
Surveillance

APIs used to collect, monitor, or analyze human behavior at scale

Surveillance is the dark shadow of the API economy, the use of the same APIs that connect and empower us to collect, monitor, and analyze human behavior at scale. Every API that tracks who’s calling, what they’re doing, and what data they’re accessing is, in a sense, surveillance infrastructure — and the line between legitimate operational awareness and invasive surveillance is thinner and more politically charged than the industry likes to admit. I’ve spent years pointing at this shadow, because the API economy I’ve evangelized is also the technical substrate of surveillance capitalism, and an honest account has to reckon with that. APIs are how data about people is collected, aggregated, sold, and analyzed; they’re how platforms watch their users and how governments watch their citizens. The politics of API surveillance is about who is watching whom, with what data, and whether anyone is watching the watchers.

The point where management becomes surveillance is the conceptual heart of this, and I named it precisely in 2017. I wrote about that point where API session management becomes API surveillance — because the same API management infrastructure that legitimately identifies consumers, tracks usage, and provides observability can, with a shift of intent and scale, become a surveillance apparatus. The keys, the logs, the analytics, the session tracking — these are operational necessities that are also, fundamentally, mechanisms for watching what people do. There’s no bright technical line between knowing who’s using your API for legitimate operational reasons and surveilling them; the difference is in intent, scale, retention, and what you do with what you learn. This is what makes API surveillance so insidious: it’s built from the same components as legitimate API operations, which means the surveillance capability is latent in every well-instrumented API, waiting to be turned to surveillance ends.

The data-harvesting dimension is where APIs become the engine of surveillance capitalism. APIs are how the vast machinery of personal-data collection actually works — the digital self, as I wrote about in 2017, is an exploited resource, assembled from data flowing through APIs and sold in a marketplace where you are the product. The data-enrichment, discovery, prospecting, risk, and reveal APIs that I documented form a pipeline for assembling detailed profiles of individuals from scattered data. This is surveillance as a business model: collect data about people through APIs, aggregate it, analyze it, and sell the insights or the access. The Cambridge Analytica scandal was this pipeline made visible — Facebook’s API enabling the harvesting of tens of millions of profiles for behavioral analysis and manipulation. APIs are the plumbing of surveillance capitalism, the technical mechanism through which the economy of watching people operates.

The government and law-enforcement dimension adds the power of the state to commercial surveillance. I wrote in 2016 about transparency in police access to social platforms using OAuth and APIs — the Geofeedia case, where law enforcement used social media APIs to surveil activists and protesters. APIs are how government accesses the data that commercial platforms have collected, which means the surveillance capability of the state is built substantially on the surveillance infrastructure of private companies. I wrote in 2018 about how government has benefited from the lack of oversight at social API management layers — because the same opacity that lets companies surveil their users also lets government access that surveillance data with insufficient accountability. When mayors, governors, and lawmakers should be asking how tech companies are getting rich mining their constituents’ data, as I argued in 2018, they’re confronting the reality that the surveillance economy operates at every level of government and commerce, with APIs as the connective tissue.

The weaponization and inequality dimensions are where API surveillance produces concrete harm. I wrote in 2020 about conducting API weaponization audits — examining how platforms and their APIs can be turned to surveillance, manipulation, and harm. And I wrote in 2018 about automating inequality and APIs — drawing on the recognition that the data-mining and algorithmic decision-making that APIs enable can systematically reproduce and amplify inequality, surveilling and scoring the vulnerable in ways that entrench disadvantage. The world where every camera is connected to the internet via APIs, which I wrote about in 2014, was an early warning about the surveillance infrastructure being built into the physical world through APIs. The harms aren’t abstract: API-enabled surveillance is used to police, to score, to discriminate, to manipulate, and to disadvantage, with the people surveilled rarely aware of it and almost never able to contest it.

The accountability response is where the politics of surveillance meets the politics of transparency, and it’s where I’ve tried to point toward solutions. The FTC lawsuit against Facebook, with APIs at its center, was the regulatory system finally treating API-enabled data practices as the harm they are. The transparency mechanisms I’ve advocated — transparency reports, disclosure of who has access to data, algorithmic auditing through APIs — are attempts to build accountability into the surveillance infrastructure, to make the watching visible and contestable. GDPR forcing organizations to ask hard questions about their data is regulation pushing back against unchecked surveillance. The deeper point is that the same APIs that enable surveillance can, if governed and made transparent, also enable accountability for that surveillance — the audit logs that surveil can also be the audit logs that hold surveillers accountable, if the political will exists to turn the instruments of watching back on the watchers.
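As an added example (not code from the API Evangelist site), here is what the earlier point about intent, scale and retention and the later point about turning audit logs on the watchers look like in a hypothetical API management log pipeline: consumer keys are pseudonymized with a secret held elsewhere, per-person resource ids are collapsed into route templates, a retention window is enforced, and every read of the log is itself recorded. The secret, the sample log entries and all names are constructed for illustration.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample of raw gateway log entries (not real traffic).
RAW_LOG = [
    {"ts": "2024-03-01T10:00:00+00:00", "api_key": "key-alice-123",
     "path": "/users/42/messages", "client_ip": "203.0.113.7", "status": 200},
    {"ts": "2024-01-05T09:30:00+00:00", "api_key": "key-bob-456",
     "path": "/users/7/location", "client_ip": "198.51.100.9", "status": 200},
]
# Assumption: the secret lives with a separate team, not with the ops dashboard.
PSEUDONYM_SECRET = b"hypothetical-secret-held-by-a-separate-team"

def pseudonymize(api_key: str, secret: bytes = PSEUDONYM_SECRET) -> str:
    """Keyed hash: stable enough for rate limiting and abuse detection, but not
    reversible to a consumer identity without the separately held secret."""
    return hmac.new(secret, api_key.encode(), hashlib.sha256).hexdigest()[:16]

def template_path(path: str) -> str:
    """Collapse resource ids so the log records which route was called, not
    whose records were touched."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))

def minimize(entry: dict) -> dict:
    """Keep what operations needs (time, route, status, pseudonymous consumer);
    drop what only surveillance needs (raw key, client IP, per-person ids)."""
    return {"ts": entry["ts"], "consumer": pseudonymize(entry["api_key"]),
            "route": template_path(entry["path"]), "status": entry["status"]}

def enforce_retention(entries: list, now_iso: str, days: int = 30) -> list:
    """Retention is policy, not an afterthought: older rows are dropped, not kept."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=days)
    return [e for e in entries if datetime.fromisoformat(e["ts"]) >= cutoff]

def audited_read(entries: list, requester: str, purpose: str, audit_trail: list) -> list:
    """Every read of the access log is itself logged, so the log can answer
    'who looked at this, and why' as well as 'who called the API'."""
    audit_trail.append({"requester": requester, "purpose": purpose, "rows": len(entries),
                        "at": datetime.now(timezone.utc).isoformat()})
    return entries

if __name__ == "__main__":
    kept = enforce_retention([minimize(e) for e in RAW_LOG], "2024-03-02T00:00:00+00:00")
    trail = []
    for row in audited_read(kept, "oncall-engineer", "latency regression", trail):
        print(row)
    print(trail)
```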

The honest reckoning I’ve tried to bring is that the API economy and the surveillance economy are built from the same components, and that this is one of the most important and most uncomfortable political realities of the field. I believe in APIs, in their power to connect, empower, and democratize. And I cannot ignore that the same technology is the engine of the most pervasive surveillance apparatus in human history. Every API that tracks usage is surveillance-capable; every platform that collects data through APIs is a potential surveillance operation; every government that accesses that data is extending state surveillance through private infrastructure. The politics of API surveillance is about whether we build the API economy with accountability, transparency, and limits on surveillance baked in, or whether we let the surveillance capability latent in every API operate unchecked. APIs collect, monitor, and analyze human behavior at scale — that’s simply what they do. The question is whether that capability serves the people whose behavior is being analyzed or is turned against them, and whether anyone is watching the watchers. That question is one of the defining political challenges of the API age, and pointing at it honestly, refusing to let the celebratory narrative of the API economy obscure its surveillance shadow, has been some of the most important work I’ve tried to do.
