Indian developer jailed for making unauthorized train ticket booking app(huffingtonpost.in) |
Indian developer jailed for making unauthorized train ticket booking app(huffingtonpost.in) |
Now, one can absolutely argue about whether this form of rate limiting is the right approach, but to circumvent something that is clearly prohibited & charge money to do that is illegal.
This does not mean that I think the current system is perfect OR that there aren't other players who also have backdoors into the process; just that the action is not as egregious as 'BUREAUCRATS STIFILING INNOVATION'. There is more nuance needed here [1].
"According to the sources, the apps enabled users to book Tatkal tickets bypassing security checks on the IRCTC portal. His mobile applications were unauthorized and had features to bypasses Completely Automated Public Turing Test (CAPTCHA), a security measure that users must fill in while logging in to IRCTC. As per reports the apps also bypassed other security measures installed by the IRCTC." ... "However, railway officials clarified Yuvrajaa bypassed the railway system and made money illegally which is a crime. He wasn’t event an authorized agent registered with IRCTC to book tickets. RPF has registered a case under section 143 (2) of the Railways Act (penalty for unauthorised carrying on of the business of procuring and supplying of railway tickets).
Developing an unauthorised software bypassing e-ticketing system is an offence. Such applications defeated the purpose of having a first-come-first-serve system and benefit only a few who use the software."
This govt., like most Indian govts, has a stupidly archaic & top-down / low-trust / risk-averse / bean-counter approach to innovation and transparency (case in point, the Covid tracking app Arogya Setu's sordid development & transparency issues), but this specific incident isn't the right stick, IMO. :)
[1] https://www.the420.in/conman-or-genius-arrest-of-iit-kharagp...
Fair access is not provided by the official website. When one clicks "Book" and then suddenly get an Internal Server Error in network logs (while UI shows in-progress icon) or gets logged out - where is Fair Access? If Railways gave 10 Rs for each such failure, they will go bankrupt within 2 hours. First-come-first-serve does not mean fair access when they can't fix their technical problems.
And this guy charged money only after the cost of the servers was high. To give a context the alleged amount between 2016 and 2020 he earned in 4 years is in the range of 27k-30kUSD. That is as per Railways. It is likely to be inflated. Pretty sure he was running into losses.
However I doubt he is totally innocent. Most developers would know this app would be illegal. Or may be he is just too naive - hard to say that since he is an IITian. The railways will probably find out each ticket booked, heavily penalize each such booking, add huge interest to that till date and make the total amount sound like a huge scam. Adventures with Indian bureaucracy will cost him big unless he manages to heavily PR himself as a victim.
https://theprint.in/opinion/india-wants-innovation-but-arres...
Indian railways website is very slow and pathetic (so bad that there are lengthy discussion on HN about it. search for IRCTC).
Given the shortage of tickets thousands of people try to book tickets at 7am when the window to book a certain class of tickets call `Tatkal` opens. Thousands of people are trying to book the exact same tickets from say 7am and by 7:10 am all tickets get sold out.
Now, if you could prefill all the forms and just press submit you might be able to buy the tickets before others. Railways website specifically tries to not allow any kind of pre-filling. The app merely bypasses that restriction. (I have written scripts in past to do just that when I lived there).
Railways is a classic colonial government system and operates pretty much as if India is still a British colony. They have their own police force called RPF which arrested the boy under Railways act 1989 for “unauthorised business of procuring and supplying railway tickets” which the boy did not do at all. Not to mention, the railways form has a captcha so it was not even a programmatic submission. There are railways mafias in India who buy tickets by bribing railways staff and I suspect these people are responsible for getting this boy jailed as his solution helped more genuine passengers to book their tickets by undercutting the "agents".
It remains to be seen how the courts apply the standard here but it will probably take around 10-15 years for the courts to come to a verdict.
Personal Rant: When I was in India, I had the misfortune of relying on Indian railways to travel home from college. I was so pissed that I was determined to get out of India so I have to never deal with Indian railways. I had tried all possible ways to hack the booking system and had my own chrome extensions to fill up the forms.
I do appreciate that the developer was solving a genuine need, so kudos to him. But anyone from India could've seen the government's reaction coming a mile away.
It was a lame app that prefilled the form in Railway app and charged money for this feature. This must have triggered some TnC breach. Similar things exist as browser plugin/scripts, but they are free and stay under the radar.
coming on to the guy here, >Developing an unauthorised software bypassing e-ticketing system is an offence. Such applications defeated the purpose of having a first-come-first-serve system and benefit only a few who use the software
so why not have this functionality in the first party website in the first place?
