, are reconsidering who to partner with. They have to be wary of building relationships that are too deep and irreplaceable to avoid getting caught in any privacy crossfire, or even worse, getting slapped with fines from people’s data being exploited.
As users of digital services, our data is already being commoditized and in some cases jeopardized. Does anyone read the T’s and C’s before clicking “I agree,” or check the permissions they give third party apps when signing in through Facebook or Google?
Privacy of user data is a major issue and one that needs to be addressed by all stakeholders in the API economy. Before exploring how to best protect the privacy of users’ data, it’s worth exploring how we got here in the first place.
Two to tango: developers and APIs
Developers love APIs. In the race to meet the demand for more applications, the global community of developers is relying on APIs to provide quick access to data and services that would otherwise need to be created from scratch. A developer writing a mobile app for a retailer can automatically email personalized recommendations to customers, enable payment services, and purchase items directly from their favorite influencers’ social media account simply by accessing the Gmail API, Apple Pay APIs, and Instagram Graph API. This is the main reason for the ongoing boom in web APIs—they are fueling technology trends in workplace productivity, cloud computing, social networking, and artificial intelligence.
The relationship between the app developers who consume APIs and the organizations that provide APIs has been around since Salesforce introduced the first web API in February 2000. Amazon, eBay, and other providers quickly followed suit. Today, there are more than 22,000 public APIs and nearly every major tech company has a developer ecosystem. The mutual benefits of APIs–consumers opening new channels for providers, providers offering a faster route to market for consumers–fuelled this spectacular growth. The platform companies who built the biggest customer base during this period–companies like Facebook, Google, and Twitter–recognized that they could not only use APIs as a channel to extend the reach of their services but also as a way of monetizing their customer base. In the fever pitch to exploit this opportunity, the concerns of another key API stakeholder–the end-user–was overlooked.
Three’s a crowd: end-users and privacy
Today, issues related to the end user’s privacy dominate the API relationship stage. These end-users, whose data was the fuel these API ran on, got wise about companies using their data for their own financial gain without explicit consent to do so. In addition to Facebook, a number of APIs have recently been shut down or restricted, leaving API consumers and end-users stranded. Google recently locked down access to Gmail data when using their OAuth API, effectively killing some third party applications that had been built using the service. Likewise, Twitter deprecated API access to key features of popular streaming apps, such as push notifications and auto-refreshing timelines, to focus instead on its own native apps.
Not all breakups are bad from an end-user perspective. Netflix, for example, simply outgrew the need for channel partners who might be found through their open API back in 2014. Nonetheless, developers and in many cases, entire companies have been impacted by these decisions.
Steps in the API triangle dance: providers, consumers, users
APIs open up a unique set of user data privacy considerations. They must be secure yet accessible. To avoid the negative impacts of an API shutdown on your end-users, consumers, and partners, developers, and enterprises alike should take a moment to reevaluate their API strategy. Below are three recommendations for the OGs of open APIs: API consumers (often developer-driven), API providers (whole companies), and end-users (you and me!).
3 ways for API providers to evaluate data privacy
Facebook’s ongoing struggle to reign in personal data usage by third-party partners, spurred by the Cambridge Analytica breach investigation, has three clear takeaways for API providers.
- No. 1: Review your API data sharing policy now. Are there ethical issues and legal obligations that may violate new regulations, such as GDPR, that require policy updates?
- No. 2: Make sure your terms and conditions for API usage are truthful and clearly communicated to prospective developers.
- No. 3: Are you the authoritative source for the data you will be providing? If not, there’s a good chance that regulatory policies will render your open API useless or your service will be viewed as redundant.
3 ways for developers to evaluate third party APIs
Do your app or device experiences require building on Facebook’s API or other third-party APIs? Here are three key considerations to ensure those APIs and your own are built to protect end-user data.
- No 1: Reevaluate your API strategy. Do you understand how vital this API is to the value proposition of your application? If it is too vital, you are creating a risky dependency, and your app’s value proposition may not be very strong to begin with.
- No. 2: Is the API provider’s business value proposition tied closely to the user —either controlling the user experience or directly managing the user relationship? If so, there is a risk that they will pull up stakes at some point and try to own that relationship.
- No. 3: Are there any alternative providers of the same service or the same data? In the business world, you always need a Plan B.
3 ways to protect your own personal data
While we’re on the subject, remember that we are all API end users too. Here are some ways you can protect your own data:
- No. 1: Read the terms and conditions before you sign up. It’s tedious, but these days it’s warranted.
- No. 2: Be wary of free services on the web. As the old adage goes, if you’re not paying for the product, you are the product.
- No. 3: Make sure the services you sign up for are transparent about the data they use so you can check and modify privacy settings. And make sure you can completely remove your data if needed.
Facebook is just one example of how API security and data sharing has gone wrong. Check out this webinar on the top API security fails and how to fix them.
This blog post was written in collaboration with Matt McLarty, Global Leader of API Strategy at MuleSoft.