Application programming interfaces (APIs) are among the most important technologies for the Internet today, enabling software-based systems to automate tasks and redraw the lines between organizations, suppliers, customers, and partners in ways not seen since the birth of the web. Rob and Jackie sat down with Rob Dickinson, co-founder and CEO of Resurface Labs, to discuss the future of APIs and the implications for public policy.
- Ashley Johnson and Daniel Castro, “Improving Accessibility of Federal Government Websites” (ITIF, June 2021).
- Daniel Castro and Michael Steinberg, “Blocked: Why Some Companies Restrict Data Access to Reduce Competition and How Open APIs Can Help” (ITIF, November 2017).
- Daniel Castro, “Improving Consumer Welfare With Data Portability” (ITIF, November 2021).
- “Accelerating the Digital Transformation of Healthcare, With Pat Combes” (ITIF Podcast, June 2020).
Rob Atkinson: Welcome to Innovation Files. I’m Rob Atkinson, founder and president of the Information Technology and Innovation Foundation. We’re a DC-based think tank that works on technology policy.
Jackie Whisman: And I’m Jackie Whisman, I handle outreach at ITIF which I’m proud to say is the world’s top ranked think tank for science and technology policy.
Rob Atkinson: This podcast is about the kinds of issues we cover at ITIF from the broad economics of innovation to specific policy and regulatory questions about new technologies. And today we’re going to talk about APIs. I know everybody knows what APIs are, actually in this case, application programming interfaces. And I know sounds really technical and boring. Trust me, it’s not, it’s like one of the coolest, most important internet technologies around and it’s going to really affect, is affecting our lives and continue to affect our lives. So we’re really excited to talk today about it.
Jackie Whisman: Our guest is Rob Dickinson, who’s co-founder and CEO at Resurface Labs, a platform helping tech companies observe and log API activity. Rob’s work around observability, cybersecurity, and the Internet of Things has set him out as a thought leader in this part of the tech world. The mission of his work is to realize a future where all APIs can be easily and responsibly monitored to power data science, customer support, auditing, and compliance and production debugging. You’re busy, Rob, welcome.
Rob Dickinson: Very busy, but not too busy to be here. Thanks so much for having me.
Jackie Whisman: We’re happy you’re here because I think we should start small for you.
Rob Atkinson: Jackie, I just got to say, I think this is going to be a confusing thing because when you say Rob, I’m not sure which one of us should say something.
Jackie Whisman: I’m only going to be talking to Rob Dickinson during this session.
Rob Atkinson: Good. I will ignore you.
Jackie Whisman: Perfect. But I do think we should start by defining the term at the center of the Internet of Things, which is an API. This isn’t a term a lot of us are familiar with other than you and my co-host in this session, but it probably should be. So could you define it for us?
Rob Dickinson: Absolutely. And unfortunately the Wikipedia definition literally repeating what those letters stand for application programming interface, does that help?
Jackie Whisman: No.
Rob Dickinson: Not really. Right? What we really mean by that, and one of the things you’ll hear me do on this talk multiple times hopefully is we’ll try to make some analogies to things in the real world, in the physical world, kind of understand what the analogs are. So when I think about an API, I think about an API as being a phone call between two programs or between two applications across the internet. The same way two people would’ve carried out a conversation over the phone, over a physical carrier network. We’re basically doing the same thing.
And what does that mean from a macro perspective, though? It means from a macro perspective, we’re moving from a world of telephony where we used to use voice and fax to interact with each other. And it was mostly human to human interaction to an internet that was originally built as an entertainment vehicle to now an internet that’s being rebuilt as a way for computers and autonomous systems as well as humans to interact with each other in a very point to point kind of conversational way. So the takeaway there is APIs really don’t have to be mysterious. An API call is really like a phone call in a lot of ways. There’s a conversation that’s going on between those two parties and the term API is really just referring to that conversation.
Rob Atkinson: So it’s to use, to continue with the analogy to the physical world, Rob it would be kind of like I call you up, but you don’t know who I am so I have to authenticate myself with you and say, “No, I’m really is. It’s Rob Atkinson. I’m not faking this here.” And then I would say, “Oh, I have the right to get some data could you automatically transmit some data into my computer system?” So in other words it goes from your system into my system. Is that pretty much it?
