Wednesday, April 03, 2013

Nothing says privacy risk more than an API

Less than a handful of years ago, mention the three-letter acronym 'API' to a regular Internet user and you'd have got the look of "stay away from me, you scary unwashed software geek who is about to bore me to tears" (that's the bleeped version of the internal dialog). Now everything has changed. Not only is API part of the regular semi-tech word-dropping of web users, the lack of one can raise questions about the viability of a modern web application. A publicly available API is a badge of honor for startup web apps that says "the information we have is worth being consumed by other apps, so it's got to be good enough for you too".

The Application Programming Interface, or API, is the technical Lego brick that lets developers from across the globe plug into an application, to use the data and functionality of the website without the annoying user interface of that website getting in the way. It makes it easy for other applications to see the data that you as a regular logged-in user can see, as long as you click the OK button to authorize them to do so. If you can see details of your friends' lives, there is a good chance that once you authorize an app by entering your password, that app can see the details of your friends' lives too.

A well-thought-out API is not technically the problem. Many API providers recognize that an API is a great way to trawl through far more data than could be done by just browsing the website, and they protect really private stuff effectively. The problem is still that an API can allow a fairly anonymous developer to collect tons of data, process it and store it extremely rapidly. That developer has their very own, possibly limited, privacy policy that you as a user of the primary web service have no control over. Your friend who clicked an OK button authorized a developer to access your data as a proxy for what they could do on the website. You had no say in the fact that a third-party app now has access to the data your friend sees on the website.

In the majority of cases the API itself is not the problem. It is what it stands for in terms of the sheer amount of data a web service has. Re-phrasing what I said at the beginning:
"API" says that a web app collects, stores and makes accessible a lot of potentially personal information that any number of third-party applications might find valuable to consume and reuse.

The real problem is that in most cases the information web apps have is neither original data nor a work of exceptional creativity. It is data collected from their users, who enjoy sharing details of their lives with their friends and occasional strangers. It is the data stored in LinkedIn, Facebook, Twitter, et al. The data is largely personal and untouched, beyond being transformed in a way that allows it to be retrieved in an instant. When you read "API" on a social networking site, consider this: the website in question probably collects a lot of personal information about its users and their daily habits and actions. Can you trust the developers that tap into your data through the API as much as you trust your friends?

A post from the Improving It blog