Bot Free Policy

Why we participate in official, certified developer programs

Written by Openbridge Support
Updated over 5 months ago

Openbridge does not employ bots, web, data, or screen scraping technologies for data pipeline automation. Openbridge only utilizes approved, official APIs to create scalable, secure, and compliant data pipelines.

Employing bots, web, data, or screen scraping technologies would violate the terms, AUPs, and DPPs set forth by companies like Amazon, Google, and Facebook. Using these technologies can put customer accounts at risk of suspension or termination.

Backdoors->Bots->Breaches

Bots require user-level account logins for data scraping. Accounts like these have been at the heart of the latest attacks by threat actors taking over accounts.

The attack was detailed for Amazon in the "Scrape and Pillage" threat assessment, which describes the significant risk that third-party tools using account data scraping represent for Sellers, Vendors, and Advertisers on the Amazon platform.

Official, Certified Developer Programs & APIs

Participation in formal, certified developer programs from companies like Amazon, Google, and Facebook is critical for transparency, consistency, and security.

Openbridge invests significant time and energy in working through official developer programs established by Amazon, Facebook, Google, Stripe, etc. Companies require developers who participate in programs to undertake rigorous audits, reviews, and compliance monitoring to be approved as users of their systems.

For example, here is what Amazon requires of us:

As a data custodian for Marketplace sellers and vendors, Amazon rightly demands developers meet API usage and security standards.

We take our developer and partner commitments seriously, which means adhering closely to applicable data protection and acceptable use policies for each API we leverage on our customers' behalf.

How To Check If A Developer Is Using Bots?

Developers often do not reveal that they are using bots to extract data, and if they do, they describe a bot in fanciful terminology like "robotic process automation." These are your first clues that they are not using official, certified APIs.

Most bots emulate the behavior of a user and a browser. If someone asks you to register a new user email address in your account, they are using a bot to access your data. For example, in the first step, they will ask that you add an email address for the company to your account:

user-account-country@data-export-company.com

Once this email is added to your account as a new user, they use this email address to manually AND programmatically log into your account. If your account uses enhanced security via multi-factor authentication, the developer may ask you to disable or bypass those security controls.

To further illustrate the point, we detail an Amazon use case below.

Use Case: Amazon

There are two software development approaches to working with Amazon: the "front door" and the "back door."

The "Front Door": Approved Amazon Developer

The "front door" reflects developers who leverage official Amazon APIs and formally participate in their developer program(s).

Openbridge, as an approved Amazon developer, is bound to comply with all applicable program terms.

Compliance includes testing, audits, security, legal, and governance policies covering data collection, storage, use, transmission, and deletion.

These policies and agreements explicitly define how Openbridge, as a developer, can get data from Amazon through its APIs. While this is a significant investment of time and energy, it reflects a commitment to Amazon and our customers to meet shared standards and best practices.

The "Back Door": Bypassing Official Amazon Programs And Systems

On occasion, prospective customers have asked us to develop "back door" Amazon data services. We politely decline as it does not align philosophically with our mission and would violate our Amazon developer DPP and AUP.

However, there are commercial developers who operate outside official Amazon developer channels and offer "back door" Amazon data services.

What exactly is a "back door" data service? These are applications designed to collect data by bypassing or circumventing official Amazon APIs. An example of a back door data service is the web, data, or screen scraper. Scraper applications mimic a person using a browser to scrape data from web pages, download files, or perform a task.

With Amazon, a developer will request user credentials so the scraper application can pretend to be a user and log into a Seller Central account. The developer's screen scraping application will log in to a Seller Central account, collect data, and store it somewhere. The screen-scraped data will often be reports, which include Amazon-restricted PII data. These scraper apps usually require a seller to turn off account security features to enable access. For example, these apps will require turning off two-factor verification on Seller Central, because it can cause their screen scrapers to break.

The Risks Of Bypassing Official, Approved Amazon Developer Programs

So what's the issue with back door data services? Since a scraping application mimics the behavior of a person using a website, it operates outside Amazon's terms of service:

  • Amazon expressly states that granting user authorizations to Amazon Portals to manually or programmatically circumvent Amazon policies for data access violates the AUP. As a result, if detected by Amazon, your Seller Central or Vendor Central account can be suspended or terminated.

  • Amazon Advertising prohibits developers from requesting credentials for Amazon Advertising interfaces and services (e.g., log-in credentials for the Advertising Console) for use in their applications. They state, "Never ask for or accept an Amazon Advertising Participant's access credentials for any purpose," which is exactly what the back door developers are doing.

  • Unlike Amazon-approved developer applications, there is no formal review by Amazon of security controls for the receipt, storage, usage, and transfer of your data. These developers avoid the audit, review, and authorization process required of approved Amazon developers.

If a developer claims they do not need to leverage official data access APIs, they deliberately choose an unapproved data access pattern they know Amazon would not accept.

Amazon can suspend or terminate the offending seller or vendor account if you use back-door data access services. Is it worth the risk?

Summary

The Openbridge philosophy is to adhere to developer program requirements set forth by Amazon, Facebook, Google, or others regarding data governance, security, transit, or storage.

Our commitment is to align our efforts so that we comply with the terms of any developer program services agreements in which we participate. This includes partnering with program owners (Amazon, Google, Facebook, and others) as we complete the functional testing, review, refactoring, and monitoring outlined in their program terms.

Establishing long-term relationships with developer programs not only ensures compliance but also allows us to be an advocate on our customers' behalf. Our program participation provides direct access to troubleshooting, feature requests, enhancements, performance, and roadmaps to give our customers a voice in the technical evolution of these systems.
