alecm, 19 hours ago to AdobePhotoshop

Zuckerman vs: Zuckerberg: why and how this is a battle of the public understanding of APIs, and why Zuckerman needs to lose and Meta needs to win

Imagine that you’re a cool, high-school, technocultural teenager; you’ve been raised reading Cory Doctorow’s “Little Brother” series, you have a 3D printer, a soldering iron, you hack on Arduino control systems for fun, and you really, really want a big strobe light in your bedroom to go with the music that you blast-out when your parents are away.

So you build a stepper-motor with a wheel and a couple of little arms, link it to a microphone circuit which does a FFT of ambient sound, and hot-glue the whole thing to your bedroom lightswitch so that the wheel’s arms can flick the lightswitch on-and-off in time to the beat.

If you’re lucky the whole thing will work for a minute or two and then the switch will break, because it wasn’t designed to be flicked on-and-off ten times per second; or maybe you’ll blow the lightbulb. If you’re very unlucky the entire switch and wiring will get really hot, arc, and set fire to the building. And if you share, distribute, and encourage your friends to do the same then you’re likely to be held liable in one of several ways if any of them suffer cost or harm.

Who am I?

My name’s Alec. I am a long-term blogger and an information, network and cyber security expert. From 1992-2009 I worked for Sun Microsystems, from 2013-16 I worked for Facebook, and today I am a full-time stay at home dad and part-time consultant. For more information please see my “about” page.

What does this have to do with APIs?

Before I begin I want to acknowledge the work of Kin Lane, The API Evangelist, who has been writing about the politics of APIs for many years. I will not claim that Kin and I share the same views on everything, but we appear to overlap perspectives on a bunch of topics and a lot of the discussion surrounding his work resonates with my perspectives. Go read his stuff, it’s illuminating.

So what is an API? My personal definition is broad but I would describe an API as any mechanism that offers a public or private contract to observe (query, read) or manipulate (set, create, update, delete) the state of a resource (device, file, or data).

In other words: a light switch. You can use it to turn the light on if it’s off, or off if it’s on, and maybe there’s a “dimmer” to set the brightness if the bulb is compatible; but light switches have their physical limitations and expected modes of use, and they need to be chosen or designed to fit the desired usage model and purpose.

Perhaps to some this definition sounds a little too broad because it would literally include referring to (e.g.) “in-browser HTML widgets and ‘submit’ buttons for deleting friendships” as an “API”; but the history of computing is rife with human-interface elements being repurposed as application-interfaces, such as banking where it was once fashionable to link new systems to old backend mainframes by using software that pretends to be a traditional IBM 3270 terminal and then screen-scraping responses to queries which were “typed” into the terminal by the new system.

The modern equivalent for web-browsers is called Selenium WebDriver and is widely used by both automated software testers and criminal bot-farms, to name but two purposes.

So yes: the tech industry — or perhaps: the tech hacker/user community — has a long history of wiring programmable motors to light switches and hoping that their house does not catch on fire… but we should really aspire to do better than that… and that’s where we come to the history of EBay and Twitter.

History of Public APIs

In the early 2000s there was a proliferation of platforms that offered various services — “I can buy books over the internet? That’s amazing!” — and this was all before the concept of a “Public API” was invented.

People wanted to “add-value” or “auto-submit” or “retrieve data” from those platforms, or even to build “alternative clients”; so they examined the HTML, reverse-engineered the functions of Internal or Private APIs which made the platform work, wrote and shared ad-hoc tools that posted and scraped data, and published their work as hackerly acts of radical empowerment “on behalf of the users” … except for those tools which stole or misused your data.

