by ch_123 2045 days ago
The headline has been editorialized. While I don't agree with what the authorities did here, and believe the developer was acting in good faith, the developer created an app for buying railway tickets which charged a small fee for the tickets - the issue was that he was arrested for making money off ticket sales, as opposed to "automating forms on a website"
5 comments

Yep. He circumvented rate-limiters that ensured that you couldn't game the booking system. The regulations very clearly prohibit this to ensure fair access.

Now, one can absolutely argue about whether this form of rate limiting is the right approach, but to circumvent something that is clearly prohibited & charge money to do that is illegal.

This does not mean that I think the current system is perfect OR that there aren't other players who also have backdoors into the process; just that the action is not as egregious as 'BUREAUCRATS STIFLING INNOVATION'. There is more nuance needed here [1].

"According to the sources, the apps enabled users to book Tatkal tickets bypassing security checks on the IRCTC portal. His mobile applications were unauthorized and had features to bypass Completely Automated Public Turing Test (CAPTCHA), a security measure that users must fill in while logging in to IRCTC. As per reports the apps also bypassed other security measures installed by the IRCTC." ... "However, railway officials clarified Yuvrajaa bypassed the railway system and made money illegally which is a crime. He wasn’t even an authorized agent registered with IRCTC to book tickets. RPF has registered a case under section 143 (2) of the Railways Act (penalty for unauthorised carrying on of the business of procuring and supplying of railway tickets).

Developing an unauthorised software bypassing e-ticketing system is an offence. Such applications defeated the purpose of having a first-come-first-serve system and benefit only a few who use the software."

This govt., like most Indian govts, has a stupidly archaic & top-down / low-trust / risk-averse / bean-counter approach to innovation and transparency (case in point, the Covid tracking app Arogya Setu's sordid development & transparency issues), but this specific incident isn't the right stick, IMO. :)

[1] https://www.the420.in/conman-or-genius-arrest-of-iit-kharagp...

This is a case of 'BUREAUCRATS STIFLING INNOVATION' and this is what it often looks like. He could have gone through legal channels to approve his app and would not be able to find approvals even after being able to afford those financially.

Fair access is not provided by the official website. When one clicks "Book" and then suddenly get an Internal Server Error in network logs (while UI shows in-progress icon) or gets logged out - where is Fair Access? If Railways gave 10 Rs for each such failure, they will go bankrupt within 2 hours. First-come-first-serve does not mean fair access when they can't fix their technical problems.

And this guy charged money only after the cost of the servers was high. To give a context the alleged amount between 2016 and 2020 he earned in 4 years is in the range of 27k-30kUSD. That is as per Railways. It is likely to be inflated. Pretty sure he was running into losses.

However I doubt he is totally innocent. Most developers would know this app would be illegal. Or maybe he is just too naive - hard to say that since he is an IITian. The railways will probably find out each ticket booked, heavily penalize each such booking, add huge interest to that till date and make the total amount sound like a huge scam. Adventures with Indian bureaucracy will cost him big unless he manages to heavily PR himself as a victim.

> Fair access is not provided by the official website. When one clicks "Book" and then suddenly get an Internal Server Error in network logs (while UI shows in-progress icon) or gets logged out - where is Fair Access? If Railways gave 10 Rs for each such failure, they will go bankrupt within 2 hours. First-come-first-serve does not mean fair access when they can't fix their technical problems.

I am not sure if you know the history of IRCTC and why it is slow (at times. Things have vastly improved in the last decade). People have asked this many a time and their explanation does make some sense, that if IRCTC is super fast and efficient, then people with cash to spare/with computers and good internet access will hog all the tickets, denying people in rural areas a fair opportunity to purchase tickets. That is still probably true in 2020, because a good chunk of Indians in rural areas either do not have good internet connectivity, lack digital means of payment or are simply flummoxed by the online process.

From your perspective, IRCTC is not fair access because the servers slow down but from the govt perspective, fair access is not limited to only IRCTC users. There might be an argument that railways has a low capacity overall and that there is a long way to go for efficiency improvements etc but given my experience over last 12 years, the experience has improved drastically. Wait times have gone down considerably on a lot of trains, you no longer have to plan your travel 6 months in advance, you can buy tatkal tickets without paying scalpers etc. In 2018 I could even book tickets (from home) on a train which had already departed from its source station (my departure point was halfway between the origin and destination) and people around me did not believe that this was possible.

> their explanation does make some sense, that if IRCTC is super fast and efficient, then people with cash to spare/with computers and good internet access will hog all the tickets, denying people in rural areas a fair opportunity to purchase tickets.

If I understand correctly (and I might not) that sounds utterly absurd to me.

It sounds like you are saying "the official website is badly buggy and slow, but that's fair because some people in rural areas don't have good internet connections". I don't understand how a buggy and slow website helps those users! I would completely understand having a bug-free and fast website that reserved a certain proportion of the tickets for rural users or even for those with poor internet connections, but that doesn't sound like what you are describing.

