The ethical and security implications of vaccination slot finding apps

Nearly every social media platform is rife with helpless requests for oxygen, medicines and hospital beds. And one of the best ways to beat the virus? Vaccination, of course.  

Unfortunately, that’s yet another problem -- while the government did open up registration for 18+ citizens on May 1, getting a vaccination appointment on the CoWin website is, as memes making the rounds put it, akin to booking a tatkal ticket on IRCTC. 

Several companies and individuals have tried to, in the recent past, address this issue. Platforms such as Paytm, HealthifyMe’s vaccinateme.in, getjab.in, findslot.in and under45.in offer services that allow users to avail vaccination slots. 

But how safe are these platforms? How do they work? Do they give an unfair advantage to those who are tech savvy? And more importantly, why has the government not offered similar features on CoWIN? 

TechCircle decided to find out.  

Most of the aforementioned applications work as redirection portals and utilise a set of application program interfaces (APIs) that are provided by the government through APIsetu.in.  

“This is nothing but public information that the government provides on its website that we’re also able to provide. We just package it in a more intuitive fashion to search, filter and navigate. And we also provide alerts on it,” Tushar Vashisht, CEO and co-founder of HealthifyMe, told TechCircle.

And the apps are only getting more popular.  

“We have close to 1 lakh subscribers at this point,” Azhar Hussain, product manager at Microsoft, who built the application tracking website getjab.in with other developers, said. The application was launched on May 2. 

Getjab.in provides email alerts to citizens who enter their pin code, district and mail IDs, while under45.in redirects users to specific Telegram groups with alerts based on district/pin code inputs.  

But instead of offering access to the API, wouldn’t it be easier for the government to integrate it with CoWIN? Hussain agrees. 

“Having a notification system would be one of the things that they could have added on over there (CoWIN), because that would have been quite simple for them to implement as well, as they already have the information, right?” he said.  

Then there is the question of whether these platforms increase the load on CoWIN servers. Wifi Dabba founder Shubendu Sharma, who built findslot.in, does not think so. 

“Instead of browsing on CoWIN directly, they are using our website. This only distributes the load and does not increase it,” he said. 

And the government has also addressed the concern, to an extent. 

On May 5, the government said that the APIs are subject to a rate limit of 100 API calls, per 5 minutes, per IP. “The appointment availability data would now be cached and may be up to 30 minutes old,” the government’s API Setu website said.  

This essentially means that slot finding applications may not be able to provide real time data on availability, but they could still function as essential tools to help users find appointment slots once the availability of vaccines increases.  

Expanding reach 

Several, if not all of the appointment finding applications cater to users with smartphones. What about those who don’t have access to technology? 

Rural-focused fintech firm Spice Money has announced an initiative to help such users. The Noida based company looks to vaccinate the rural population through its ecosystem of 5 lakh "adhikaris", whom it looks to vaccinate first.   

Adhikaris are representatives of Spice Money who assist users with cash deposits, mini ATM, insurance, loans, bill payments and other services. They are likely to also help rural citizens register themselves on the CoWIN app.   

If the entire country has to be vaccinated, it is essential to incentivise those who help carry out vaccine registrations for citizens in rural areas, Spice Money CEO Sanjeev Kumar said.   

The government could also set up district-based APIs to stem confusion and offer facilities to accommodate those who may not have the necessary documents to register themselves on CoWIN, Kumar said.  

“The CoWIN platform is available only in English today. A multilingual approach would also help scale the vaccination initiative faster,” Kumar said.

Additionally, companies that have a large rural reach, like Spice Money, could partner with the government to support on-field vaccination drives, he said. “The network is a lot about the trust in the community and we can help with the reach and model that we have,” Kumar said.  

Security and fake portals 

No initiative, not even one that could potentially save the lives of thousands of people, is safe from cybercriminals.  

In February, union minister of state for health Ashwini Choubey had claimed that CoWIN followed the privacy policy as stated in the National Digital Health Mission.  

What about the new independent vaccine finding applications that have cropped up though? In the recent past, there have been incidents of cybercriminals using phishing and creating fake portals to exploit victims.  

“We know from statistics that there is big activity about phishing complaints around vaccines,” Oded Vanunu, head of products vulnerability research at Checkpoint Software, said.  

Such portals, he said, could be used to steal private information, money or even peddle fake vaccines to people. 

“Usually, the focus of scammers is more on money and data, and getting access to more information,” he said. 

For instance, on April 29, Lukas Stefanko, malware researcher at security firm ESET, discovered an SMS that offered fake vaccine registration services. The attackers, he found, send SMSes to users, mostly Indians, directing them to a website that claims to allow free vaccine registrations for those over the age of 18. When users downloaded the app, as directed, their device was attacked by malware. 

SMS worm impersonates Covid-19 vaccine free registration

Android SMS worm tries to spread via text messages as fake free registration for Covid-19 vaccine - targets India

SMS worm impersonates Covid-19 vaccine free registration

Android SMS worm tries to spread via text messages as fake free registration for Covid-19 vaccine - targets India
It can spread itself via SMS to victim contacts with link to download this malware. https://t.co/EXAAGARqOP pic.twitter.com/HX957bPVu5

— Lukas Stefanko (@LukasStefanko) April 29, 2021

India currently has 35,66,398 active Covid cases and has recorded 2,30,168 deaths, as per the Ministry of Health and Family Welfare website. The government data claims to have vaccinated 16,25,13,339 citizens with at least one dose so far.