REST API Notes for 2018-03-27: Facebook, Salesforce, and more
Esteemed API patron saint, Ferris Bueller, once said "Life moves pretty fast." A couple of weekends ago, I groomed a handful of topics to share in the newsletter. Then, last Monday came and Facebook news, which had API takeaways, was everywhere. I delayed the newsletter as the post continued to grow with each new wrinkle. Meanwhile, the 2018 microXchg conference popped off in Berlin, publishing tons of notable content to the inter-webs that just begged to be covered.
Oh yeah. And Salesforce is buying Mulesoft for $6.5 billion.
Life moves pretty fast. Let's get into things.
FACEBOOK AND LESSONS FROM THE GRAPH 1.0 API
I haven't been a fan of Facebook's practices for years. But the direction that the regulatory wind is blowing has me concerned. I published my thoughts on Facebook and the coming regulatory disappointment on my personal site.
Kin Lane did a fine job identifying the mechanisms most companies already have in place to mitigate the kind of bad behavior displayed by Cambridge Analytica. It is a good starting point.
However, I do want to challenge one of his assertions. Kin implies that OAuth consent is a sufficient control for folks to manage their data. While better than nothing, I maintain that most consumers are incapable of making informed decisions. It's not a question of their intelligence. It is a question of complexity and incentives for the business to be deliberately opaque.
When presented with a request for consent, people have to not only consider the case before them, but extrapolate possible future deviations, some of which might not even be obvious. For example, Facebook requested Android users of Messenger and Facebook Lite agree to import their phone contacts. That is a reasonable request for a communication app. However, Facebook subsequently used the permission to log all phone records.
On one hand you can say that this is the user's fault for not reading between the lines of the EULA. Or, as techno-sociologist Zeynep Tufekci stated, this is less a mechanism of user enablement and more a means to shift the risk of technology onto users. Individual consent doesn't scale.
Also, as I researched the Facebook story from a variety of angles, I was shocked with how little practical resources on handling Personally Identifiable Information (PII) there were. A gross number of low-quality search results conflated security with PII data, bizarrely recommending things like 'make users use a strong password'. Identifying the necessary consent gathering, notification, logging, and access management is not trivial. With every Equifax and Facebook story, the regulatory pressure for companies to adopt sound practices will only grow. I see few readily available, accessible starting points, however. Developers creating APIs need better information on how to handle PII information in their systems.
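To make the consent-versus-use gap above concrete, here is an added example (not from the newsletter, and not Facebook's code) of a consent ledger that gates each data read on the scope the user actually granted and writes every grant, revocation, allow and deny to an audit log. The scope names, app id and user id are hypothetical.

```python
"""Consent-scoped data access with an audit trail (hypothetical scopes and app ids)."""
from dataclasses import dataclass, field

# One narrow scope per data category, so "import my contacts" cannot be
# stretched to cover "record my call history".
CONTACTS_READ = "contacts.read"
CALL_LOG_READ = "call_log.read"


class ConsentError(PermissionError):
    """Raised when an app touches data the user never consented to share."""


@dataclass
class ConsentLedger:
    records: dict = field(default_factory=dict)    # (user_id, app_id) -> frozenset of scopes
    audit_log: list = field(default_factory=list)  # every grant, revoke, allow and deny

    def grant(self, user_id, app_id, scopes):
        self.records[(user_id, app_id)] = frozenset(scopes)
        self.audit_log.append(("grant", user_id, app_id, sorted(scopes)))

    def revoke(self, user_id, app_id):
        self.records.pop((user_id, app_id), None)
        self.audit_log.append(("revoke", user_id, app_id, []))

    def access(self, user_id, app_id, scope, purpose):
        """Gate each read on the recorded consent; log the outcome either way."""
        granted = self.records.get((user_id, app_id), frozenset())
        allowed = scope in granted
        self.audit_log.append(("allow" if allowed else "deny",
                               user_id, app_id, [scope, purpose]))
        if not allowed:
            raise ConsentError(f"{app_id}: no consent from {user_id} for {scope} ({purpose})")
        return True

    def denials(self):
        """Entries a privacy reviewer would look at first."""
        return [e for e in self.audit_log if e[0] == "deny"]


def demo():
    """Constructed scenario: contacts consent granted, call-log read attempted."""
    ledger = ConsentLedger()
    ledger.grant("user-1", "messenger-app", [CONTACTS_READ])
    ledger.access("user-1", "messenger-app", CONTACTS_READ, "import contacts")
    try:
        ledger.access("user-1", "messenger-app", CALL_LOG_READ, "sync call history")
    except ConsentError:
        pass  # the denial stays in the audit log for review
    return ledger
```

The denied call-log read is what a reviewer would hunt for in the audit log; with a single broad "contacts" permission, the second read would have been indistinguishable from the first.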
Got European customers? GDPR goes into effect May 10th. Some, like AWS services, are ready. However, I'm guessing more than a handful of small to mid-sized businesses may only be hearing about this for the first time.
Finally, this incident will further strain 'open' API programs for all but the most trivial of use cases. I've talked, at regular intervals, about how external API programs have beat a steady retreat from 'build it and they will come' to only serving semi-closed strategic partnerships. The PR nightmare from the unintended exploitation of business data outweighs the potential benefits for all but the platform-iest of platforms.
We're only at the beginning of a new phase. It will be fascinating to see how this plays out.
MICROXCHG 2018
Huge props to the team behind the microXchg conference. Held last week, the videos for the notable sessions have already been posted to their YouTube channel. If microservices are your thing, you could marinate in that for hours. However, if you only have time for some highlights, here are some of my favs:
- Stefan Tilkov on Microservice patterns and antipatterns (slides are also available)
- Uwe Friedrichsen on Life after Microservices (also, more slides)
SALESFORCE PURCHASES MULESOFT FOR $6.5 BILLION
Around this time last year Mulesoft IPO'd. It was a positive exit for one of the larger brands in the API management space. This past week, Salesforce announced its intention to purchase Mulesoft for $6.5 billion. If it goes through, it would be the biggest acquisition in Salesforce's history.
Many analysts agree that Salesforce is paying a premium for the acquisition. That implies that this is a strategic maneuver for growth, and not based on current revenue. There's an adage that "no CIO operates in a vacuum". Mulesoft (or any API management layer) links business apps, databases, and corporate IT infrastructure. If a company already has that plumbing installed, why wouldn't they also take a look at Salesforce's Client Management System (CMS)? Or vice versa?
MILESTONES
There are a couple of additional items from the last few weeks.
RAPIDAPI
RapidAPI raised $9M from the investment firm Andreessen Horowitz (A16Z). RapidAPI is "a startup that helps app builders find, use, pay for and track calls on those APIs". It started as an efficient way to discover and use a wide range of APIs when coding something quickly.
The fragmentation of API design approaches is a barrier to getting started with multiple APIs at once. However, middlemen like RapidAPI have a difficult road in front of them when it comes to 'serious' integrations (those that also happen to be the paying kind). Mashape, which attempted to be a similar integration abstraction, pivoted to focusing on Kong, their open source API Gateway. Algorithmia was originally a marketplace dealing algorithms via standardized API interfaces. It has since become a service that deploys machine learning models to various flavors of the cloud.
If you are dependent on an integration for your business, are you going to increase the number of dependencies by inserting another party? Or are you going to negotiate SLAs and support models with the originating source? It is great to see investment in the space, and I hope they succeed. But it will be a challenge.
NOTABLE SHUTDOWNS
WRAPPING UP
I love how many events have been logged to webapi.events. 2018 is turning out to be a surprisingly active year. If you have an event that isn't listed either respond to this note directly or send me an email at 'hello@matthewreinbold.com'. APIs are built on connections.
Til next time,
Matthew