> Wait times have gone down considerably on a lot of trains, you no longer have to plan your travel 6 months in advance, you can buy tatkal tickets without paying scalpers etc.

That certainly sounds good.

IRCTC is infrequently buggy (no more than an average website). They might not have optimised for poor connections and that's where most people's buggy experience is.

It is generally fast except between 10am-12pm every day (i.e. when the tatkal systems open) and that is what frustrates most people. When called out on these issues, IRCTC has consistently refused to add capacity to deal with the demand between 10am-12pm. You are correct that this could be solved by using quotas and reservations but they haven't done that. My only guess is that it is for political/bureaucratic reasons. It's easier to blame capacity issues than tell the reality.

>reserved a certain proportion of the tickets for rural users

This already happens. There are quotas of different kinds.

P.S. You know what? You are actually right. There's no technical reason for this to be the way it is. They are using that explanation as a cover for a political or legal problem or by Occam's razor, they probably have a fixed budget (and not allowed to use on-demand services like AWS) and the govt won't approve the budget necessary to solve the capacity issues between 10am-12pm.

I believe this is the right explanation .. and I also agree that the experience has been readily getting better .. both the trains themselves and the ticketing system.
How do you mean "hog" all the tickets? Just make them non-transferable if they are not already.
Tickets are non-transferable but bribery is still a thing, especially where demand far outstrips the supply.

Second, fake IDs are easy to make.

Third, it's impractical to enforce on the ground. Indian Railways is relatively open access compared to airlines. On average, trains begin boarding 15-30 mins prior to departure and have a very high number of passengers. With an avg of 16 coaches per rake, with each coach having 60-100 passengers, each train is carrying 960-1600 passengers. Some trains are even longer and most trains are over capacity because 2nd sitting has no reservation and people just pile on as far as there is room in the coach. It's pretty impractical to verify tickets of 1000+ people along with their IDs. If you are departing out of a major city, it's usual for TTEs to verify tickets after 2-3 hours (and after smaller stations have been crossed.)

Tickets have been hogged and scalped for a long time in India. I'm the first in my family who has no concept of bribing or buying scalped tickets or engaging an "agent." Everyone of the previous generation has plenty of stories about their experiences before. There is still a long way to go to improve access but I will also not deny that there has been a significant improvement compared to my parents' experience.

So the government-run rail services don't provide enough capacity, the government's employees are corrupt, the government-issued ID documents are easily faked, and the solution is... to make government's train website slow and unreliable?
I don't recall a single instance of corruption with the Indian railways at the consumer level in nearly 2 decades including an instance when I was fined for not purchasing a platform ticket which would've been an opportunity for the officer to ask for a bribe but he didn't.

I don't think ID faking or bribery are big issues with ticketing any more. It is most likely equitable access between the "internet haves" and "the internet have nots".

> Fair access is not provided by the official website. When one clicks "Book" and then suddenly get an Internal Server Error in network logs (while UI shows in-progress icon) or gets logged out - where is Fair Access?

Inept as it is, the official website still intends to provide fair access. Just because it is buggy does not make it OK to circumvent it, especially when such circumvention only reduces access for users who are not using this developer's software.

I say this as someone who has used the IRCTC website to book tickets. Tatkal tickets especially are nightmarishly hard to book.

I am not saying it is OK to circumvent rules. BTW my access was revoked because they assumed I was using some automation - when I know I was not using any such thing. I am just good at computers and not even a fast typist. No response to my appeal - stopped using tatkal since then and fortunately never needed it after that.
> hard to say that since he is an IITian

Sorry that's not a measurement of any quality.

I agree this needs more nuance instead of pitching it as a david-vs-goliath. The railways has made steady progress on making it easier to ticket starting with an old mainframe system and transitioning into the web age. Such transitions at the scale of Indian Railways are not to be underestimated and it is not only about a website as real physical trains are involved. They've introduced interim measures to ensure reasonably fair access to seats since they need to cater to a financially spread out populace and there is always someone waiting to make a quick buck out of it. The rate limits are important I think to not overwhelm the system and I do not for a moment believe that IRCTC is working against the people here. I say that from personal experience where one of the IT ops lead personally responded to an email suggestion I sent in (exchange was about 15y ago) to enable people without credit cards to more easily purchase tickets without dealing with long queues at counters.
> starting with an old mainframe system

(partly tongue-in-cheek) Maybe it was not that bad to start with (was it based on CICS?)

Are there any whitepapers or design overview presentations by CRIS or anybody else?

You see similar software used in auction sites such as eBay and the like. Is this type of software also banned in India?
In many countries such software is illegal and you can be held accountable, especially if you provide it in a way which makes you earn money.

