Automatic Instacart Bots

Instacart is taking legal action against bots that automatically place orders:

Before it closed, to use Cartdash users first selected what items they want from Instacart as normal. Once that was done, they had to provide Cartdash with their Instacart email address, password, mobile number, tip amount, and whether they prefer the first available delivery slot or are more flexible. The tool then checked that their login credentials were correct, logged in, and refreshed the checkout page over and over again until a new delivery window appeared. It then placed the order, Koch explained.

I think I am writing a new book about hacking in general, and want to discuss this. First, does this count as a hack? I feel like it is, since it’s a way to subvert the Instacart ordering system.

When asked if this tool may give people an unfair advantage over those who don’t use the tool, Koch said, “at this point, it’s a matter of awareness, not technical ability, since people who can use Instacart can use Cartdash.” When pushed on how, realistically, not every user of Instacart is going to know about Cartdash, even after it may receive more attention, and the people using Cartdash will still have an advantage over people who aren’t using automated tools, Koch again said, “it’s a matter of awareness, not technical ability.”

Second, should Instacart take action against this? On the one hand, it isn’t “fair” in that Cartdash users get an advantage in finding a delivery slot. But it’s not really any different than programs that “snipe” on eBay and other bidding platforms.

Third, does Instacart even stand a chance in the long run. As various AI technologies give us more agents and bots, this is going to increasingly become the new normal. I think we need to figure out a fair allocation mechanism that doesn’t rely on the precise timing of submissions.

Posted on April 27, 2020 at 6:13 AM44 Comments


Q April 27, 2020 6:26 AM

I don’t think of this as a hack. At no point is anyone using the website in a way that is contrary to the normal process. No one is using stolen credentials. No one is exploiting flaws or coding bugs to gain some access not normally given.

If the website wishes to prevent people doing this then rate limit access, or whatever other method gets the desires result. The onus is on the website to make it “fair”, not to sue external parties to coerce the the users into using it in the precise manner the website desires.

Ulf April 27, 2020 6:36 AM

Agree with Q on both counts. It’s just automation at work, not a hack. Many web sites cut down on bot access by providing APIs; it sounds like Instacart should do this as well, and then think about whom to give the time slots to.

People want to automate things, and the existence and continuing development of libraries like jWebUnit is testament that they’ll go to some length to make that possible. Fighting that is an uphill battle.

Jaime April 27, 2020 6:39 AM

Instacart can fight, but it’s going to be a tiresome battle and they are going to lose. They should take it as a signal that their customers are in need of a feature. If Instacart created a queuing system and allocated slots to their queue before making them public, it would both satisfy their customers and instantly make Cartdash irrelevant.

RogerBW April 27, 2020 7:01 AM

Back in the day, eBay tried to ban sniping bots. So we can see how well that worked.

rrd April 27, 2020 7:21 AM

“Fairness” is relative to the environment it works within. Nothing within our Western capitalist systems (British and American) is fair in any way, as the “haves” have set up the competition to give themselves every possible advantage. After they have taken whatever they want, the rest of us are left competing for the scraps, as evidenced by the availability of COVID-19 tests here in America.

The fact is — regardless of where our “evolution” has taken us over these past few centuries — that competition is inhumane for human beings. In order to truly manifest “humanity” we must embrace compassion, charity and equality of lifestyle and opportunity for the least of those around us.

In this Ammerican society, where there are so many destitute, uncared-for, homeless and hopeless citizens as well as callous capitalists who couldn’t give a shit about their suffering, fairness will only be possible by changing the system these systems (such as Instacart) work within.

The one trait, above all, that makes us human is our ability to self-evolve our morality. We must first each embrace compassion for one-and-all, and then we must work to build that into the fabric of our governments and societies. What we are living in is the result of blind competition; it has given us our leaders, our heads of industry, and the very system we live within, the “haves” and their attorneys having molded it to serve them above all.

So, where Instacart is a mechanism that could — in theory — be utilized to provide fair access to shopping-from-home, the environment it works within will be preyed upon by the predatory among us for their personal gain, regardless of how it hurts others. Attempting to protect it from predatory behavior is truly a noble goal.

That said, how many of you forgo being first in the newly-opened cashier’s line because the person three-deep in the next lane was there before you? That kind of competition is animalistic — lacking humanity — and is the root of all our problems, even if the tree above them is enourmously complex.

