Whether you can’t remember a world without internet or you are still trying to navigate the benefits of a connected world, you need to know what happens behind the scenes when you access your favorite internet on-ramp. So if you use or have ever used mobile games, search engines, social media platforms, news, sports, or shopping websites, video and music streaming services, dating apps and mobile payment systems, this is for you.
Every major website uses Application Program Interfaces (API) to work behind the scenes to gather, share, and utilize your data. Regardless of where you stand on the digital continuum, you should at least know what happens when you press send. Given the headlines of late, even “digital natives” need to know a lot more about how their privacy is used, shared, and ultimately monetized by third parties.
To help explain how this occurs, academics from Fordham Law School and the University of Michigan, from disciplines including law, information, and engineering, have recently issued a report on “APIs and Your Privacy.” APIs refers to “Application Programming Interfaces,” defined as the specific “way through which different online services, websites, and applications can exchange data and interact with each other.”
The purpose of the report is to explain what APIs are and what they do in a manner that is accessible to most internet users. The authors identify four principal types of APIs. First, “content-focused” APIs “provide access to data published by the original service” – think news or weather reports, unedited. Second, “feature” APIs “allow other websites or mobile apps to integrate another service’s existing feature” – think logging in to a website via Google or Facebook. Third, “unofficial” APIs are not part of an actual service but may still access data under certain conditions. Finally, “analytics” APIs “enable developers to gain information about the visitors to their websites,” often for purposes of selling and targeting advertising.
Each API functions according to its goal: gathering, sharing, and or utilizing data, specifically your data when you access the primary site. This does mean that APIs are created for nefarious purposes, because many offer useful information to consumers. The study cites as an example: a widget giving a weather forecast might be a very useful addition to a website for renting outdoor equipment – but the site will need to know a person’s location to accurately forecast the weather. Sometimes, as in the case of Cambridge Analytica obtaining information about millions of Facebook users through one of Facebook’s API tools, the issues are quite serious. This is why it is so important to understand what data APIs might be learning about you.
Just logging into a website using Facebook, for example, gives the website, at a minimum, access to a user’s public Facebook profile and email; developers can then get more personal information, such as friends, likes, and groups on request once Facebook approves the website and the user consents. Something similar occurs with unofficial APIs; a third-party application could get a full profile and matches on Tinder. Or connecting a Venmo account to a third-party service will give that other service “access to all the data and transactions in your Venmo account” – also raising the possibility that it could be stored and used for data mining. This is in addition to Venmo’s own open API of public transactions.
In other words, if you are neither aware nor careful, you will give away far more data than you intend, to those you do not intend to have it.
Analytics APIs are dominated by Google and Facebook. Google gets information about you from other sites that use Google Analytics, thereby allowing Google to develop its profile for advertising. As the authors report, as of 2016, “Google tracking services were being used by about 75% of the one million most popular websites, and Facebook tracking services appeared on 25% of those websites…the vast majority of websites you visit will contain some code from Google or Facebook or both, allowing these companies to develop extremely complex and detailed profiles of you as an internet user.” Your user profile can be used directly or in more subtle ways that track the nature of your website search by drawing conclusions about why you need specific information, vendors, or products.
The paper stops short of making policy recommendations, but it does provide insight and clarity on the precarious nature of individual privacy on the internet. Just as APIs can be used for good, it is equally clear that they can be used to create harm. The authors conclude, “APIs enable the rich and interactive websites and mobile apps of today.” But they also permit much easier access to consumer data than sites could normally gain on their own. Some major sites, including Facebook and Twitter, are revising their policies to try to avoid misuse of consumer data via APIs.
Still, the policy issue looms. Once you know that your data is being used in ways you did not intend, protecting your privacy is likely the next step. But that means there has to be a single standard by which to protect our privacy regardless of where or how you use the internet. We should be able to share our data on terms that allow us to choose where, how, and with whom we share our data. Ultimately, it is clear that we need to press send on a simple message to Congress: The time is ripe to develop comprehensive, uniform data privacy legislation. More is at stake than just knowing the weather before you go kayaking.
Kim Keenan is co-chair of the DC-based Internet Innovation Alliance (IIA).