Kin Lane particularly describes the launch of the Public APIs for EBay in November 2000 and for Twitter in September 2006; about the former he writes:

The eBay API was originally rolled out to only a select number of licensed eBay partners and developers. […] The eBay API was a response to the growing number of applications that were already relying on its site either legitimately or illegitimately. The API aimed to standardize how applications integrated with eBay, and make it easier for partners and developers to build a business around the eBay ecosystem.

link

---

…and regarding the latter:

On September 20, 2006 Twitter introduced the Twitter API to the world. Much like the release of the eBay API, Twitter’s API release was in response to the growing usage of Twitter by those scraping the site or creating rogue APIs.

link

---

…both of which hint at some issues:

1. an ecosystem of ad-hoc tools that attempt to blindly and retrospectively track EBay’s own platform development would not offer standardisation across the tools that use those APIs, and so would thereby actually limit potential for third-party client development; each tool would be working with different assumed “contracts” of behaviour that were never meant to be fixed or exposed to the public, and would also replicate work
2. proliferation of man-in-the-middle “services” that would act “on your behalf” — and with your credentials — on the Twitter and EBay platforms, presented both a massive trust and security risk to the user (fraudulent purchases? fake tweets? stolen credentials?) with consequent reputational risk to the platform

Why do Public APIs exist?

In short: to solve these problems. Kin Lane writes a great summary on the pros-and-cons of Public APIs and how they are used both to enable, but also to (possibly unfairly) limit, the power of third party clients that offer extra value to a platform’s users.

But at the most fundamental level: Public APIs exist in order to formalise contracts of adequate means by which third-parties can observe or manipulate “state” (e.g.; user data, postings, friendships, …) on the platform.

By offering a Public API the platform frees itself also to develop and use Private APIs which can service other or new aspects of platform functionality, and it’s in a position to build and “ring-fence” the Public API service in the expectation of both heavy use and abuse being submitted through it.

Similarly: the Private APIs can be engineered more simply to act like domestic light-switches: to be used in limited ways and at human speeds; it turns out that this can be important for matters like privacy and safety.

Third parties benefit from Public APIs by having a guaranteed set of features to work with, proper documentation of API behaviour, and confidence that the API will behave in a way that they can reason about, and an API lifecycle management process with which will enable them to make their own guarantees regarding their work.

What is the Zuckerman lawsuit?

First, let me start with a few references:

• The Tweet
• The Announcement
• The Legal Complaint
• The Wired Article
• Some Background from 2021
• A Relevant Podcast

The shortest summary of the lawsuit that I have heard from one of its ardent supporters, is that the lawsuit:

[…] seeks immunity from [the Computer Fraud and Abuse Act] and [the Digital Millennium Copyright Act] [for legal] claims [against third parties or users] for automating a browser [to use Private APIs to obtain extra “value” from a website] and [the lawsuit also] does not seek state mandated APIs, or, indeed, any APIs

(private communication)

---

To make a strawman analogy so that we can defend it’s accuracy:

Let’s build and distribute motors to flick lightswitches on and off to make strobe lights, because what’s the worst that could happen? And we want people to have a fundamental right to do this, because Section 230 says we have such a right. We won’t be requiring any new switches to be installed, we just want to be allowed to use the ones that are already there, so it’s easy and low-cost to ask for, and there’s no risk to us doing this. But we also want legal immunity just in case what we provide happens to burn someone’s house down.

In other words: a return to the ways of the early 2000s, where scraping data and poking undocumented Private APIs was an accepted way to hack extra value into a website platform. To a particular mindset — especially the “big tech is irredeemably evil” folk — this sounds great, because clearly Meta intentionally prevents your having full, automated remote control over your user data on the grounds that it’s terribly valuable to them, and their having it keeps you addicted, so it helps them make money …

And you know what? To a very limited extent I agree with that premise — or at least that some of the Facebook user-interface is unnecessarily painful to use.

E.g. I feel there is little (some, but little) practical excuse for the heavy user friction which Facebook imposes upon editing of the “topics you may be interested in receiving adverts about“; but the way to address this is not to encourage proliferation of browser plugins (of dubious provenance regarding privacy and regulatory compliance, let alone uncertain behaviour) which manipulate undocumented Private APIs.

Apart from any other reason, as alluded above, Private APIs are built in the expectation of being used in a particular way — e.g. by humans, at a particular cadence and frequency — and on advanced platforms like Facebook they are engineered with those expectations enforced by rate limits not only for efficiency but also for availability, security and privacy reasons.