I admire your compassionate thinking, Bruce; it is literally the beginning of all goodness in this world: the inner desire to help others deal with their inherent disadvantages, to lessen their misery, to help them be the equals they were born to be.

The emotional opposite of love is, of course, hatred, but the behavioral opposite of love is selfishness, either individually or in our groups. Hatefully hot or coldly callous, selfishness is the root of all our problems, from Trump to child raping Catholic priests to racism to the Taliban to the griefer computer hacker to those fuckers who refuse to cover their face at the store — they’re all just selfish bastards.

jbmartin6 April 27, 2020 7:25 AM

Fairness is a problem in a lot of ways. I don’t know about Instacart specifically, but I have found that delivery slots for other places are only made available very early in the morning, and are usually gone by say, 9 AM. That isn’t fair to anyone who can’t log in at that time, perhaps someone who has a factory shift at that time for example. The business could implement some sort of lottery system or something like that, but is there a business gain in doing that? Probably not immediately, but long term. Some other ideas: block accounts that log in too frequently. Add priority weighting to accounts that have failed to get a slot for some time.

wgg April 27, 2020 7:51 AM

Second – They should take an action, but that action should be making it easier for ordinary users to compete, not try to ban the bots.

These “races” play out everywhere from commerce to government subsidies to slots at a birth center where I live. The organizations used to try fight the automated tools. Then they seemed to largely give up. But recently, I’ve applied for a government subsidy (with limited slots), and they:
– Announced the starting date and time in advance (which was neither too early in the morning nor late at night)
– Allowed all participants to prepare everything in advance (and download the prepared data in XML)
– Made it so that you could then import the prepared data, and all you had to do on the set time was click on a button

Rick B April 27, 2020 8:19 AM

First, does this count as a hack?

Does high-frequency trading on Wall St. count as market or currency manipulation?

It certainly goes against the spirit of inter-human trading of goods and services, which is what stock markets were originally created to do…

I feel this is the same exact concept (and I’m not a fan of either).

Vesselin Bontchev April 27, 2020 9:17 AM

Whether it is fair or not depends very much on one’s ideology.

Socialist ideology: Everybody must be equally miserable as they are fighting each other trying to win the checkout clicking game.

Capitalist ideology: Those who have the skills to make and use a checkout bot should enjoy the fruits of their labor and screw those who are too dumb to do so.

This is really a flaw in the store’s software. They should fix it (e.g., by adding CAPTCHAs), if they don’t want automated checkouts, instead of fighting stupid legal battles.

JonKnowsNothing April 27, 2020 10:17 AM

Not a hack and not an exploit.

A hack would involve using an error or program or logic flaw to achieve a more desirable result.

An exploit would be using some aspect of the code in a manner Not Intended.

The program automated a function outside of the main system. Probably “unfair” but that’s subjective to whether you got the item or didn’t get the item.

If you plan to write up about this sort of thing, I recommend you spend some time playing PVP. Player vs Player games all have various versions of this and just about anything you can dream up and never even occurred that someone would do in order to “win”.

PVP games (solo) or RVR (group) range all over on their policies about what is OK and what isn’t. These companies have seen it all and if there is an advantage to be found in any update-release it will soon be noticed in play.

While eSports or on-line chess have been making news with their $1Mill or more prizes, players of all abilities use anything they can to “win” even at the very basic levels.

  • Scripting/Lua. Lots of that.
  • Macros. Similar
  • Keybinds. Enhanced key presses/ 2 keys for 1
  • Animation and Activation timing. Watching at what point you can get the next skill to execute even if the previous skills animations are still active.
  • Click Streaming. Keybinds and macros to maximize the number of skills executing per tick, by using instant-action-skills on a faster loop then follow up with a lock down skill.
  • Quick Streaming. Executing multiple skills in a short duration.
  • Screen Scraping. Screen reader for specific icons, text or other indicators and automated response.
  • Script Mapping. Reverse engineering all aspects to find Min-Max options.
  • Full automated responses. A complex set of actions and key presses generally for a more predicable situation.
  • Rank Farming. A non-competitive agreement between 2 players or 1 player doing multiboxing to earn points for advancement.
  • Multiboxing. One player controlling many toons. Depending on the game this generally requires multiple accounts.
  • Multiboxing with One keyboard. One key press sends commands to multiple boxes. Requires setting up each class skill sets for complementary actions on a single keystroke.

