Human Intelligence – The Why of the API

JuriusDoctor 2017-07-11

One of the most common questions I get asked (or overhear) as a teacher, content creator, and recruiter is “Why do I need to give a corporation my API(s)?”

The answer is a deceptively simple one—deception being the point. Recruiters, personnel officers, and other corporation and alliance officials need to ensure that the players joining their membership are forthright, honest, and a good cultural fit. As long as CCP’s EVE Online End-User License Agreement (EULA) allows a game culture where scamming, theft, piracy, and corporate espionage are permitted—if not endorsed—then it behooves them to use every tool at their disposal to achieve that.

The API is the single largest tool in that toolbox. While the EULA has very strong language around the use and disclosure of a player’s personal information, it is a lot less protective of character information and the communications, interactions, and play a user has in the use of that character. The EULA document clearly states that nothing you do as your character is private, and you should have no such expectations that it will be. The API grants access to that information.

What the heck is an API?

For those who are unfamiliar with the term, API is short for Application Program Interface.

An API makes it easier for developers, both at CCP and third-party, to develop additional tools outside of the game and to access information and data sets to use in those tools. Tools empowered by APIs include:

The above is not an exhaustive list.

As such, while the API is a programmer’s tool, for recruiters and officers in EVE’s many corporations and alliances the API is more of a Swiss Army Knife.

Why do corps ask for an API?

In addition to the host of tools designed for player-benefit, above, there are also tools created expressly for corporations.

These tools allow the user to parse through your account, and character information. What kind of information? Everything.

Everything contained in the game about your account and the characters in it.

I’ll let that sink in for a minute.

Okay, so beyond sounding like an Orwellian nightmare this is actually incredibly useful for vetting players for a corporation. It can tell a corp officer or recruiter a lot about your engagement with the game, with others, and with certain types of game-play.

The purpose for requesting this information is multi-layered:

  1. Transparency: Are you acting with good faith? It sets out a foundation of trust and honesty.
  2. Trust, but verify: Does your account and character details support your backstory and your assertions?
  3. Education: Does your API(s) show a thoughtful approach to character development; where can the corporation or alliance help you to grow?
  4. Fit and suitability: If you are joining a PVP alliance do you have the requisite skills to fly the alliance doctrines? Do you show prior experience in solo and fleet PVP?
  5. Counter-intelligence: Are you lying? If so, why, and to whom do you report?

Looking at a submitted API, however, takes a bit of experience and awareness. You have to know what it is that you’re looking for and you have to understand the rationale that drove it. While you run the sincere and extreme risk of fallacy of intent, you can also underestimate the motivations of a particularly savvy or dedicated spy.

On the matter, John le Carré wrote that “once you’ve lived the inside-out world of espionage, you never shed it. It’s a mentality, a double standard of existence.”

He was not wrong.

Analysis Paralysis

A model for analysis can be wrong but data never is.

The biggest problem tech, bio-med, and hard sciences companies have in presenting analyses with large data sets is that with sufficient data you can appear to support anything. Companies which adopt big data tools without properly trained and experienced data scientists can end up with horribly skewed, inaccurate, or flat wrong assertions and can waste millions of dollars on a “sure bet” that turned out to be trash.

People can, and have, built whole careers on bad or incomplete data. When new data is revealed that disproves their understanding of the world, some take it very badly. Others are excited for the chance to learn the truth, because of all the new possibilities for discovery which are revealed. (I kid you not: a fossilized piece of human excrement upended the archaeological chronology of the Americas.)

When you get a big set of data like an API output, you need to know what questions to ask in order to prove the legitimacy of a person’s claims. Otherwise, you’ll just end up frozen looking at a giant wall of information and it’s easy to get lost in that data. This is called analysis paralysis; where you have so much information you’re not sure where to start. This is where the social sciences meet the hard sciences. You need to be able to refocus your search to shine a very bright light on the gaps between a person’s story and what the hard data in their API doesn’t do to support their claims.

