Can an API Steal Data?

In a very lively forum thread over at Flickr there's a discussion/debate about the Flickr API, data ownership, copyright, and mashups. In a nutshell, a Flickr member, Austen Haines, noticed that some of his photos were appearing in the mashup Adactio Elsewhere even though he had flagged them All Rights Reserved (ARR). The mashup developer, Jeremy Keith, replied and noted that this was just the behavior of the API and that it "sounds like there's a glitch in the system". The discussion is still ongoing, and the initial thread kicked off a second thread, this one with the provocative title "Flickr photos stolen by the thousands through the Flickr API". (It is also interesting to note that our Adactio mashup profile is one of the earliest mashups listed on ProgrammableWeb and is consistently ranked in the top 20 of our all-time most popular mashups.)

In his own blog post on this "shitstorm", Lock up Your Data?, Jeremy talks more about how this also becomes a Google search-related issue because his mashup gets deep-linked by the search engine which in turn makes the photos much more accessible. To address some of Flickr members' concerns he has now blocked any indexing on pages that show their photos and then asks:

As sites like Flickr and move from having early adopters into the mainstream, this issue becomes more important. What isn’t clear is how the moral responsibility should be distributed. Should Flickr provide clearer rules for API use? Should Google index less? Should the people publishing photos take more care in choosing when to mark photos as public and when to mark photos as private? Should developers (like myself) be more cautious in what we allow our applications to do with the API?

Flickr has a good track record of supporting both their developers and their passionate community. They're paying attention to this issue. Flickr's Paul Hammond noted that "There's a healthy debate going on at Flickr HQ as to what our response should be...Our hands are also tied slightly by the huge number of applications that rely on the existing behaviour of the API. If we make changes too quickly, we'd break a lot of things (like, say, fd's flickr toys) that a lot of flickr users love...We're interested in hearing everyone's point of view."


Comments (7)


Flickr users can easily opt out their pictures from being accessible by the API or public searches on Flickr - without locking away their pictures as private. It's just one mouse click in the preferences...

@Fabian the API opt out option is only to remove your images from the API search results. It will still show your images when accessing your username directly with the API.

[...] I read an article titled “Can an API Steal Data”. A Flickr user found out that his photos in a mashup (Adactio Elsewhere) [...]

[...] enter a Flickr username (Preferably your own, if you don’t want to go into lengthy arguments with Flickr-users about whether or not an API can steal data) [...]

[...] Actually, it all revolves around a deeper underlying problem with the Flickr (search) API - here you will find the take of Jeremy and of ProgrammableWeb [...]