India’s vaccination-booking API criticised for excluding millions, containing bugs, and overflowing with elitism

It’s faulty, struggling to scale, lacks a dedicated privacy policy


As India struggles to cope with its savage second wave of COVID-19 infections, its government is being criticised for an API that critics say is creating inequities in the nation’s vaccination program.

The API in question, Co-WIN, is designed to tap India’s vaccination-booking service and has been made available to third-party app developers in the hope that innovators find clever ways to get Indians signed up for their jabs.

India has made the use of vaccination booking services powered by Co-WIN compulsory for people aged 18 to 44.

That’s drawn criticism from the likes of legal advocacy organisation Nyaaya, which has pointed out that just under 60 percent of Indians use the Internet and that while it is possible to use one mobile phone to register four people for a jab, that will leave many unable to book. Sumeysh Srivastava, Nyaaya’s development lead and a senior resident fellow at the Vidhi Centre for Legal Policy, also noted that the Co-WIN portal is only in English – a language spoken by around ten percent of Indians.

India’s Software Freedom Law Centre has also expressed its ire with Co-WIN, claiming that one-time passwords for registration are arriving late or not at all, and that CAPTCHAs are proving buggy, are only offered in English, and may be new to many Indian internet users.

The Centre has also asked why Co-WIN doesn't have a distinct privacy policy, instead of relying on the Health Ministry's generic policies for online services.

Another issue the Centre has noted is glitches in Co-WIN that have seen some Indians receive certificates for vaccinations that have not been administered.

India’s Health Ministry acknowledged similar issues last week and tweaked the API so that it issues a four-digit code that citizens can use to verify their vaccination records.

Co-WIN has succeeded to a point because numerous developers have created apps and other web services that use the API to identify when vaccines will be available and allow booking of jabs through the API. Some of those services even offer real time updates on when new jabs are made available.

But because of India’s low internet adoption and high rates of 2G, 3G and feature phone use, one effect of those apps is to make it easier for those with better internet access and more powerful devices to book a jab. Hundreds of millions of other Indians are less likely to have the knowledge, equipment, and opportunity to take advantage of third-party apps powered by Co-WIN.

But even those who can use Co-WIN powered services come up against the API’s limits – data is cached and may be up to 30 minutes old, by which time all available bookings may well have been used. The API also has a rate limit of 100 API calls per five minutes per IP address. And the Co-WIN portal has sometimes struggled to remain available as Indians seek vaccination bookings.

It’s not hard to understand the reason for the high demand: India has a seven-day average of 380,000 new COVID-19 cases and 3,800 deaths, and those figures are felt to considerably under-report the true state of the pandemic. ®


Biting the hand that feeds IT © 1998–2022