Can an API Steal Data?

In a very lively forum thread over at Flickr, there's a discussion/debate about the Flickr API, data ownership, copyright, and mashups. In a nutshell, a Flickr member, Austen Haines, noticed that some of his photos were appearing in the mashup Adactio Elsewhere even though he had flagged them All Rights Reserved (ARR). The mashup developer, Jeremy Keith, replied and noted that this was simply the behavior of the API, which returns public photos regardless of their license, and that it "sounds like there's a glitch in the system". The discussion is still ongoing, and the initial thread kicked off a second one with the provocative title Flickr photos stolen by the thousands through the Flickr API. (It is also worth noting that our Adactio mashup profile is one of the earliest mashups listed on ProgrammableWeb and is consistently ranked in the top 20 of our all-time most popular mashups.)

In his own blog post on this "shitstorm", Lock up Your Data?, Jeremy explains how this also becomes a Google search issue: the search engine deep-links into his mashup, which in turn makes the photos far more discoverable than they were on Flickr itself. To address some Flickr members' concerns he has now blocked search-engine indexing of the pages that show their photos, and then asks:

As sites like Flickr and move from having early adopters into the mainstream, this issue becomes more important. What isn’t clear is how the moral responsibility should be distributed. Should Flickr provide clearer rules for API use? Should Google index less? Should the people publishing photos take more care in choosing when to mark photos as public and when to mark photos as private? Should developers (like myself) be more cautious in what we allow our applications to do with the API?
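The last of those questions has a concrete answer on the developer's side. The API hands a mashup every photo whose owner marked it public, and "public" says nothing about whether the owner allows reuse; the license field does. The following is an added example (not code from the Flickr API, from Adactio Elsewhere, or from anyone in the thread) showing a mashup filtering a Flickr-style search response on license rather than on visibility alone. It assumes the response carries `ispublic` and `license` fields as the Flickr REST API's JSON does when the `license` extra is requested, and it assumes license id 0 means All Rights Reserved with ids 4 to 7 being Creative Commons or public-domain variants; both the field names and the id mapping are assumptions to be checked against the API's own license listing before relying on them. The sample response is constructed for the example.

```python
"""Filter Flickr-style API results by license, not just visibility.

Added example; not code from the Flickr API or from Adactio Elsewhere.
Assumptions: photo records carry integer-ish `ispublic` and `license`
fields as Flickr's JSON responses do when `extras=license` is requested,
and license id 0 means "All Rights Reserved" (ARR). The id mapping below
is an assumption; verify it against flickr.photos.licenses.getInfo.
"""
import json

# License ids this mashup is willing to republish (assumed: 4 CC-BY,
# 5 CC-BY-SA, 6 CC-BY-ND, 7 no known copyright restrictions).
# Id 0 (ARR) is deliberately absent; anything not listed is "do not reuse".
REUSABLE_LICENSES = {4, 5, 6, 7}

# Constructed sample in the shape of a flickr.photos.search JSON response.
# Photo 1001 is public but ARR, 1003 is licensed but private, and 1005 is
# public with no license field at all.
SAMPLE_RESPONSE = json.dumps({
    "photos": {"page": 1, "pages": 1, "perpage": 5, "total": "5", "photo": [
        {"id": "1001", "owner": "u1", "title": "Harbour", "ispublic": 1, "license": "0"},
        {"id": "1002", "owner": "u2", "title": "Bridge", "ispublic": 1, "license": "4"},
        {"id": "1003", "owner": "u1", "title": "Private", "ispublic": 0, "license": "4"},
        {"id": "1004", "owner": "u3", "title": "Sunset", "ispublic": 1, "license": "7"},
        {"id": "1005", "owner": "u4", "title": "Unlicensed", "ispublic": 1},
    ]},
    "stat": "ok",
})


def parse_photos(raw):
    """Parse a Flickr-style JSON response into a list of photo dicts.

    Raises ValueError when stat != "ok" so a failed call is never
    mistaken for an empty result set.
    """
    data = json.loads(raw)
    if data.get("stat") != "ok":
        raise ValueError("API call failed: %r" % data.get("message"))
    return data["photos"]["photo"]


def visible_photos(photos):
    """What the API itself hands out: every public photo, license ignored."""
    return [p for p in photos if int(p.get("ispublic", 0)) == 1]


def reusable_photos(photos):
    """Photos the mashup may republish: public AND carrying an accepted license.

    A missing or unparseable license field is treated as ARR (fail closed),
    never as permission.
    """
    keep = []
    for p in visible_photos(photos):
        try:
            lic = int(p["license"])
        except (KeyError, ValueError, TypeError):
            lic = 0  # unknown => treat as All Rights Reserved
        if lic in REUSABLE_LICENSES:
            keep.append(p)
    return keep


def excluded_ids(photos):
    """Ids the API exposed but the mashup holds back: the ARR case from the thread."""
    shown = {p["id"] for p in reusable_photos(photos)}
    return sorted(p["id"] for p in visible_photos(photos) if p["id"] not in shown)


if __name__ == "__main__":
    photos = parse_photos(SAMPLE_RESPONSE)
    print("API returns:   ", [p["id"] for p in visible_photos(photos)])
    print("Mashup shows:  ", [p["id"] for p in reusable_photos(photos)])
    print("Held back (ARR or unlicensed):", excluded_ids(photos))
```

The design choice worth copying is the fail-closed default: a photo with no license data is treated as ARR rather than as fair game, so an API change that drops the field silently shrinks what the mashup shows instead of silently widening it.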

Flickr has a good track record of supporting both their developers and their passionate community. They're paying attention to this issue. Flickr's Paul Hammond noted that "There's a healthy debate going on at Flickr HQ as to what our response should be...Our hands are also tied slightly by the huge number of applications that rely on the existing behaviour of the API. If we make changes too quickly, we'd break a lot of things (like, say, fd's flickr toys) that a lot of flickr users love...We're interested in hearing everyone's point of view." [via]
