apis and your privacy - the policy forum at at&t · • apis allow companies to exchange...
TRANSCRIPT
APIs and Your PrivacyThomas NortonExecutive DirectorFordham Center on Law and Information Policy
Florian SchaubAssistant ProfessorUniversity of Michigan School of Information
ApplicationProgrammingInterfaces
2
3
APIs at the core of many privacy headlines
New York Times
New York Times
Slate
The Guardian…
• Companies are tightening API Access
– Facebook revoked API access to thousands of apps
– Twitter tightens vetting of third-parties seeking data
– GDPR spurred companies to evaluate data practices
4
APIs at the core of many privacy headlines
5
• How APIs work• How websites and apps use APIs
to gather, share, and utilize data• What companies learn about
users
Report: APIs and Your Privacy
6
• How APIs work• How websites and apps use APIs
to gather, share, and utilize data• What companies learn about
users
Focus:• APIs for third-party developers• APIs for advertisers
Report: APIs and Your Privacy
7
Facebook (social media website/app)
Google Search (online search engine)
Google Maps (location-based service)
Amazon.com (online shopping)
Netflix (video streaming)
Candy Crush Saga (mobile game)
Pandora (music streaming)
CNN.com (online news)
ESPN.com (sports website)
Tinder (dating mobile app)
Venmo (mobile payment app)
Approach
Analyzed APIs of popular services in different categories
8
• A predefined way for two services or components to communicate and interact with one another
• APIs are the common way for interconnecting two or more services
What Are APIs?
9
• A service may have a feature or tool it wants to make available to other websites or applications
• Service defines set of allowed interactions and a protocol for using the feature/tool – the API
• Other websites/ applications use the API to use the service
How Do APIs Work?
10
We use predefined protocols in many parts of our lives
How Do APIs Work?
https://www.wikihow.com/Mail-a-Letter
11
Similar: using APIs to have online services interact
How Do APIs Work?
12
Similar: using APIs to have online services interact
How Do APIs Work?
13
Similar: using APIs to have online services interact
How Do APIs Work?
1. You visit KayakRental.com
14
Similar: using APIs to have online services interact
How Do APIs Work?
1. You visit KayakRental.com
2. KayakRental.comneeds data from GetWeather.com
15
Similar: using APIs to have online services interact
How Do APIs Work?
1. You visit KayakRental.com
2. KayakRental.comneeds data from GetWeather.com
3. KayakRental.comrequests weather for
zip code 12345 through GetWeather API
16
Similar: using APIs to have online services interact
How Do APIs Work?
1. You visit KayakRental.com
2. KayakRental.comneeds data from GetWeather.com
3. KayakRental.comrequests weather for
zip code 12345 through GetWeather API
4. GetWeather.comsends weather data
17
• Developers of websites, apps, and other platforms may access your data through APIs
• Advertisers on these platforms may also access information about you from popular websites and apps
How Do APIs Work?
18
• Developers of websites, apps, and other platforms may access your data through APIs
• Advertisers on these platforms may also access information about you from popular websites and apps
• In addition, websites and apps may learn more information about you from those developers and advertisers utilizing their APIs
How Do APIs Work?
