Sunday, November 01, 2020

IRCTC - Autocratic, Unfair, Unethical and Monopolistic organization

IRCTC is one of the most Autocratic, Unfair, Unethical, Technically dumb and Monopolistic organizations in India. 

Since IRCTC is no longer a wholly owned government organization, the Union Government should revoke the special privileges that it is getting. Till now, IRCTC has been the sole organization selling tickets online. The Union Government should come up with a fair process and select multiple organizations to sell tickets online. If the Union Government selects only one organization, that organization may engage in unethical and unfair activities and trouble the people (which is what IRCTC is doing now). If the license is given to multiple organizations, it would encourage competition and people would get better services.

Also, IRCTC should not have any special legal provisions that are not available to any other public limited company. IRCTC is using the RPF Acts to arrest others when the mistake is with IRCTC itself. If IRCTC cannot secure its site, then IRCTC should not be allowed to sell tickets online, and the license should be given to other organizations by following a fair process.

Unfairly giving exclusive power to IRCTC (Selling tickets online)

IRCTC is a public limited company, and not a wholly government-owned company. Indian Railways is giving the full power of selling tickets online to one single company, IRCTC. When it was wholly owned by the government, that was fine. But now that it is a public company, it is completely unfair.

If Indian Railways wants to give a license to some organization for selling tickets online, it should come up with a proper process and invite any organization to bid for it, and the license should be given to multiple organizations that satisfy the criteria. [If the license is given to one organization, that organization may become an autocrat.]

Indian Railways did not follow any such process and gave an exclusive license to IRCTC alone. This is unfair by any standard. This is worse than the 2G or Coal scams. The media and the Opposition parties are concentrating on the scams where black money exchanged hands. But if we look at the potential loss of money or the unfair process on very big transactions, this is much more unfair than the 2G or Coal scams.

Technically Dumb Organization

IRCTC is the most technically dumb organization. It is surviving solely because of the exclusive power given by the Government. If the Government stops giving exclusive power, almost nobody would buy tickets from IRCTC. 

IRCTC is blocking users for using the autocomplete feature in their browsers. The autocomplete feature has been in browsers for decades. Anybody who knows computers a little bit would use autocomplete to fill in forms. If IRCTC wants to block autocomplete, it needs to come up with its own technology that makes autocomplete impossible for the users. IRCTC did not come up with anything like that, but blocked users who used the browser's autocomplete feature. This is the dumbest thing by any standard, and unfortunately IRCTC does not understand that it is the dumbest thing.

Special Legal Powers for IRCTC

Since IRCTC is a public limited company, the legal powers of IRCTC should be like those of any other public limited company, and it should not have any special powers. Right now, it is misusing the RPF Act and other provisions that are exclusive to Government organizations. IRCTC is incapable of handling even basic (software) security, but it is passing the blame to others and arresting them.

The following are the blatant misuses by IRCTC.

Auto Fill Software

Technically dumb IRCTC arrested one person in Vellore, Tamilnadu for using "Auto Fill Software". Anybody who understands software technology can clearly say how dumb that is. The autocomplete feature has been there since the beginning of browsers and many people use it. If IRCTC does not want people to use autocomplete, it has to bring in its own technology that prevents autocomplete. Instead of doing that, it is arresting people or blocking users for using autocomplete.

It is as if IRCTC thought it was in the 1700s (when there were no cars), and was arresting people for using cars, bikes and other vehicles.

Insufficient Security of IRCTC - Who needs to be blamed for theft?

If a person steals from the same house every day, who needs to be blamed? Is it the house resident or the thief? The thief needs to be blamed. But, more than that, the resident of the house needs to be blamed. If a thief steals from a house for one or two days, we can say that the thief is wrong. But if a thief is stealing from the same house every day, it is the mistake of the resident of the house for not taking enough precautions even after facing theft multiple times. IRCTC is behaving exactly like that resident. If anyone hacks their system regularly, then they should block the access for that hacker. Instead of that, they are putting the blame on the hacker.

If a person has booked tickets unethically for a couple of months, what was IRCTC doing all that time without fixing the issue? [In this statement, the word unethical is used only by IRCTC, and no person who has some technical knowledge would use that word.]

Intentionally Reducing Security - An Illustration

I have taken a few valuable items from others and told them that I will secure them in my house. One person is repeatedly coming to my house and stealing a few things from it. I lodged a police complaint against the unknown thief, and still the thief is stealing from my house and I have not done anything to secure it. When others ask me to return their valuables, I tell them that the thief has stolen everything and I don't have anything. Can I just live as if nothing happened?

Any person who knows logic and has some common sense would say that I am responsible for everything, and that I need to replace the lost things with my own money and return them to the actual owners.

In the same way, IRCTC is responsible for keeping its system secure. If it is a one-off case, we can understand that there is some issue. If IRCTC claims that someone hacked its system and booked X number of tickets over a few months, the issue is with IRCTC and not the hacker. The responsible people at IRCTC should be punished for not taking enough security measures.