>However, railway officials clarified Yuvrajaa bypassed the railway system and made money illegally which is a crime. He wasn’t event an authorized agent registered with IRCTC to book tickets.
did this guy take a users money, buy a ticket on his behalaf and get a commission from the railways? no. from the customer? no. all he did was make a fucking autohotkey for their website. he charged 20 rupees, thats USD $ 0.30 for hosting the service, paying for the upkeep. any of his non customers who were disadvantaged because of his service, well no shit. go and ask the government to fix their website and bring it in parity with this guy
look. this guy automated typing, refreshing, probably even bypassing captchas. on that note, why should this be "illegal" to do automation? just because they say in Tnc's? grow a pair. why should the government rate limit customers by shoving captchas?
i had the misfortune of buying a couple of tickets back in june 20 or july was it for some relatives. that was the most agonizing time of my life. random refreshes, logouts, not being able to do multiple logins, having an actual monthly limit on the number of tickets you can buy in a month, the payment failed 4 times. i had to borrow money twice because the payment was deducted but credit not given. refund was sanctioned after 15 days AFTER a deduction of Rs. 2500 i think USD $ 40.
if i had used this guys service, i would have been glad to pay him 10 times over because the service which should have been promised by the first party itself IRCTC was in 1990's.
>regulations.
such a bs word in india. why doesnt the railway make their website like a 2020 website which does automation, remembers your shit, allows instant payment and refund, this and that
In any case, he clearly wasn't collecting ticket payments on behalf of the train company, so I don't see how they could accuse him of acting as an unauthorised agent
This is because there is a black market for railway tickets, where agents charge a high free for booking tickets online for many illetrate buyers, especially in rural areas.
Don't know how likely that is given the current US stance on immigration, but he clearly has the initiative, even if his app is not welcome.
My favourite part was the "maintenance" window the website would go through every night. Which was never really indicated on the website other than vague messages/errors - but everybody knew that's what it was.
The front end definitely can be much much better; but the issue is very simply there are not enough tickets to match the demand.
"From 29 tickets booked in a day in 2002, it has reached to 13 Lakh tickets a day as of now. It is reported that the IRCTC system is currently capable of booking 15K tickets a minute online and can handle 3 Lakh concurrent users to handle any surge in demand." [1] (13 lakhs is 1.3 million)
"Of the 15 million passengers who climb aboard one of 8,520 trains each day, about 550,000 have reserved accommodations. Their journeys can start in any part of India and end in any other part, with travel times as long as 48 hours and distances up to several thousand kilometres. The challenge is to provide a reservation system that can support such a huge number-regardless of whether it’s measured by kilometres, passenger numbers, routing complexity, or simply the sheer scale of country. " [2]
If anyone has better references on the frankly astounding technical accomplishment that the CRIS Passenger Reservation system, please share.
"Passenger Reservation System (PRS): A nationwide online passenger reservation and ticketing system, developed and maintained by CRIS, was developed in C and Fortran on a Digital OpenVMS operating system using RTR (Reliable Transaction Router) as middleware. Also known as CONCERT (Country-wide Network of Computerised Enhanced Reservation and Ticketing), it interconnects the four regional computing systems (in New Delhi, Mumbai, Kolkata and Chennai) into a national PRS grid. It allows a passenger anywhere to book train tickets from any station to any station. PRS handles reservations, changes, cancellations and refunds, reserving over 1.6 million seats and berths daily. Complex rules, validations and fare-computation techniques are interwoven in the application" [3]
[1] https://inc42.com/features/how-online-train-booking-ticket-p...
[2] http://www.egyankosh.ac.in/bitstream/123456789/25869/1/Unit-...
[3] https://en.wikipedia.org/wiki/Centre_for_Railway_Information...
This functionality being to work-around the intended first-come, first-serve allocation of these last minute tickets?
