Introduction

In today's digital world, application programming interfaces (APIs) play a rapidly growing role in meeting the need for interconnectivity. APIs are software intermediaries that allow different programs and applications to share data, communicate and interact with each other to expand business functionalities. As society grows increasingly reliant on remote access for work, APIs will continue to serve as an essential facilitator of business and everyday life. To that end, every business must consider how best to protect this valuable resource. This article discusses several ways in which legal issues surrounding APIs arise and how businesses can better protect them.

Copyright law

Computer programs are protected as literary works under US copyright law. Even though software can be considered functional, Congress provided in the Copyright Act that software code itself is protected by copyright and can be registered as a textual work. This includes API code.

The Supreme Court has granted certiorari in the long-running Oracle v Google case involving Google's use of the Java API in creating Android. The case is set to decide two key issues relating to APIs, namely whether:

The briefing in this case is complete, including from dozens of amici, and oral arguments were set to occur on 24 March 2020. However, the argument has been postponed in light of COVID-19 restrictions. Once argued and decided, there may be further clarity on the scope of API copyrightability, although it is generally expected that APIs will remain protected by copyright.

Since APIs are copyrightable, the typical bundle of rights exists for the copyright owner, including the right to limit the use, copying, distribution and creation of derivative works. That is, only copyright owners have the right to make 'derivative works' (ie, works based on or derived from one or more pre-existing works). For instance, in the API context, a party which copies an API and uses it without permission, such as by incorporating it into their own code, infringes that API (Oracle v Google).

Trademark law

Trademarks are words, logos or other designations that identify the source of a product or service. The trademark owner has the right to control the use of the trademark to prevent consumers from becoming confused as to the source, sponsorship or affiliation of goods or services associated with the mark.

Trademark issues also arise with APIs – for instance, when a developer incorporates an API into their code and then advertises or claims interconnectivity with the API and its source. If the API was used without permission and the interconnectivity is not authorised, the trademark use is also unauthorised as it creates a false association or endorsement.

Contract law

A contract is a legally binding agreement, written or oral, between two parties that creates mutual obligations. Contract law is usually implicated in the API world in two forms:

  • API licensing agreements; and
  • a website or application's terms of use (TOUs).

API licensing agreements

A licensing agreement is a written contract between two parties, in which a property owner allows another party to use that property under defined parameters. The ability to develop third-party APIs using a company's data is usually heavily regulated through API licences. API licences are important because they allow data owners to set the expectations and standards for third-party developers. Most licences allow data owners to unilaterally amend the terms at any time, which can protect data owners if, down the road, changes need to be made to the data itself or to the type of access that developers have. Companies should be wary of allowing developers liberal access to their data as circumstances can quickly change in the ever-evolving API world. For example, in 2011 Twitter originally gave developers liberal access to its API, but some developers started copying the API interface to compete with Twitter. Twitter later had to change the terms of its API licence to restrict developer use.

TOUs

Companies can be vulnerable to third parties reverse engineering APIs or scraping data from websites or applications to create their own API without a licence. Data scraping is a method in which a computer program extracts data from the output generated from another program. Any information that can be viewed on a website or application is vulnerable to scraping. Aside from implementing security measures to block data scraping, companies can legally protect themselves by having TOUs that expressly prohibit reverse engineering and the scraping of information or data. A developer that engages in reverse engineering and data scraping is legally bound by those terms and could be liable for breach.

Computer Fraud and Abuse Act

Where API developers do not have a data owner's permission to use its data or integrate with its programs or applications, or when they engage in data scraping, such integration and scraping may serve as the basis of a Computer Fraud and Abuse Act (CFAA) claim. The CFAA prohibits intentionally accessing a protected computer without authorisation, or exceeding authorised access, and obtaining information from that computer. The CFAA is generally a criminal statute, and to qualify as a civil action, the violation must have resulted in a loss of at least $5,000 during any one-year period. 'Loss' has been defined as:

any reasonable costs to any victim, including responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service [18 USC, Section 1030].

When analysing CFAA claims, courts typically consider whether a defendant has violated a website, program or application's TOU as part of the unauthorised access or exceeding authorised access analysis. For example, in Craigslist, Inc v Naturemarket, Inc, the court found that the "[p]laintiff alleged that [d]efendants accessed its computers in violation of the TOUs, and therefore without authorization". In contrast, in Cvent, Inc v Eventbrite, Inc, the court found that the TOUs were "not displayed on the website in any way in which a reasonable user could be expected to notice them" because they were "buried at the bottom of the first page, in extremely fine print". Thus, to strengthen the basis for a CFAA claim, data owners should have TOUs that clearly deny users' ability to integrate with, modify, make derivative works of or access information and data on their website, program or application, including explicit provisions against data scraping, unless users have been granted such rights in a licensing agreement. It is also worth ensuring that the TOUs are conspicuous and agreed to by the user.

Comment

With the rapidly increasing reliance on remote access and interconnectivity, businesses must take a second look at how they are protecting, and how they can better protect, APIs as a valuable resource.

Endnotes

(1) For more information, please see Oracle Am, Inc v Google Inc, 750 F.3d 1339 (Federal Circuit 2014).