This repository was archived by the owner on Nov 6, 2025. It is now read-only.
Data Rights and Safety
Lorinda Brandon edited this page Jul 30, 2015
Session Leader: Lorinda Brandon
Attendees: Jason Hammond, Ryan Galen
We've entered a time when data is shared between systems at an alarming rate and often without the knowledge of the consumers. APIs are natural enablers of this transaction so it seems important that we take a hard look at the mechanisms we put in place to transfer and track data, as well as how we communicate to the end-users and protect them from data abuse.
- Has technology outpaced the legal system?
- Recent 23andMe example of a developer using their public API to block people from viewing his website based on their genetic profile
Is there enough legal oversight involved?
- Signing Terms of Use doesn't expose enough of the risk and most people don't understand what they're agreeing to. Does that make it ok?
- Who is liable for situations like 23andMe? API Provider? API Consumer? Both?
- Should there be legislation or regulation around public APIs? Just certain types? e.g., if you're exposing personal information, especially financial and medical
- If you attach a disclaimer to your public API, does that cover you legally? (maybe but does it cover you ethically)
- Default on the side of more protection for the individual, not less
- How does the IoT fit in? Does the spread of data become even more abundant?
Defining the slippery slope
- At what point does convenience or benefit outweigh risk? Examples are Google Now and FitBit - gathering data and providing useful information back to the consumer, sometimes via third-parties... but at what cost?
- And where does individual choice even come in? Privacy policies basically state 'don't like it? don't use our products' (Samsung is an example)
What's on us to make this better?
- API security needs to be included in every program
- using real-time monitoring and data analysis - recording all requests and responses to analyse for misuse and security breaches
- should some APIs be 'regulated' and have to pass security audits? APIs to be considered as separate products and audited by themselves not as part of a larger solution
- PCI compliance, for example, is a very light audit - just a questionnaire, not actual checks. Is that enough?
- Legal coverage not the same as ethical coverage
- How do other countries deal with this on the API side? Germany, for example... how do they manage the IoT data safety question (connected cars, etc)? How do they deal with tracking an individual's data footprint?
- One reason people don't want to discuss data safety and data rights is because oversight and regulation squash innovation. But at what cost innovation?
History tells us that we usually wait until there's an issue that has to go to the courts
- Can we be more proactive?
- As the people developing this technology, what is our responsibility to push this issue into the light rather than wait until the damage is done?
- can we form a coalition of interested technologists who can come up with some proactive solutions?
- Maybe we need to shake people up a bit to get them interested - we have a foot in both camps, as individuals using technology and as technologists building these systems