That’s just for starters.

Then you have the hack types where they analyze the packet system and timing and use network packet streaming to “stuff” the stream. If you get caught you will generally get a ban. There are versions were the stream stuffing is “light” but you still get a 2 for 1 turn around.

In theory PVP is player vs player as opposed to PVE which is player vs environment (aka server). When concepts of “fair” enter into PVP areas bring your asbestos gear ’cause there will be a Wall of Flame. All for the reasons mentioned by others.

Game makers try to match skills in competitive round games by using ELO scores similar to chess rankings. It’s only partially successful.

  • A keyboard only player vs a mouse click player vs a controller player all have advantages or disadvantages depending on the game design.
  • If you play against a macro-scripted player you are going to be disadvantaged.
  • If you use a macro-script and compete against another scripter with a better script well…
  • If you have a better graphics engine that can fast render animations same.
  • If you have a better network ISP connection same

Then there is the Unintended Advantage. Game makers revise their codebase and skills to “Balance” play. If a particular type is too dominant they can nerf it (reduce effectiveness) or buff the others. These changes cause a mass reshuffle of which classes are deemed “better”. If a revision or update contains any aspect that will shift the balance of play it will be found. It might not be WAI but players will make it WFM (Works For Me).

Check out PVP at your favorite online provider. Spend at least a few months to get past the NOOB stage so you can recognize what’s going on besides Retreat and Rez.

Companies like the one in the post take PVP to the commercial markets. After hours stock trades or high-speed trading use the same concepts. Stock market manipulations are buffs and individual trades are nerfs. It’s just harder to see and document on a business platform.

ht tps://
(url fractured to prevent autorun)

Andy April 27, 2020 10:18 AM

This is a possible violation of a couple of clauses in Instacart’s TOS.

“You may only access the Services through the interfaces that Instacart provides for that purpose (for example, you may not “scrape” the Services through automated means or “frame” any part of the Services), and you may not interfere or attempt to disrupt the Services.”

“In order to use the Services, you may need to create a user account. You agree that you are responsible for all conduct and transactions that take place on or using your account and that you will take precautions to keep your password and other account information secure.”

Since IANAL, I have no clue as to Instacart’s ability to successfully sue the bot makers, but they can certainly terminate the account of any user that uses one in violation of the above terms.


JonKnowsNothing April 27, 2020 10:25 AM


re: Screen Scraping

iirc(badly) recently court cases have stated that scraping in not a violation of a legal law. It’s inclusion in a TOS/EULA is purely to keep those that do not scrape from doing it. Those that do scape know it’s OK.

It was a lawsuit over scraping details from LinkedIn public pages. Similar attempts to prevent FB and Google from taking your photographs have also failed. LEOs scape anything they can get a screen shot of.

JonKnowsNothing April 27, 2020 10:31 AM

Re: PVP (player vs player)

I should add a warning: Either turn on your profanity filter text and speech or be prepared for a torrent of “language not heard in polite society”.

It’s pretty nasty.

There a plenty of players who do not engage in foul language or actions, but finding them in a PVP environment is another challenge.

Also, you may be exposed to word, phrases and comments that you have no idea what they are talking about. Since you won’t know what they insult is, you may not be bothered until you find out. Urban slang changes fast.

Scrub does not mean wash your hands…

Phaete April 27, 2020 11:28 AM

I think the meaning of the word hacking changes depending in which era you were born.
I was already hacking before commercial software was widespread, on a hardware level.
For me hacking means altering something to make it do something other then it usually does. Software just became another platform where this was applicable when that became widespread.
It also did not automatically associate itself with unauthorized entry/use, it was applicable on that alarmclock/pinball machine that you owned and changed.

This era it mainly means unauthorised access/changes to (computer) system.

So to be pedantic, the person who wrote the code to change the function of that system, was a hacker (saying nothing about auth/unauth), the people using it are scripters.

But boohoo for the company instacart, this shows how much they rely on tech, but how they are not willing to seek tech solutions.
Queuing, selective throttling, timeouts, increased wait etc, there are legion of possibilities.

Arclight April 27, 2020 11:41 AM

This sort of thing is the reason you have to complete a full nine-step CAPTCHA to check on your pet food order.

At the same time, I would also argue that this is basically a feature request – Let me put my request in ahead of time, then using some sort of queuing algorithm to fit it into the workflow without me having to be Gold farmer.

