The COVID-19 Vaccine Complicates the Bot Debate
*epilepsy warning*|Hatemail: Newsletter and Intel from the LaBac Hacker Collective
Bots are Testing Ethical Boundaries Amid Vaccine Distribution
As they become available, people are scrambling to secure vaccines for themselves and for loved ones. This week our collective discovered a method to game the NYC vaccine distribution website using automation, or “bots.” With a basic script, we were able to scan for all available vaccination appointments in real-time.
What we found was disappointing. Not only was the site not making the best use of anti-bot tooling like reCAPTCHA, but there was no enforcement against repetitive replay attacks. This has left the site vulnerable to all sorts of bots, the worst of which could potentially capture vaccine appointments on behalf of others.
As it turns out, software developers throughout the U.S. have been creating bots to locate open vaccine appointments – including, of course, in New York City. Perhaps one of the best examples of this is @TurboVax, a bot developed by software engineer Huge Ma, which was called “the hottest Twitter account in NYC right now” by NYC Councilmember Mark D. Levine. Ma’s bot pulls information from New York’s government-run websites on one end, then tweets available appointment slots out the other. It’s not hard to find similar bot projects for different locales across the country.
Benevolent Bots Appear to Exist
The U.S. is currently administering nearly 2.8 million COVID-19 vaccines a day, but state-level rollout challenges continue to remain a source of confusion and frustration among residents and healthcare professionals alike. Software developers have been responding to the problem with bot projects that are generating mixed reactions from health workers, state officials, and residents.
Advocates and creators of these bots argue that the online systems currently used by many states favor those with constant access to computers, people who are tech-savvy, and individuals with the time to sit in front of a portal throughout the day to grab an appointment.
In Maryland, professional programmer Matthew Tralka initially coded a bot to help his parents secure a much-needed vaccination appointment and was dismayed at how inaccessible registration sites were for busy workers and disabled individuals. Tralka told Capital Gazette, “[t]here are disabilities that prohibit people from typing very quickly. I wanted the program that I made to be something that people like that could use without refreshing 30 times and typing info in over and over and over again.”
Likewise, in Austin, Texas, software engineer James Kip created Texas Vaccine Updates [GitHub], which uses Slack and a web scraping bot to help people find appointments. Like Ma and Tralka, Kip started working on a bot after watching his parents (both over the age of 60) struggle with getting an appointment. His project, which has grown since he began, now relies on many volunteers to ensure that appointments are going to people who need them the most.
The lack of federal guidance in the early days of the pandemic undoubtedly played a role in how different states have struggled to distribute personal protective equipment, COVID-19 tests, and (ultimately) the COVID-19 vaccines. The various criticisms directed at different state appointment systems – and vocalized by bot creators such as Ma, Tralka, and Kip – speak to the larger logistical flaws prevalent in the country’s initial response to COVID-19.
Consider the situation in Florida. After being unable to spin up a reliable platform to manage vaccine appointments, state officials settled for Eventbrite, an event management and ticketing site you might be familiar with from the before-COVID times, to sign residents up for vaccine appointments. This decision resulted in several cases of Florida seniors getting duped into paying for fake appointments.
Not all Bots are Benevolent
We recognize that it is presumptuous to assume that behind every vaccine bot is a well-meaning creator looking to make vaccine registration more accessible and equitable. After all, there have been instances of bots messing with local distribution processes instead of fixing them, such as in the case of Franklin County, Mass.
In mid-February, Franklin County opened up a few hundred vaccine slots at their local clinic but soon learned that 95 percent of their appointments had been grabbed by non-residents, many of whom used bots to register. Officials had to cancel the appointments and switch to a more private process to ensure the doses allocated to the county would get to people living there.
Relatedly, some critics have vocalized concerns that these bots could potentially lead to future markets for vaccine appointments where slots are immorally overpriced. (It’s unlikely, however, that bots only directed to generate open appointment alerts, like the NYC bot created by Ma, could directly foster such a market). Others are concerned about bots immobilizing local sites that aren’t prepared for the traffic they can bring. In London, bots were recently blamed for flooding the city’s vaccine booking system.
Some vaccine providers such as CVS and Walgreens appear to be aware of the potential for abuse and have considered this in the design of their appointment portals. This is not their first rodeo, as resource scalping of PPE (personal protective equipment), sanitizing products, toilet paper, and other coveted resources at the beginning of 2020 was a trial to beef up botting and scalping protection. Jim Cameli, Walgreens Boots Alliance's Chief Information Security Officer, recently stated that “[...]security measures such as bot detection and prevention will play key roles in delivering this critical service to patients.”
In a similar vein, California has rolled out the vaccine appointment portal, MyTurn, which has coincidentally heightened the complexity for botting. This has not dissuaded the creators of the San Diego COVID Vaccine Bot from continuing their botting efforts as they do not believe the MyTurn solution is without critical flaws. One feature the creators of the San Diego COVID Vaccine Bot call out is the lack of place holding. On Monday, they tweeted: “It's frustrating to enter a bunch of forms and then reach the end to know that someone else beat you to it.”
Similar to Tralka’s concerns over Maryland’s process, MyTurn also fails to adequately support folks with accessibility barriers related to typing or web access. The San Diego COVID Vaccine Bot creators encourage anyone who has had difficulties with California’s MyTurn solution to submit official feedback.