Lies are like bad research. The beauty of the scientific method is that when you hold up presented findings to ardent scrutiny it only takes one bad premise to make the whole fallacy collapse. And if you’ve done your job right, anyone should be able to reproduce your results. I get excited when I catch someone in a lie.

Tread lightly, though, because it can be hard to balance paranoia and jurisprudence.

Human Intelligence

The denials, if they need be given, could better be given with sincerity, and they could only be feigned if you didn’t know them at all.

– Kenneth Eade, Russian Holiday

At the end of the day, it all boils down to Human Intelligence, referred to in military and law-enforcement circles as HUMINT or ELINT, Clandestine Intelligence, Cloak and Dagger, Sneak and Peek, and a dozen other euphemisms, acronyms, and pejoratives. Regardless of how you come by your data, you need a means to aggregate it and you need a person who knows what they’re looking for to make the call on a person’s sincerity, the reliability of the data, and the possible variances on the model. All it takes is one piece of information to undo a person’s façade.

This is where human intelligence meets counter-intelligence.

Once you find something that doesn’t fit the weave of a person’s story, you need to be able to understand what it means in the greater arc of New Eden’s social, economic, military, and political environment. Once you have one bad premise in a person’s assertion that they’re being forthright and honest, you need people who can go digging, and know where to look. People with spies of their own to discreetly ask questions, covertly reconnoiter, and report back to you.

It’s never the size of the lies. Spies get caught out in the details.

Here are three examples which are common enough that (as a recruiter) I don’t feel like I’m selling the keys to the kingdom in sharing them:

  • Personal standings: You apply to a corp as a neutral newbro, but you have +10 personal standings set with someone in their enemy’s alliance.
  • Wallet and skills: You claim to be a day-one newbro, but you’ve got 300M ISK and all of your skills are only combat-related.
  • Kill History: You claim you’ve never “done PVP” but you’re on kills with Bomber’s Bar or Spectre Fleet.

When it comes to spies, there are a figurative thousand-and-one ways to find them out. Where there’s one, there are always more. Always.

I have never caught a spy where it was only one piece of information which sold them out. The API isn’t the only place that information comes from.

Spies beware.

If you’re one of the newbros who has asked the question, “Why do you want my APIs?” I hope that this answers your question.

Let your voice be heard! Submit your own article to Imperium News here!

Would you like to join the Imperium News staff? Find out how!

Comments

  • Bertram Renning

    Hi,
    I am not really a newbro anymore (without being anywhere near experienced either) and I think the question I would be asking is “Why do you want my _full_ API key ?”.
    I can understand the need for transparency, having access to the inventory, to the kill history or skill point, all fine. However, as you point out, API can delivered “Everything contained in the game about your account” (!) that’s worst than an “Orwellian nightmare” you basically have access to god vision (or THE Truth). Which might be awesome from a scientific point of view, and I wouldn’t mind it use in an other form of citizen science but we are talking about giving that information access to basicaly an unknown person (the recruiter is rarely personally known by the one applying and for sure you never know every one that will be involved in handling your precious key).
    To be honest I am pretty sure that most of those asking for it have no idea what they are asking for and just don’t use it (so they should be happy with just a partial API key) but for those who “know how” … Well it’s where the tag line “eve is real” go from cool to scary. When you can analyse all of the communication of a character, there is very few limits to what you can learn (and the limit is certainly not the eve sandbox).
    I am really under the impression that the full api key requirement is only so because “everyone else is doing it”.
    The other side might as well be true, people giving away their full API key have no idea what they are giving away and does so because they have no choice. I personally don’t think that anyone is giving away freedom for security (which capsuler don’t really need, being immortal) but most are certainly giving away freedom for social security (“be part of the group”) which is the main driver for pretty much everything in eve.

    Don’t you think that most recruiter/corporation could ask for a partial API key instead of a full one ?

    July 11, 2017 at 11:29 am
    • This is one of the most interesting aspects of negotiating in the context of an Eve type sandbox.

      You give the entire API because you have absolutely no leverage again the entity you wish to, and often need to, engage with. Gentleman, neo-liberalism at its finest.