Rob Dickinson: Yeah, that’s absolutely right. And another way to say that is the kind of old internet was an internet that was built for web browsers and web servers. And the medium of exchange there was HTML or human readable information. And you can really see that like even in some of the recent directives from the Biden administration that we need to move away from that model to a model where that information is accessible to programs just as easily as it’s accessible to human eyes. And that’s really exciting, right? Because that means that we’re going to see an entire generation of software agents that are able to act on our behalf online and carry out actions for us online as those trusted agents and be able to interact with those systems, even though you’re not actually pulling up a web browser and doing it manually. So I think the possibilities there are really fabulous.
Jackie Whisman: And why are they so important and what else do they enable?
Rob Dickinson: Well, why it’s really important is you think about, so again kind of going back to an analogy in the real world, there’s only so many phone calls that I can make as a human in unit time before Zoom fatigue really sets in, right? So part of it is just that I can create software systems that can do that work much quicker than I can. Much more repeatably than I can, can do that at higher scale. And it allows me to use automation as a force multiplier and in a way that that can be really, really dramatic. And that’s a huge shift in terms of how we think about these systems.
The other kind of consequence of that is you’re going to see more software-based systems that carry more responsibilities. And I think that’s an interesting area for policy setting. When an autonomous car makes a mistake, who’s at fault? Is it the manufacturer? Is it the programmer? Is it the network? All of those things could have contributed to that failure. I think one of the interesting things about the API economy is that we’re fundamentally redrawing the lines between organizations and their suppliers and their customers and their partners in a way that we really haven’t seen since the birth of the web. I mean, it really is at that level in terms of the disruptive nature that’s happening there, and it really does affect how we think about privacy, security, ethics, standards of care. It really is a fundamental reset across a lot of these things.
Rob Atkinson: So a lot of companies have designed... They moved into the internet world, they have intranets and really great databases, but there are still most companies they design these systems in a proprietary way so that they can communicate within the organization, but not necessarily communicate seamlessly across organizations. And it seems like that’s a big part of the API revolution is to allow that and you correct me if I’m wrong, Rob, that middleware to enable much more seamless communication from your FinTech application to your other bank or a government database to some app you have on your phone or whatever that might be.
Rob Dickinson: Yeah, absolutely right. Couldn’t agree more. So the early web as an entertainment vehicle was really based around the idea that I’m sharing pictures, I’m sharing videos, I am providing my data for free to a platform that takes that data. And then I’m going to share that data with other people, and maybe it’s monetized at the backend for other purposes, but kind of the primary motivation of that was as an entertainment vehicle and sharing data with other people. But we’re moving from that to the internet as an operational system, as a backbone for all of our living systems, all the things that we depend on, on a daily basis, not just our entertainment but for things actually working. When AWS goes down, you know it because all kinds of things break, right? That’s the world that we’re operating in.
And in that world, we’re not really sharing data with humans, we’re sharing data with other systems, and now it’s the interconnections and the network effects between those systems exactly the way that you’re describing. And so we’ve seen a lot of organizations who used to have a lot of their customer interactions through their websites. Now their dominant customer interactions are through their APIs and that’s really great because just like we talked about, it provides speed and automation and kind of that force multiplier around the capabilities. But of course, there’s also a dark side of that, which is you’re vulnerable and you increase your risk by doing that. And now you’re susceptible to certain kinds of mal-behaviors that you wouldn’t have been otherwise. And unfortunately, that comes in on the same coattails.
Rob Atkinson: Yeah. And I don’t want to follow up on the security part, but before we get there, can you explain to our listeners what’s an open API? Tech people talk about open API interfaces what’s unique about that?
Rob Dickinson: I think from this perspective, it’s the word open is really about the intent of how that API is going to be used. So a lot of the folks that we talk to they might consider like let’s take the case where you’ve got a mobile application that talks to a backend API. You might consider that API to be private, that API might really be only for the use of your mobile applications. And you don’t really want it used directly by the public, but it’s there for a specific purpose, which is to power your mobile apps. And a lot of folks actually started with APIs really from that perspective, we’re going to have a website and then we’re going to have an API that’s primarily for our mobile apps. And that’s still a domain where you have a lot of control because you have that concept of a genuine client or a genuine experience that you’re trying to enforce.
When you say open API to me, that means now you have an API that can be called by any kind of client. And there’s a power that comes with that flexibility. But at the same time, it’s a loss of control because now you’re saying I’m intentionally leaving it open for new kinds of software, new kinds of client that haven’t even been invented yet to be able to come back and use this interface. That’s very, very different than saying I’ve got a web browser and I can instrument the web browser, or I’ve got a mobile application and I can instrument the web application. I have some layer of control there over that to a truly API-centric company, API-first company like Twilio or SendGrid, for example, where literally their customer interface is an API. At that point, you’re open in terms of you don’t have control over the clients. And that really shifts the intent of those systems.
