
On intentional misuse, databases, and co-opting the co-opters

A couple years ago, I did something a bit reckless. I was exploring WebRTC and wanted to see if it would be possible to create a site for a birthday party for my friend and me without a back-end server to host data. Spoiler: this approach didn't quite work -- it required at least one internet connection that never dropped -- but I did end up creating an invite on my website with an interactive bit that friends could fill out, without a private server or database to hold that information.

Well, that's not technically true. I did use a private server and database, it just wasn't mine.

Running low on time and engineering energy, I dumped the invite responses and sensitive bits like time and place into the comments of a Figma file in my account. Then I sent the "invitation" - a link to my website containing one of my personal developer API keys in the URL - to my friends. Upon opening this invitation, JavaScript running on the site would go and fetch all the information from the comments of the Figma file and write to it as well using my API key. I essentially used Figma comments as a database, and my API key as the password. And I hoped that nobody shared out the weird-looking link I sent them but also opened it so they would come celebrate!

There's this database alignment chart meme that pops up periodically in one of the water cooler channels at work, whenever someone re-discovers a strange way an engineer has previously chosen to store data. When reflecting on what makes a database, I remember The Carrier Bag Theory of Evolution (popularized in this essay by Ursula K. Le Guin?) and wonder, what makes a basket so different from a database? What might a Carrier Bag Theory of Software look like? This little experiment got me thinking about a few other things as well.

Intentional misuse

At the time of creation, I was pretty sure this cute site violated Figma's Developer Terms. This seems slightly bad to admit considering that (at the time of writing) this is my employer. But that's exactly why I got this idea! Because I already knew how the API and backend worked and mentally/emotionally, it was the easiest tool at hand to reason about.

Digging in now, it seems possible that the only clause I violated was the Security clause, basically for exposing a personal (though throwaway) Figma account to undue security risk. I found this interesting because I was expecting there to be a clause governing how the Developer API could be used and possibly outright banning some cases, but the focus instead seems to be on making sure the Application using the API was developed properly and protected Figma's business interests. Even in the standard Terms of Service, "Use Rights" refers to Figma's rights towards users, rather than the other way around. My little bday party invite seems a-okay by the Acceptable Use Policy.

This made me wonder if this sort of use of SaaS or any Internet-connected software with a data center was in a bit of a gray area, not explicitly banned but possibly a bit shady. From my standpoint, this wasn't the ideal solution either -- I would have liked to set up my own server to run this site but that just felt so ... painful ... for the scope of what I was trying to create.

In my head, I framed this experiment as a sort of intentional misuse of Figma's services: rather than using the site to design or whiteboard as it set out to do, I used its APIs for my own unrelated purposes and not really in a malicious way either. Considering all the (free) data-hosting APIs I could easily get access to and even encrypt my data on top of, why would I go through the trouble of self-hosting and managing a database and its security? Why not let the corps do it for me, co-opting their hard work while remaining illegible and un-monetizable as a user?

In this modern dream, technology often feels to me like a prescription. A prescription in the sense of a recommendation that is authoritatively put forward. It's hard for me to identify who exactly is the authority (or rather why we have not questioned their authority) telling me to adopt ChatGPT to boost productivity or buy a pair of AirPods to zone out the outside world, but these authorities definitely feel ... out there. New devices and fixes and lifestyle-hacks and apps (not just the digital ones!) are constantly pitched to me on the basis that without them, I am too slow or too lazy or too ignorant or too unattractive.

When I was Google searching "intentional misuse" to see if that was a term and what it might mean, most of the results were about drug abuse and misusing medicine. I may be stretching the limits of this metaphor, but if technology were to be viewed as a drug (and indeed it is already), then what might its intentional misuse look like? Can we intentionally misuse and abuse Apple, Facebook, Amazon for our gain rather than theirs? Is this even a real thing? I'm not sure, but I want Google to eat itself.

Techno-capitalism co-opts everything

But is it possible to co-opt something back? I'm inspired by the early fandoms of Twitter, using the application for their own whims as opposed to public status updates or texts, what it was supposedly created to do. I'm inspired by projects like Sheet Sites, re-imagining Google Sheets as a website hosting service and inviting people to reflect on what they've created.

In software engineering, there is this idea that regardless of what purpose an API was designed for, users will find its limits and use it in any way it works. Such APIs will from thereon be required to uphold contracts they didn't even realize they were providing. It's named after the first person to publicly describe it - Hyrum's Law. From this angle, my use of Figma isn't misuse at all! I am but a simple user depending on one of the many observable behaviors of its Developer APIs.

Audre Lorde famously said "the master's tools will never dismantle the master's house", but it wasn't until writing this webpage that I took note of the phrase that comes after: "They may allow us temporarily to beat him at his own game ..." It's naive to think tricks and hacks like this could lead to any meaningful form of digital freedom, but perhaps they can give brief respite, small doses of resistance to the flattening and enclosure that is the current status quo. At least it did for me.

high fashion but make it sustainability
you already know this one

Technical details & make your own

All the code to make this work is contained here and in a script tag that can be viewed by inspecting source. To play around with this there's a few things you'll need:

  1. A Figma account. If you're worried about security risk and not already familiar with personal developer keys, I would suggest creating a burner account with an email address you don't typically use - iCloud's Hide My Email feature is nice for things like this, but you could alternatively just create a new email address.
  2. A personal access token (Home → Settings → Security → Personal Access Tokens). It should be configured to read-only for file content and write for comments, no access for everything else. Important: Remember to revoke these tokens once you're done testing and hosting your site, to avoid leaking any of the data in your Figma account. You can create new access tokens easily anyways.
  3. The file key of a Figma file to use for testing. You can create a new file by going here and extracting the text between the two slashes following the word design in the URL: www.figma.com/design/your-file-key/...

The following is a little playground you can use to get familiar with how this works. To get all the pieces working, you'll need to first input your file key and API key from the previous steps. Note: you should probably never give this kind of data away if any other site asks or do this type of stuff over public wifi! Read the source code of this page if you're feeling suspicious 🗝️.


Now that you can store and retrieve data from within the file comments, you'll want to make it accessible through a special URL that only you can generate and share out. You'll likely want to re-use the helpers I've linked here within your page. You can also download the HTML from this example page to get started.
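
A sketch of the client side of such an invite link, added here as an example; it is not the script or the helpers from this page. The endpoint and the `X-Figma-Token` header are Figma's REST API; the fragment-based link format, the `{name, coming}` record shape, the alphanumeric file-key check and all function names are assumptions made for illustration.

```javascript
// Added example, not the page's own script. Assumed invite link format:
//   https://example.invalid/invite#file=<fileKey>&token=<personalAccessToken>
const FIGMA_API = "https://api.figma.com/v1";

// Read the credentials from the URL fragment. Browsers do not send the
// fragment to the web host, so the token stays out of its access logs.
function parseInvite(inviteUrl) {
  const params = new URLSearchParams(new URL(inviteUrl).hash.slice(1));
  const fileKey = params.get("file");
  const token = params.get("token");
  // Assumption: file keys are plain alphanumeric strings.
  if (!fileKey || !/^[A-Za-z0-9]+$/.test(fileKey)) throw new Error("bad file key");
  if (!token) throw new Error("missing token");
  return { fileKey, token };
}

// Build a GET (read all comments) or, when a message is given, a POST
// (append one comment) against the file's comments endpoint.
function commentsRequest({ fileKey, token }, message) {
  const url = `${FIGMA_API}/files/${fileKey}/comments`;
  const headers = { "X-Figma-Token": token };
  if (message === undefined) return { url, options: { method: "GET", headers } };
  headers["Content-Type"] = "application/json";
  return { url, options: { method: "POST", headers, body: JSON.stringify({ message }) } };
}

// Everyone holding the link can write comments, so every message is
// untrusted input: keep only small JSON objects with the expected fields.
function decodeRsvps(apiResponse) {
  const rsvps = [];
  for (const c of apiResponse.comments ?? []) {
    if (typeof c.message !== "string" || c.message.length > 500) continue;
    let rec;
    try { rec = JSON.parse(c.message); } catch { continue; }
    if (rec === null || typeof rec !== "object") continue;
    if (typeof rec.name !== "string" || typeof rec.coming !== "boolean") continue;
    rsvps.push({ name: rec.name.slice(0, 80), coming: rec.coming });
  }
  return rsvps;
}

// Network wrapper; render the returned names with textContent, not innerHTML.
async function loadRsvps(inviteUrl) {
  const { url, options } = commentsRequest(parseInvite(inviteUrl));
  const res = await fetch(url, options);
  if (!res.ok) throw new Error(`Figma API returned ${res.status}`);
  return decodeRsvps(await res.json());
}
```

The token still lands in browser history and in any chat where the link is pasted, so the narrow scopes and the revocation from step 2 remain the actual control.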



And of course, relics from the original site:

bday party 2023
bootstrap bday party 2023