It sounds like the overall system isn’t in a healthy, modern state, but I don’t think the essential feature this guy’s tool provided is desired by the original website.
can you buy an airline ticket at the airport 2 minutes before boarding? yes. does the system accurately track unbooked seats with 100% accuracy? yes. can you "automate" airline ticket booking with an almost 1 click operation? yes. can the millions of airline websites and agents manage simultaneous ticket booking of a single seat so that at no time are two people charged for the same ticket? yes. can they reschedule, do web check in, assign seats, book meals, cancel tickets? yes. can they offer error free painless booking experience without plastering user with stupid captchas or otps? yes.
if yatra.com can do it, irtctc not doing it because they follow some arcane regulations about "security" and not doing things intuitively is why they are shit and the onus is on irctc to provide feature parity with airlines experience. dont blame someone on helping
do you understand having a waitlist in 2020 means you are doing something seriously wrong in your workflow
(partly tongue-in-cheek) Maybe it was not that bad to start with (was it based on CICS?)
Are there any whitepapers or design overview presentations by CRIS or anybody else?
Believe me, I know well the complexities involved in developing computerised reservation systems, but I'm not sure what is astounding about this - it's what every CRS does. 550k bookings a day is nothing extraordinary
Don't get me wrong, I don't think the whole railway system is a small feat - i wouldn't want to be working on that project, but it's definitely not to "next generation" standards in 2014 (and definitely wasn't when i visited in 2018)
[1] https://economictimes.indiatimes.com/industry/transportation...
Huh? You've described a run-of-the-mill, moderate-scale reservation system. This is not "astounding" in any sense except, perhaps, the hyperbole.
Fortran on a Digital OpenVMS.... in 2020
its like when you see a php extension on a website, there isn't an inherent limitation with php and it is made to be quite performant, you just know the people involved have a high correlation of making UI/UX an afterthought and stuck in a different decade and this is highly correlated with other afterthoughts on performance
If you make sure your software is just more economical/accessible without giving a unfair advantage is often less illegal or at least tolerated in many counties.
And many counties include EU countries like Germany.
Broadly classifying anything not convenient to the state as illegal does not stand ground, AFAIK there is no law which prohibits automation of forms on any website?
Now the toll road keepers, arrest him for helping his clients? That I think is wrong. If his clients had complained that he didn't deliver on his promise but charged money, then that could amount to cheating. He didn't do that. He used code he wrote to provide a service to his clients.
Yes I agree, it could be hacky code, and it worked because the website was itself sub optimal. But putting him into prison because the website couldn't be made better (prevent his hack) amounts to bullying to hide the technical incompetence.
By analogy, it is legal to park my car in my own garden, but not legal to park it in my neighbour's garden. If I were to do that, I might expect to be punished for "parking my car".
Under the Railways Act, all those who help passengers with ticketing are expected to register with the IRCTC as an agent. Does this apply for app creators? The officer reserved his comment.
I think the case depends on how the court interprets that question.
I am not sure if you know the history of IRCTC and why it is slow (at times. Things have vastly improved in the last decade). People have asked this many a times and their explanation does make some sense, that if IRCTC is super fast and efficient, then people with cash to spare/with computers and good internet access will hog all the tickets, denying people in rural areas a fair opportunity to purchase tickets. That is still probably true in 2020, because a good chunk of Indians in rural areas either do not have good internet connectivity, lack digital means of payment or are simply flummoxed by the online process.
From your perspective, IRCTC is not fair access because the servers slow down but from the govt perspective, fair access is not limited to only IRCTC users. There might be an argument that railways has a low capacity overall and that there is a long way to go for efficiency improvements etc but given my experience over last 12 years, the experience has improved drastically. Wait times have gone down considerably on a lot of trains, you no longer have to plan your travel 6 months in advance, you can buy tatkal tickets without paying scalpers etc. In 2018 I could even book tickets (from home) on a train which had already departed from its source station (my departure point was halfway between the origin and destination) and people around me did not believe that this was possible.
If I understand correctly (and I might not) that sounds utterly absurd to me.
It sounds like you are saying "the official website is badly buggy and slow, but that's fair because some people in rural areas don't have good internet connections". I don't understand how a buggy and slow website helps those users! I would completely understand having a bug-free and fast website that reserved a certain proportion of the tickets for rural users or even for those with poor internet connections, but that doesn't sound like what you are describing.
> Wait times have gone down considerably on a lot of trains, you no longer have to plan your travel 6 months in advance, you can buy tatkal tickets without paying scalpers etc.
That certainly sounds good.
It is generally fast except between 10am-12pm every day (i.e. when the tatkal systems open) and that is what frustrates most people. When called out on these issues, IRCTC has consistently refused to add capacity to deal with the demand between 10am-12pm. You are correct that this could be solved by using quotas and reservations but they haven't done that. My only guess is that it is for political/bureaucratic reasons. It's easier to blame capacity issues than tell the reality.
