
Managing Privacy and Security Challenges

Despite the benefits of interoperability described above, interoperability carries its own privacy and security implications. This is to be expected: any time a system is opened to outside parties over the network, new avenues of attack are created. Two major categories of risk arise. First, the mere existence of a service designed to interact with other systems over the internet creates opportunities for security lapses that would not otherwise exist; such a service therefore requires comprehensive authentication and access-control measures to protect itself. Second, an interoperable service runs the risk that its users will, either by accident or through malicious deception, grant access to their personal information to an unintended recipient. The former is a well-known problem with a variety of established solutions that are outside the scope of this paper.1 The latter is a more nuanced challenge that is worth exploring further.

Failure to protect users from malicious interoperability was a crucial element in the leaking of Facebook users’ information to Cambridge Analytica, as revealed to the public in 2018.2 The data that Cambridge Analytica used in its operations came from a researcher who collected personal information from Facebook users through Facebook’s app API. Users who wished to take the “This Is Your Digital Life” quiz offered by the app were required to hand over not just their own personal information, but also that of their friends.

On the surface, that may seem to be an odd trade for a person to make. What online quiz could possibly be worth handing over so much information about yourself and your entire social network? This disconnect reflects the unfortunate reality that many people do not understand what access to data actually means in any given instance (or how that meaning shifts from context to context). Nor do they grasp the difference between access that is requested because it is needed to enable functionality and access whose only purpose is to collect data for sale. It does not help that that difference is often hidden or minimized in the name of profit.

Variations on these issues have been present since the early days of the internet, and they apply even to the most basic internet functions, such as email. The mail-retrieval protocols that predate browser-based email services and are still widely used (POP3 and IMAP) allow a mail application (such as Apple Mail or Mozilla’s Thunderbird) to access all of a person’s messages, and a second protocol (SMTP) allows it to send email on the person’s behalf. The mail applications most people use exercise this access for the account’s owner, but the potential for malicious use has always existed: any application holding the account credentials has exactly the same access. We might expect attacks that exploit access via APIs or protocols to increase as more services allow robust interoperability, but there are steps that both companies and users can take to limit exposure while still gaining the competitive benefits.

For example, as a society we are still developing our “common sense” about the internet. People have learned to spot email spam, corporate training to protect employees from phishing is routine, and we are learning to distinguish “fake news” from the real thing. One area of online common sense that has seen less development is how we share our personal data.

As noted above, it’s not easy for an average person to analyze the tradeoff between the permissions that an app using an API is asking for, the functionality it provides, and the personal information it accesses. Services offering interoperability to their users can help on this front by striking a more cautious tone when presenting users with choices about allowing apps access to data. They could also begin highlighting for users those apps that, like the quiz in the Cambridge Analytica example, demand permission to collect far more information than the operation of the app requires. There is also a role for government, educators, parents, and society more broadly to translate common-sense lessons like “don’t take candy from strangers” to the internet age.
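One way a service could implement the highlighting suggested above, shown here as an added example (it is not code from this paper or from any real platform): compare the OAuth-style scopes an app requests at authorization time against the scopes its declared features actually need, and label the consent prompt accordingly, with a stronger warning when the excess touches other users’ data. The scope names, the feature catalogue, and the sample quiz app are constructed for illustration.

```python
"""Flag over-broad permission requests at the consent screen.

Added example, not code from the paper. Scope names, the feature
catalogue and the sample app below are constructed for illustration
and do not describe any real platform's API.
"""
from dataclasses import dataclass

# Assumed catalogue, curated by the service: for each feature an app can
# declare, the scopes that feature genuinely needs in order to work.
FEATURE_SCOPES = {
    "post_quiz_result": {"profile:read", "timeline:write"},
    "birthday_reminders": {"profile:read", "friends:birthdays"},
    "import_contacts": {"friends:list"},
}

# Scopes that expose other people's data, not only the consenting user's.
# Unjustified requests for these are the pattern in the quiz-app case above.
THIRD_PARTY_SCOPES = {"friends:list", "friends:birthdays", "friends:profile"}


@dataclass(frozen=True)
class ScopeReview:
    required: frozenset            # scopes justified by the declared features
    excess: frozenset              # requested but not justified by any feature
    third_party_excess: frozenset  # excess scopes that reach other users' data

    @property
    def risk(self) -> str:
        if self.third_party_excess:
            return "high"
        if self.excess:
            return "elevated"
        return "minimal"


def review_request(declared_features, scope_param):
    """Compare the scopes an app asks for with what its features need.

    scope_param is the space-delimited scope string of an OAuth 2.0
    authorization request (RFC 6749, section 3.3).
    """
    unknown = sorted(f for f in declared_features if f not in FEATURE_SCOPES)
    if unknown:
        raise ValueError(f"app declares features the catalogue does not know: {unknown}")
    required = frozenset().union(*(FEATURE_SCOPES[f] for f in declared_features))
    requested = frozenset(scope_param.split())
    excess = requested - required
    return ScopeReview(required, excess, excess & THIRD_PARTY_SCOPES)


def consent_banner(app_name, review):
    """Text the service could show above the usual allow/deny buttons."""
    if review.risk == "minimal":
        return f"{app_name} asks only for the access its features need."
    noun = "your friends' data" if review.risk == "high" else "data"
    return (
        f"Caution: {app_name} asks for {noun} that none of its declared "
        f"features use: {', '.join(sorted(review.excess))}."
    )


if __name__ == "__main__":
    # Constructed sample: a quiz app that declares one feature but also
    # asks for its users' friend lists and friend profiles.
    review = review_request(
        ["post_quiz_result"],
        "profile:read timeline:write friends:list friends:profile",
    )
    print(review.risk)
    print(consent_banner("Digital Life Quiz", review))
```

The catalogue is the part that takes real work: it has to be maintained by the service, not self-declared by the app, or an app can simply claim a feature that "needs" every scope. The review is deliberately conservative in the other direction too: scopes the catalogue does not know about are counted as excess rather than ignored.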


There is also a category of solutions aimed at deterring those who would use interoperability to steal data. Services can learn from the fight to contain email spam: track and block bad actors, and share information about them with other services so that blocking happens at the ecosystem level rather than service by service. Finally, as a society, we may begin to remove the incentives for data theft by strictly limiting and regulating the sale of personal information. Laws and proposals that would regulate and limit markets for personal information are already circulating.3 If there is no market for data gleaned by abusing interoperability, many of the risks to privacy become much easier to manage.

It can be tempting to view interoperability and privacy as purely at odds with each other. In reality, both are important aspects of personal data control. Interoperability has the potential to cause privacy harms, but the mitigations that are available mean that it is still an attractive way to increase competition in online marketplaces.

Citations
  1. E.g., Rackspace, “Linux server security best practices,” March 3, 2020.
  2. Carole Cadwalladr and Emma Graham-Harrison, “Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach,” The Guardian, March 17, 2018.
  3. See, e.g., “Vermont Passes New Data Broker Law,” Alston & Bird, June 14, 2018, and “Peters, Daines Introduce Bill to Protect Americans’ Personally Identifiable Information,” May 2, 2017.