TruMo April 27, 2020 12:16 PM

IMHO, this is an example of human augmentation to complete a legitimate business transaction, not hacking. Agree with the long-term view expressed in the original post that this sort of thing will increasingly become a new norm, if not a new necessity, in future (for better or for worse), and that we need to collectively define its boundaries in a way that reflects our values as a society.

Clive Robinson April 27, 2020 12:51 PM

@ Bruce,

I think we need to figure out a fair allocation mechanism that doesn’t rely on the precise timing of submissions.

That is fairly easy, “closed bid offer”, that is there is a time window in which you can make a “bid” at the end of that period all the “bids” are opened and the wining “bid” selected.

The two issues that spring to mind are what would the “bid” be to be fair and secondly how do you stop “denial of service” type attacks.

The design of the bid could br simple such as you get X points a month and you use these points to make your “bid” this would favour those who placed large orders occasionally as opposed to those who want little and often. The catch though is how do you stop multiple accounts. That is if I open four seperate accounts I can bid an entire months points from one account for the first week of the month, the second account for the second week and so on.

Thus you quickly get to realise that all such systems can be gamed in some way or another.

Thus you need some system that is easy for humans but hard for computers. @Vesselin Bontchev mentions,

“They should fix it (e.g., by adding CAPTCHAs)”

Those that have been around this blog for long enough will know I once thought of using CAPTCHAs as a way to lighten the load on humans whilst making it difficult for machines as part of an authentication system. The idea was still born when someone drew to my attention the fact that in parts of Asia people would sit at computers solving capatchers for just a cent or two each…

Thus those that wish to jump the system will simply pay someone a tiny some of money to do it for them.

So what ever system that is thought up will need to be,

1, Simple to use.
2, Cover all possible angles.

The problem is that the second is an “Unknown Unknown” problem you have to not only know ever class of attack but also all the actual instants by which an attack can be carried out.

In essence it requires the designers to be able to see into the future… Which is not a tallent many possess if any reliably.

Phaete April 27, 2020 1:03 PM


A unknown unknown is only unknown for so long.
AS soon as it it known you can react.
Since they had the time to let some lawyers handle the case, it is not a zero day or anything similar, heck i’m too lazy too look up the reg date of the scripting domain.

It’s been known and then they can react. The fact it was an unknown unknown a year ago is no excuse anymore, just fix it.
No solution will be perfect, but this is not rocket science.

I think their choice has more to do with cheap hosting, very limited network control and a biased management.

La Abeja April 27, 2020 1:06 PM


… a way to subvert the Instacart ordering system.

That’s too low-class. There’s nothing to subvert. They left some sort of online ordering system wide open to pranksters on the internet without requiring any sort of deposit or security (like a credit card) to place the order.

It’s like the teens who call in a fraudulent order for pizza delivery at the wrong address, and then they offer a reduced price on the spot for the pizza they deny having ordered.

MarkH April 27, 2020 1:47 PM

@Vesselin Bontchev:

Here’s a proposed revision (changes in italics):

Socialist ideology: Everybody must be equally miserable as they are fighting each other trying to win the checkout clicking game.

Libertarian ideology: Those who have the skills to make and use a checkout bot should enjoy the fruits of their labor and screw those who are too dumb to do so.

Capitalist ideology: Those who pay more should be able to buy their way to the front of the queue.

Clive Robinson April 27, 2020 2:17 PM

@ Phaete,

The fact it was an unknown unknown a year ago is no excuse anymore, just fix it. No solution will be perfect, but this is not rocket science.

Technically and practically “just fix it” is all that can be done, on the assumption that the underlying code can be fixed which might not be the case (hence my comment about CAPTCHAs and Asian assistance).

But neither technically or practically tend to be considered in “managment minds” as you note,

I think their choice has more to do with cheap hosting, very limited network control and a biased management.

The bias being they understand the concept of “nails and hammers” but not engineering, thus they use a blunt object to try to solve a problem that is not amenable to being treated like a nail.

In essence they see technical or practical solutions as “needless” or “sunk” cost, and delude themselves that lawyers sending scary letters will cause others to “cease and desist”. It’s a belief in “power politics” when they do not realise that their power is in effect meaningles in the game they are playing.

The basic rule they fail to understand is that you have to be “Proactive not Reactive” and they lack the skills or ability to be “proactive” in a technical environment. Worse they mentaly denegrate those who have both the skills and the ability as well as the rare quality to think “Hinky” and thus get ahead of the curve.

