Dreaming of the Ethical Treatment of APIs

Anyone following me on Twitter is well aware of my stance on AddressBookGate. While the tech world’s initial outrage was being directed at Path, I felt that a more balanced conversation would also lay some culpability at the feet of Apple and other API platforms that were exposing data to applications like Path without any controls in the first place.

Some great investigative work has revealed just how widespread the practice (problem) is. And while everyone has promptly responded to the firestorm by announcing a myriad of fixes, patches and CYA statements, it still feels very reactive. Sure, we’re taking care of location and address book data, but is there a MessageGate, PhotosGate and PlaylistGate on the horizon? Surely we need to look at this holistically, which led me to ask:

Does #AddressBookGate move the onus for ensuring responsible and ethical use of APIs from consumers to providers? /cc @defrag

Ian Glazer’s inital reaction led to a more elaborate response in the form of a blog post titled “Free-ranged Ethically Treating APIs“. His conclusion is that the need for services to innovate and the desire for platforms to become ubiquitious simply cannot be balanced with the need for usability and privacy controls for users. There is too much of a conflict at the intersection of these concerns. That may well be true, but I refuse to believe that as I don’t think we’ve actually tried to address this particular problem. Yes, users can only get so many warnings and alerts from the applications/OS before it becomes meaningless and they start accepting them blindly. But that model originates from the same old construct of thinking about privacy in terms of opt-in and opt-out controls.

Surely some time devoted to creating a usability model for privacy policy enforcement can yield some smarter controls. Is anyone really going to install the Foursquare app without giving access to Location Services? And why would the Pandora app ever need access to the same? The app review process (ostensibly done to ensure security, among other things) should be able to catch this and enforce more than just a ToS or Developer Guidelines. Similarly, allowing users to create Privacy Profiles, much like the Sound Profiles (Silent, Meeting, etc) in the platform could open up some creative ways to address this.

Maybe it is a dream. I acknowledge the distinct possibility that ideas like these have been considered and discarded for good reasons. But one thing is clear – addressing this is going to require work and co-operation on each side of the equation, something that I believe can happen. It’s a copycat industry (as AddressBookGate has amply illustrated), and if a workable solution emerges that gets acclaim, others will be quick to adopt it.

Maybe what we really need to do is add the treatment of user data and APIs to the manifesto for the first ethical iPhone. A topic for Glue Conference, maybe?

[Cross posted to the Identropy Blog]