This is something which I partially described in a presentation on behalf of Facebook at PasswordCon in 2014, but the short version is: if an API is expected to be used primarily by a human being, then for security and trust purposes it makes sense to limit it to human rates of activity.

If you start driving these Private APIs at rates which are inhuman — 10s or 100s of actions per second — then you should and will expect them to either be rate-limited, or else possibly break the platform in much the same way that flicking a lightswitch at such a rate would break that lightswitch or bulb.

With this we can describe the error in one of the proponent’s claims: We aren’t requiring any new [APIs] to be installed, we just want to be allowed to use the ones that are already there — but if the Private API is neither intended nor capable of being driven at automated speeds then either something (the platform?) will break, or else there will be loud demands that the Private APIs be re-engineered to remove “bottlenecks” (rate limits) to the detriment of availability and security.

But if you will be calling for the formalisation of Private APIs to provide functionality, why are you not instead calling for an obligation upon the platform to provide a Public API?

Private APIs are not Public APIs, and Public APIs may demand registration

The general theme of the lawsuit is to demand that any API which a platform implements — even undocumented Private ones — should be legally treated as a Public API, open for use by third party implementors, without reciprocal obligation that the third-party client obtain an “API Key” to identify itself, nor to abide by particular behaviour or rate-limits.

In short: all APIs, both Public and Private, should become “fair game” to third party implementors, and the Platforms should have no business to distinguish between one third-party or another, even in the instance that one or more of them are malicious.

This is a dangerous proposal. Platforms innovate new functionality and change their Private API behaviour at a relatively rapid speed, and there is currently nothing to prevent that; but if a true “right to use” for a Private API becomes somehow enshrined, what happens next?

Obviously: any behaviour which interferes with a public right-to-use is illegal, so it will therefore become illegal to change or remove Private APIs — or at very least any attempt to do so will lead to claims of “anticompetitive behaviour” and yet more punitive lawsuits. The free-speech rights of the platform will be abridged by compulsion to never change APIs, or to support legacy-publicly-used-yet-undocumented APIs forever more.

So, again, why not cut this Gordian knot by compelling platforms to make available a Public API that supports the desired functionality? After all, even Mastodon obligates developers of third-party apps to register their apps before use; but somehow big platforms should accept and and all non-human usage of Private APIs without discrimination?

Summary

I don’t want to keep flogging this horse, so I am just going to try and summarise in a few bullets:

1. Private APIs exist to provide functionality to directly support a platform; they are implemented in ways which reflect their expected (usually: human) modes of use, they are not publicly documented, they can come and go, and this is normal and okay
2. Public APIs exist to provide functionality to support third-party value-add to a platform; they are documented and offer some form of public “contract” or guarantee of behaviour, capability, and reliability. They are often designed in expectation of automated or bulk usage.
3. Private APIs do not offer such a public contract; they are not meant to be built upon other than by the platform itself. They are meant to be able to “go away” without fuss, but if their use is a guaranteed “right” then how can they ever be deprecated?
4. If third parties want to start using Private APIs as if they were Public APIs then the Private APIs will probably need to be re-engineered to support the weight of automated or bulk usage; but if they are going to be re-engineered anyway, why not push for them to become Public APIs?
5. If Private APIs are not re-engineered and their excessive automated use by third party tools breaks the platform, why should the tool-user or the tool-provider not be held at least partly responsible as would happen in any other form of intentional or unintentional Denial-of-Service attack?
6. If some (in-browser) third party tools claim to be acting “for the public good” then presumably they will have no problem in identifying themselves in order to differentiate themselves from (in-browser) evil cookie-stealing malware and worms; but to differentiate themselves would require use of an API Key and a Public API — so why are the third-party tool authors not calling to have the necessary Public APIs?