It’s a problem compounded by the fact that they will not change to meet the challenges of a changing environment. Thus as we frequently get told about dinosaurs their fate will at some point be extinction.

I think it was BoingBoing that had a piece on “guerilla startups” and what they do. In essence they use asymetric warfare techniques to out maneuver the established encumbrants. However having done so they then lobby for legislation change to “pull up the draw bridge” behind them. Or atleast that is their intention, however they then tend to fail as they become the new established encumbrants, because they cease to be proactive and fleet of foot and become reactive with a large side order of slugish.

DB April 27, 2020 2:26 PM

Third, does Instacart even stand a chance in the long run. As various AI technologies give us more agents and bots, this is going to increasingly become the new normal. I think we need to figure out a fair allocation mechanism that doesn’t rely on the precise timing of submissions.

I don’t think so, and nor does anyone else stand a chance. This problem is inherent in a situation where there’s more demand for something than can be supplied. Fundamentally the only choice is whether to ration the supply by time or random selection (which will be exploited by automation and clever workarounds) or by raising the price (which will quickly price anyone who isn’t rich out of the market). Neither is really “fair” by the standards of a large chunk of the population, but those are the only two options. Pick your poison.

Norio April 27, 2020 3:03 PM

Bruce Schneier asks, “… should Instacart take action against this? On the one hand, it isn’t “fair” in that Cartdash users get an advantage in finding a delivery slot. But it’s not really any different than programs that “snipe” on eBay and other bidding platforms.”

And RogerBW comments: “Back in the day, eBay tried to ban sniping bots. So we can see how well that worked.”

Nowadays, most everyone on eBay assumes others are using sniping applications. So what’s the difference?–the speed of the broadband connection. That is, since everyone is using a sniper, the ones with an advantage are those with faster connections. If I have the fastest connection, I can snipe at the last moment and submit the winning bid. Is that “fair?” No, but it’s the logical outcome of a 2(or 3,4,5)-tier system.

It’s similar to the 2-tier system that is apparent with online stock trading apps and solutions; the real players have fiber optic and supersonic speeds and can place orders way before the great-unwashed-rest-of-us. And that’s not fair, either. But it seems unfairness is built into the infrastructure.

Bruce: “I think we need to figure out a fair allocation mechanism that doesn’t rely on the precise timing of submissions.”

Good luck with that, given the inherent inequalities of speed and timing.

lurker April 27, 2020 3:16 PM

@DB: Fundamentally the only choice is whether to ration the supply by time or random selection […] or by raising the price.

There is another option: Increase the supply. FDR did this for welfare and healthcare in the New Deal; about the same time my country did it for railways and housing; more recently we see fracking shale oil; and the Chinese have built High Speed Trains to remove the passenger traffic clogging their freight lines. A long time ago some sage said that “happy customers will come back to buy more”. This advice has been lost along the way. It seems businesses are no longer interested in having happy customers for repeat sales. Anyhow what does Instacart sell? Nothing of substance. It is a ticket clipper, pandering to that market who want a “one stop shop”. The only control they have over their supply lines is this synthetic queueing system. So rather than being starved out of the market by their suppliers, they are being gamed out of the market by queue jumpers. Way to go.

Yes, in this supply-side question I have deliberately ignored consumerism, and the bounds of a finite planet.

JonKnowsNothing April 27, 2020 3:53 PM

re: CAPTCHA systems

iirc(badly) Recently there was an article about challenges to Google’s version and possible use of other similar systems. Some of it had to do with “new fees” and Google-Creep.

There was a small section that stated that the “no fee versions” were used by Google to “capture” all the key clicks used by people attempting to click the right items. They used them to help ID pictures and stored them for use in the ML/AI datasets.

Other articles pre-COVID19 detailed how Google and FB were building a huge geolocation graphics ID system for the USGovt by overlaying pictures from their vast user photo albums to identify every object that could be seen in the picture from any orientation: trees, steps, potted plants.

It might be all those millions of clicks over the years, had more than several impacts.

disclosure: I am terrible at CAPTCHA, any of them. I cannot “see” or “distinguish” between the proffered images for the tell-tale marks. I will give it a go a few times and then… what ever it was I wanted to buy isn’t happening. If the store has an 800-free phone number I might try that or maybe not.

tfb April 27, 2020 4:49 PM


A hack would involve using an error or program or logic flaw to achieve a more desirable result.