Rob Atkinson: Yeah, that’s really interesting. I know the one case that my colleague Daniel Castro wrote about was that there are certain FinTech companies that you get on your phone, or your device or whatever. And then as part of what they do is they interact with your other accounts and then they aggregate it all into one place. But some of the accounts, some of the banks, for example, they don’t like that. They think it takes away control and so they won’t allow an API interface, even though they can still do it through web scraping, which isn’t as good. And it seems to me that you can make an argument that that’s anti-competitive, that it’s the customer’s data I’m not asking for Jackie’s data. That’s my data, I can get it if I just put my credentials in there, why can’t I give another party my credentials to have them get the data too? Anyway, thoughts on that whole question of how do you enable open or I shouldn’t say open, how do you enable more of an API economy?
Rob Dickinson: You know, I don’t think there’s a one size fits all solution. I think every organization as they go on this journey it’s an opportunity to kind of redraw those boundaries and figure out like what that new normal looks like. And we certainly see both patterns and I think there’s a whole continuum, right? We see folks that are very progressive and running at this full speed. We see other folks that are taking a more conservative approach, more of a wait and see approach. Let’s see how this really shakes out. Let’s let our competitors fall down on this stuff a couple times.
For example, if I was doing a fitness company right now, I’d be looking very closely at Peloton and asking myself as a non-technology company, as a fitness technology, how much should we be exposing our brand to those kinds of issues, if we’re not really going to be masters in that domain? These are hard issues to sort through. And I think anybody would be wise to take a very measured, thoughtful approach, because as someone who works in the industry, for example, when I hear about the Biden administration and say, let’s make all of our healthcare data available online. Part of me is like, oh, yes, yay. Let’s do that. Finally, let’s move forward. And at the same time, I’m like, oh, crap. Like, well, what happens when literally all the health data about every American leaks. Like that’s going to happen, right? And how do we prepare for that? So the history of technology is the history of the combination of enthusiastic overbearance and unintended consequences. So [crosstalk 00:16:03]
Jackie Whisman: I just was going to say ITIF would suggest we prepare for it without too much overbearing regulation.
Rob Atkinson: To your point, Rob, that’s a really good one. Because that really, I think, hits everybody right at home where you think about where all your health data is, and it’s in 50 different systems. Half of them aren’t even on computer they’re still on paper and folders. I would love to be able to get all of my health data through APIs into some master app that Google sells me or Apple or Microsoft or a startup company, I don’t care. And it seems like APIs are really the way that could happen. I guess, on the security part, it seems, in some ways it’s more of a kind of you put all your money into a vault and you lose it all, or you can put it in 50 piggy banks and you can lose some of it because there’s still risk of data if it’s in these other systems, I guess it’s not. Putting it in an API thing doesn’t maybe change the risk, maybe changes the value, but maybe not the risk is that how you’d look at it?
Because somebody could hack... I get my blood work done and I don’t know, you know one of those labs or whatever. And it’s nice now, because they actually give you your record online, which is nice. So if somebody wanted to, they could hack in there maybe if they’re lucky they could find my blood results, which I really don’t care. But if I put it all into one API, they could do the same thing too.
Rob Dickinson: Well, I think you’re absolutely right. And I think there’s two things there that I worry about. I worry about what we see as threats, what we see as hacks, what we see as breaches, that’s a moving target. Those attacks are becoming more sophisticated over time, more novel over time. There’s new categories of attacks that we’re seeing this year that have really never been seen before. And so the goal posts there are moving very quickly in terms of thinking about how to actually secure these systems. The other thing from a policy perspective that makes me nervous is always that the lifetime of that data. This data tends to live longer even than the organization that created them.
So who owns that company in the future? Who owns that data set in the future? Is actually something that I think we have to keep a very careful eye on because there’s a lot of markets that originally were hundreds of different providers that then consolidated down to just a few. And I think we’re going to see that here as well. And so the consolidation of that data over time through acquisition, I think even if we don’t see those actors exactly formed that way, it won’t be that way forever. That too is also a moving target.
Jackie Whisman: And as government agencies start to deploy more and more APIs, how should they measure quality, performance and security?
