Facebook, Spotify API Abuses Highlight Open Platform Security Risks

On Friday, Spotify revoked the API key for SpotLister, a service that had billed itself as a platform for "artists & curators on Spotify to promote their work, get reviews, grow their audience and monetize their passion." An investigation conducted by the Daily Dot, however, revealed that SpotLister was effectively facilitating a pay-for-play scheme on the popular music service.

Using SpotLister, artists and their representatives could pay to have their music considered by Spotify users with popular playlists. Since being added to a popular playlist can result in significant exposure for an artist's music, SpotLister's service reportedly became very popular and profitable.

SpotLister used Spotify's API to help identify the Spotify users its customers' submissions should be directed to. The problem: since 2016, Spotify has prohibited "selling a user account or playlist, or otherwise accepting any compensation, financial or otherwise, to influence the name of an account or playlist or the content included on an account or playlist." Such activity is reminiscent of payola, the practice of a record company paying a radio station to play specific songs without disclosure. Payola is illegal in the U.S., and Spotify clearly wanted no part of any activity that resembled it.

Spotify wasn't the only high-profile company that was forced to ban a large user of its API last week. Also on Friday, Facebook created a headline frenzy when it revoked API access from SCL Group and an associated firm, Cambridge Analytica.

As The New York Times detailed, Cambridge Analytica is a voter profiling firm that rose to prominence after it was used by the campaign of Donald Trump in the 2016 U.S. presidential election.

Cambridge Analytica made extensive use of personal information it acquired from a researcher who collected it from Facebook users through a Facebook personality quiz app. Users and Facebook were told that the app was collecting information for academic purposes. According to the New York Times, Facebook never verified this claim.

All told, information from some 50 million Facebook users was harvested even though just a small portion – just over a quarter of a million – consented to it. With the data, Cambridge Analytica developed detailed psychographic profiles for individuals that were used to aid its clients' campaigns.

Facebook eventually caught wind of the situation and quietly scrambled to address it. In August 2016, the social networking giant contacted Cambridge Analytica contractors, telling them "This data was obtained and used without permission. It cannot be used legitimately in the future and must be deleted immediately."

But now, Facebook is facing one of the fiercest backlashes in its history after a New York Times investigation shone a light on the full scope of Cambridge Analytica's Facebook operation and revealed that not all of the Facebook data it obtained was deleted.

Who is at Fault?

Facebook claims that it is a victim and was lied to by Cambridge Analytica. It says that it has taken significant steps, including instituting a more rigorous app review process, to prevent abuses like this from happening again. The company insists that the Cambridge Analytica situation does not represent a data breach, as some have suggested, because "People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked," wrote Paul Grewal, deputy general counsel for Facebook.

But labels aside, the optics are not good for Facebook. In the past year and a half, scrutiny of the world's largest social network has only intensified following the revelation that it was used to spread fake news, some of which was apparently published by foreign operatives seeking to influence politics and elections in the U.S. Facebook's responses to the scrutiny have been deemed unsatisfactory by some observers, including lawmakers, and there are growing bipartisan calls for a regulatory crackdown on Facebook and other major internet companies such as Google.

Against this backdrop, the emerging story of Cambridge Analytica's abuse of Facebook's API could be the worst blow to the company yet, because it not only involves a form of theft of a large amount of detailed user data, but also raises questions about whether Facebook's popular developer platform is even viable in its current form going forward.

While Facebook says that it now conducts random audits of apps and engages in "proactive monitoring of the fastest growing apps", the size and popularity of Facebook's platform mean that Facebook realistically can't keep an eye on every developer and every app. In addition, it's not clear how Facebook could possibly prevent another organization from lying to it the way Cambridge Analytica did. Given the value of the data that developers can gain access to via Facebook's APIs, third parties with nefarious goals have a great deal of incentive to misrepresent themselves to Facebook and its users.

And once such a third party gains access to Facebook user data, the Cambridge Analytica situation highlights the fact that even a powerful company like Facebook is all but powerless to ensure that the data is deleted.

A Game-Changer for Open APIs?

While companies like Facebook and Spotify have no doubt benefited substantially from the open developer ecosystems they've cultivated, it is now clear that open platforms are vulnerable to abuse and have been abused, perhaps far more than we yet know.

As abuses come to light, and consumers, lawmakers and industry experts alike begin to demand greater transparency and protection of their data, companies operating open APIs will likely need to reevaluate the functionality of those APIs and how they protect them from abuse. In some cases, they might be forced to consider that their platforms have become too big and popular to police, and contemplate whether they can maintain them in their current form without jeopardizing their entire business.