Allowing something to gain an advantage because it is faster or can submit requests at a higher rate than you expected is ‘an error or logic flaw’.

Impossibly Stupid April 27, 2020 5:06 PM

I think I am writing a new book about hacking in general . . .

Which definition of hacking are you talking about, Bruce? The “classic” one of simply thinking up a clever solution to a problem, or the currently accepted one of maliciously breaking into a system without authorization (what used to be called cracking).

First, does this count as a hack?

Not in the modern sense. As soon as I read the first excerpt, I immediately thought of eBay snipe bots that you then mentioned. It’s only doing what the existing customer is authorized to do. It may be in violation of their user agreement, but that’s a separate matter.

There used to be a time when telephones had slow rotary dials, and early touch tone phones didn’t have a redial button. So when it came to radio contests that asked people to call in quick, were people “hacking” simply because they had the newer phones? There are countless examples of things like this, where people get an “unfair advantage” simply because they use a different tool to get the job done. None are “hackers” in any sense of the term.

Second, should Instacart take action against this?

Yes. The idea that legal action is the way to go, though, is dumb. They can throttle their server if anyone, bot or not, is hitting it too frequently. Dropping IPs into the firewall will also stop the traffic dead. I really don’t know what else they could be taking an issue with, let alone a legal issue. If they had competent management, they’d instead seek to implement whatever valued “feature” is being made possible by the Cartdash bot (or any other automated system).

Third, does Instacart even stand a chance in the long run.

No. They have customers who have to go to external parties to get a usable system. If they have no process in place to internalize that segment of the market, they will always be at risk of losing business to a competitor who will properly respond to customer demands.

Simple answer April 27, 2020 5:57 PM

There’s a simple fix – rate limiting refreshes. After X refreshes in Y minutes, lock the account out completely for Z minutes.

David April 27, 2020 9:29 PM

There is already such a fair allocation system. The free market provides the ability to allocate scarce resources in a way which also incentivizes supply of those resources. Perhaps if the ability of a service to provide sufficient delivery windows is overwhelmed, the delivery service should cost more.

MarkH April 28, 2020 3:42 AM

@Vesselin Bontchev:

The recent comment by David perfectly exemplifies what I meant by Capitalist Ideology: the wealthy getting what they want, and the poor getting little or none, is defined as “fair”.

Et voila!

Jon April 28, 2020 7:09 AM

This has been tried. Someone made the news awhile back about noticing how ultra-fast traders were front-running his own buy and sell orders, and decided to build a stock market that didn’t do that.

The answer was batching transactions over a period of time X, and then reconciling all of them at once. There would be a ‘best match’ of buy offer price vs. sell offer, and irrelevant transactions would then be discarded.

I think ‘X’ was one second for this market, but the same idea can apply. Ebay, for example, could have aggregated bids for X = 1 minute, and at the end of the minute only the high bid is displayed – if it’s the last minute of the auction, that high bid wins.

InstaCart could do the same, say with X = 5 minutes, and every distinct cart (trashing duplicates would be a good idea) gets their ‘closest to requested’ delivery window – with options, of course, to cancel; or reschedule – five minutes later.

Dunno how successful that market was. Haven’t seen much about it in the news since. J.

Jon April 28, 2020 7:14 AM

PS – to get back OT, I think Instagram is going to lose the court case (de facto if not de jure*), and it is up to Instagram to do something about it (like the batching system above). J.

  • Meaning that it’s going to be a game of whack-a-mole even if they do win in court. Their only real claim is ‘It’s against our terms of service!’ which people, and possibly the courts as well (eventually, if not today) will roundly ignore. If someone broadly open-sources a ‘Cart-Basher’ bot, will everyone who downloads, edits, and compiles and uses it be sued separately? Worldwide?? J.

JonKnowsNothing April 28, 2020 7:28 AM

Another aspect is the quality or inventiveness of the staff/programmers and the same qualities of management/ownership.

There are not any true Free Markets (see: many economics discussions). All markets today have some “burden to entry”. Either legal requirements (incorporation and tax fees), capital outlay (farm tractors $500,000 each, computer setups, servers) and labor costs(workers), raw materials (wood, components, bricks), distribution costs (delivery, packaging).

