Your Garage's Hidden API Platform Battle

Net API Notes for 2023/12/19, Issue 228

It has been a fascinating year for public API platforms. In January, I wrote about Twitter killing its developer ecosystem. Restricting API access was one in a shockingly long (and increasingly bizarre) list of things that collapsed that platform's "activity", resulting in a $1.5 billion drop in advertising revenue. The shocking reversal of fortune is already the stuff of whitepapers.

In June, Reddit also significantly increased the price for API access. The move effectively ended the development of useful bots and moderation tools by 3rd parties. While several of the largest and most influential "subreddits" boycotted the action, six months later, it could be argued that the site has mostly resumed normal operation.

Twitter and Reddit are social media sites that, admittedly, aren't everyone's cup of festering battery acid. But what if I told you that there was an API platform installed in a majority of American households that was undergoing its own user revolt? Software so tangled up in current architectural practice and modern finance that basic, essential features are disappearing with each release? And that Taylor Swift is (very, very tangentially) involved?

I'll cover that and more in this edition of Net API Notes.

A Speedrun of the Chamberlain Group's API Platform

The Chamberlain Group was founded in 1954. From humble beginnings, the garage door opening company grew to own nearly 70% of the United States market. While you might not be familiar with the Chamberlain name, you probably know - and own - an opener from one of their many subsidiaries: Liftmaster, Craftsman, and Raynor.

Chamberlain launched the MyQ home automation system in 2011. MyQ-connected garage door openers were the market's first connected garage door controllers. The integrations continued through CES 2019, where Chamberlain announced a partnership with Amazon. Throughout this time, home automation hobbyists and IoT tinkerers began to reverse engineer MyQ's undocumented APIs to produce new capabilities.

In September 2021, Blackstone, a private equity company, acquired the Chamberlain Group. Almost immediately things began to change. For example, MyQ discontinued its connection with Apple's HomeKit, meaning users could no longer control their garage door with Siri voice control or from their Apple Home app.

By mid-October of this year, a new API change added OAuth to logins (as I previously described, Chamberlain felt it necessary to mature to Level 3 Authentication). Forum posts alleged usage of Cloudflare's bot protection, a scheme utilizing machine learning to analyze API call behavior and contrast it against a 'legitimate' use pattern provided by the original API developer. The homebrew community, which had spent hours of trial and error till this point, was stymied.

Dan Phillips, Chamberlain's CTO, justified the move in a corporate statement:

"Unauthorized app integrations, stemming from only 0.2% of myQ users, previously accounted for more than half of the traffic to and from the myQ system, and at times constituted a substantial DDOS event that consumed high quantities of resources."

Owners could still open their garage doors via their phones, but only with Chamberlain's official MyQ app, which now also served in-app ads.

2023's Word of the Year: Enshittification

If you read any software press in 2023, you've probably heard of "enshittification". Writer Cory Doctorow coined the term in late 2022. It was increasingly invoked in the subsequent year whenever a digital platform extracted more from its "core interaction" - the transaction between sides - than what was deemed necessary or useful. Got a free game engine? Demand retroactive royalties from any game published with it. Got a music platform beloved for its editorial choices and customer support? Sounds like a lot of expensive overhead you could automate (at least while coasting in the short term).

Doctorow even covered the Chamberlain situation:

"Every company has had that one weaselly asshole at the product-planning table who suggests a petty grift like breaking every one of the company's customers' property to sell a few ads. But historically, the weasel lost the argument to others, who argued that making every existing customer furious would affect the company's bottom line, costing it sales and/or fines, and prompting customers to permanently sever their relationship with the company by seeking out and installing alternative software. Take away all the constraints on a corporation's worst impulses, and this kind of conduct is inevitable"

Doctorow and others characterize this API result as inevitable. It is a tidy, very plausible sequence of events. It's the kind of news we hear, condemn, and promptly forget under the next morning's outrage clickbait.

Unmasking the Real Villain

But if you're reading Net API Notes, you're not here for nitpicks. You're here for nuance.

What is important to remember about Cory Doctorow is that, among other things, he's an author. He excels at creating compelling antagonists with clear and easily understood motivations. Casting every listed organization as a mustache-twirling villain creates a David and Goliath narrative. But just because that feels right doesn't make it true. And without clear-headed thinking, we won't be able to diagnose what's really happening here.

