Laurent Denel

AWS S3 API: In today’s world of de-facto standards, can you protect data from vendor lock-in?

Having encouraged the creation of ecosystems around their APIs, can IT giants like AWS use them to lock users in?

This article first appeared in February 2020 in the Journal du Net (in French).

The domination of the digital world by a handful of industry giants has allowed some of their APIs to become de facto standards. This is not unprecedented in the history of technical progress: many pioneers have gained a dominant position thanks to the standards they have managed to impose on the market. However, what is special about APIs is that they are neither a closed standard nor a standard that is completely free of intellectual property rights. Let’s start by looking at how we got here.

The emergence of de facto standards

Increasingly, the applications we use every day are a sophisticated combination of software components supplied by third parties. The same is true when a company builds an IT infrastructure using various cloud services (IaaS, PaaS, FaaS, etc.). The combination of these different components is made possible by APIs.

There has already been much debate about the languages, standards and communication protocols that underpin the Internet and facilitate the exchange of data. Much of this discussion has taken place in multi-stakeholder international standardization committees, such as the Internet Engineering Task Force (IETF) or the World Wide Web Consortium (W3C). But the rapid development of digital services over the last twenty years, and the dominant position acquired by a handful of players, have undermined this attempt at governance. The APIs designed by a few IT giants have become de facto standards, around which vast ecosystems have been built. Vast, but vulnerable ecosystems.

The S3 API was created by Amazon Web Services (AWS) to interact with Simple Storage Service, its public cloud storage service. It has become the most common way to consume data hosted in object mode. It has been called the “lingua franca” – the universal language – of object storage, and has inevitably become an interoperability standard.

To be adopted by new users, object storage solutions are therefore forced to speak the S3 API. To avoid or eliminate it, developers would have to partially rework their application code.

Is the company that publishes an API all-powerful?

Most cloud APIs are called open or public, but the name is misleading: the company that publishes the API remains the owner of its design. So far, the GAFAMs (Google, Amazon, Facebook, Apple, Microsoft) have encouraged the use of their APIs by third parties. If, to strengthen its position of market dominance, AWS decided to license the S3 API, could anyone oppose it? Such a move would hamper the development of data storage solutions that conform to the principles of European digital sovereignty, solutions such as OpenIO.

Is this such an improbable scenario? Remember the legal case between Oracle and Google that has been rumbling since 2010. That case concerns the exploitation of the Java API, used by the Mountain View giant for its Android mobile operating system. Oracle took the dispute to court, for “infringement of its intellectual property rights on the basis of copyright and patent law”. The issue remains unresolved, with the US courts holding that the “structure, sequence and organization” of an API could be subject to copyright, while referring to the doctrine of fair use. The IT industry is eagerly awaiting the Supreme Court’s decision, which will set a precedent.

In a tweet dated 31 December 2019, Octave Klaba, the founder of cloud provider OVHcloud, revealed that his company had negotiated an agreement with AWS to offer the S3 protocol on its Public Cloud Storage offers “without legal risks”. Doesn’t this confirm our concerns?

Encouraging the emergence of European leaders: a necessary, but insufficient response

We have already waited too long to act, and political calls for the creation of European tech giants will not be enough. Regulators have always intervened to prevent the creation of monopolies in strategic sectors, which are detrimental to both innovation and users. The cloud, which provides “digital energy” to businesses, is now one of these strategic sectors. Of course, regulation will always lag behind innovation, especially given the rate at which innovation is emerging in a digital economy that is guided by the principle of “winner takes all”. But does this mean that legislators should give up? Aren’t the Americans themselves thinking about breaking up some of their tech giants? If it were not for the threat of Asian competition, they would probably have already applied their antitrust laws.

Securing API-dependent ecosystems: our proposals

So, what is to be done? The most idealistic voices will advocate for the development of open standards. The latest attempt by the Storage Industry Consortium (SNIA) to define a standard (CDMI) failed. Alternatives from the open source world, such as the Swift API (OpenStack), have also failed to compete with the de facto standard that S3 has become.

One solution could be to extend to APIs the interoperability obligation that is applicable to software under Article L122-6-1 of the French Intellectual Property Code. Another option, which deserves to be analyzed in more detail, is to consider whether the act of making an API public renders it no longer protectable, and therefore freely usable.

What we need today is legal clarification. We cannot wait for possible case law. Europe has (finally) understood the importance of protecting its data. Take for example the comments by Thierry Breton, the new European Commissioner for the Internal Market, in a recent interview for the newspaper Les Echos: “It is true that for the current generation of services, based on personal data, the US and China are ahead of the game. (…) America and China have caught the first wave. For the most part, the wave of personal data. Let’s focus on the second, coming one, that of B2B, and let’s do it with a clear principle: Europeans must own their data and it must be processed in Europe, according to our rules and values.”

Data is indeed the fuel of the 21st century economy. The battle for this resource has only just begun. There is a need to regulate not only the use of data and the geographical area where it is hosted, but also the protocols that allow it to be manipulated. Otherwise, we offer foreign players the means to re-establish (albeit in a different way) a dependency that we now know is difficult to shake off.