Organisations across the world are recognising that APIs are fuelling e-commerce and becoming the building blocks of the online economy. The New Zealand federal government has recently launched an API portal to encourage businesses to integrate with government services. Closer to home, more and more businesses in Ireland are becoming reliant on APIs which operate in the background of many of the software and mobile apps we use every day. APIs also hit the news headlines last year when hackers used an altered API to steal Snapchat images from a third-party app that allows users to retrieve their photos from Snapchat’s server. But what is an API, and how can organisations ensure that they are legally protected when taking advantage of this new technology?

What is an API?

In its simplest terms, an Application Programming Interface (API) is a series of instructions that allows one computer program to interact and communicate with another computer program. Almost every digital interaction in Web 2.0 involves an API being called to gather data or invoke an action.

From a practical perspective, APIs provide customers or developers with a standardised way of accessing a third party’s products or functionality, other than through a traditional website. The benefit of using an API is that the market will be able to come to your business through your API in a kind of self-service model, as opposed to the traditional model of requiring traffic to come directly through your website.

For example, a real estate agent could use an API published by Google to embed a customised Google Map in its mobile app, allowing customers to search for the exact locations of properties and to interact with those listed on the map. Similarly, PayPal’s API allows a developer of a mobile app, say a fashion retailer, to build an app around PayPal mobile payments functionality to create a more efficient user experience when checking out.

Copyright in an API?

To date it has not been clear whether an API and its constituent specifications are protectable under Irish intellectual property law. In the US, Oracle and Google have been involved in an extremely complex billion-dollar copyright battle in relation to whether interfaces, including APIs, can be protected by copyright. The dispute concerns Oracle's copyright and patent claims against Google's Android operating system. Oracle claims that when Google was developing Android it infringed Oracle's intellectual property related to Java software (which Oracle obtained by buying Sun) by, among other things, violating various patents and copying APIs. Google, on the other hand, argues that APIs are different from traditional software code that implements a program. Google’s view is that APIs are more functional in nature, like a street sign guiding traffic, and therefore not copyrightable.

Current US Position on API copyright

The US Federal Circuit ruled in Oracle’s favour, holding that copyright subsists in Oracle’s Java API. The US Supreme Court has refused to review that decision. The case now returns to the US District Court for a new trial that will decide whether to uphold Google’s last-ditch defence of ‘fair use’ of the APIs in question. (Under US law, in certain circumstances, ‘fair use’ is a defence to copyright infringement.)

However, for many in the software industry, the ‘fair use’ defence is problematic. Even if the defence is successful, the issue is that although Google has the financial resources to fund expensive litigation over fair use of an API, many technology start-ups do not. The Federal Circuit decision may therefore dissuade many start-ups from using the APIs of large technology companies and stifle competition due to the potential of the start-up being served with a copyright infringement claim.

Key terms for an API licence agreement

Given the US Federal Circuit decision, it is prudent for a technology owner publishing an API to also publish an API licence agreement setting out the terms upon which it licenses its API to users. A properly drafted API licence agreement will help protect the technology owner and also benefits users, as many will want to know any restrictions upfront before they start developing an application that uses the API.

In addition to the usual risk provisions in a standard software licence, such as limitation of liability, disclaimer of warranties, or right to modify the agreement, an API licence should address the following specific areas:

  • type and scope of licence, licence restrictions and acceptable use obligations;
  • ownership of IP and permitted use of your business’s branding and trade marks in the end-user interface;
  • allocation and flow-through of risk between third party providers (such as API managers and cloud hosting providers), your users and you;
  • if you or your third party providers collect user information through the API, the privacy and data protection obligations of each party (including any privacy policy and cookies policy that are incorporated);
  • the scope of any support, availability targets or other service levels you are offering in respect of the API; and
  • if you provide any documentation with your API, the application of the licence terms to that documentation.

Depending on the complexity of the services, the business may also need to provide a developer licence and secure access keys.

Importance of licence terms

A large volume of e-commerce and online transactions today takes place through APIs. This makes APIs the new business channel of choice for an organisation engaging with partners and customers. As with any contract, an API licence agreement helps communicate an organisation’s business model and API development model to its developers and sets expectations of what developers are permitted to do, including in relation to copying the API. Incidents like the Snapchat API hack also serve as a reminder for businesses to have appropriate layers of security protecting API access and user data, as well as robust licence terms in place that govern how users and developers are permitted to use their API and access data through it.