This month, we have added “API mapping” and “JavaScript file analysis” as core components of the NT Analyzer tool suite. This post explains what API mapping is and how the feature provides critical insights regarding the transmission and processing of user data (a subsequent blog post will address JavaScript file analysis).

NT Analyzer is a privacy testing tool that detects personal information transmitted by web apps, mobile apps, and embedded services, including identifying transmission of data to third parties. It uses low-level technical data to spot and remediate a wide variety of privacy compliance issues, including, for example, those pertaining to the VPPA, CCPA, HIPAA, and GLBA.

To date, NT Analyzer has focused heavily on identifying raw data transmissions. However, we have now expanded NT Analyzer’s analytical capabilities to include “API mapping.” API mapping generates technical documentation explaining why an endpoint collects particular data together with the structure and purpose of specific parameters and data elements. API mapping provides essential insights on how transmitted data is used and for what purposes—core inputs in any privacy risk assessment or analysis.

What is an API?

Although the term “API” is often used in legal areas relating to privacy and security, many practitioners may only have a fuzzy notion of what the term means unless they have hands-on experience with development. An “API” or “Application Programming Interface” is a pre-defined, structured set of rules and/or protocols that provides clear methods for how software systems communicate with each other in order to make specific features or services work for websites, mobile apps, connected TVs, and just about any network-aware device or application. APIs can be used for a variety of functions, such as location services (geocoding, reverse geocoding, directions), payment processing (Stripe API, PayPal REST API, Square payments API), AWS (S3 storage), analytics, ad delivery, ad targeting, and many other use cases. Companies may also have their own first-party APIs.

Why is API Mapping Essential for Privacy Testing?

“API mapping” consists of using a repeatable, formalized process to show how paths, parameters, headers, or request bodies align with—or “map” to—specific backend functions or endpoints. API mapping is used to gain an understanding of what a particular service does and how it operates by detailing who the data is shared with; what data is shared; when it is shared; and how the data is used. API mapping provides a company with the necessary information to understand potential privacy risks and any attendant compliance obligations.

In the context of privacy risk assessments and similar reviews, API mapping allows a company to understand and determine:

  • Who the data is being shared/disclosed to;
  • What data is being shared/disclosed;
  • When a particular share/disclosure occurs in the user journey;
  • Why specific data is shared/disclosed with that third party and for what purpose;
  • How a particular data element or parameter is used by the API; and
  • The accuracy of third-party representations regarding access to user data and interactions.
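To make the who/what/when questions above concrete, here is a small, added example (not NT Analyzer’s code, and not from the original post) that turns a captured set of HTTP requests into an API map: it groups requests by endpoint, labels each endpoint as first- or third-party, tags the data elements found in query strings and bodies, and records the user-journey step at which each disclosure occurs. The hosts, paths and parameter values are constructed sample data; `FIRST_PARTY_HOSTS` and `NAME_HINTS` are assumptions a real review would tailor to the app under test.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Constructed sample capture (hypothetical hosts and values, not real traffic). Each record is
# one HTTP request observed during a scripted user journey, tagged with the journey step.
CAPTURED = [
    {"step": "signup", "method": "POST", "url": "https://app.example.com/api/account",
     "body": "email=jane%40example.com&plan=basic"},
    {"step": "signup", "method": "GET", "body": "",
     "url": "https://collect.analytics-vendor.example/pixel?uid=abc123&email=jane%40example.com&lat=40.71&lon=-74.00"},
    {"step": "checkout", "method": "POST", "url": "https://ads.adnet.example/conv",
     "body": "order_id=991&device_id=e2b1-7f&city=New+York"},
]
FIRST_PARTY_HOSTS = {"app.example.com"}  # assumption: the app's own domain(s)

# Parameter-name hints and a value pattern used to label data elements (assumed, extend per review).
NAME_HINTS = {"email": "email", "lat": "geolocation", "lon": "geolocation", "city": "geolocation",
              "device_id": "device identifier", "uid": "user identifier"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def classify_param(name, value):
    """Return a data-element label for one parameter, or None if it is not personal data."""
    if EMAIL_RE.match(value):          # value-based check catches email under any parameter name
        return "email"
    return NAME_HINTS.get(name.lower())  # otherwise fall back to the parameter name

def build_api_map(captured, first_party_hosts=FIRST_PARTY_HOSTS):
    """Produce one map entry per endpoint: who receives data, which elements, at which steps."""
    entries = {}
    for req in captured:
        u = urlparse(req["url"])
        params = parse_qsl(u.query, keep_blank_values=True) + parse_qsl(req["body"], keep_blank_values=True)
        entry = entries.setdefault((u.hostname, u.path), {
            "endpoint": f"{req['method']} {u.hostname}{u.path}",
            "party": "first-party" if u.hostname in first_party_hosts else "third-party",
            "data_elements": set(), "params": set(), "steps": set()})
        entry["steps"].add(req["step"])
        for name, value in params:
            entry["params"].add(name)
            label = classify_param(name, value)
            if label:
                entry["data_elements"].add(label)
    return [{**e, "data_elements": sorted(e["data_elements"]), "params": sorted(e["params"]),
             "steps": sorted(e["steps"])} for e in entries.values()]

def third_party_disclosures(api_map):
    """The rows a privacy review focuses on: personal data elements sent to a third party."""
    return [e for e in api_map if e["party"] == "third-party" and e["data_elements"]]
```

Running `third_party_disclosures(build_api_map(CAPTURED))` yields the analytics pixel (email, geolocation, user identifier at signup) and the ad-network conversion call (device identifier, geolocation at checkout); the first-party account endpoint is listed in the full map but excluded from the disclosure list.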

For more information about NT Analyzer or API mapping, please contact either Steven Roosa steven.roosa@nortonrosefulbright.com or Wenda Tang wenda.tang@nortonrosefulbright.com.