>reserved a certain proportion of the tickets for rural users
This already happens. There are quotas of different kinds.
P.S. You know what? You are actually right. There's no technical reason for this to be the way it is. They are using that explanation as a cover for a political or legal problem or by occam's razor, they probably have a fixed budget (and not allowed to use on-demand services like AWS) and the govt won't approve the budget necessary to solve the capacity issues between 10am-12pm.
Second, fake IDs are easy to make.
Third, it's impractical to enforce on the ground. Indian Railways is relatively open access compared to airlines. On average, trains begin boarding 15-30 mins prior to departure and have a very high number of passengers. With an avg of 16 coaches per rake, with each coach having 60-100 passengers, each train is carrying 960-1600 passengers. Some trains are even longer and most trains are over capacity because 2nd sitting has no reservation and people just pile on as far as there is room in the coach. It's pretty impractical to verify tickets of 1000+ people along with their ids. If you are departing out of a major city, its usual for TTEs to verify tickets after 2-3 hours (and after smaller stations have been crossed.)
Tickets have been hogged and scalped for a long time in India. I'm the first in my family who has no concept of bribing or buying scalped tickets or engaging an "agent." Everyone of the previous generation has plenty of stories about their experiences before. There is still a long way to go to improve access but I will also not deny that there has been a significant improvement compared to my parents experience.
Inept as it is, the official website still intends to provides fair access. Just because it is buggy does not make it OK to circumvent it, especially when such circumvention only reduces access for users who are not using this developer's software.
I say this as someone who has used the IRCTC website to book tickets. Tatkal tickets especially are nightmarishly hard to book.
Sorry that's not a measurement of any quality.
I think the core issue is that the rail operator (gov) for whatever reason wants these last-minute tickets to be available at an artificially low ticket price.
That’s not what airlines are trying to do. Trying to build a system that works with the natural effects of markets is much easier than creating a system that works against market forces.
Look at the Ticketmaster experience for popular concerts and sports tickets. Waiting rooms and bugs and software workarounds/hacks, all because it’s a raffle for tickets being sold below what the free market price would be.
This does not appear to be a primarily technical problem. If these tickets sell out in 10 minutes, creating a better technical solution to let them sell out in 2 minutes isn’t actually improving anything meaningful.
If you raffle off these tickets to the luckiest fraction of people who want them, many prospective purchasers will end up disappointed. You can shift the mix of how many of them are disappointed by technical glitches versus how many are disappointed by the tickets going to other people, but you're still going to disappoint most of the people who want them.
>This does not appear to be a primarily technical problem. If these tickets sell out in 10 minutes, creating a better technical solution to let them sell out in 2 minutes isn’t actually improving anything meaningful.
i am sorry i don't understand how is forcing users to buy those tickets in 10 minutes instead of efficient 2 minutes helping anybody?
its not like i can just buy PNRs like i can do on airlines to inflate the demand. i have to buy a ticket now, if its available, i pay and thats it. why do you need complications. its not like i could sell my ticket or transfer or whatever.
where does ticketmaster come in? that is a for profit system designed to charge people to buy more tickets for their own commissions.
why is irctc wanting to be like that?
Keep in mind Identity is hard to check and for rural passengers. There were very few such documents before AADHAAR etc.
It depends on what “the issue” is. If the issue is that they want to allow some poor-but-lucky people to win the right to buy tickets below the market-clearing price, then keeping a fixed price doesn’t solve that issue.
Reselling credit card numbers you pilferred from a poorly secured website's database? You just helped your customers access information that was basically already publically available.
Even my closer analogy is still pretty far off and it's much more innocent. Maybe closer to charging a fee to use a very tricky to figure out parking meter.
That's a good analogy, but perhaps not for the reason you think. In many situations where you acquire property rights from an owner, there are clauses which restrict or limit sub-leasing to a third party, or using the land for commercial gain. If I was doing what you are describing, I would want to read the lease or agreement very carefully to see whether I am allowed to do that.
Again, I think the developer acted in good faith, but it seems a bit naive to resell something for profit (no matter how small) without seeking legal advice, or at very least reading the T&Cs. We also cannot accuse the government of setting arbitrary restrictions - ticket touting is a problem, even if the government probably could have done more to make it easier for people to buy tickets legitimately.
I don't think I'd faking or bribery are big issues with ticketing any more. It is most likely equitable access between the "internet haves" and "the internet have nots".