
API Regulation News

These are the news items I've curated in my monitoring of the API space that have some relevance to the API definition conversation and that I wanted to include in my research. I'm using all of these links to better understand how the space is testing their APIs, going beyond just monitoring and understanding the details of each request and response.

An Auditing API For Checking In On API Client Activity

Google just released a mobile audit solution for their Google Apps Unlimited users looking to monitor activity across iOS and Android devices. At first look, the concept didn't strike me as anything I should write about, but once I got to thinking about how the concept applies beyond mobile to IoT, and the potential for external 3rd party auditing of API and endpoint consumption--it stood out as a pattern I'd like to have in the filing cabinet for future reference.

Using the Google Admin SDK Reports API you can access mobile audit information by users, device, or by auditing event. API responses include details about the device including model, serial numbers, user emails, and any other element that is included as part of device inventory. This model seems like it could easily be adapted to IoT devices, bot and voice clients.

One aspect that stood out for me as a pattern I'd like to see emulated elsewhere is the ability to verify that all of your deployed devices are running the latest security updates. After the recent IoT-launched DDoS attack on Krebs on Security, I would suggest that the security camera industry needs to consider implementing an audit API, with the ability to check for camera device security updates.

Another area that caught my attention was their mention that "mobile administrators have been asking for is a way to take proactive actions on devices without requiring manual intervention." Meaning you could automate certain events, turning off, or limiting access to specific API resources. When you open this up to IoT devices, I can envision many benefits depending on the type of device in play.

There are two dimensions of this story for me. That you can have these audit events apply to potentially any client that is consuming API resources, as well as the fact that you can access this data in real time, or on a scheduled basis via an API. With a little webhook action involved, I could really envision some interesting auditing scenarios that are internally executed, as well as an increasing number of them being executed by external 3rd party auditors making sure mobile, devices, and other API-driven clients are operating as intended.


Politics of APIs: Talk Of API Driven Regulation Is Increasing

When I started API Evangelist, I was all about the Business of APIs, something I still focus on, but increasingly over the last couple years I am focusing more on what I call the politics of APIs. In my opinion, the politics of APIs can be anything from terms of service and privacy policies, to rate limits, pricing, and security, all the way up to court cases, patents, and government regulation.

Today I want to focus on the very top of that spectrum—government regulation. The government isn't just getting into the API game, by deploying their own APIs, they are going to also increasingly be getting more involved with private sector APIs. In my weekly monitoring I'm seeing more chatter across several industries, like the UK treasury getting involved in banking API standards, and a push in the healthcare industry for more interoperability via APIs--just to highlight two recent stories.

This isn’t anything new, governments have been defining API standards and pitching them to industries for a while now. I personally have been involved in healthcare and energy related standards, as part of Blue Button and Green Button data services. In coming years, what is going to increase is the number of industries that the government is helping define standards for, as well as beginning to get a little more heavy handed about mandating APIs as part of the regulatory process.

Personally I’m not the biggest fan of government regulation, something I feel gets abused on both sides of the tracks, but I understand it is a necessary actor when it comes to balance in markets. To help address some of the abuse that occurs, I think APIs could significantly help bring much needed transparency, and self-service access to the process, for both the public and private sector. I feel the conversation in coming years will move beyond the government just defining industry API standards, but also pushing for real-time interoperability, and execution by companies who operate in heavily regulated industries.

I’ll continue to keep track of the patterns I see emerging when it comes to API driven regulation, and try to stay informed regarding what is coming down the pipes across business sectors. At various points along the way, I’ll do roundups of regulator related news, analysis, and API definitions, or platforms that focus on industry regulation. When it comes to API driven regulation, there will be no black or white, just a high frequency blur, which will need transparency, and a machine readable interface to make any sense of.


If you think there is a link I should have listed here, feel free to tweet it at me, or submit it as a GitHub issue. Even though I do this full time, I'm still a one person show, and I miss quite a bit, and depend on my network to help me know what is going on.