May 12, 2019.
The internet is alive and changing. This change is driven by technology constraints (ipv6), increasingly clear privacy concerns (GDPR) and the lively intersection of economics and politics known as data localization, which is playing out in China, the European Union, Russia, India, among many others.
Folks working at Silicon Valley technology companies sometime view these regulations as driven by protectionism, aiming to promote domestic competitors against most mature global companies. Certainly there some of these laws are driven from that perspective. My view is that just as many are concerned with preserving the national sovereignty of economic infrastructure, avoiding dependence on the pricing whims and legal constraints of global companies, many of whom are operating out of the United States, and whose sudden absence or rate hikes could cause significant harm. (Particularly in the unlikely scenario that the United States’ foreign policy sudden became far less predictable.)
Personally, I think the aims of these data privacy and localization bills to increase privacy and and preserve sovereignty are worthy and important. Indeed, my feelings on this topic are more acute than usual, having spent a number of hours cleaning up an identity theft over the last few weeks, caused by a large data breach. Navigating a dozen phone trees isn’t the most onerous task in the world, but it certain is one I’d generally prefer to avoid.
Unfortunately, the unintended consequence of many current regulatory approaches drive consolidation into fewer, more powerful companies, and make it increasingly expensive for upstarts to satisfy the legal and regulatory requirements to challenge those behemoths.
To satisfy these regulations requires implementing abstract requirements, with little enforcement precedent, and that change frequently. Navigating these shifts requires teams of lawyers, introduces unexpected product constraints, and requires ongoing engineering investment. Small companies often simply can’t sustain those invests as the requirements continue to shift, which compels them to operate domestically to reduce exposure, perpetuating the moat of scale for existing entrants.
There are some compelling paths forwards. One of Lyft’s novel responses to Uber’s global scale was to create the so-called Lyft Alliance, which established a shared API for four regional companies to allow their users to cross-interact. That incarnation didn’t entirely work out, but the strategy is a marvel–can networks of domestic companies out-compete large global companies through standardized APIs?
The European Union has taken this idea a step further, with legislating shared APIs with it’s Open Banking program. If governments are able to do this well–in particular limiting churn in their API design–this will be an extraordinary leveling, allowing upstarts to compete as equals within established ecosystems. Imagine if a single approval could allow you to integrate with the entire existing ecosystem? This concept of API design and access is also central to Elizabeth Warren’s calls to break up tech. There is a clear allure in platforms being obliged to provide access to their data when authorized by their users.
Designing and maintaining APIs is, however, notoriously difficult, with few companies demonstrating sustained success in this arena, let alone governments. So many of these regulations are approved with specified requirements and unspecified design, an approach whose flaws are epitomized by the struggles of Brexit.
In sum, we seem to be entering a new era of the internet, which has the potential to significantly lower the barriers to competition, but only to the extent that governments across the world are able to design effective, usable APIs. This is an extraordinary shift! If you want to change the world in 2020, perhaps you ought to be finding a way to participate in governmental API design.