Immigration services at Burgh Quay have been back open since 10 May, after five months closed.
But also back are the businesses booking up appointment slots on the Irish Naturalisation and Immigration Service (INIS) website and selling them to immigrants desperate for appointments.
There are some simple steps the government could take to tackle the problem, according to a software engineer and cyber security analyst.
The Department of Justice tried, making some software changes in 2018. But appointments are still for sale.
A new online appointment scheduling system is in the works, says a Department of Justice spokesperson.
The Loopholes
Steve Atkins, a software developer in Ranelagh, spent a quiet Sunday afternoon in late 2018 poking around the INIS website to find the loopholes that were letting bots grab the available slots at that time.
“I thought I’m going to go in and see what they’re doing because, why not? I’m a software developer. This is the stuff I do for fun,” says Atkins.
Appointment-trading services using the bots had sprung up after the Department of Justice abolished its first-come-first-served queues to book immigration services in Dublin, and replaced them with an online booking system in September 2016.
Atkins says that in 2018 online services were charging up to €40 to sell the slots to migrants who were scrambling to secure an appointment for months, people like Atkins’s wife.
After running a few tests, Atkins realised that he could script a bot of his own to grab an appointment, as there were few security measures in place to stop him, he says.
He ran a test last week and it was still possible, he says.
Solving CAPTCHAs
The only security measure on the INIS website meant for stopping bots from extracting data is a CAPTCHA, says Rimom Costa, a software engineer and cybersecurity analyst.
A CAPTCHA, which stands for “completely automated public Turing test to tell computers and humans apart”, often appears at the bottom of online forms to prevent spammers and bots from intruding or stealing data from websites.
It sometimes looks like a box of distorted numbers or characters, and users are asked what they can read. Some CAPTCHAs are photographic, using a set of images.
Solving the CAPTCHA on the INIS website is simple, Costa says: one has only to check a box confirming that the form wasn’t filled by a robot.
There are various ways to bypass that simple CAPTCHA when a bot is booking a slot, he says.
Two years ago, Costa created a bot to secure an immigration appointment for himself, he says.
He used it again to get one for his wife and sometimes friends and acquaintances who were especially desperate for a slot – but only one appointment at a time.
His system had a manual step, which wouldn’t be practical for bots carrying heavier loads of data, looking to grab up all the available slots, Costa says.
If he were to use the bot for profit, Costa says, he would use services that solve CAPTCHAs for cheap. In countries such as China, India, and Vietnam, poorly paid workers tackle CAPTCHAS like that for professional spammers.
The payment is per CAPTCHA, with the rate starting from $0.50 per 1,000 images, depending on a client’s workload, says the website Anti-Captcha, which peddles itself as solving CAPTCHAs since 2016.
Hacking into Chrome’s source code to manipulate the website into authorising you as a trusted source is another way of bypassing CAPTCHA to secure all available slots in one go, Costa says.
Supplying Demand
Costa, the software engineer and cybersecurity analyst, never charged his friends or acquaintances when he booked a slot for them, he says.
That’s unethical and reminiscent of instances of naked opportunism that he witnessed and disdained growing up in Brazil, he says.
“I’m from a country that used to be very poor, and when you needed to call someone, you had to use a public telephone. Usually, there were some people selling the coins,” says Costa.
“The coins were very cheap, but when they’d see there was a big queue, their coins were ten times more expensive,” he says. “You always have these people exploiting, all over the world.”
Renan Danton, a software developer in Brazil, who runs the appointment-selling site GNIBot, does charge.
Danton began booking appointments using a machine as an English-language student in Dublin in 2017, he says.
He insists that he is not using a bot for booking the slots. The word “bot”, he says, stands in the title of his site because he’d created one to notify Facebook users “about available appointment slots” two years ago.
He declined to reveal his methods. “The technology we use is private information, and I can’t share it,” says Danton.
For bypassing CAPTCHAs, though, Danton says he has “40 employees to fill the form and complete the CAPTCHA”.
He denies using available anti-captcha services and said that his CAPTCHA solvers are not low-paid workers in developing countries. “I have employees who work for me,” he says.
“Work hours would be 8 hours per day Irish time zones of course, the payment is per appointment booked,” he says, and his employees work online.
He doesn’t think he’s exploiting fearful migrants in need of their papers, and unlike Costa, doesn’t view the service as morally reckless.
“Every business rises from a problem, not the opposite. I really believe we’re helping people and save their precious time instead [of losing] those days and weeks struggling to get an appointment,” says Danton.
Although GNIBot is one of the services that amasses appointments before an actual user gets a chance to book a slot, Danton doesn’t think his service is part of the problem.
“There are many immigrants coming every day but there’s no slots to supply this demand, the problem already exists before GNIBot exists not the opposite,” he says.
A representative for GNIBIRPVISA, a service similar to GNIBoT, did not respond to an interview request.
Block the Bots
The Department of Justice is aware of issues in the past around securing appointments, said a spokesperson. “A set of software fixes were introduced in late 2018, designed to prevent such abuses of the system.”
But they are aware that some services continue to sell INIS bookings and the department is concerned, the spokesperson said.
“The Department strongly advises against this practice of providing sensitive and personal data to unregulated and unknown third parties,” the spokesperson said.
The spokesperson didn’t respond to a query asking how much they had spent on safeguarding the INIS website against those third-party agents.
But they did say that a tender has recently been awarded for a new “appointment and scheduling system which will streamline and further improve the registration process”. They’re hoping to roll out the new system in the coming months, they said.
Securing the system against third-party bots is not a complex feat, says Costa.
All it takes is having someone monitor the website’s logs for suspicious activity, he says. “So, they would see that the same IP is continuously requesting appointments.”
They could then block their access to the site, he says. “It’s a simple task, it’s not that complicated.”
But Danton, of GNIBoT, says he could get around that fix: “If immigration blocks my IPs it wouldn’t be a problem at all because there are proxy servers which anyone can hire.”
Giving each immigrant a unique personalised code as soon as they arrive in the country is another of Costa’s solutions to the problem. Each person would enter their code on the website to book an appointment.
“Doing so, people that are not even in Ireland wouldn’t be able to overload the system with appointment requests since they don’t have the code,” he says.
In the meantime, as it works to improve the system for booking in-person appointments for immigration services at Burgh Quay, the Department of Justice is also working to reduce the demand for these.
It has set up a service to allow people to renew some immigration permissions online. This online renewal system has processed 75,000 applications since July 2020, the Department of Justice spokesperson said.
Unfair Advantage
Steve Atkins, the software developer in Ranelagh, says services like GNIBoT would not have sprung up if immigration appointments weren’t a “scarce commodity”.
But there’s little appetite from the state to address it because it’s not the same as a business that has to compete, he says.
“They don’t care how you got there, they’re not losing any money, nobody else is providing this service and there is always demand,” he says.
Atkins says the situation unfairly favours wealthier immigrants, and the INIS would be happy to serve them before others.
Dina Halasa, who has purchased immigration appointments in the past, says she’s been called “classist” by her friends for doing so.
“Because I paid to solve my problem. And I was like, if it’s going to fix my problem, I honestly genuinely don’t care,” says Halasa.
But she sympathises with migrants who can’t afford to pay their way to the Burgh Quay office, she says.
“I understand that a lot of my friends are on a very limited budget, so €40 means that there’d be a couple of days in the month that they won’t be able to live a normal lifestyle,” she says.
“Every euro counts for them, but that’s not the case for me,” she says.