DEV Community

Cover image for The Reddit blackout is a lesson in risk management
Joe Mainwaring
Joe Mainwaring

Posted on • Edited on

The Reddit blackout is a lesson in risk management

This morning I ran headfirst into the picket line for the Reddit Blackout which hindered some research I was doing into a technical solution.

Image description

While I empathize with the impact to indie devs and SMBs dependent on the Reddit API, I can't support the protest. Reddit's API is not a public good; we are not entitled to freely access it. While I could cite capitalist talking points to support my position, I'd rather focus instead on a different narrative, one which I suspect is underestimated by many indie devs and SMBs - risk.

Risk Management

Risk Management was originally defined as part of the ISO 31000 Standard and can be summarized as:

the identification, evaluation, and prioritization of risks, followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events, or to maximize the realization of opportunities.

For mature technology companies like WorkTango, we are required to invest in Risk Management, and one way we meet this obligation is by maintaining an artifact known as a Risk Register. A Risk Register is a ledger which captures all of the criteria outlined in the definition of Risk Management. We add to this register as risks are identified, and engage in a quarterly exercises to brainstorm new risks. This provides the business as a whole with an understanding of potential risks for resource planning (feature development) and strategic decision making.

So why bring up risk management and the risk register in the context of the Reddit Blackout? If WorkTango was in the business of creating a client app for Reddit's platform, we would have identified Reddit's free API as a dependency risk.

Dependency Risk

Dependency Risk is a category of risk you take on whenever you have a dependency on something (or someone) else. When we build client apps wholly dependent on a third party platform, a dependency risk is created. That third party could cease operating, or as both Reddit and Twitter have demonstrated, stop giving away their resources for free.

Open APIs are free, as in beer

As a developer, it's best to think of Open APIs as free, as in beer:

  • The API resource (beer) cost you nothing
  • But APIs aren't free, somebody paid for the API (reddit)

The 2010s was a golden age in capital investment and the technology industry benefited significantly, enabling a lot of free resources as a draw to build audiences and engagement. However, the 2020s so far have proven to be more challenging. Money is no longer free and as a result, many companies are having to mature their business models to be more self-sustaining. This means reducing expenses and finding additional sources of revenue. Monetizing previously open APIs is an unfortunate intersection that addresses both needs. Expect less free beer on the internet as we progress through these tougher economic times.

Mitigating the Risk

The only way to mitigate a dependency risk is to add a layer of redundancy, but when you build apps on top of platforms like Reddit or Twitter; you can't fail over to a different platform to access the same content. So how would I mitigate this risk?

  1. Accept that if this risk is realized, it's game over for the app. Since I do not own the backend which my app depends on, losing access to it means my app can no longer function. Draw up a plan to wind down the product gracefully in the event this risk is ever realized.
  2. Diversify. If I can't prevent a game-over situation, the next best mitigation strategy is to diversify my revenue streams. That means building a second app on a different platform (ex: slack app), or building an app without the platform dependency risk. That way, if I lose one app, I take a financial hit, but hopefully the other app can support myself while a new app is conceived to replace the lost revenue.

Did you find this post insightful, or perhaps you disagree with my risk points in regards to Open APIs? Share your thoughts in the comments below.

Top comments (28)

Collapse
 
pas_27513 profile image
pas_27513

To your opening point on why you cannot support the protest, Reddit app developers like Apollo’s Christian do not take issue with Reddit wanting compensation for their API, it’s the incredibly short timeframe they were given, as well as the exorbitant cost that was clearly designed to eliminate all 3rd party apps. Developers for apps like Apollo and RiF have poured their heart and soul into their Reddit readers for years, likely a decade. Most of us that use these apps would be happy to pay a monthly fee to continue using them, but there is no path where any of them can come up with a pay plan that will bring in 2 million dollars per month in the timeframe they were given. I would be interested to hear your thoughts on this, because the protest was not about the api costing money.

Collapse
 
theaccordance profile image
Joe Mainwaring

My thoughts are pretty simple: None of that matters from a risk management perspective.

Collapse
 
moopet profile image
Ben Sinclair

Could you elaborate?

