CoWin tightens rules for slot info sharing with third parties

The Indian Express
 
CoWin tightens rules for slot info sharing with third parties
Wild Casino

Now, for third-party entities sourcing slot availability information from CoWin’s database, such data will be made available with a delay of up to 30 minutes.

The National Health Authority (NHA) has introduced restrictions to access of CoWin portal’s vaccination slot availability information by third parties. While this move has come amid reports suggesting the misuse of the portal’s open APIs by some coders and software programmers to set alerts and book slots, the NHA said it was done to “ensure scalability” of the platform and to prevent cyberattacks.

Now, for third-party entities sourcing slot availability information from CoWin’s database, such data will be made available with a delay of up to 30 minutes. Additionally, the CoWin portal has been geo-fenced to limit access to the site from an Indian IP address. This has caused problems to non-residents trying to book a vaccination appointment for someone in India.

Prior to opening up the portal for booking of vaccine slots for the 18-44 age group, CoWin’s APIs were made open to the public to allow anyone to build a third-party portal where citizens could search for, and book vaccination slots.

In response to a query by The Indian Express, RS Sharma, NHA Chairman said: “The primary reason to implement caching (delayed availability of data) is to ensure scalability of the application to serve billions of people”. “Another reason to implement caching because of security reasons. Exposing production databases on public pages can be a security risk because someone may just write script to load this page million times during a day and overwhelm the application…This is absolutely necessary for population scale application such as CoWin,” he added.

An open API refers to a publicly available ‘application programming interface’ (API) that provides developers access to a proprietary software application. For instance, you have a Google Maps API that integrates with food delivery or travel portal, or the UPI API used by a range of apps to enable easy payments. In this case, the NHA has allowed anyone to access a set of requirements needed to communicate and interact with the CoWin platform.

“CoWin Public APIs to find appointment availabilty and to download vaccination certificates. These APIs are available for use by all third party applications. The appointment availability data is cached and may be upto 30 minutes old. Further, these APIs are subject to a rate limit of 100 API calls per 5 minutes per IP. Please consider these points while using the APIs in your application,” the Centre’s API Setu Portal reads on the CoWin API page.

The move has come after several reports of coders and software programmers trying to exploit the open API feature of CoWin portal to access available slots. Live availability of the said information would allow programmers to set alerts for whenever a slot opened and skewed the system against those without knowledge of or access to such programs.

The geo-fencing to disallow someone from outside India accessing the CoWin portal has also inconvenienced some. The inability for international IP addresses to access the CoWin portal has also troubled some corporates, which use VPNs on their network. Because CoWin restricts foreign IP addresses, some corporates trying to book a vaccination slot for their employees have been unable to do so.

Responding to a query on the geo-fencing, Sharma said: “CoWin application is designed for vaccination and related activities of Indian citizens. Hence, it is obvious that the user base of this application is in India. It is a good industry practice to restrict the access of the application to certain geography. It achieves two things for Co-Win. First, it reduces unnecessary traffic to the application which is utmost important for CoWin, which is expected to be accessed by over a billion people. Second, restricting access also reduces potential risks of Distributed Denial Of Service (DDOS) attacks from bad actors across the globe.”