Just because an academic says “I wrote a script and I think it will work and that I [or one of your users] should be allowed to run it against your service without fear of reprisal even though [we] don’t understand how the back end system will scale with it”— does not mean that they should be permitted to do so willy-nilly, not against Facebook nor against your local community Mastodon instance.

https://www.addtoany.com/add_to/copy_link?linkurl=https%3A%2F%2Falecmuffett.com%2Farticle%2F109757&linkname=Zuckerman%20vs%3A%20Zuckerberg%3A%20why%20and%20how%20this%20is%20a%20battle%20of%20the%20public%20understanding%20of%20APIs%2C%20and%20why%20Zuckerman%20needs%20to%20lose%20and%20Meta%20needs%20to%20winhttps://www.addtoany.com/add_to/threads?linkurl=https%3A%2F%2Falecmuffett.com%2Farticle%2F109757&linkname=Zuckerman%20vs%3A%20Zuckerberg%3A%20why%20and%20how%20this%20is%20a%20battle%20of%20the%20public%20understanding%20of%20APIs%2C%20and%20why%20Zuckerman%20needs%20to%20lose%20and%20Meta%20needs%20to%20winhttps://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Falecmuffett.com%2Farticle%2F109757&linkname=Zuckerman%20vs%3A%20Zuckerberg%3A%20why%20and%20how%20this%20is%20a%20battle%20of%20the%20public%20understanding%20of%20APIs%2C%20and%20why%20Zuckerman%20needs%20to%20lose%20and%20Meta%20needs%20to%20winhttps://www.addtoany.com/add_to/whatsapp?linkurl=https%3A%2F%2Falecmuffett.com%2Farticle%2F109757&linkname=Zuckerman%20vs%3A%20Zuckerberg%3A%20why%20and%20how%20this%20is%20a%20battle%20of%20the%20public%20understanding%20of%20APIs%2C%20and%20why%20Zuckerman%20needs%20to%20lose%20and%20Meta%20needs%20to%20winhttps://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Falecmuffett.com%2Farticle%2F109757&linkname=Zuckerman%20vs%3A%20Zuckerberg%3A%20why%20and%20how%20this%20is%20a%20battle%20of%20the%20public%20understanding%20of%20APIs%2C%20and%20why%20Zuckerman%20needs%20to%20lose%20and%20Meta%20needs%20to%20winhttps://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Falecmuffett.com%2Farticle%2F109757&linkname=Zuckerman%20vs%3A%20Zuckerberg%3A%20why%20and%20how%20this%20is%20a%20battle%20of%20the%20public%20understanding%20of%20APIs%2C%20and%20why%20Zuckerman%20needs%20to%20lose%20and%20Meta%20needs%20to%20winhttps://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Falecmuffett.com%2Farticle%2F109757&linkname=Zuckerman%20vs%3A%20Zuckerberg%3A%20why%20and%20how%20this%20is%20a%20battle%20of%20the%20public%20understanding%20of%20APIs%2C%20and%20why%20Zuckerman%20needs%20to%20lose%20and%20Meta%20needs%20to%20winhttps://www.addtoany.com/add_to/mastodon?linkurl=https%3A%2F%2Falecmuffett.com%2Farticle%2F109757&linkname=Zuckerman%20vs%3A%20Zuckerberg%3A%20why%20and%20how%20this%20is%20a%20battle%20of%20the%20public%20understanding%20of%20APIs%2C%20and%20why%20Zuckerman%20needs%20to%20lose%20and%20Meta%20needs%20to%20winhttps://www.addtoany.com/share

⊞

https://alecmuffett.com/article/109757

#apis #ethanZuckerman #kinLane #meta #scraping

accessibleandroid, 1 day ago to android

New game added to the Accessible Android apps directory: Cricket Masters accessible https://accessibleandroid.com/app/cricket-masters/ #Android #Game #App #Accessibility

metin, 2 days ago to mastodon

A question for Android users…

I've been using Tusky for quite a while now, and I wonder if the official Mastodon app has become better than Tusky in the mean time.

In case there's a new superstar Mastodon app for Android, that'd also be interesting to know. 🙂

Thanks in advance.