      July 11, 2017 at 11:34 am
      • More so than that, the interesting question is, “how do you game the contents of your API?” There are really, really good spies out there which have done exactly that.

        The problem with it is time.

        We’re talking cold war Russian mole level dedication here. Completely different personas and years… possibly decades… of dedication and patience.

        July 11, 2017 at 8:59 pm
    • Any activity in the game can be used to subvert your corp/alliance/coalition. Obtaining evidence for wrongdoing could have to do with any in-game system. In The Imperium/ Goonswarm Federation you can expect privacy from outsiders using our own communications systems (forums, jabber, etc.) but still not really expect privacy from directors and moderators/ internal affairs.

      July 11, 2017 at 3:35 pm
      • “Any activity in the game can be used to subvert your [corp/alliance/coalition.”] Bertram, what Cavin said.

        Like I said in the article, the API isn’t the only tool available to corporations and alliances. It’s just the foremost and the most powerful.

        Further, you have to realize that the biggest, most powerful corporations, alliances, and coalitions often allow spies to operate clandestinely within their organizations. We know you’re a spy, and we let you stay a spy with you none the wiser.

        Why?

        As the Russians put it, “Dezinformatsiya”.

        Alternately, as Sun Tzu put it, “It is essential to seek out enemy agents who have come to conduct espionage against you and to bribe them to serve you. Give them instructions and care for them. Thus doubled agents are recruited and used.”

        July 11, 2017 at 9:09 pm
    • To answer your question, “Don’t you think that most recruiter/corporation could ask for a partial API key instead of a full one?”

      In no uncertain terms: Absolutely not… No way. Nuh uh. Not today, space friends.

      I’ll be honest, I trust your altruistic defense of capsuleer liberties like I trust a slow-boating Nereus in Kinakka. But you’ve raised a couple of interesting points and I’ll address them point form:

      1. [“Why do you want my FULL API key”] No no, you misunderstand. Not your full API key. Your FULL ACCOUNT-LEVEL API keys, for all of your accounts. It’s everything or GTFO.

      2. [“you basically have access to god vision (or THE Truth).”] Damned straight! Because anything less than the truth is a lie by omission. Re-read that part where you have no expectation of privacy. I’ll bet that if your work requires you to use a computer, your employment contract says almost the same thing, in the same words.

      3. [“To be honest I am pretty sure that most of those asking for it have no idea what they are asking for and just don’t use it”] I can guarantee you that’s not the case.

      4. [“When you can analyse all of the communication of a character, there is very few limits to what you can learn”] “I read your emails” is not just a t-shirt I wear at work.

      5. [I am really under the impression that the full api key requirement is only so because “everyone else is doing it”.] Interesting thought, but your statement presumes that this is the accepted behaviour without cause.

      Yes, most corps do it because “everyone else is doing it”… in the same way that security companies, financial institutions, childcare centres, and medical dispensaries all require criminal record checks. “Everyone else is doing it” for a goddamned reason. I.e. Is this person dependable, or a thief (or worse)?

      6. [“people giving away their full API key have no idea what they are giving away and does so because they have no choice”] Most people do not realize what degree of access a full account API grants. True! Most people also do not actually read and agree to the terms and conditions. But they do so because of the service/membership/benefits they want out of the trade. Cost of admission.

      7. [“I personally don’t think that anyone is giving away freedom for security”] See above. Cost of admission.

      8. I’ll also address the unstated but tacitly implied objective in your argument: that asking for full API keys is in some way nefarious or a gross violation of a player’s character rights.

      To which the first of these premises have to be observed:

      a. [Your character has no rights.] It’s a video game, you don’t own the IP, and what you do in it is subject to CCP’s whims. You pay the cost of admission twice: once to play, and once to play with others. Get good.

      b. [I only care what your API says as far as it goes to helping you pass the sniff test.] Everything else is extraneous. As I’ve said in prior articles – I work two full-time IT jobs as an admin and a consultant, I write, I’m a parent, I have a social life, and I play EVE. I don’t have time to CARE about what’s in your API beyond that point. A lot of – nay, most – recruiters are in the same place.

