APIs and Your Privacy

Thomas Norton, Executive Director, Fordham Center on Law and Information Policy

Florian Schaub, Assistant Professor, University of Michigan School of Information


Post on 22-May-2020


Application Programming Interfaces

APIs at the core of many privacy headlines

Headlines shown: New York Times, New York Times, Slate, The Guardian…

• Companies are tightening API access
– Facebook revoked API access to thousands of apps
– Twitter tightens vetting of third parties seeking data
– GDPR spurred companies to evaluate data practices


Report: APIs and Your Privacy

• How APIs work
• How websites and apps use APIs to gather, share, and utilize data
• What companies learn about users

Focus:
• APIs for third-party developers
• APIs for advertisers

Approach

Analyzed APIs of popular services in different categories:

• Facebook (social media website/app)
• Google Search (online search engine)
• Google Maps (location-based service)
• Amazon.com (online shopping)
• Netflix (video streaming)
• Candy Crush Saga (mobile game)
• Pandora (music streaming)
• CNN.com (online news)
• ESPN.com (sports website)
• Tinder (dating mobile app)
• Venmo (mobile payment app)

What Are APIs?

• A predefined way for two services or components to communicate and interact with one another
• APIs are the common way for interconnecting two or more services

How Do APIs Work?

• A service may have a feature or tool it wants to make available to other websites or applications
• The service defines a set of allowed interactions and a protocol for using the feature/tool – the API
• Other websites/applications use the API to use the service

We use predefined protocols in many parts of our lives

https://www.wikihow.com/Mail-a-Letter

Similar: using APIs to have online services interact

1. You visit KayakRental.com
2. KayakRental.com needs data from GetWeather.com
3. KayakRental.com requests weather for zip code 12345 through the GetWeather API
4. GetWeather.com sends weather data

• Developers of websites, apps, and other platforms may access your data through APIs
• Advertisers on these platforms may also access information about you from popular websites and apps
• In addition, websites and apps may learn more information about you from those developers and advertisers utilizing their APIs

Developer APIs

Four main types:

• Content-focused APIs
• Feature APIs
• Unofficial APIs
• Analytics APIs

Content-focused APIs

• Provide access to content, such as news stories
• Do not directly share user data with the developer

ESPN API shutdown 2014

Feature APIs

• Allow websites or apps to integrate other services’ features
• Some of these APIs share your data with the third-party developer:
– Facebook Login: your public profile and email address
– Amazon In-App Purchases: User ID, location, currency
• But this is conservative

Unofficial APIs

• Internal APIs that are discovered, documented, and used by third parties for an unintended purpose

Tinderbox

• Note: if you use a third-party application to sign into your account, that application will have complete access to your account
• Also true for official third-party applications
• Open APIs

Public by Default, Hang Do Thi Duc

Analytics APIs

• Facebook and Google offer analytics APIs:
– Third-party developers add invisible code to their website or app
– Facebook or Google tracks visitors and shares aggregate statistics with the developer
• Developers are incentivized by audience insights to use these analytics APIs
• Analytics platforms track users across the web
– Of top 1m websites (in 2016):
  • 75% have Google Analytics
  • 25% have Facebook Analytics

Englehardt & Narayanan CCS 2016 (https://webtransparency.cs.princeton.edu/webcensus/)
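
The analytics arrangement described above, as an added example that is not from the original slides or the report: a simulated provider whose snippet is embedded on three sites gives each developer only aggregate counts, while the provider itself can reconstruct one visitor's trail across all of them. The class, its method names, and the `*.example` hostnames are hypothetical, and the simulation assumes the browser presents the same provider cookie on every embedding site.

```javascript
// Constructed simulation, no network. Site names and field names are hypothetical.
// Assumption: the browser sends the provider's cookie from every embedding site
// (classic third-party cookie behaviour).
class AnalyticsProvider {
  constructor() {
    this.hits = [];   // one record per page load that ran the embedded snippet
    this.nextId = 1;
  }

  // Runs when the snippet embedded on `site` loads in a browser.
  // `cookieJar` models that browser's cookie store for the provider's domain.
  collect(cookieJar, site, path) {
    if (!cookieJar.visitorId) cookieJar.visitorId = `v${this.nextId++}`;
    this.hits.push({ visitorId: cookieJar.visitorId, site, path });
    return cookieJar.visitorId;
  }

  // What a developer sees: aggregate statistics for their own site only.
  reportFor(site) {
    const own = this.hits.filter((h) => h.site === site);
    return {
      site,
      pageViews: own.length,
      uniqueVisitors: new Set(own.map((h) => h.visitorId)).size,
    };
  }

  // What the provider can derive: one visitor's trail across every embedding site.
  trailOf(visitorId) {
    return this.hits
      .filter((h) => h.visitorId === visitorId)
      .map((h) => h.site + h.path);
  }
}

function runDemo() {
  const provider = new AnalyticsProvider();
  const alice = {}; // cookie jar of browser A
  const bob = {};   // cookie jar of browser B

  const aliceId = provider.collect(alice, "news.example", "/politics");
  provider.collect(alice, "shop.example", "/kayaks");
  provider.collect(alice, "health.example", "/symptoms");
  provider.collect(bob, "shop.example", "/kayaks");
  provider.collect(bob, "shop.example", "/checkout");

  return {
    shopReport: provider.reportFor("shop.example"),
    aliceTrail: provider.trailOf(aliceId),
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The shop's developer receives only page-view and unique-visitor counts, yet the provider's own records link the same visitor to the news, shop, and health sites.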

No APIs Offered

• Some services offer no third-party APIs
– They may wish to keep their content only within their own products

Developer APIs Summary

• APIs allow companies to exchange functionality and data, some of which is about you
• By using a service’s APIs, developers allow those companies to see more of your online browsing habits
• Because their APIs are so popular, large companies like Google and Facebook have an insight into most of what you look at online

APIs and Advertising

• APIs can help generate advertising revenue:
– Platforms collect and organize your information into categorized profiles
– Advertisers refine audience selection for marketing products and services
– Platforms generate revenue by permitting advertisers to reach their desired audience
• APIs allow advertisers to target their intended audience more precisely
• Two benefits:
– Showing interesting products
– Reduce costs while increasing conversion rates
• Additionally, platforms often make user data analytical tools available to advertisers

Internal Monetization

• Revenue-sharing between platform and content creators

External Monetization

• Placing a price on products and services
– Add-ons
– Indirect monetization
– Direct monetization

Marketing APIs

• Create user profiles based on users’ online behavior
• By collecting and sifting through your data, marketing APIs enable advertisers to target you and collect your information

Advertiser Access

• APIs allow platforms to collect data to narrowly categorize their users
• Advertisers pay platforms to target specific audiences with their advertisements

Audience-specific targeting options of Comcast Spotlight (used by CNN.com and ESPN.com)

• Advertisers may access your data through APIs:
– Some platforms make data available for targeting
– Advertisers can also embed tools, like cookies, into their ads to share and collect more of your data
– Advertisers may also receive your data through analytics tools offered by platforms

Advertising APIs Summary

• APIs help platforms collect data about you and categorize you into user profiles marketable to advertisers.
• APIs allow advertisers to target specific audiences and may enable them to access your data.

Observations and Conclusions

• APIs are essential for integration of online services
• APIs can be used by developers and advertisers to collect your personal data from popular websites and apps
• APIs can be used by websites and apps to get information about you from platforms and advertisers
• APIs enable enhanced user tracking
– website to website
– app to app
– website to app to website
• This data is aggregated by online services and advertisers
– Large companies can compile all data about you in one place
– Companies offer advertisers thousands of audience filters
• Companies may play several different roles
– Service provider
– Data aggregator and profiler
– Advertising platform provider
– Data broker
• APIs are an inherent part of the online ecosystem
• Their privacy implications deserve closer scrutiny
• What can consumers do?
– consider what companies might learn about you
  • from data you provide directly to them
  • from data they might be gathering implicitly about you
– use privacy settings – if available – to limit data use and sharing


Download the report: http://law.fordham.edu/apiprivacy