With computer based programs the “burden for entry” is primarily “intellectual knowledge”. You pay for someone to write code and “hope” it WAI (works as intended) when it is done. The quality of code will vary, as is the capability of the programmers/staff. You may be able to afford 1 or 2 very good people at start up but the 80-20 rule will hit pretty fast. 10% will be outstanding, 10% will be duds and the rest in between. Salary is the primary burden for this. In the younger days of Silicon Valley, Start Up Shares were a counter offer in lieu of full cash salary. After a few rounds of this, the reality hit, and no one will touch “Start Up Stock Options or Start Up Stock Grants” anymore.

So with regard to computer programs, while you don’t need a big tractor, you do need a few clever folks to figure it out. It’s almost impossible to do this from boot-strap-labor (never done it) except in the rarer cases of “being able to figure it out” at an exceptional level. Interfaces are too complex.

When companies get beyond the Start Up Phase, where everyone talks to everyone, and you know where the whole project is on the critical path instantly, and they move into the next phase of growth, meetings, requirements, dress codes and inertia, it is way too hard to move anything internally. There is always someone who has a stake in the ground over any significant change.

Later on you lose all continuity as the original members depart for greener or more interesting pastures. No one remembers Why is Z There and not Over There? the entire design goes in the round file.

Still if you focus on the early “buccaneering” part of the development you can make great headway on a project and then dump it off. Pump and Dump is the motto of every Venture Capitalist.

This is the area where “innovation” and “quick cash turnaround” fuels the images of Silicon Valley. It almost never works. The rare cases where it does the cash returns are enough to make Billionaires from Millionaires.

In the case presented: The company is probably too moribund to make the change. If they Get Smart they will just buy up the other company and either shelve the code or incorporate it. A great number of companies are bought up just to shelve the code or product design.

name.withheld.for.obvious.reasons April 28, 2020 9:28 AM

@ David
Seems a bit of a stretch, especially since my thirty cases of toilet paper are about to run out…and I ran out of recipes for preparing TP appetizers.

Rational systems require rational participants. (Unless of course your IBM, gotta love the database).

c1ue April 28, 2020 10:54 AM

The people defending this as “not hacking” are over-focused on trying to define what hacking is.

A more valid way to look at it is: is the usage of this capability going to affect Instakart’s costs, Instakart’s ability to service to its overall customer base, distort the market or other ancillary effects?

The answer is unquestionably yes.

For items of scarcity, it raises costs for the typical customer because it allows profiteers to buy up the scarce inventory. Arguing that this practice is fine is the same as saying that scalpers who spam Ticketmaster are fine…they are not.

It raises Instakart’s costs as these programs spam Instakart’s web page and checkout process incessantly (which is likely how Instakart noticed this). It also very possibly damages the regular customer’s experience.

But most importantly: a hack is neither legal or illegal but an unanticipated use or outcome of a process. This is 100% unanticipated use.

The legal outcome is a function of lawyers, but the basic principle is very straightforward: We Reserve The Right To Refuse Service.
Federally, this right is only abrogated if provably the refusal was due to breaking anti-discrimination laws covering a protected class.

Clive Robinson April 28, 2020 12:45 PM

@ c1ue,

This is 100% unanticipated use.

Err bo it’s 100% predictable it was going to happen I could have told you that back in the late 1970’s as could anyone who lived throug “shortages”, “black outs” and similar.

You even actually know it your self, because you say,

For items of scarcity, it raises costs for the typical customer because it allows profiteers to buy up the scarce inventory. Arguing that this practice is fine is the same as saying that scalpers who spam Ticketmaster are fine…they are not.

The definition of “scarcity” boils down to “Demand exceeds supply”. Through more than four thousand years of documented trade history you can clearly see “traders” quite deliberately exploiting “supply to increase profit” so much so that religious texts even have things to say about such behaviours.

Also the even older “water wars” where one group of people damed up or redirected another groups access to water for what we would now call “political reasons” just the same as Vlaid Putin does with gas and other energy sources to old CCCP block nations every winter.

The simple fact is that we know that around 1/5th of the population have a certain mental attitude, it does not matter if you call them “Hawks”, “Business leaders”, “neo-liberals” or “socio/psychopaths” their attitude is they see absolutly no reason not to harm other people if it furthers their own objectives.

