2015
Why am I moving against the flow again? Why is everyone around getting excited about APIs while I am not?
Probably, this is because of the negative aftertaste left by the DOT-COMs and the global webinisation of industry 15 years ago, when the most sensitive information was offered to anyone, including competitors and simply not good people. Or it is because I know for sure that developers understand business in quite different ways than it actually is. APIs are a nirvana for developers, while I prefer to be a consumer of providers.
I used to trust IBM in their definitions and have turned to it in this case as well. Here is their explanation of API Economy (right from the Red Book “The Power of the API Economy: Stimulate Innovation, Increase Productivity, Develop New Channels, and Reach New Markets”): “The API Economy is the commercial exchange of business functions, capabilities, or competencies as services using web application programming interfaces (APIs). APIs drive the digital economy and companies that do not embrace the API economy will be left behind”. If this is really about an API Economy, it smells of an absence of professional business knowledge. Since such competence comes from IBM, the whole thing is, probably, dangerous to consumers. In particular, business organisations never exchange functions – they exchange the results of function execution. Business never exchanges capabilities because it is physically impossible without losing one's own capabilities; capabilities may be engaged, not exchanged. When we use services we never exchange competences – every service nurtures its competencies by all means; again, we only engage the services and their competencies/capabilities. BTW, for those who do not know, “using web application programming interfaces” is only one of the possible ways of service invocation and it is optional for Business Services. APIs are servants or means with regard to services; the attention paid to them is certainly overemphasised.
“APIs drive the digital economy and companies that do not embrace the API economy will be left behind” – behind what? Who has said that APIs are an economically feasible solution? APIs do not drive anything – the DOT-COM experience has proved that APIs have zero business value if there is nothing behind them. What is “behind them” is the driver, and APIs are just a fragment of accessibility to the real ‘worker’. Any API can be thrown away and replaced. APIs are only a simplified, well, oversimplified form of engagement of the capabilities. Consumers do not care about APIs, they care about capabilities. Recently we had another buzz – Public Cloud. Nowadays, I know that Australia practically ruled out Public Cloud from its financial sector and the EU is going to join this club. Why? – Because Public Cloud APIs hide the fact that this type of Cloud is too risky for businesses, especially financial ones, in compliance and regulations. This is what I’d like to elaborate on in this post.
The risk. Who cares about the risk? Well, nobody except those who have suffered when the risk materialised. At one conference the audience was asked a question: would you buy from a company that you know lost a lot in a cyber-attack before? Only a few people said they would not buy in this case; others said that they were sure their personal information had been stolen already and buying from the compromised provider would not do more harm. Take my word for it – those people had not experienced the trauma of their personal information being used by the thieves; if that had happened, the name of the robbed provider would have become taboo for the person.
With APIs, we can buy quickly; APIs do not leave us time to think about what we are doing, whether we have the necessary assets and what we would do after we spend our money … Many people are irresponsible even without the opportunities that APIs open; now they can easily get into the trap of a digital economy that does not have and preserve human emotions. This alone is enough to think twice before engaging with APIs in the consumer world.
I’d like to illustrate the risks that evangelists of APIs try to hide or ignore, whether deliberately, because they care about their own jobs and forget about consumers, or because they are not smart enough. Here are a few benefits of APIs as they are explained, probably, to housewives who have no clue about technology (thank God, there are fewer and fewer such ladies nowadays). Thus,
- “APIs cut down on distractions. They allow you to outsource parts of your operations and infrastructure to other companies that are domain experts”* – A terrible previous experience with blind technology outsourcing pushed developers of SOA standards in OASIS to define off-online Service Description and Contract models that persuade consumers to learn about the provider before engaging its services… via the APIs. The APIs themselves fail at this consumer care. If you have found an API that claims to lead you to certain functionality, why do you trust it right away? Why do you believe that this API and the promised functionality were created by professionals and not by a hacker team? A Service Description gives you enough information to make up your mind whether it can meet your needs or not; no API does this.
- “APIs help you acquire knowledge. Allowing parts of your application infrastructure to be handled by experts puts you in the position to learn from said experts”* – If “parts of your application infrastructure” are “to be handled by” somebody else, you have to be responsible for their service in front of your consumers. Do you want this, especially considering that you do not control your suppliers and have no contracts other than intangible APIs? Also, what can you learn besides the APIs themselves? In many cases, and the number of such cases grows, the APIs are deliberately made opaque to hide how the provider delivers the value to you. IMHO, with a blind API, you acquire an unmanageable dependency instead of knowledge.
- “APIs help you tap a broader application ecosystem for value. The more that you allow experts to help you with non-core parts of your application infrastructure, the more nodes of a network of experts you are connected with”* – this is a tricky statement. In most cases, APIs lead to other applications, not to infrastructure. We cannot say that those applications are responsible services because you bypass all the service-related preconditions that should be checked when you hop on APIs only. If so, your application becomes dependent on unknown, supposed-to-be-expert-though-not-justified applications of others. What is the value to you in “more nodes of a network of experts you are connected with”; why do you think that this increase in the complexity of your solution/application adds robustness, stability, survivability? Are you sure you can handle responsibility for the unknown and uncontested application? What if at some moment the application owner stops its system behind the API? What are you gonna do?
- “In the simplest terms, becoming a consumer of APIs simplifies building your application or your business”* – first, this statement twists reality – a simplification in building applications does not necessarily simplify building your business. Then, the ease of building can be outweighed by terrible difficulty in owning your application. Referring to ease of building is typical of IT practice that separates development from maintenance/support and, in too many cases, pushes up the TCO.
- “That is, when you integrate with an open API to help manage infrastructure and operational concerns – even if it’s something you know how to do – it frees you up to focus on what matters most – your own product”* – this is absolutely correct. However, to protect yourself from the troubles of uncontrolled dependencies, i.e. thinking at the enterprise level, you have to engage the services with all due diligence controls and contracts rather than take APIs blindly. When the contract is in place, then you can play with the APIs as much as you like.
- “The fact is that for most of what an application needs to do, someone or some company has already solved for it”* – yes, this is more likely to be correct. But you have to remember that the solution was made not for you, not for your business and technical execution context and not for your stakeholders. If you are lucky enough to find a provider who offers these solutions to you, it will still come from an external business entity. This means that your provider will keep its own benefits above yours no matter what – this is business, not IT any more.
In the provider world, there is a risk of another nature. Many executives jump on the API train because it is fashionable and ‘cool’, and they do not check whether their companies, systems and operations are ready to keep up with the storm of requests that the API can bring. Consider data security and regulatory compliance on top of this and you will be ready to call for multi-week research or consultations before seriously planning for APIs. Never forget what A. Einstein said: “Everything should be made as simple as possible, but not simpler”.
APIs are simple and very convenient, especially for the new generations. They are used to APIs. They do not think twice about whether to use an API or not; indeed, ‘let’s try it’! They are not concerned with where they can end up with a particular API – the simpler the API, the easier it is for you and for the intruders.
APIs, besides connecting people and business, open the door to the API Hell.
One letter of difference in the Web API, and you can connect to the underworld – to a wolf-in-sheep’s-clothing “provider”; many have suffered because of this trick already. I do not think that people are reckless or stupid. But they have an inherited respect for professionals. If these professionals, and the marketers around them, talk about the good things of APIs and never mention the risks brought by those APIs, this appears almost as a lie, whether we want this or not.
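A consumer-side guard against that one-letter trick, as an added example (not code from this post): before calling a Web API, compare the host in the URL with the hosts you actually hold a contract with, and flag anything that is a single edit away from one of them. The allowlist and host names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: API hosts the consumer has a contract with (assumption).
TRUSTED_API_HOSTS = {"api.payments.example", "data.partner.example"}


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Two neighbouring letters typed in the wrong order count as one edit.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def classify_api_url(url: str, trusted=TRUSTED_API_HOSTS) -> str:
    """Return 'trusted', 'lookalike', 'unknown' or 'reject' for an API URL."""
    parts = urlsplit(url)
    # hostname drops any userinfo ("user@") and port, and is lower-cased.
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https" or not host:
        return "reject"
    if host in trusted:
        return "trusted"
    # One edit away from a contracted host: treat as a likely impostor.
    if any(osa_distance(host, t) <= 1 for t in trusted):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for u in ("https://api.payments.example/v1/charge",
              "https://api.paymants.example/v1/charge",
              "https://weather.other.example/today"):
        print(u, "->", classify_api_url(u))
```

A "lookalike" result should block the call and be logged for review; an "unknown" host is simply one with no contract in place yet.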
In recent history, Information Technology has lost its business credibility once due to the DOT-COM bubble. It took more than a decade to restore the IT reputation a bit. If now a digital economy throws us into a business mess again, nobody will be happy. Some technologists promote the so-called IoT – internet of things – behind the APIs. We cannot keep and protect our information on the current limited number of Web sites (e.g. information from the US over the last several weeks repeatedly points out that the personal data of Government workers and pensioners is compromised and stolen; yesterday’s story points to the US Census Bureau, which has lost citizens’ data in a cyber attack). You cannot imagine how vulnerable we will be if our personal and private information, including our households, is dispersed over millions of ‘things’/devices…, but developers of the Digital Economy push us further into the hell only because they can and are currently paid for the hasty work.
The only thing I can do to help people is to say and repeat – beware of APIs and teach your kids to take care of their own security.