APIs And oAuth In A Future Where You Control All Your Data
22 Apr 2014
Open Authorization, or oAuth, is a standard used by API providers to identify who is accessing data made available via APIs, in a way that allows for granular access to this data and gives the end users who created and own the data some control in the process.
As a Facebook user, you get to decide who has access to your Facebook content via the Facebook API. If you are using a mobile application that wants access to your Facebook data, oAuth lets you grant access to the developer of that application and decide exactly which data they can reach.
If done right, API access secured using oAuth can give platforms like Facebook control over their platform’s data, while also opening it up to developers to build new applications on top of, and while giving the right amount of control and decision making to the platform’s end users—a seemingly perfect balance!
In reality, oAuth gets used only as identification, not fully realizing the potential for granular control over data, and rarely gives developers and end-users the tooling and control that would truly bring balance to operations. There are some really good uses of oAuth out there, but there are also some really bad uses, and obviously not enough use of oAuth overall.
While I’m not delusional enough to think that oAuth is a perfect solution, it holds one potential blueprint for what the future could look like. The reason our digital landscape looks like it does right now, with NSA spying and tech companies taking in billions, is that things are not balanced, all the way up the data food chain.
The users of applications like Facebook, Instagram and other leading online platforms are not at all educated about the value they generate each day, and are given very little control over what they generate. The average user generates data, is completely ignorant of its value, and has no ability to access, manage or own that data.
When building web and mobile applications, developers are not always given the benefit of oAuth access; instead they are required to play mediator between users and the platform, holding users’ login credentials and having full access to their data. When oAuth is available, developers are required to employ it as part of development, but are given very little oAuth education, few best practices, and little of the granular control oAuth affords—distilling oAuth down to just authentication, with no thought about access at all.
Online platforms are not using oAuth to its fullest; they use it only for basic identity, if they use it at all. oAuth access and flows are rarely master planned with all 3 legs of the oAuth flow in mind, leaving a platform that tilts in the provider’s favor. Many of these platforms’ business models depend on keeping end-users generating valuable content with as little control and ownership as possible, and developers building applications with as little education and skin in the game as possible, while treating user generated content as purely the intellectual property of the platform.
Those are the 3 legs of oAuth as we know it today. I paint a somewhat grim picture to showcase the systemic illness that exists in a space that is often painted as all positive by tech companies and their investors. What is more worrisome is that right behind the curtain there are other players lurking who don’t even play by oAuth rules, even when oAuth is in place.
Right past your field of vision, beyond the horizon of your Facebook home page, is a growing wave of big data opportunists. All the data you generate on Facebook, your friends, your wall posts, the latitude and longitude reported by your mobile phone, is gathered and used to generate revenue for these platforms. Either the platforms themselves have various big data projects going on, or they are working with external partners to extract revenue from the data you generate.
Beyond the next mountain range in this new digital landscape, beyond where you can see, our government is pulling data across the Internet, introducing another actor that doesn’t play by the oAuth rules, even when they are in place. Post Snowden, we all now know that the NSA is using all of our online data--to protect us, right?
None of the big data projects or government projects that exist show up as a blip on oAuth, and it is unlikely that they ever will. First, not all systems use APIs; many rely on traditional network and database connections to exchange and move data around. Second, even where there are APIs and oAuth in place, platforms aren’t going to give up their core revenue generator, and the government doesn’t want to give away what it is doing, because it is all hush-hush secret.
Let’s try looking at this differently. Let’s play the record above backwards. What does this look like in a utopian API-oAuth land?
Governments at all levels would be required to use APIs for accessing online content, leaving entries in an oAuth registry for every access and what was accessed. Of course, if the access is part of an ongoing investigation it wouldn’t show up immediately, but always with the understanding that at some point the user would be able to see who accessed their information and what they looked at. As soon as a citizen gets online, they should begin interacting with their government to get healthcare and education, and ultimately become a taxpaying citizen—trust is essential to the lifecycle.
Projects of all shapes and sizes would have to register their usage of data, even if it is anonymized and / or used in aggregate. If my social profile is part of your big data study I should know, and have the opportunity to opt in or out. Hell, I’m playing this record backwards in my utopia—I want all users to get a piece of the action. There are plenty of co-op models to choose from. You generate data for a report that gets sold for 10K? 50% of that revenue should be divided up and paid out to all participants who shared data. (Oh yes, Silicon Valley will love this idea.)
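To make the two ideas above concrete, the granular per-resource access a user grants a developer and the access registry the user can later read, here is a small added illustration (my own sketch, not code from any platform or from the OAuth specification). It models only the resource-server side: the scope names, the client name and the resources are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Which scope a client must have been granted to read each resource.
# Constructed names; real providers define their own scope strings.
REQUIRED_SCOPE = {
    "profile": "profile:read",
    "posts": "posts:read",
    "location": "location:read",
}

@dataclass(frozen=True)
class AccessEntry:
    when: str        # UTC timestamp of the access attempt
    user: str        # resource owner whose data was requested
    client: str      # application (the developer leg) making the request
    resource: str    # what was requested
    allowed: bool    # whether the owner's grant covered it

class ResourceServer:
    """Toy provider: enforces per-resource scopes and logs every attempt."""

    def __init__(self):
        self.grants = {}   # (user, client) -> frozenset of scopes the owner approved
        self.log = []      # append-only access registry, queryable by the owner

    def authorize(self, user, client, scopes):
        # The consent step: the owner picks exactly which scopes the client gets.
        self.grants[(user, client)] = frozenset(scopes)

    def revoke(self, user, client):
        # The owner can withdraw access later; subsequent requests are denied.
        self.grants.pop((user, client), None)

    def access(self, user, client, resource):
        needed = REQUIRED_SCOPE.get(resource)
        granted = self.grants.get((user, client), frozenset())
        allowed = needed is not None and needed in granted
        # Denied attempts are logged too: the owner should see who tried, not only who succeeded.
        self.log.append(AccessEntry(datetime.now(timezone.utc).isoformat(),
                                    user, client, resource, allowed))
        if not allowed:
            raise PermissionError(f"{client} lacks {needed} for {user}'s {resource}")
        return f"{user}'s {resource}"   # stand-in for the real payload

    def who_accessed_my_data(self, user):
        # The owner-facing view of the registry: every attempt against their data.
        return [e for e in self.log if e.user == user]
```

Granting only `profile:read` lets the client read the profile but not the posts, and after `revoke` even the profile read fails; all three attempts remain visible to the owner through `who_accessed_my_data`.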
I am a big fan of platforms like Twitter, Flickr, Evernote, and other online platforms I depend on, and generate data through daily. I’m all for them making money through their innovation, algorithms and secret sauces, but I also want them to acknowledge where a portion of the value comes from. Imagine if all online platforms had data portability and APIs by default? Imagine if they all didn’t just have oAuth, but designed and deployed oAuth with developers and end-users in mind? A world where oAuth is the default for any online platform, not because they are told to, but because it helps them meet their mission, the company bottom line, with a nod towards the greater good.
oAuth can be hard, and developers need to be brought up to speed, educated, and provided with the resources they need to properly implement oAuth on behalf of a platform. Much of the education of end-users can be achieved by empowering developers to implement it properly, using intuitive oAuth flows and consistent, granular level access to resources. This type of empowerment of developers will not just deliver value to end-users, it will deliver value to the core platform—driving the positive value and revenue generation that will keep things growing in a healthy way.
Whether it’s sharing a random thought on Facebook or applying for student financial aid from the Department of Education, end-users should be educated about the platforms they use, with an understanding of what data is generated as part of the process, and given control over who has access to this data and how they can use it. As more of our lives move online, and are managed via our mobile phones, the need for APIs with oAuth to deliver valuable data, content and other resources has grown exponentially. To make this sustainable, end-users need to be educated—platforms will benefit from it.
We have to begin to look at content and data access online in this new API economy, in the same ways we look at the other legacy aspects of the economy. Markets don’t work if we don’t have a large base of educated investors, making trades and investments. The financial world ceases to operate if consumers aren’t literate in how to manage their finances, making investments, and generating savings.
APIs are touching all aspects of our economy, from healthcare and education to new sectors like cloud computing and the Internet of Things (IoT). While this story may seem crazy to many technologists and people who are heavily invested in the current Silicon Valley paradigm—it shows two possible futures that are within our grasp. I don’t know about you, but after a taste of what the NSA and Silicon Valley have dished up, I like some of what’s on the menu, but most of it is shit that I’m not interested in being fed.
I don’t mind companies making money off my use of their platforms (paid or free), but acknowledge my role in the algorithm that generates your revenue. If I’m the product, give me some revenue share and say in the process. If you don’t, just as you were the disruptive innovator, so will you be disrupted. You can’t extract value out of a platform, without generating and giving value back. Shit moves too fast on the Internet in 2014, you need to balance things out with your developers, as well as your end-users.
I don’t mind the government tracking what its citizens are doing, but acknowledge us as citizens. We do need to be protected, but we also need to be responsible for the role we play in society. Leave a trail of what you are doing so it can be audited by your watchers, whoever they are, and be accountable. Last time I checked, this was how our country operates. Stop being such douche bags and treating us like children. If you are pulling data, at some point we should know, as a country and as individuals, and you the government should know you are never above this, and at some point have to answer for what you are up to.
We have the technology to make all of this possible; we just have to have the will. In all of this I do not see APIs or oAuth as the solution, I see the will of governments, enterprise, startups, developers and end-users as the solution. This isn’t technical solutionism, it’s human solutionism. We just need to position technology in the right way, augment the best that is in all of us, and work together, and we will find a balance that can work.