Thread Thread
 
theaccordance profile image
Joe Mainwaring

My post is the elaboration.

Thread Thread
 
moopet profile image
Ben Sinclair

Oh sorry, I didn't notice you were the OP!

Collapse
 
giulio profile image
Giulio "Joshi"

You're right when you say

Reddit's API is not a public good; we are not entitled to freely access it.

and that too many people probably built castles over someone else kingdom.

What could be cultural, and maybe needs some gap-closing, is that if kingdom owners that allow specific passages in practice are often due to keep the passage open, even if the pact is not formal agreement or registered contract.

Following the land ownership metaphor, I'd say we are very near the easement of passage laws (Italian text, needs translator) that regulate rights of access, that behaves exactly how users are requesting access to API.

Why? In my opinion, because the existence of law that covers the same expectations and cultural necessities that have been severed by Reddit, and why all the fuss is not only justified, but also representative of how users are feeling stolen of respect.

What Reddit did was to put a terms and agreement and legally grab the content, a trade-off often overlooked by subscribing people, and yet seriously misplaced: a media platform needs the users not just the content. They're not publishers: they're communication platforms.

As a (previous) reddit user that broke the gentlemen agreement on how I do expect a media platform to behave, regardless of what they could legally or economically do.

I wish them luck anyway, but find this less and less important in my daily browsing.

Collapse
 
theaccordance profile image
Joe Mainwaring

Perhaps we may see new regulation to ensure continued access to APIs, but I'm personally betting on the opposite. Even if we did legislate that private parties had to retain access they once provided, there's still the cease operations scenario which would cut off access - and there's no guarantee in those situations that a shutdown will be graceful.

Collapse
 
giulio profile image
Giulio "Joshi"

You're right, also laws too specific to a tool can lose effectiveness pretty quick.

GDPR covers data access, propriety, and users rights around it... de facto regulating existence of interfaces, no matter if those where email addresses, actual API or applications.

In all this matter, yes Reddit bestow its own right about application usage, but has rug-pulled other businesses. I'm a bit surprised there is no legal ground were the collateral damage could be discussed and judged by a third party.

Thread Thread
 
theaccordance profile image
Joe Mainwaring

That's basically the difference between a free API and a paid API. With a paid API, you'll have engaged in a contractual relationship which will likely have better provisions in terms of guaranteeing access. Free APIs have a unilateral contract which means the provider dictates the conditions for use.

Collapse
 
syntaxseed profile image
SyntaxSeed (Sherri W)

We should all be very aware that closed platforms, no matter how free-as-in-beer they are, they are not a public good. Companies love to have all of us creators feel like the platform is open so that we pour our own time & effort into creating content & tools for them that benefits the platform. But it's a one-way relationship.

Don't carry stone for someone else's castle.

It's time we invest into platforms built on open standards & protocols & software instead of providing free labour for private corporations.

Collapse
 
theaccordance profile image
Joe Mainwaring

I wouldn’t say it’s a one-way relationship, but there’s definitely a hierarchy of who’s priorities matter first. Creators do benefit from these platforms, but platform operators will make the chances necessary to meet the demands of their bosses (VCs/stockholders) and keep their workforce employed

Collapse
 
toddbradley profile image
Todd Bradley

Good article. I wonder how many developers of apps that depend on the Reddit API really do grown-up risk management, with risk registers and everything. I suspect it’s very few, if any. I think the only way I’d bet my business on getting something for free is if I didn’t need to invest much in my product and could therefore just walk away at any time.

Collapse
 
theaccordance profile image
Joe Mainwaring • Edited

I suspect very few Indie devs and SMBs have mature risk management programs in place because it's not a trivial effort. I don't think they need to invest in something as articulate and tedious as a risk register, but I do think some thought needs to be given on risks. In my past indie projects, we didn't keep a register, but we did invest a little bit of time into identifying potential areas which would scuttle the project.

Collapse
 
andreasvirkus profile image
ajv

We are not entitled to freely access it.

There's certainly arguments to be made why people have that expectation though. Would you claim the same if Wikipedia did it? What about hackernews or any other platform where all of the site's content was generated by its users, and also moderated by them? It's easy to understand where the sense of ownership stems from for the protesters and why they feel robbed.

