This morning I ran headfirst into the picket line for the Reddit Blackout which hindered some research I was doing into a technical solution.
While I empathize with the impact to indie devs and SMBs dependent on the Reddit API, I can't support the protest. Reddit's API is not a public good; we are not entitled to freely access it. While I could cite capitalist talking points to support my position, I'd rather focus instead on a different narrative, one which I suspect is underestimated by many indie devs and SMBs - risk.
Risk Management
Risk Management was originally defined as part of the ISO 31000 Standard and can be summarized as:
the identification, evaluation, and prioritization of risks, followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events, or to maximize the realization of opportunities.
For mature technology companies like WorkTango, we are required to invest in Risk Management, and one way we meet this obligation is by maintaining an artifact known as a Risk Register. A Risk Register is a ledger which captures all of the criteria outlined in the definition of Risk Management. We add to this register as risks are identified, and engage in quarterly exercises to brainstorm new risks. This provides the business as a whole with an understanding of potential risks for resource planning (feature development) and strategic decision making.
So why bring up risk management and the risk register in the context of the Reddit Blackout? If WorkTango was in the business of creating a client app for Reddit's platform, we would have identified Reddit's free API as a dependency risk.
Dependency Risk
Dependency Risk is a category of risk you take on whenever you have a dependency on something (or someone) else. When we build client apps wholly dependent on a third party platform, a dependency risk is created. That third party could cease operating, or as both Reddit and Twitter have demonstrated, stop giving away their resources for free.
Open APIs are free, as in beer
As a developer, it's best to think of Open APIs as free, as in beer:
- The API resource (beer) cost you nothing
- But APIs aren't free; somebody paid for the API (Reddit)
The 2010s was a golden age in capital investment and the technology industry benefited significantly, enabling a lot of free resources as a draw to build audiences and engagement. However, the 2020s so far have proven to be more challenging. Money is no longer free and as a result, many companies are having to mature their business models to be more self-sustaining. This means reducing expenses and finding additional sources of revenue. Monetizing previously open APIs is an unfortunate intersection that addresses both needs. Expect less free beer on the internet as we progress through these tougher economic times.
Mitigating the Risk
The only way to mitigate a dependency risk is to add a layer of redundancy, but when you build apps on top of platforms like Reddit or Twitter, you can't fail over to a different platform to access the same content. So how would I mitigate this risk?
- Accept that if this risk is realized, it's game over for the app. Since I do not own the backend which my app depends on, losing access to it means my app can no longer function. Draw up a plan to wind down the product gracefully in the event this risk is ever realized.
- Diversify. If I can't prevent a game-over situation, the next best mitigation strategy is to diversify my revenue streams. That means building a second app on a different platform (e.g., a Slack app), or building an app without the platform dependency risk. That way, if I lose one app, I take a financial hit, but hopefully the other app can support me while a new app is conceived to replace the lost revenue.
Did you find this post insightful, or perhaps you disagree with my risk points in regards to Open APIs? Share your thoughts in the comments below.
Top comments (28)
To your opening point on why you cannot support the protest, Reddit app developers like Apollo’s Christian do not take issue with Reddit wanting compensation for their API, it’s the incredibly short timeframe they were given, as well as the exorbitant cost that was clearly designed to eliminate all 3rd party apps. Developers for apps like Apollo and RiF have poured their heart and soul into their Reddit readers for years, likely a decade. Most of us that use these apps would be happy to pay a monthly fee to continue using them, but there is no path where any of them can come up with a pay plan that will bring in 2 million dollars per month in the timeframe they were given. I would be interested to hear your thoughts on this, because the protest was not about the api costing money.
My thoughts are pretty simple: None of that matters from a risk management perspective.
Could you elaborate?
My post is the elaboration.
Oh sorry, I didn't notice you were the OP!
You're right when you say
and that too many people probably built castles over someone else's kingdom.
What could be cultural, and maybe needs some gap-closing, is that kingdom owners that allow specific passages are, in practice, often due to keep the passage open, even if the pact is not a formal agreement or registered contract.
Following the land ownership metaphor, I'd say we are very near the easement of passage laws (Italian text, needs translator) that regulate rights of access, that behaves exactly how users are requesting access to API.
Why? In my opinion, because the existence of law that covers the same expectations and cultural necessities that have been severed by Reddit, and why all the fuss is not only justified, but also representative of how users are feeling stolen of respect.
What Reddit did was to put a terms and agreement and legally grab the content, a trade-off often overlooked by subscribing people, and yet seriously misplaced: a media platform needs the users not just the content. They're not publishers: they're communication platforms.
As a (previous) Reddit user that broke the gentlemen's agreement on how I do expect a media platform to behave, regardless of what they could legally or economically do.
I wish them luck anyway, but find this less and less important in my daily browsing.
Perhaps we may see new regulation to ensure continued access to APIs, but I'm personally betting on the opposite. Even if we did legislate that private parties had to retain access they once provided, there's still the cease operations scenario which would cut off access - and there's no guarantee in those situations that a shutdown will be graceful.
You're right, also laws too specific to a tool can lose effectiveness pretty quick.