If you make sure your software is just more economical/accessible without giving an unfair advantage is often less illegal or at least tolerated in many countries.

And many countries include EU countries like Germany.

AFAIK, for railways ticket bookings, yes; not banned but illegal. However, it's common knowledge that they exist and are used.
India has a strong legal framework and unfortunately very poor implementation (the arrest is an example of poor implementation/bullying by the state). When you say illegal, you should be able to specify the law under which it is illegal.

Broadly classifying anything not convenient to the state as illegal does not stand ground, AFAIK there is no law which prohibits automation of forms on any website?

The car parking analogy does not fit. But if you want to use a similar analogy. Assume there is toll road which allows the first 100 cars. This guy uses his superior tech skills, to get his clients (cars) in the first 100. He charges them a premium.

Now the toll road keepers, arrest him for helping his clients? That I think is wrong. If his clients had complained that he didn't deliver on his promise but charged money, then that could amount to cheating. He didn't do that. He used code he wrote to provide a service to his clients.

Yes I agree, it could be hacky code, and it worked because the website was itself sub optimal. But putting him into prison because the website couldn't be made better (prevent his hack) amounts to bullying to hide the technical incompetence.

Under that analogy, pretty much all cracking is fair game.

Reselling credit card numbers you pilfered from a poorly secured website's database? You just helped your customers access information that was basically already publicly available.

You're attacking a strawman here. The issue was that he was making a profit by reselling tickets, not by automating filling forms in a website. The mechanism is not particularly relevant.

By analogy, it is legal to park my car in my own garden, but not legal to park it in my neighbour's garden. If I were to do that, I might expect to be punished for "parking my car".

You start by accusing him of using a strawman, then using an analogy which doesn't even remotely apply. It's closer to your neighbour selling you the rights to park in their garden, then you selling those rights to someone else. Far from a criminal, arrestable offence, so their point on the broad-brush of being "illegal" stands.

Even my closer analogy is still pretty far off and it's much more innocent. Maybe closer to charging a fee to use a very tricky to figure out parking meter.

The article itself mentions this:

Under the Railways Act, all those who help passengers with ticketing are expected to register with the IRCTC as an agent. Does this apply for app creators? The officer reserved his comment.

I think the case depends on how the court interprets that question.

There is a difference between "guilty until proven innocent" and "innocent until proven guilty". In India, the former is how the law-enforcement works for most people while the justice system says the latter. Most people entangled in the slow legal system just want to get out of it even if it means injustice towards themselves. And the laws are so convoluted and in this case he has a behemoth monopoly to fight against.
Yes. That's because technically that's what he seems to have done. Since tatkal tickets are limited in number, by prefilling and automating the forms he effectively helps his clients jump the queue. This is a clear hack, but I find it irrational to arrest a person because the website is suboptimal and cannot prevent his hack from running. This is similar to what Github did when they pulled down youtube-dl, bully your way to compliance.
Github wasn't bullying anyone in the youtube-dl saga. Their crime was that they didn't stand up for their user.
One of the rare situations where this type of issue should be - in part - rewarded to some degree.
And people who follow the rules should be punished. facepalm
This is still better. Certain publications described this as an attempt to stifle innovation.

https://theprint.in/opinion/india-wants-innovation-but-arres...

Some context here:

Indian railways website is very slow and pathetic (so bad that there are lengthy discussions on HN about it. Search for IRCTC).

Given the shortage of tickets thousands of people try to book tickets at 7am when the window to book a certain class of tickets called `Tatkal` opens. Thousands of people are trying to book the exact same tickets from say 7am and by 7:10 am all tickets get sold out.

Now, if you could prefill all the forms and just press submit you might be able to buy the tickets before others. Railways website specifically tries to not allow any kind of pre-filling. The app merely bypasses that restriction. (I have written scripts in the past to do just that when I lived there).

Railways is a classic colonial government system and operates pretty much as if India is still a British colony. They have their own police force called RPF which arrested the boy under Railways act 1989 for “unauthorised business of procuring and supplying railway tickets” which the boy did not do at all. Not to mention, the railways form has a captcha so it was not even a programmatic submission. There are railways mafias in India who buy tickets by bribing railways staff and I suspect these people are responsible for getting this boy jailed as his solution helped more genuine passengers to book their tickets by undercutting the "agents".

It remains to be seen how the courts apply the standard here but it will probably take around 10-15 years for the courts to come to a verdict.

Personal Rant: When I was in India, I had the misfortune of relying on Indian railways to travel home from college. I was so pissed that I was determined to get out of India so I have to never deal with Indian railways. I had tried all possible ways to hack the booking system and had my own chrome extensions to fill up the forms.

If the timeframe is so tight it would be way more stable to just register all booking attempts (let's say up to 7:15) and then distribute the tickets randomly between unique users for some definition of unique user.