There's also a whole novel to be written about the mission of Reddit, Schwartz and what they initially stood for, but as you'll most likely reply "None of that matters from a risk management perspective", I'll leave it at that.

Collapse
 
theaccordance profile image
Joe Mainwaring • Edited

Would you claim the same if Wikipedia did it? What about hackernews or any other platform where all of the site's content was generated by its users, and also moderated by them?

Yes, I would make the same exact argument for every single platform on the internet today that is owned and operated by private parties. It does not matter whatsoever about the who, the why, or the how. None of these platforms are public goods, they're simply "free beer".

There's also a whole novel to be written about the mission of Reddit, Schwartz and what they initially stood for, but as you'll most likely reply "None of that matters from a risk management perspective"

You're correct, my reply is none of that matters, because objectively it's factual: None of that does matter in the context of Risk Management. That sounds cold, but feelings aren't an ingredient when managing and mitigating risk. Keep in mind too that historical perspectives on how Reddit should operate are historical - based on the conditions of that time. Today's economical conditions are vastly different from 10 years ago and it's forcing those who are running businesses like Reddit to adapt in order to survive.

Collapse
 
spo0q profile image
spO0q 🐒

It seems that most people use third-party apps to browse Reddit, not the official web platform.

Many other companies have tried to follow that pattern: open everything and attract wonderful OS initiatives and, at some point, close everything to monetize, but this is actually risky.

The "downgrade effect" is highly probable. Don't mess with your users.

Collapse
 
muppetjones profile image
Stephen

I have to add that it's entirely possible that third-party apps did consider risk management. From what I've read, it actually sounds like some may have: Apollo devs have mentioned that in March of 2023 they specifically asked about API support and changes and were told "no changes", not for years.

Yes, the risk of losing API access is high, but the likelihood of occurrence was very low: Years of robust performance and assurance from the owners that nothing was changing. Even with proper risk management planning, such a sudden and aggressive change couldn't have been properly accounted for. Thirty days is not sufficient for any massive restructuring, especially if you're taking the time to things like risk management. Take into account the high cost and openly hostile CEO, and I'd be surprised if any risk management plan would survive.

Regarding the lack of support for the blackout, keep in mind that if was largely driven by users of reddit, not by the third-party devs (at least not some devs). Attributing the blackout to indie devs because they didn't properly identify the free API as a dependency risk is fraught with logical fallacy. Classic correlation without causation.

More likely, that argument was intended as clickbait and a way to generate discussion, which worked at least in my case, but may have backfired. I now have a negative association with this post and will be less likely to view any of the authors or resources as a credible source of information.

I'd argue that a more informative "here's how to do risk management effectively" with reddit as a case study would have been a more effective post. Instead, this post comes off as a cold, inflammatory advertisement.

Collapse
 
kajin41 profile image
kajin41

When I first read the headline, I assumed this would be about Reddit's poor handling of their risk management. As a platform who's customers also make and moderate their product. They did not consider the risk that volunteers needed more time to make process changes than someone working full time. The blackouts have nothing to do with the third party apps and all to do with the community driven content. The moment reddit put a short timeline on changes and didn't clearly communicate the nuance in writing was the moment. People don't go to reddit because forums are a unique product to them, they went there because it could be trusted not to pull the rug out on them. Reddit's biggest risk was losing that trust, and along with it the 1% of customers that provide and moderate their content.

Collapse
 
theaccordance profile image
Joe Mainwaring

It’s hard to disagree with identifying a dependency risk with the content creators on the platform, although churn isn’t a foreign concept and tough decisions certainly attempt to forecast potential churn

Collapse
 
incognitjoe profile image
Joe Butler

You''re not wrong but it's a depressing statement on what the internet has become, instead of what is used to be.

Viewing the death of an open internet as a risk management exercise is honestly, very sad.

Collapse
 
theaccordance profile image
Joe Mainwaring

That’s certainly one take but there’s no emotion to it, Risk Management is simply another skill similar to JavaScript programming.

Collapse
 
Sloan, the sloth mascot
Comment deleted

Some comments may only be visible to logged-in visitors. Sign in to view all comments.