Facebook's Business Model Is Out Of Alignment With Their API Management Layer

March 21, 2018

All the controls Facebook would have needed to do something about the Cambridge Analytica situation are already in place. The Facebook API management layer has everything needed to have prevented the type of user data abuse we've experienced, and honestly the user data abuse that has happened in many other applications, and will continue to occur. The cause of this behavior is rooted in Facebook's business model, and a wider culture that is fueled by venture capital investment and backdoor data brokering. It is just how the big data / app economy is funded, and when your business model is all based upon advertising, user engagement to generate data / signals, and leveraging that behavior for targeting, you are never going to rein in your API management layer.

In alignment with my other story today around the lack of investment in security, Facebook just doesn't have the incentive to invest in policing their API management layer. There is no motivation to thoroughly vet new applications, let alone regularly review and audit what each application is doing as they approach 10K tokens, 100K, or 270K tokens. Sure, you can't get at all the friends data anymore, so they did work to tighten things down at the API management schema layer, but most of the action we've seen is in response to bad situations, and not preventative. If you are properly managing the access to your APIs, and have the resources to monitor and respond to activity in real time, you are going to see the bad actors and respond accordingly: minimizing the damage that occurs to end-users, developing a robust set of patterns to keep an eye out for, and just getting better at keeping your platform data consumption tight.
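A concrete form of the per-application review described above, added here as an example and not code from the original post: it assumes API management access logs with a constructed record shape (app id, per-install token, the user whose data was read, and the scope requested), and flags apps that cross the token tiers mentioned or whose data reach far exceeds their installed user base, which is what pulling friends-of-user data looks like in the logs.

```python
from collections import defaultdict
from dataclasses import dataclass

# Token tiers named in the post at which an app's activity should get a review.
REVIEW_TIERS = (10_000, 100_000, 270_000)


@dataclass(frozen=True)
class Access:
    """One API-management log record (constructed shape, not any real platform's)."""
    app_id: str        # third-party application
    token: str         # per-install access token, one per user who added the app
    subject_user: str  # user whose data the call returned
    scope: str         # data category requested, e.g. "profile" or "friends"


def audit(records, tiers=REVIEW_TIERS, reach_ratio=5.0):
    """Aggregate per app: live tokens, distinct users read, friend-scope reads.
    Flags a tier crossing, and a data reach far larger than the install base."""
    tokens, subjects, friend_reads = defaultdict(set), defaultdict(set), defaultdict(int)
    for r in records:
        tokens[r.app_id].add(r.token)
        subjects[r.app_id].add(r.subject_user)
        if r.scope == "friends":
            friend_reads[r.app_id] += 1
    report = {}
    for app, toks in tokens.items():
        n_tokens, reach = len(toks), len(subjects[app])
        tier = sum(1 for t in tiers if n_tokens >= t)   # number of tiers crossed
        flags = [f"review-tier-{tier}"] if tier else []
        if reach > reach_ratio * n_tokens:                # reads far beyond its installers
            flags.append("reach-exceeds-installs")
        report[app] = {"tokens": n_tokens, "reach": reach,
                       "friend_reads": friend_reads[app], "flags": flags}
    return report


def constructed_log():
    """Constructed sample: a quiz app that harvests friends, a weather app that doesn't."""
    log = []
    for i in range(11_000):                       # 11K installs: crosses the 10K tier
        log.append(Access("quiz", f"tok-q{i}", f"u{i}", "profile"))
        log.extend(Access("quiz", f"tok-q{i}", f"u{i}-friend{k}", "friends")
                   for k in range(10))            # 10 friends read per install
    for i in range(500):                          # 500 installs, own profile only
        log.append(Access("weather", f"tok-w{i}", f"u{i}", "profile"))
    return log
```

Running `audit(constructed_log())` puts the quiz app in review tier 1 with its reach flagged, while the weather app gets no flags.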

The problem is when your primary business model is centered around advertising, and providing a wealth of controls around targeting users based upon the data points they provide, you want as many apps, as many data points, and as many users as you possibly can. You have no incentive to police what your applications are doing, as long as it drives the bottom line. You won't invest in properly mapping out and restricting your schema, understanding what applications are doing, and sorting out the good from the bad. If it is fueling the delivery of advertising, allowing for more data points to target users based upon, driving clicking, sharing, and the eyeballs on advertising, then it is by definition good. Investment in your API management becomes an extra cost you don't need, especially when it will ultimately hurt the bottom line.

We see this same behavior playing out via Twitter, Google, and other platforms. They will only manage their APIs if it directly competes with them, or makes for bad publicity. This is why Twitter hadn't reined in their bot networks until recently, and why Google doesn't rein in the fake news, conspiracy, and propaganda networks. When advertising is your business model, you want the API faucet open wide, with very little filter on what flows. It isn't a question of what mechanism we can put in place to bring some balance; these are already in place in the form of API management layers. The challenge is bringing business models in alignment with this layer, and incentivizing platforms to behave differently. Use Amazon as an example of this. Imagine if Amazon EC2 or S3 were advertising-driven, what type of bad behavior would we see? I'm not saying bad things don't happen on these platforms, but they are managed much better, with different incentive models in play.

This conversation reflects one of the reasons I do API Evangelist. I don't believe everyone should be doing APIs. However, the cat is out of the bag. The APIs are in place, and driving the web, mobile, and device applications across our Internet connected lives. The mechanisms are in place to monitor, limit, control, and understand what applications are doing with platform data. We just have to push for more observability at the API layer, and acknowledge that the business model for these platforms, and the wider technology sector, is out of balance. This will prove to be the biggest challenge in changing all of this behavior: entrepreneurs and investors have gotten a taste of the value that can be generated at this layer, and it won't be something they will give up easily. There is a lot of money to be made via platforms when you can easily look the other way and say, "I didn't know that was happening, so I shouldn't be responsible."
