I recently wrote a post about requiring APIs for social and other applications that have more then 1 million users. Now that is an approach to the problem of market power that adds new regulations. There is an alternative that would go the route of removing existing laws which I want to discuss today.
What prevents someone today from creating their own programmatic control over services? Why can’t I simply write code that interfaces on my behalf with say Facebook? After all, Facebook’s own app uses an API to talk to Facebook. Well in order to do so I would have to “hack” the existing Facebook app in order to figure out what the API calls are and also how to authenticate myself to those calls. Unfortunately, there are laws on the books that make those necessary steps illegal.
The first is the anti-circumvention provision of the DMCA. The second is the Computer Fraud and Abuse Act (CFAA). The third is the legal construction that by clicking “I accept” on a EULA (End User License Agreement) or a set of Terms of Service I am actually legally bound. The last one is I believe a civil matter, but as far as I know criminal convictions under the first two carry mandatory prison sentences.
So if we were willing to remove all three of these legal obstacles, then hacking an app to give you programmatic access to systems would be possible. Now people might object to that saying those provisions were created in the first place to solve important problems. That’s not entirely clear though. The anti circumvention provision of the DMCA was created specifically to allow the creation of DRM systems for copyright enforcement. So what you think of this depends on what you believe about the extent of copyright.
The CFAA too could be tightened up substantially I believe without limiting its potential for prosecuting real fraud. The same goes for what kind of restriction on usage a company should be able to impose via a EULA or a TOS. In each case if I only take actions that are also available inside the company’s app but just happen to take these actions programmatically (as opposed to manually) why should that constitute a violation?
Sadly I am not optimistic that we will get these kind of changes or anything close to it. We are generally terrible at removing or even just tightening laws once we have them. So even though I would love to see us do this and write about it in the Informational Freedom section of my book World After Capital, it seems more likely that we could get new regulation requiring API access.