GDPR covers data access, propriety, and users' rights around it... de facto regulating existence of interfaces, no matter if those were email addresses, actual API or applications.
In all this matter, yes Reddit bestow its own right about application usage, but has rug-pulled other businesses. I'm a bit surprised there is no legal ground where the collateral damage could be discussed and judged by a third party.
That's basically the difference between a free API and a paid API. With a paid API, you'll have engaged in a contractual relationship which will likely have better provisions in terms of guaranteeing access. Free APIs have a unilateral contract which means the provider dictates the conditions for use.
We should all be very aware that closed platforms, no matter how free-as-in-beer they are, they are not a public good. Companies love to have all of us creators feel like the platform is open so that we pour our own time & effort into creating content & tools for them that benefits the platform. But it's a one-way relationship.
Don't carry stone for someone else's castle.
It's time we invest into platforms built on open standards & protocols & software instead of providing free labour for private corporations.
I wouldn’t say it’s a one-way relationship, but there’s definitely a hierarchy of whose priorities matter first. Creators do benefit from these platforms, but platform operators will make the changes necessary to meet the demands of their bosses (VCs/stockholders) and keep their workforce employed.
Good article. I wonder how many developers of apps that depend on the Reddit API really do grown-up risk management, with risk registers and everything. I suspect it’s very few, if any. I think the only way I’d bet my business on getting something for free is if I didn’t need to invest much in my product and could therefore just walk away at any time.
I suspect very few Indie devs and SMBs have mature risk management programs in place because it's not a trivial effort. I don't think they need to invest in something as articulate and tedious as a risk register, but I do think some thought needs to be given on risks. In my past indie projects, we didn't keep a register, but we did invest a little bit of time into identifying potential areas which would scuttle the project.
There's certainly arguments to be made why people have that expectation though. Would you claim the same if Wikipedia did it? What about hackernews or any other platform where all of the site's content was generated by its users, and also moderated by them? It's easy to understand where the sense of ownership stems from for the protesters and why they feel robbed.
There's also a whole novel to be written about the mission of Reddit, Swartz and what they initially stood for, but as you'll most likely reply "None of that matters from a risk management perspective", I'll leave it at that.
Yes, I would make the same exact argument for every single platform on the internet today that is owned and operated by private parties. It does not matter whatsoever about the who, the why, or the how. None of these platforms are public goods, they're simply "free beer".
You're correct, my reply is none of that matters, because objectively it's factual: None of that does matter in the context of Risk Management. That sounds cold, but feelings aren't an ingredient when managing and mitigating risk. Keep in mind too that historical perspectives on how Reddit should operate are historical - based on the conditions of that time. Today's economical conditions are vastly different from 10 years ago and it's forcing those who are running businesses like Reddit to adapt in order to survive.
It seems that most people use third-party apps to browse Reddit, not the official web platform.
Many other companies have tried to follow that pattern: open everything and attract wonderful OS initiatives and, at some point, close everything to monetize, but this is actually risky.
The "downgrade effect" is highly probable. Don't mess with your users.
I have to add that it's entirely possible that third-party apps did consider risk management. From what I've read, it actually sounds like some may have: Apollo devs have mentioned that in March of 2023 they specifically asked about API support and changes and were told "no changes", not for years.
Yes, the risk of losing API access is high, but the likelihood of occurrence was very low: years of robust performance and assurance from the owners that nothing was changing. Even with proper risk management planning, such a sudden and aggressive change couldn't have been properly accounted for. Thirty days is not sufficient for any massive restructuring, especially if you're taking the time to do things like risk management. Take into account the high cost and openly hostile CEO, and I'd be surprised if any risk management plan would survive.
Regarding the lack of support for the blackout, keep in mind that it was largely driven by users of Reddit, not by the third-party devs (at least not some devs). Attributing the blackout to indie devs because they didn't properly identify the free API as a dependency risk is fraught with logical fallacy. Classic correlation without causation.
More likely, that argument was intended as clickbait and a way to generate discussion, which worked at least in my case, but may have backfired. I now have a negative association with this post and will be less likely to view any of the authors or resources as a credible source of information.
I'd argue that a more informative "here's how to do risk management effectively" with reddit as a case study would have been a more effective post. Instead, this post comes off as a cold, inflammatory advertisement.
When I first read the headline, I assumed this would be about Reddit's poor handling of their risk management. As a platform whose customers also make and moderate their product. They did not consider the risk that volunteers needed more time to make process changes than someone working full time. The blackouts have nothing to do with the third party apps and all to do with the community driven content. The moment Reddit put a short timeline on changes and didn't clearly communicate the nuance in writing was the moment. People don't go to Reddit because forums are a unique product to them, they went there because it could be trusted not to pull the rug out on them. Reddit's biggest risk was losing that trust, and along with it the 1% of customers that provide and moderate their content.
It’s hard to disagree with identifying a dependency risk with the content creators on the platform, although churn isn’t a foreign concept and tough decisions certainly attempt to forecast potential churn.
You're not wrong but it's a depressing statement on what the internet has become, instead of what it used to be.
Viewing the death of an open internet as a risk management exercise is honestly, very sad.
That’s certainly one take but there’s no emotion to it, Risk Management is simply another skill similar to JavaScript programming.