Public Access - Private Access

There are two types of access to any website. One is public access. The other is private access. Private access refers to restricted access, like access to the servers, databases and other resources that are not meant for the public. Public access refers to the access that everyone gets without any permission. Typically, it means anything that one can browse on the site.

If anyone gets private access to the resources of any website, the website owner has to investigate how others got private access and should take necessary steps.

If anyone is getting something through public access that is not intended by the website owner, then it is the mistake of the website owner alone and not of anyone else. Only the website owner has 100% responsibility.

As far as I know, I have never read news about anyone getting private access to IRCTC. Even if it has happened, most probably it was due to some employee of IRCTC leaking the credentials or access etc. IRCTC filed most of its cases where someone did something with public access.

Public Access - Handling by Other Organizations

If the website owner does not want something to happen on their site, but someone could do it through public access, then it is the sole mistake of the website owner. The big organizations know that, and they offer a very good amount to those who find those mistakes and report them.

Awards by Major Organizations for Finding Security Loopholes

Microsoft - Rs.1.8 Crore

Google - Rs.1 Crore

Facebook - Rs.15 Lakh

Amazon - Rs.11 Lakh

IRCTC - Arrest people

Our great IRCTC arrests people, saying they hacked its site. [For the cases filed by IRCTC, no good technical person calls it hacking. It is only advanced usage. Since IRCTC is dumb in technology, it calls the advanced users' usage hacking.]

Bypassing the Railway System

For one arrest of an individual, the media report says that the individual bypassed the railway system to book the train ticket. I don't know whether it is mentioned like that in the case report, or the media used its own words. It makes absolutely no sense to talk of bypassing the railway system to book a ticket, because the tickets are in the railway system. The person would not even have bypassed IRCTC. The person would have used some software technique to book the tickets faster (which a non-software engineer might not know).

As mentioned above, if IRCTC does not want people to use the advanced features in browsers, it should come up with new technology, and not arrest people who are using advanced features.

Making Money Illegally was Crime

There is a mention that the person was charging Rs.10/ticket and it is illegal to make money that way, and it was a crime.

For example, if I am not in a situation to book a ticket myself, and I offer someone Rs.10 to book on my behalf, are you going to arrest the person who booked the ticket for me? If so, you need to arrest the majority of Indians.

Penalty for unauthorised carrying on of business of procuring and supplying of railway tickets

The above sentence is mentioned in one media report of one person's arrest. If this is correct, the Railway police need to arrest the head of IRCTC and other top people of IRCTC. The reason is that IRCTC is not fixing the issue, and is allowing people to exploit it. Even when someone is exploiting it, IRCTC is arresting that person and blocking that person's app, and not fixing its own issue. That is why different people are repeatedly hacking it. So, IRCTC's top people must be arrested for allowing others to exploit the railway system.

[The words hacking and exploiting have to be taken in IRCTC's definition. No good technical person would call that hacking or exploiting.]

Can non-tech people book a tatkal ticket easily?

Before IRCTC says useless things like "deprived of a chance to buy tickets", we have to check whether a non-technical person can book a tatkal ticket. I am sure that if you take a good technical person and a non-technical person (who has enough experience in buying things online) and have them book a tatkal ticket, the technical person has a better chance of getting a confirmed ticket. IRCTC is already depriving non-technical people of the chance to buy tickets. It is arresting people who are helping others with their expertise. It is blocking the users who are using their expertise for themselves.

Why is someone paying a higher amount?

IRCTC and other government organizations should introspect on why someone is paying a higher amount for the same thing that is offered by the government organization for a lower price. If Indian Railways or IRCTC is offering a ticket for a lower price, then why are people going to others and paying higher amounts for the same ticket? A few people who do not have enough knowledge would say that those people are blocking the tickets and the common man has no option other than going to them and paying a higher price. This can be true for printed government bus tickets, but it is not true for train tickets (or even flight tickets). Indian Railways is very secure, and a non-employee cannot block tickets and sell them to others.

Whoever IRCTC is calling hackers, they are just helping others to book tatkal tickets, because non-technical people cannot book the tickets. A few of them might be using automated tools to help others. Since IRCTC is not helping non-technical people to book tatkal tickets, they are going to someone else and paying higher amounts.

If the same situation happens to any private commercial organization, they would solve the problem of non-technical people by some other means, rather than filing cases against people who are helping. In fact, it is a very big business opportunity for the organization. 

Change of name/age/sex in the ticket and other internal security issues

A person who is not an employee of Indian Railways/IRCTC cannot change the name, age or sex on any ticket. Whether IRCTC agrees or not, Indian Railways is very secure (by the definition of any popular technical organization). It is not possible for a non-employee to block a ticket and sell it to others. If I book a ticket, then the ticket can be used only by someone with the same name/age/sex mentioned on the ticket. If someone has changed any of those, it is definitely with the co-operation of some employee of Indian Railways/IRCTC. The employees of Indian Railways/IRCTC should be punished more, because they have internal access to the system.

Share Price of IRCTC

IRCTC has a higher share price only because of the unfair power that it has received from the Indian Government. The moment the Union Government follows a fair process for train tickets, the share price would hit rock bottom.
