Why APIs Should Be Regulated

Alphabet, Apple, Facebook, Amazon, Alibaba, Tencent, and Baidu are today’s digital titans: Their services accelerate innovation and enable new business models, but also create expansive data empires that allow them to control and shape the digital world. Given their rapid growth and dominance, concerned citizens and regulators in Western markets are asking: How should these digital titans be regulated?

The need for regulation is clear: among Western companies, at least 79% of the American public uses Facebook. Similarly, Google accounts for 90% of search traffic. With access to large volumes of user data, these companies are able to create fine-grained, multidimensional views — what we call digital replicas — of consumers that pose several challenges to society’s stakeholders:

• For consumers, use of these digital replicas by the digital titans and third parties compromises individual privacy.
• For regulators, these digital replicas are impossible to monitor and track.
• For service providers, titans control access to consumers and act as a “competitive bottleneck” to their ability to reach millions of customers.
• For competitors, digital replicas create unfair hurdles that tilt the playing field toward companies with the most data and limit competitors’ access to data.

To address these issues, regulators need to focus not only on market dominance, but also on data dominance — specifically, how these companies integrate the vast quantities of data to which they have access and how they share their data or insights with third parties. Given the broad consequences of digital titans’ unbridled behavior, we need sweeping regulatory reforms.

Models already exist for the kind of regulatory schemes we need. The EU’s General Data Protection Regulation (GDPR), which aims to protect EU citizens from privacy and data breaches, regulates all organizations collecting data on EU consumers, issuing guidelines and rules on how these companies should protect privacy. Other models include the current U.S. system for monitoring the use of medical records (HIPAA), and the central bank’s system for tracking regional banks. Reforms of this magnitude — that are practically feasible — need corresponding infrastructures and investments to implement policies and regulations.

We argue that data audits are one of the best tools available to regulators for reining in the influence of these companies, improving transparency, and leveling the playing field for other companies. Data audits that focus on application programming interfaces (APIs) will give auditors and customers the full picture of these companies’ influence over society. With the arrival of cloud computing, APIs have become the lingua franca for the exchange of data and services between companies. Digital titans use APIs to dominate the digital world.

How Will Regulating Data Through APIs Help?

APIs are capabilities that allow two or more systems to connect and exchange data, both internally and externally, in a controlled manner. These APIs provide companies with well-defined and easy access to data and services from third parties. Currently, there are very few regulations for what data can be shared with third parties. If these APIs were monitored within the digital titans, we could get a complete picture of what data exists and which projects are using the data.

Subjecting APIs to monitoring will provide the following changes to the current system:

• Auditing APIs will allow third parties to track the flow of data both within and between organizations, thus permitting regulators to decide if this flow is permissible or not.
• Regulators can prevent digital titans from sharing data with the business units that are competing with new entrants. Without this advantage, the titans will have to compete solely based on the innovative products they bring to market, leveling competitive playing fields.
• Consumers will be able to check on the accuracy of their data and correct it when appropriate, thereby increasing the accuracy of data.
• Requiring digital titans to seek user permission to integrate user data will allow users to understand and control their digital replicas, putting them in charge of their data.
• When the titans enter new markets or acquire a company, they could be forced to license their digital replicas to new entrants to assure fair play, thus taking away the overwhelming advantage they have over the new entrants.

The U.S. government has taken no action on monitoring and regulating how data flows occur within digital titans and among their third-party partners. Currently, neither EU nor American regulators are regulating the use of APIs. To protect consumers and to ensure a fair competitive landscape, the data troves of digital titans need to be more transparent to regulators. The best way to do that is to give auditors access to the digital titans’ APIs.

Currently, U.S. regulators are doing little to constrain the data dominance of digital titans. We want to see these digital titans grow, but as responsible companies that protect the larger interests of society. Self-regulation is an insufficient solution. Until companies begin providing access to their data to level the playing field, monitoring APIs is the logical next step.