Hacker News

Yes. The current legal situation with access to online resources is an absolute, unmitigated disaster.

My advice to anyone building anything significant off an API or scraped access: do it anonymously. Never reveal your real identity. Never use your real IP. Don't process credit cards. Don't register an identifiable LLC. Run it out of China or Russia where American companies will have a hell of a time trying to get to you.

If you depend on one entity's API, that entity is not going to acquire you. At best, your product will be ripped off and they'll make you irrelevant. This happens to popular mobile applications all the time.

At worst, you'll get sued civilly, get your wages and bank accounts garnished, lose all of your possessions, and get criminally prosecuted under the CFAA, end up doing some time, and eventually get released with the stipulation that you never touch a computer or access the internet again for the rest of your life.

Unless you can ramp up to doing tens of millions of revenue per year (or have investors willing to pony that up) before the company you depend on notices/decides they don't like you anymore and sends out their law firm, you're dead meat, no matter what the details of your case are and no matter how wrong they are.

These are not problems you want. It's easier to put your service in the onion and run it from there, access all external data via proxy, only accept Bitcoin for payment, and never tell anyone the link to your real-world identity. Granted it takes good opsec to continue this for a long time, which is really hard to pull off, but it may be doable depending on your level of commitment.




Scraped content is one thing, but most APIs require a unique key. Forget "trying to get to you": they already know everything they need to know to cut off your API access.


Break their mobile apps. Use their own API key against them. Also break their websites.

For example, for Google, look at Google Keep – that one leaks API keys directly in the list of accessed URLs, the key has been the same for years, and provides access to Maps and Keep. Same with YouTube (the app packages an API key for the v3 data API) or the WolframAlpha app. Many more apps, from simple "what’s for lunch at my uni’s cafeteria" to Transit apps all leak API keys. Preferably you use the key of an app from the same company which maintains the API, so you can guarantee to always find a recent one.

I spent a few weeks last summer extracting API keys for next to all services out of apps, and breaking some DRM solutions, just to get experience with reversing software (which was something I had a course about at uni at the same time, and the experience helped me with homework).


A rotating schema of pirated API keys seems even less sustainable than just risking use of a proprietary API. Not something on which I'd want to build a business either. At some point, the effort of reverse engineering exceeds that of actually building the damn thing for yourself.


The reverse engineering can be automated (as the official apps have to use the key at some point), and as the official app won’t get cut off from support, you can just continue using the latest version of it.


Yeah, but you can usually acquire a network of API keys without making the connection obvious (depends on their API access policies of course) and rotate them as appropriate. Also, many APIs offer the same data through a public interface that can be accessed by scraping, so you can scrape and avoid identifying yourself.


My advice is: Obey robots.txt and provide a real user agent. End of story. Seriously.
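What honouring robots.txt and sending a real User-Agent looks like in practice, as an added example (not code from anyone in this thread); the robots.txt text, the bot name and the contact URL are constructed for illustration:

```python
# Added example: fetch helper that obeys robots.txt (including Crawl-delay) and
# identifies itself with an honest, contactable User-Agent. The robots.txt text,
# bot name and contact URL below are constructed, not taken from any real site.
import time
import urllib.request
from urllib import robotparser

# Constructed robots.txt in the shape a site might publish.
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /private/
Disallow: /api/
Crawl-delay: 2

User-agent: example-bot
Disallow: /private/
Allow: /api/public/
Crawl-delay: 5
"""

# A real User-Agent: product token, version, and a URL where the operator can be reached.
USER_AGENT = "example-bot/1.0 (+https://example.invalid/bot-info)"


class PoliteFetcher:
    def __init__(self, robots_txt: str, user_agent: str = USER_AGENT):
        self.parser = robotparser.RobotFileParser()
        self.parser.parse(robots_txt.splitlines())  # sets mtime so rules apply
        self.user_agent = user_agent
        self.last_request = 0.0

    def allowed(self, url: str) -> bool:
        # robotparser matches on the product token before the first "/".
        return self.parser.can_fetch(self.user_agent, url)

    def delay(self) -> float:
        d = self.parser.crawl_delay(self.user_agent)
        return float(d) if d is not None else 0.0

    def fetch(self, url: str) -> bytes:
        if not self.allowed(url):
            raise PermissionError(f"robots.txt disallows {url} for {self.user_agent}")
        wait = self.delay() - (time.monotonic() - self.last_request)
        if wait > 0:
            time.sleep(wait)  # respect the site's Crawl-delay between requests
        req = urllib.request.Request(url, headers={"User-Agent": self.user_agent})
        with urllib.request.urlopen(req, timeout=10) as resp:
            data = resp.read()
        self.last_request = time.monotonic()
        return data
```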


This is a little paranoid if you're at least trying to stay within the TOS and not overtly get in a fight with the big entity whose API you're using.

(And having the LLC gives you great protection against lawsuits!)


LLCs do not protect against tort liability. They'll pierce the veil. See Facebook v. Power Ventures, Inc., where the founder was found personally liable for 3 million dollars in damages despite the fact that he was a) accessing Facebook on a specific user's behalf at their request and therefore was essentially a browsing device and b) was not violating copyright by any reasonable standard (Ticketmaster v. RMG is not reasonable) since the content he was downloading was owned by the user requesting the download.