#mastodon #android #app #fediverse #mobile

thomas, 2 days ago to lemmy

Trying Sync for Lemmy

https://play.google.com/store/apps/details?id=io.syncapps.lemmy_sync

#lemmy #reddit #android #app

sengi_app, 3 days ago to mastodon

Small #wip of what next #Sengi update might bring. 😉

Still lots of work to do, and it's clearly not really fun stuff. But I know some of you will be happy to get it. 🙂

(If you want to get it sooner, buy me some coffee via my patreon!)

#mastodon #pleroma #client #app

light theme preview

kubikpixel, 4 days ago to mastodon German

:mastodon: Bis jetzt nutze ich nicht das original #Mastodon App um hier zu kommunizieren. Ich nutze auf meinem #Smartphone schon lange @Tusky aber es gibt auch @moshidon, hat jemensch von euch Erfahrungen damit und wie sind die?

📱 Beide sind auch über @fdroidorg und/oder dessen #App-Erweiterung vom @IzzyOnDroid auf #Android installierbar.

83r71n, 5 days ago to Cybersecurity

Google's passkeys, introduced in 2022, have become a popular and secure alternative to traditional passwords, being used over 1 billion times across 400 million-plus Google accounts. These passkeys, which rely on fingerprints, face scans, or PINs for authentication, are faster and more resistant to phishing than passwords. Google plans to integrate passkeys into its Advanced Protection Program, enhancing security for high-risk users. Additionally, third-party password managers like Dashlane and 1Password can now support passkeys, further expanding their use. The technology is supported by major companies like eBay, Uber, PayPal, and Amazon, indicating a shift towards passkey-based authentication as a more secure and efficient method.

https://blog.google/technology/safety-security/google-passkeys-update-april-2024/

#cybersecurity #google #passkeys #password #pin #phishing #app #dashlane #1password #ebay #uber #paypal #amazon

ThatOneGuyT_T, 5 days ago to music

God i love open source

https://flathub.org/apps/com.github.neithern.g4music

#music #app #linux #opensource

badrihippo, 6 days ago to AdobePhotoshop

#App developers, is there an easy way to securely share sensitive data (eg. login credentials) locally between two #apps on the same device? And if not, what about non-sensitive data (like how the #SimpleApps or whatever they're called now share themes)? 🔏

Basically it's a family of apps with a common login and we're trying to avoid the user having to log in separately on each one. We're using #Capacitor, if that matters ⚙️

(If all this was on #Mobian it'd be so simple 😑)

Linux, 7 days ago to opensource

⚠️ GitLab Security Flaw (exploit) ⚠️

No matter if you host your own copy of GitLab Software or use GitLab's servers directly, you should enable 2-step Verification - NOW (right now, do not wait). There is a current exploit that allows someone to hijack GitLab Accounts, who are not using 2-step verification.

#GitLab #OpenSource #Floss #Linux #Windows #Apple #Android #iOS #App

accessibleandroid, 7 days ago to android

New game added to the Accessible Android apps directory: Azmar Quest https://accessibleandroid.com/app/azmar-quest/ #Android #App #Game

aral, 7 days ago to fediverse

Tusks is a little indie Mastodon app by @bardi that lets you see just your posts and compose new ones (with a focus on making it easy to compose threads).

Just bought myself a lifetime license.

Check it out at https://thirdculture.app/tusks

Love to see indie devs making useful little tools that do what they say on the tin and nothing more (check out the privacy policy in the attached screenshot).

#tusks #fediverse #mastodon #indie #app #iOS #macOS

kubikpixel, 8 days ago to web

Today is a good day to explain the Fediverse to peoples and share this text about it!