The unspoken irony of complex platforms, like MyTurn in California, is that although they are highly engineered, their complexity indicates that we have lost touch with the value of usability and quality assurance – which is a serious problem when trying to get people from all walks of life to digitally sign up for a vaccine appointment.
Keep Trying for that Vaccine Slot
We have seen tremendous innovation and coalescence with tech from both individuals, companies, states, and more during the COVID-19 pandemic. And this momentum should be used to develop technological solutions that keep the most at-risk members in our society from falling behind. If developers are able to create more efficient distribution systems and are doing it for free, we have to wonder if it wouldn’t be more effective for state governments to work with them than against them.
But hey, that’s just us.
Tech abuse is always a possibility, but for now, please do not be dismayed by malicious bots or poorly designed sites. Get out there, and learn your way around your local health authority’s process and get vaxxed. If you have the capacity, consider reaching out to folks in your life who might struggle to get vaccine access on their own with the knowledge you’ve learned. Tweet about open appointments. Educate folks on Nextdoor. Write some zines about it. Every bit counts in times like these.
Large Moves by Big Companies (and Small Hands)
[CNN] Last week Jason Miller, acting as a spokesperson for former President Donald Trump, said in an interview on Fox News that Trump is planning to launch his own social media platform. Miller said that the new platform will “completely redefine the game.”
[Intercept] [Vox] On Sunday, Recode reported that a recent series of bizarre and antagonistic tweets made by Amazon executives and the official Amazon Twitter account were prompted by CEO Jeff Bezos himself. In one of the tweets, which arguably backfired, the company denied stories of workers using bottles to pee in lieu of bathroom breaks.
[Reuters] Last Tuesday, Telegram founder Pavel Curov announced that the messaging app had raised over $1 billion from bond sales and hinted that the funds would be used to expand services including premium plans for business users.
[Electronic Frontier Foundation] Aaron Mackey, senior staff attorney at the Electronic Frontier Foundation, raised some questions about Facebook CEO Mark Zuckerberg’s recent testimony to Congress proposing a rewrite to Section 230, calling the proposal “a self-serving and cynical effort to cement the company’s dominance.” Section 230 generally provides online media platforms with a liability shield over the content published by users.
Security, Hacks, and Policing
[Eonomic Times] [Reuters] A new report by a surveillance research group, IPVM, shows how the Chinese government is building an unprecedented surveillance system with facial recognition technology. The report itself provides the data standards designated by the Chinese government on how intrusive surveillance systems should be built throughout China. It adds to the growing concerns over the country’s human rights abuses as such technologies are being used to target ethnic minorities, like the Uighur Muslim population in the western Xinjiang province.
[Politico] Russian hackers allegedly broke into the email systems of the United States State Department Bureau of European Affairs and Bureau of East Asian and Pacific Affairs last year. According to one official, classified networks were not breached. This report contributes to the list of the known government agencies that have been breached by Russian APT Groups (Advanced Persistent Threat Groups) over the past year.
[techradar] [ZD Net] A whistleblower claims that the hack against Ubiquiti networks was way worse than the company had publicly disclosed and claims that the company downplayed the breach to protect the firm’s stock value.
[arsTechnica] A New York politician aims to ban armed robotics from NYPD use amid concerns over the militarization of police forces across the country. Some experts warn that non-lethal robots can often ultimately lead to armed ones.
[The Daily Beast] Proud Boys affiliate Charles Donohoe was arrested Wednesday on conspiracy charges for his alleged involvement in the Jan. 6 insurrection at the U.S. Capitol. Social media posts show Donohoe had close relationships with multiple police officers, highlighting disturbingly personal ties between Proud Boy members and law enforcement.
On Our Radar...
[CitizenLab] CitizenLab, whose digital forensics capability has been fairly pitted against nation-state hackers, has announced that the entirety of their platform and offerings will be made open source.
[The New Yorker] This pandemic has made an embarrassment of the way that data is used to service a point. This piece from Hannah Fry (@FryRsquared) describes the growing human phenomenon behind the use of anecdotal data, and how it dilutes the true science of the subject at hand.
[The Economist] The Economist captures trends in the growing industry of commercial satellite imagery. As the number of commercial satellites grows in our atmosphere, the more capabilities are added to the consumers of commercial espionage platforms.
[KnockLA] The biggest gang in Los Angeles is the LAPD. This well-sourced expose covers the secret society within the LAPD which encourages violence beyond what’s expected from a police officer.
[Verge] Medium staff have experienced a broad range of uncomfortable policies in the past couple of years, as detailed by 14 former Medium employees. What was once hailed as a savior platform for independent writers and publishers is now described as a dysfunctional machination on the part of the tech company ethos that drives its management.
Hate speech website: Clubhouse andjoinclubhouse[.]com
Who hosts: Clubhouse, Cloudflare
Today’s site is the app and company Clubhouse, who also operates the website joinclubhouse[.]com. As Clubhouse grows in popularity, it has provided a safe haven for conspiracy theorists and fringe actors.
We have observed that Clubhouse’s site resolves to an IP address protected by Cloudflare.
Webinar: Accessible Content in 2021 – Reaching People and Communities of All Abilities (Thursday, April 8, 3:00 pm ET) - This session hosted by Briefly will cover the modern tools and practices behind running accessible, virtual-first events and creating equally available content for all online. [RSVP]