Rob Dickinson: The most important part of that is to actually pay attention to it and actually do the measurement piece to actually have metrics. This is something that we’ve said in DevOps for a long time, the most dangerous thing is not knowing. So generally, step one is let’s make sure we have monitoring plans in place. Let’s make sure we have those systems in place. Let’s make sure that we actually have an empirical approach. That we actually know what those numbers look like. If I could tell a quick story, I had the opportunity to meet some of the folks that worked on the Obama campaign. And when they joined the Obama campaign originally, the website was not in great shape at all. And part of the reason for that was they literally had no monitoring on.
They knew the performance was bad, but they didn’t know like how bad it was. And they couldn’t really tell when they made an optimization, if it made much of a difference. So that was really the first thing they put in place was we need to really understand where this thing is working when it’s failing, how long it’s taking and get those KPI established and then we can actually work on improving them. It’s not rocket science, but I think a lot of the biggest mistake to make is just not paying attention to the need. And just assuming that things are working and kind of underappreciating the risk of that.
Rob Atkinson: Yeah, we do a report, we’ve done it a couple times where we measure federal website and state website performance on things like page load speed and security, accessibility. And it’s striking how well, maybe it’s not striking that the government sites are not as good as the best-in-class private sector sites, but what’s striking is how, when we did it one year, and then we did it like 18 months later, there was almost no change. You’d think that that performance, obviously it was an outside group doing it but to your point, if you can’t measure it, you’re not going to be able to fix it.
Rob Dickinson: Absolutely.
Jackie Whisman: What are the biggest, maybe one or two applications that consumers might benefit from? We’re going to end on a positive note.
Rob Dickinson: In terms of the API economy?
Jackie Whisman: Yeah.
Rob Dickinson: I think one, one example that’s very dear to my heart, it would be something like the Colorado telemetry project. If I can give them a shout out. So let’s say that we have this health data available to us, and let’s say that we can then aggregate that health data, make that health data available to intelligent systems and to researchers. One of the things that that lets us do is it lets us look for patterns in that data that are otherwise very, very difficult to find. And I’m not a physician, obviously I’m a technologist, but let’s take ovarian cancer as a very specific case here. By the time that ovarian cancer is detected, it’s usually very late stage. And that’s why there’s such a high mortality rate associated with that. If we had the ability to correlate and advocate telemetry data across a large enough group of people, we could start to uncover what are the leading indicators associated with that?
So think about ultimately, you do identify cancer and then you can back test that against all the blood work that you have, all the other telemetry that you have, ideally going back a decade or two. That’s going to unlock ways of identifying precursors and now we’re not just talking about improving quality of life, but we literally are talking about saving lives. That’s I think an amazing future to think about that kind of data sharing and that kind of telemetry as a foundation for new kinds of medicine as well as new kinds of business interactions and commercial vehicles.
There really are some, I think very, very far reaching implications here for providing this data, if we can balance these things properly, if we can properly balance the needs for privacy and the needs for security around kind of the promise of aggregation and intelligent inspection that goes with that. I think that’s going to be really amazing to see how that shakes out.
Rob Atkinson: Rob, you’re preaching to the converted. This is something we’ve been pushing for years and years and years it’s a pet passion of mine. It just drives me crazy that we’re not doing that faster because as you rightly point out every year we delay results in certainly human suffering and death. You know I kind of use the word... I like to use the phrase we live in a stupid world that could be intelligent. And by that, I’m not talking about people’s intelligence. I’m talking about just what we know. There’s so much out there that we could know, but we don’t bother to collect it the right way and analyze it the right way. And APIs to me are like the engine, it’s almost like the industrial role of the steam engine, APIs can play that pretty critical role.
Rob Dickinson: Absolutely. Couldn’t agree more.
Rob Atkinson: Rob, thank you so much for being really, really interesting. And I know that as I said at the beginning, it can seem kind of a little bit of an esoteric technical topic, but it’s almost like saying... It’s almost like having a discussion like this in 1994. Well, what’s this internet thing all about? It turns out it’s really, really big. And so I think APIs are in that ballpark, if you will, and hopefully will lead to help us having a much better life for everybody in the world.
Rob Dickinson: That’s my hope too. Thanks so much for having me and giving me this chance.
Jackie Whisman: And that’s it for this week, if you liked it, please be sure to rate us and subscribe. Feel free to email show ideas or questions to [email protected]. You can find the show notes and sign up for our weekly email newsletter on our website itif.org and follow us on Twitter, Facebook and LinkedIn @ITIFdc.
Rob Atkinson: We have more episodes and great guests lined up. New episodes drop every other Monday so we hope you’ll continue to tune in.
Jackie Whisman: Talk to you soon.