»Web – The fediverse, explained:
The buzziest new thing in social networking is a big deal. It’s also very confusing. And it’s not actually new. Let’s talk about it.«

:BoostOK: https://www.theverge.com/24063290/fediverse-explained-activitypub-social-media-open-protocol

—
#web #internet #fediverse #netapp #app #socialmedia #socialweb #social #inet

gestalter, 8 days ago to AdobePhotoshop German

i made a little #delta #app #icon for your homescreens. 🎮

grab it here:
https://drive.google.com/drive/folders/1h5vo1bZdW6Z9Rv1fT05dmKYe26Y1KJK8?usp=sharing

#MadeWithSketch #iOS

craiggrannell, 9 days ago to iPhone

Fancy a nice afternoon read about a cracking #iPhone #app? The latest entry in my classics series is Cs Music Pro (formerly Cesium Music Player): https://www.tapsmart.com/features/classics-cs-music/

🎶

jezlyn, 9 days ago to fountainpens

Bummer this is not available on Android.

https://www.penaddict.com/blog/2024/4/29/penedex-your-digital-pen-cup-sponsor

#FountainPens #database #tracker #iOS #app

penguin86, 10 days ago to GNOME

#studying #mobile #gnome #app #development before work. I'm developing Lumos, an incident light #exposimeter for #photography that reads light values from the #phone light sensor and converts it in #aperture values or #shutter speeds, depending on the mode.

#gnomeBuilder #gobject #python #adwaita #gtk #dbus #gnomeshell #linuxonmobile #gnomemobile

kubikpixel, 10 days ago (edited 10 days ago) to internet German

Abgesehen davon, dass ich TikTok nicht mag weil ich deren Zweck nicht einsehe, nutzen es sehr viele und vor allem sehr junge Menschen und dies auch kommerziell. Wie eben YouTube & Co. und eigentlich nicht viel anders aber auch als politische Propaganda eine Konkurenz zusätzlich.

📺 Hype um TikTok – Lieben oder löschen?
https://www.srf.ch/play/tv/dok/video/hype-um-tiktok---lieben-oder-loeschen?urn=urn:srf:video:6b2838d3-7f05-4dc3-897d-dfc68b7430c7
(Hochdeutsch Untertitel über 🗨️ einstellbar)
—
#internet #video #youtube #tiktok #politik #china #propaganda #konkurrent #politik #propaganda #jungemenschen

joeo10, 11 days ago to photography

If you have a #EyeEm account, please read this and delete your photos one by one, then your account by May 1st or your photos are going to be sold to AI models. https://techcrunch.com/2024/04/26/photo-sharing-community-eyeem-will-license-users-photos-to-train-ai-if-they-dont-delete-them/

I didn't realize that they were bankrupt and then sold off. They used to be a nice alternative that crashed and burned. I went ahead and deleted my account today.

#photography #app #SocialMedia

BigAngBlack, 11 days ago to relationships

How a New Dating App Will Help Scientists Understand Romantic Relationships | U-M LSA Department of Psychology

https://lsa.umich.edu/psych/news-events/all-news/faculty-news/how-a-new-dating-app-will-help-scientists-understand-romantic-re.html

> Romantic #relationships are surprisingly poorly understood by science, partly because they are so difficult to study. Amie Gordon and her lab hope a new #dating #app they are developing will help change that

#romance

Buy Android App Reviews (dreamjobit.com)

Buy Android App Reviews...

rodentapp, 12 days ago to AdobePhotoshop

New app update: a few fixes and small improvements plus, finally, image descriptions, including text recognition!
I'll add automatic AI image captioning if this post gets enough traction.
(I'll probably add it anyways so don't feel obligated to boost 😆).
#app #mastodonapp

Appel aux communautés : proposez vos tags pour les décrire French

TLPL...

metin, 13 days ago to design

If my MagicaCSG modeling posts have attracted your interest in the SDF modeling method, you might like to have a look at Womp, a free online SDF editor (with a "Pro" subscription option).

I've just played with it for a few minutes, and you can export your scene as an OBJ file, complete with textures for recreating the Womp materials in Blender, as you can see in the screenshot.

https://womp.com

#SDF #design #artwork #sculpture #modeling #3DModeling #art #DigitalArt #GraphicDesign #3D

mnmlist, 29 days ago to random German

Schade .. mit #firefish funktioniert #fedilab scheinbar noch nicht optimal 🤔