19
Four main types:
• Content-focused APIs• Feature APIs• Unofficial APIs• Analytics APIs
Developer APIs
20
• Provide access to content, such as news stories• Do not directly share user data with the developer
Content-focused APIs
ESPN API shutdown 2014
21
• Allow websites or apps to integrate other services’ features
Feature APIs
22
• Some of these APIs share your data with the third-party developer:
– Facebook Login: your public profile and email address– Amazon In-App Purchases: User ID, location, currency
• But this is conservative
Feature APIs
23
• Internal APIs that are discovered, documented, and used by third-parties for an unintended purpose
Unofficial APIs
Tinderbox
24
• Internal APIs that are discovered, documented, and used by third-parties for an unintended purpose
Unofficial APIs
25
• Note: if you use a third-party application to sign into your account that application will have complete access to your account
• Also true for official third-party applications
Unofficial APIs
26
• Note: if you use a third-party application to sign into your account that application will have complete access to your account
• Also true for official third-party applications
Unofficial APIs
27
• Open APIs
Unofficial APIs
Public by Default, Hang Do Thi Duc
28
• Facebook and Google offer analytics APIs:– Third-party developers add invisible code to their website or app– Facebook or Google tracks visitors and shares aggregate
statistics with the developer
Analytics APIs
29
• Developers are incentivized by audience insights to use these analytics APIs
• Analytics platforms track users across the web– Of top 1m websites (in 2016):
• 75% have Google Analytics• 25% have Facebook Analytics
Engelhard & Narayanan CCS 2016 (https://webtransparency.cs.princeton.edu/webcensus/)
Analytics APIs
30
• Some services offer no third-party APIs– They may wish to keep their content only within their own
products
No APIs Offered
31
• APIs allow companies to exchange functionality and data, some of which is about you
• By using a service’s APIs, developers allow those companies to see more of your online browsing habits
• Because their APIs are so popular, large companies like Google and Facebook have an insight into most of what you look at online
Developer APIs Summary
32
• APIs can help generate advertising revenue:– Platforms collect and organize your information into categorized
profiles– Advertisers refine audience selection for marketing products and
services– Platforms generate revenue by permitting advertisers to reach
their desired audience
APIs and Advertising
33
• APIs allow advertisers to target their intended audience more precisely
• Two benefits:– Showing interesting products– Reduce costs while increasing conversion rates
• Additionally, platforms often make user data analytical tools available to advertisers
APIs and Advertising
34
• Revenue-sharing between platform and content creators
Internal Monetization
35
• Placing a price on products and services– Add-ons– Indirect monetization– Direct monetization
External Monetization
36
• Create user profiles based on users’ online behavior• By collecting and sifting through your data, marketing APIs
enable advertisers to target you and collect your information
Marketing APIs
37
• APIs allow platforms to collect data to narrowly categorize their users
• Advertisers pay platforms to target specific audiences with their advertisements
Advertiser Access
Audience-specific targeting options of ComCast Spotlight (used by CNN.com and ESPN.com)
38
• Advertisers may access your data through APIs: – Some platforms make data available for targeting– Advertisers can also embed tools, like cookies, into their ads to
share and collect more of your data– Advertisers may also receive your data through analytics tools
offered by platforms
Advertiser Access
39
• APIs help platforms collect data about you and categorize you into user profiles marketable to advertisers.
• APIs allow advertisers to target specific audiences and may enable them to access your data.
Advertising APIs Summary
40
• APIs are essential for integration of online services
Observations and Conclusions
41
• APIs are essential for integration of online services
• APIs can be used by developers and advertisers to collect your personal data from popular websites and apps
Observations and Conclusions
42
• APIs are essential for integration of online services
• APIs can be used by developers and advertisers to collect your personal data from popular websites and apps
• APIs can be used by websites and apps to get information about you from platforms and advertisers
Observations and Conclusions
43
• APIs enable enhanced user tracking– website to website – app to app – website to app to website
Observations and Conclusions
44
• APIs enable enhanced user tracking– website to website – app to app – website to app to website
• This data is aggregated by online services and advertisers– Large companies can compile all data about you in one place– Companies offer advertisers thousands of audience filters
Observations and Conclusions
45
• Companies may play several different roles– Service provider– Data aggregator and profiler– Advertising platform provider– Data broker
Observations and Conclusions
46
• APIs are an inherent part of the online ecosystem
• Their privacy implications deserve closer scrutiny
Observations and Conclusions
47
• What can consumers do?– consider what companies might learn about you
• from data you provide directly to them• From data they might be gathering implicitly about you
– use privacy settings – if available – to limit data use and sharing
Observations and Conclusions
APIs and Your Privacy
Thomas NortonExecutive DirectorFordham Center on Law and Information Policy
Florian SchaubAssistant ProfessorUniversity of Michigan School of Information
Download the report: http://law.fordham.edu/apiprivacy