      Further, that level of access comes with the expectation that, from an organizational perspective, it will be used expediently and with some degree of professionalism. I have never heard of someone attempting to blackmail a player with something which was revealed by an API, and if it ever happened I would bet 20 Euro that CCP would drop the ban-anvil and more on the blackmailer.

      So… your argument, while interesting, is kind of moot and poorly supported by existing precedents. If you want to argue that CCP should change the EULA to grant fictional characters greater rights and freedoms, given the context, culture, and internal political atmosphere of this game, you are welcome to do so but be warned you face attempting to move Sisyphus’ boulder.

      July 11, 2017 at 8:54 pm
      • Bertram Renning Jurius Doctor

        Thanks for your answer. There is a few points I would like to emphasis :

        I do think the comparison with the real world is interesting, but we
        have been proven how bad things can go under surveillance so maybe using a
        sandbox to figure out how to do things in an other way might be nice ;).

        I do not think that the API by itself is bad rather than big eve organisation tend to abuse it.
        I understand why, but I regret the fact that [“You give the entire API because you have absolutely no leverage again the entity you wish to, and often need to, engage with”] as Alot put it.
        I also think that capsuler should be cautious about what informations they give to who.

        I do not have enough knownledge about it to say for sure but it seems to me that it should be less effort to monitor the [important/sensitive] informations than to monitor everything.

        I do not think CCP should change the EULA (on that’s subject at least).
        I would rather like to see a goon revolution “bee for freedom” or a dreddit thread “saving dinosaurs right”. A concord note might be nice too but I wouldn’t really believe in it.

        July 11, 2017 at 10:42 pm
  • Rhivre

    What do you think about the change to APIs coming with ESI? From account to char only?

    July 12, 2017 at 4:29 am
    • Welp, more work for applicants. I still end up looking at the same number of APIs. Because if I see data that suggests you have an alt you didn’t tell us about and I don’t get an API for it, it’s “Request Denied. Next!”

      July 12, 2017 at 2:45 pm
  • Alot

    This seems like the sort of bait which usually tricks me into ranting about my favourite modern day Orwellian practise: automated api scraping.

    Though I currently lack the gusto to hark on about it -.-

    July 12, 2017 at 10:45 am
    • Oh, Alot, now you’ve gone and done it… I really want to hear this. 😉

      July 12, 2017 at 2:46 pm
  • Feiryred

    I rarely ask for them, simply because if they are a good, knowlegable spai, I won’t find anything. A bad spai will leave footprints all over interesting places that don’t require me having their api 🙂

    July 13, 2017 at 2:23 pm
    • This is a very good point, and one of the things I stress is that officers who know the landscape and know the players rarely need an API to find out a spai. However, good spies aren’t in it for the short game and you can weed out a lot of low-level crooks and hangar thieves by using APIs.

      July 13, 2017 at 7:35 pm
  • Kravshera Kemma

    I know I’m late, but i have a theory. They know what they are doing. i mean I am security for my corp. i do the api checking. i use a couple programs to check them. i do full api’s only as well. Anything short it just stupid, to much to miss with alts. But all that is going to happen now, yea I’m going to need to you give me 2 more api keys thanks.. oh you don’t have alts? really? ok go make 2 more alts so i can see your telling the truth. Now on my way to my tinfoil thoughts, simple so it is easier for spy’s to get in and destroy corps form the inside out, they are already mess with the minerals why not corp structure as well. they don’t want these super giant corps it mess with the bottom line and new members joining. But then again Im a security officer its my job to be paraniod about every applicant. >.>

    July 13, 2017 at 10:20 pm
    • I like where you’re going there, and I think that moving from Account APIs to Character-only APIs is their way of:
      a. agreeing to the CSM and forwarded requests from player base
      b. introducing more room for in-game drama and big developments/heists

      It’s been a while since anything BOB-level happened…

      July 14, 2017 at 6:07 pm