In 2011, when MyQ debuted, building cloud-connected apps was a sign of engineering acumen - you could claim you were in the same big leagues as Amazon or Netflix. It was a flex to demonstrate devices operable by the latest iPhone or the new Android devices. Soon, everyone from the family's connected TV to the mesh router to my hybrid vehicle was bouncing packets off hyperscalers' infrastructure - even if I was within Bluetooth range one room over.

There are clear and powerful reasons for building software this way. Chief among them is that companies no longer have to have a huge, upfront capital expenditure associated with building, staffing, and maintaining data centers.

The flip side, however, is that these same companies will rent their infrastructure for the lifetime of their service. They'll never own it. Many APIs price this reality into ongoing subscription fees. Others, like car manufacturers, have a considerable margin that can be redirected to this ongoing fee (although, increasingly, manufacturers are attempting their subscription shenanigans). In other cases, the API is part of a "razor and blades" model - yes, the API costs money to maintain and operate, but the "blades" are sold often enough that the overall product is profitable.

Most garage door openers have a lifespan of 10-15 years. That's too long a timeframe for a razor model to be practical.

Chamberlain's products cost between $150 and $500 a piece. Unlike a connected car, there's no margin cushion that can be redirected to monthly cloud bills in perpetuity.

And they have nearly 70% of the market. Their dominance actually works against them here, as there aren't new sales (and thus new revenue) to 'go get'.

Again, speculation from user forums essentially came to the same conclusion:

"I'm confident Chamberlain's stance is 100% cost/revenue driven. Several years ago they were struggling with cloud costs and keep their infrastructure up with the traffic volume. They don't want to provide infrastructure resources to applications that aren't generating revenue for them."

Should those behind the MyQ launch have done that math in the beginning? Perhaps they did, and there's an additional variable I'm not accounting for that makes it make sense. However, API product managers that would crunch these numbers, the kind I talked about earlier this year, are challenging to find. I wouldn't be surprised if they weren't present when these decisions were made.

And now, unfortunately, re-architecting a platform like MyQ is prohibitively expensive. What's left is ending unauthorized access and adding advertising, an 11th-inning, consumer-irritating attempt to create a supplemental revenue stream and offset ongoing cloud costs.

Is this all disappointing? Absolutely. Is this the cruel work of capitalist vampires, the kind we should write several thousand-word revenge fantasies about? No, probably not; the business reality is much more banal than the fiction we might imagine.

Alternatives (?)

The thing about IoT is that cloud integration is optional. Many devices can be run locally with the MQTT protocol. This provides useful functionality without sending data to the cloud.

Technically savvy community members are working on alternative arrangements to MyQ, like the Ratgdo Wi-Fi control board by Paul Wieland (Ratgdo stands for "Rage Against The Garage Door Opener"). It allows you to control the door opener locally and integrate it with Home Assistant via a local API, which opens access to other platforms such as Apple HomeKit and Amazon Alexa.

And as for Blackstone, the greedy private equity firm supposedly pulling the strings behind this dastardly, anti-consumer plot? Well, they just released a Taylor-Swift-inspired year-end video. The singing starts at the 4:09 mark. Merry Christmas and Happy Holidays!


Wrapping Up

There was a time when Google Groups was a decent place to find API community members willing to share info and answer questions. Those forums have been quiet for some time, however. Imagine my surprise when I started getting email digest updates from api-craft and collectionjson groups in the past month.

Sadly, these aren't old-school communities returning to life after 2023's great social media fragmentation. Instead, they're yet another spam vector.

What's not sad is Net API Notes' newest paid subscriber, Manian! Subscribers like Manian are enjoying the latest APIcryphal piece, "SOA is Dead: What Anne Thomas's 2009 Declaration Has to Say About Modern API Practice". Paying subscribers also get access to audio versions of Net API Notes - something that I need to catch up on recording due to a head cold at the beginning of the month. With the holiday slowdown, I should have those recorded and posted before the end of the year - with some possible surprises, to boot.

Paying subscribers ensure that Net API Notes editions remain free of paywalls, advertising, and list selling. They also encourage special projects, like the upcoming one in January. We're almost there!

If you want to support Net API Notes, head to the subscription page. For more info about what benefits paid sponsorship includes, check out this newsletter's 'About' page.

Till next time,

Matthew (@matthew in the fediverse and on the web)
