Ever wonder how you can use your Facebook account or Google account to log in to one of your accounts on an entirely unrelated website, like a retail site? An application programming interface — or API — allows you to do that.

Consumers may know that tech giants like Facebook and Google share their personal data with third-party advertisers, but they may not know how that process works, or why tech platforms share certain personal data sets with certain advertisers and developers.

At a privacy event hosted by AT&T in Washington, D.C. on Tuesday, tech and advertising experts discussed how APIs allow data-sharing to take place between tech platforms, advertisers and web developers, and how a federal privacy law might address API malpractice.

APIs are the linchpin in the data-sharing machine. Not only do they integrate services between tech platforms and other companies, but they also track users from website to website, app to app, and from website to app to website. APIs allow companies to better target potential customers with relevant ads based on search history, site history, location, past purchases, and a host of other identifiers.

Of the top one million websites visited by consumers in 2016, 75% use Google Analytics and 25% use Facebook Analytics, both of which use analytics APIs to track users and offer insight and statistics to web developers, according to an opening presentation from Florian Schaub, assistant professor at the University of Michigan’s School of Information, and the Fordham Center’s Executive Director Thomas Norton.

Schaub also helped author a report on APIs featured on AT&T’s Policy Forum website. Part of understanding consumer data protection and privacy, they said, requires an understanding of APIs.

“Companies are now service providers, and more importantly they’re data aggregators and function as data brokers, and all these roles are enabled by the use of APIs,” Norton said at the event. “As a consumer you must really consider what companies might learn about you from the information you provide directly to them but also implicitly through products or services.”

Despite the private sector’s eagerness to address privacy issues, Schaub said, many don’t think about the relationship between APIs and privacy, partly because APIs drive revenue for companies with an online presence by connecting advertisers to consumers.

“I don’t think [privacy] is at the forefront of companies in how they make APIs,” he said.

David DeLuc, vice president of public policy for the Network Advertising Initiative (NAI) and a panelist during the Q&A session of the event, said one way companies might be able to better protect sensitive consumer data is to only use non-identifiable data — or “pseudonymous data” — that doesn’t link back to a specific individual.

Some U.S. privacy law drafts, as well as Europe’s GDPR, already include this kind of restriction on companies’ use of consumer data.

“There’s a lot of good in the ecosystem and a lot of value to [data-sharing] but we can talk more about transparency,” DeLuc said.

As companies use consumer data to enhance the consumer experience with relevant ads and product or service recommendations, companies are more adept than ever at giving consumers what they want. Therefore, companies should be willing to give consumers the privacy they want, according to panelist John Verdi, vice president of policy for the Future of Privacy Forum.

“Privacy policies need to be really closely aligned with consumer preferences,” he told event attendees. “What doesn’t delight consumers is learning that recorded audio of parents’ conversations with children was uploaded to the internet and made public, or their financial information was breached or leaked through a company with which they have no connection at all.”

But Verdi also said a federal privacy law probably won’t adequately address all the intricacies of every industry in how they use APIs to monitor, track and learn about consumers. The notion that a precise law will get it right the first time, he said, is “unlikely.”

Panelist Maureen Ohlhausen, a law partner at Baker & Botts in antitrust practice, said the Federal Trade Commission (FTC) will have a pretty big role to play whenever Congress does pass a federal privacy law, but already has its hands full taking care of industry-specific laws regarding consumer data protection, like HIPAA.

“The FTC has been pretty active on this front, there’s been more than a hundred cases,” she said. “So at the end of the day, is that enough? Do we need more? Do we need stronger remedial tools or does the FTC need more resources?”

At the FTC’s most recent oversight hearing, the agency did ask for more resources to address privacy and data protection concerns.

But until the FTC gets what it needs and Congress passes a federal privacy law, the panelists agreed educating consumers about how APIs and different apps, companies, platforms and websites use their data could help consumers take control of their own privacy. But as DeLuc said, the tech industry also needs to rein in its often exploitative use of consumer data.

“I think at times we’ve gotten ahead of ourselves as an industry,” he said.
