MHC Tech Law: Is your online business ready for the API economy?


18 Apr 2016

What is an API, and how can organisations ensure that they are legally protected when taking advantage of this new technology? Mason Hayes and Curran has some answers.

Organisations across the world are recognising that APIs are fuelling e-commerce and becoming the building blocks of the online economy.

The New Zealand federal government recently launched an API portal to encourage businesses to integrate with government services. Closer to home, more and more businesses in Ireland are becoming reliant on APIs, which operate in the background of many of the software and mobile apps we use every day.

APIs also hit the news headlines in 2014 when hackers used an altered API to steal Snapchat images from a third-party app which allowed users to retrieve their photos from Snapchat’s server.

What is an API?

In its simplest terms, an application programming interface (API) is a series of instructions that allows one computer program to interact and communicate with another computer program. Almost every digital interaction in Web 2.0 involves an API being called to gather data or invoke an action.

From a practical perspective, APIs provide customers or developers with a standardised way of accessing a third party’s products or functionality, other than through a traditional website. The benefit of using an API is that the market will be able to come to your business through your API in a kind of self-service model, as opposed to the traditional model of requiring traffic to come directly through your website.

For example, a real estate agent could use an API published by Google to embed a customised Google Map in its mobile app, allowing customers to search for the exact locations of properties and to interact with those listed on the map. Similarly, PayPal’s API allows a developer of a mobile app – say, a fashion retailer – to build an app with PayPal mobile payments functionality for a more efficient user experience when checking-out.

Copyright and APIs

To date, it has not been clear whether an API and its constituent specifications are protectable under Irish intellectual property law. In the US, Oracle and Google have been involved in an extremely complex billion-dollar copyright battle in relation to whether interfaces, including APIs, can be protected by copyright.

The dispute concerns Oracle’s copyright and patent claims against Google’s Android operating system. Oracle claims that, when Google was developing Android, it infringed Oracle’s intellectual property related to Java software by, among other things, violating various patents and copying APIs. Google, on the other hand, argues that APIs are different from traditional software code that implements a program. Google’s view is that APIs are more functional in nature, like a street sign guiding traffic, and therefore not copyrightable.

The US Federal Circuit ruled in Oracle’s favour, asserting that copyright subsists in Oracle’s Java API. The US Supreme Court has refused to review this decision and the case now returns to the US District Court for a new trial that will decide whether to uphold Google’s last-ditch defence of ‘fair use’ of the APIs in question.

Under US law, in certain circumstances, ‘fair use’ is a defence to copyright infringement. However, for many in the software industry, this defence is problematic. While an international tech heavyweight like Google has the financial resources to fund expensive litigation over fair use of an API, many technology start-ups do not. The Federal Circuit decision may therefore stifle competition by dissuading many start-ups from using the APIs of large technology companies due to the underlying risk of being served with a copyright infringement claim.

API licence agreements

Given the US Federal Circuit decision, it is prudent for a technology-owner publishing an API to also publish an API licence agreement setting out the terms upon which it licenses its API to users.

A properly drafted API licence agreement will help protect the technology-owner and also has benefits for users as well, as many will want to know any restrictions upfront before they start developing an application that uses the API.

In addition to the usual risk provisions in a standard software licence – such as limitation of liability, disclaimer of warranties, or right to modify the agreement – an API licence should address the following specific areas:

  • Type and scope of licence, licence restrictions and acceptable use obligations
  • Ownership of intellectual property and permitted use of your business’s branding and trade marks in the end-user interface
  • Allocation and flow-through of risk between third-party providers (such as API managers and cloud hosting providers), your users and you
  • The privacy and data protection obligations of each party (including any privacy policy and cookies policy that are incorporated) in cases where you or your third party providers collect user information through the API
  • The scope of any support, availability targets or other service levels you are offering in respect of the API

If you will provide any documentation with your API then the licence terms should also apply to that documentation.

Depending on the complexity of the services, the business may also need to provide a developer licence and secure access keys.

Importance of licence terms

A large volume of e-commerce and online transactions today take place through APIs. This makes APIs the new business channel of choice for an organisation engaging with partners and customers.

As with any contract, an API licence agreement helps communicate an organisation’s business model and API development model to its developers, and sets expectations of what developers are permitted to do, including in relation to copying the API.

Incidents like the Snapchat API hack also serve as a reminder for businesses to have appropriate layers of security protecting API access and user data, as well as robust licence terms in place that govern how users and developers are permitted to use their API and access data through it.

The content of this article is provided for information purposes only and does not constitute legal or other advice.

Tech Law is a weekly series brought to you by Irish law firm Mason Hayes & Curran, whose legal tech team advises the world’s top social media organisations and emerging start-ups. Check out www.mhc.ie for more.

Want stories like this and more direct to your inbox? Sign up for Tech Trends, Silicon Republic’s weekly digest of need-to-know tech news.

App development image via Shutterstock