Amazon API crackdown neuters book apps
New keys to the etail kingdom
Following a change in the Amazon.com API, downloadable applications that rely on the etail giant for product data are experiencing a kind of Amazonian impotence.
Nathaniel Elam, a Linux user from New London, Connecticut, recently encountered the problem with his copy of Tellico, a tool that keeps a digital catalog of his CDs, LPs, videos, and other collectibles. The open source app is designed to automatically pull titles, track names, cast lists, images, and other data from various websites, but two weeks back, Elam's copy suddenly quit working with the world's largest etailer.
Then Elam noticed a similar problem with an aging Windows app known as Album Art Aggregator, which provided cover art for his collection of ripped CDs. And after a quick web search, he turned up issues with several other Linux apps, including Amarok, a music player for the KDE Linux desktop interface, and Rhythmbox, a music-management app for the GNOME desktop.
As it turns out, all are victims of a recent change to the Amazon.com data API. On August 15, Amazon began rejecting API requests that weren't signed with a secret access key. In the past, Amazon required a key from each application, but this was a key that could potentially be picked up and applied to any other tool - a particular danger with open source apps. Now, in an effort to maintain tighter control over use of the API, Amazon is requiring signed authentication.
"We are requiring that all calls to the Product Advertising API be signed in order to help us prevent unauthorized and improper uses of the API," reads an Amazon FAQ. "Signed requests will help developers protect the security of their access identifiers and will help prevent others from using their access identifiers to make unauthorized calls to the API."
This means that a separate key is required for each installation of an application. With a web-based app, each user is tapping into the same, centrally-located tool, so the developer can request and apply a single key for all users. But with a downloadable desktop app, each user needs their own key. The developer must tweak the app to accept the key and either distribute keys or have users apply their own keys by way of a free Amazon Web Services account.
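The scheme described above, as an added example that is not code from the article, from Tellico, or from Amazon: the request carries the public access id in the clear, while the per-user secret is used only to compute an HMAC-SHA256 signature over the canonical request, so a key lifted from source or from a packet capture is the signature for one request, not a reusable credential. The string-to-sign layout, host and path are assumed from the Product Advertising API signature scheme as published in 2009; the sample parameters and keys are constructed placeholders.

```python
# Added example, not code from the article, Tellico, or Amazon. The string-to-sign
# layout follows the Product Advertising API signature scheme published in 2009
# (assumed here): HMAC-SHA256 over "GET\n<host>\n<path>\n<sorted query>".
import base64
import hashlib
import hmac
from urllib.parse import quote

HOST = "webservices.amazon.com"  # endpoint and path assumed from the 2009 docs
PATH = "/onca/xml"

def canonical_query(params):
    """Sort parameters by byte order and RFC 3986-encode names and values."""
    return "&".join(f"{quote(k, safe='-_.~')}={quote(str(v), safe='-_.~')}"
                    for k, v in sorted(params.items()))

def sign(params, secret_key):
    """Base64 HMAC-SHA256 over the canonical request; the secret never leaves the client."""
    string_to_sign = "\n".join(["GET", HOST, PATH, canonical_query(params)])
    mac = hmac.new(secret_key.encode(), string_to_sign.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def build_signed_url(params, secret_key):
    """Client side: the public access id rides in the query, the secret only in the MAC."""
    sig = quote(sign(params, secret_key), safe="")
    return f"https://{HOST}{PATH}?{canonical_query(params)}&Signature={sig}"

def verify(params_with_sig, secret_key):
    """Server side: recompute the signature for the parameters actually presented.
    A changed parameter, a missing signature, or the wrong secret all fail."""
    presented = params_with_sig.get("Signature")
    if presented is None:
        return False
    unsigned = {k: v for k, v in params_with_sig.items() if k != "Signature"}
    return hmac.compare_digest(sign(unsigned, secret_key), presented)

# Constructed sample: an ItemLookup as a cataloguing app such as Tellico would issue.
SAMPLE = {
    "Service": "AWSECommerceService",
    "Operation": "ItemLookup",
    "AWSAccessKeyId": "AKIAEXAMPLEPLACEHOLDER",  # public id; placeholder value
    "ItemId": "0000000000",
    "ResponseGroup": "Images,ItemAttributes",
    "Timestamp": "2009-08-15T12:00:00Z",
    "Version": "2009-03-31",
}
SECRET = "placeholder-secret-key"  # constructed; per user under the new scheme
```

Because the Timestamp is part of the signed string, a captured signed URL also cannot be reused indefinitely once the server rejects stale timestamps, which the shared hard-coded key of the old scheme could never offer.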
The end result is that using desktop apps with the API is a bit more complicated. And existing apps - like Elam's version of Tellico - are on the fritz.
"Before, Tellico - as an application - had a unique access key. So every search that came from Tellico had the same key. It was hard-coded in the source. Some other application could have used the same key, since it was pretty much public, though," Robby Stephenson, the app's developer, tells The Reg. "Now, the new scheme requires each user to have a separate key that is kept private."
Like other developers, Stephenson was first notified of the change in May, and he received regular notifications from Amazon until the change was made in mid-August.
Stephenson has tweaked the new version of his downloadable app to use the private keys, but he has no intention of updating older versions that work with older interfaces. "The Amazon searching no longer works for any version of Tellico released for KDE3," he recently told his users. "I don't plan to try to backport that support, either. Sorry, folks. You'll just have to use a different search source."
What exactly is Amazon trying to crack down on? It's unclear. The company did not respond to specific questions about the API change, merely pointing us to that online FAQ. But it's worth noting that Amazon has also changed the name of the API, dropping the "Amazon Associates Web Service" moniker in favor of "Product Advertising API."
The company's terms of service say that the API can only be used by applications that "have the principal purpose of advertising and marketing the Amazon Site and driving sales of products and services on the Amazon Site." But the terms have always read this way. And the new setup hardly seems like the best means of severing ties with product cataloging apps along the lines of Tellico and Books for MacOS X. But it has certainly made their lives more difficult. ®
T & Cs stringent already
I use the AWS APIs (and the apps I coded were unaffected by this as they require users to provide their own keys - Amazon made clear for ages in advance this minor change was going to happen). If someone finds the functionality useful enough they will be prepared to get keys from Amazon - it only takes a few seconds. The change is quite subtle anyway - main public key the same, just requires an extra secret key, and really no major hassle code wise.
My apps always used the users' own keys as the whole idea of AWS affiliates is that click throughs (with id encoded in urls) that lead to Amazon purchase give the affiliate a tiny cut of that sale - lots of sales via Amazon gives nice cash reward: My customers want this cash for themselves - they do not want my keys earning me money via lots of micro-payments.
The AWS T&Cs - if you bother to read them, are very restrictive - when I last checked the images and other information can be cached for no longer than 24 hours and long term storage is totally forbidden: So the apps I produce get data dynamically and do not store it: Another benefit of using users own keys is that, if someone uses my apps and takes a long term copy of the data my app dynamically serves (violating T&Cs) then that is their breach of contract with Amazon and their legal responsibility.
However just about every other app I have seen that uses AWS breaches the Amazon T&Cs - but Amazon seem to take a very relaxed attitude, this change does not prevent that abuse.
Apps that did use a single key for many users were at risk anyway - there are (quite low) usage limits (unless you apply to get a more "pro" account where restrictions are far less) and using the same key in a widely distributed app could have meant calls fail (although from my testing it seems Amazon never really enforce the non "pro" limits - using test accounts I have exceeded the 1 call per second limit and daily call limit without problems).
Anon as commenting on an area I work on occasionally.
Re: getting something for free - costs Amazon money
Nope, the likely problem is that at least some of the cover art and pictures are not licensed for reproduction anywhere besides the amazon website. By allowing apps to pilfer the content unimpeded Amazon puts itself into a position of assisting an infringement or infringing on copyright.
"What do you mean "What?!?!" ? It's trivial to use Wireshark (etc) to sniff API calls... this should not be a surprise to you."
I think he was referring to the ethics of just plugging someone else's key into your own stuff. Although I daresay he and I are surprised about you bringing sniffing into it when *you can get the key from the source*. I thought all you open source gimps read the source code as a matter of course, since no-one else can be trusted to write a trustworthy and/or stable app? Sheesh.