So the only excuse Instakart has for the problem which is 100% their own fault, is that they ignored history or thought they could ignore history…

Well I guess if they actually stop to think for five minutes instead of behaving like hawks themselves they might actually learn a usefull life leason. But something tells me from the fact they are not following one of a number of technical changes that would ease the problem, their mental model is their “problem users” are “nails” that should be “smashed down hard with a hammer”… A typical over reactive behaviour that realy is compleatly counter productive for them and will not solve the problem at any time let alone any time soon. The way to solve it is by being “proactive” and dealing with it quietly and quickly.

But I’ll be honest Instakart is actually a “parasitic service” it does not actually produce anything of value that is tangable. It panders to a “me too” market that Alexa and the like also pander to. Which is “the status of servants” to do what they do not want to do. Many such people are actually narcissistic in nature and are themselves living parasitic existences. So to be honest I think Instakart and it’s troublesome patrons are a perfect relationship,

    So, natural philosophers do observe, a flea
    Hath smaller fleas that on him prey;
    And these have smaller still to bite ’em;
    And so proceed ad infinitum.
    Thus every hawk, in his kind,
    Is bit by a hawk that comes behind.

(With apologies to Jonathan Swift).

Norma Jones April 28, 2020 10:41 PM

Ok, now look at bot services as a Instacart Shopper. I can not tell you how livid I am!! I’m a Instacart shopper and I feel robbed.

scout justice April 30, 2020 8:25 PM

look post all current bots successful in grabbing batches. offers points of contact-and, who’s the fastest. and wish us luck. bots will not go away. and you will never be able to stop them

müzso May 1, 2020 10:41 AM

Cartdash only becomes a hack if Instacart’s ToS specifically prohibits users from using automated tools during their purchasing/checkout process. But apart from equalizing the chance of a successful checkout for all of their users, what else does Instacart gain from this? What does Instacart gain from ensuring that all users have equal chance for a successful checkout? Of course there’s the ethical side, but how many financially successful companies are really bothered by that?

If there was a legal requirement for them to do something like this, I’d completely understand the lawsuit.

On the other hand, I’d say that there should be some law/regulation that requires companies with publicly available services (with a fixed price) to ensure that no individual characteristics (ethnicity/race, technical savviness, etc.) of their customers affect their chances to use/buy those services.

Clive Robinson May 1, 2020 6:43 PM

@ müzso,

But apart from equalizing the chance of a successful checkout for all of their users, what else does Instacart gain from this?

You first have to realise that Instacart’s business model is a “parasitic one” aimed at people who think they have “to much status to shop”.

Instacart has not just a “fee” it also has “goods markups” of upto 20%.

This model only works for two primary reasons,

1, Shoppers think things are fair.

2, Because this makes the premium worth paying.

The minute shoppers realise it’s not fair and they are being penalized by othets with bots, they will do one of three things,

1, Get their own bot.
2, Leave the service.
3, Try and work the system another way.

None of which is good for Instacart because eventually many will leave, thus their revenue will drop, and the shared cost will mean increased costs passed onto those who have not jumped ship.

But there is another problem with the bots, it’s the significant diference in costs of a backend system designed for “average load” and “peak load”. The bots force “peak load” costs onto Instercart and all sorts of other issues such that things are more likely to break catastrophicaly when operating at “peak load” because “cascade failures” happen way faster and more frequently.

c1ue May 3, 2020 10:56 AM

@Clive Robinson

What I wrote was that the autocart shopping capability introduces multiple issues.
Scarcity is not exactly one of them. You see scalpers taking inventory for resale purposes as scarcity – which is true in a very narrow sense, but the real problem is that Instakart (or any other service/good provider) is prevented from providing services/products directly to its customers by users of the autocart software.
This is a parasitism problem.

Secondly, the use of autocart software likely increases cost to Instakart – which you did not address.

Thus damming of rivers or whatever is not relevant. Control over a scarce good is a monopoly tactic; Instakart isn’t the monopolist here, nor are the scalpers monopolists.

If this was government, the scalpers would be corrupt bureaucrats: they are obstructing the normal function of government in favor of being bribed.

Lastly, as to the value of Instakart’s service: again, I disagree.

Under your definition – any service is a parasite because it produces nothing tangible. Government would be a parasite; the post office is a parasite; the list goes on and on.

I actually agree that the large purveyors of “personal shopper” services are primarily negative to overall social interest because the large ones today exist primarily as a means to disintermediate labor (the actual workers) from organizing, branding, pricing, etc – however – this is a function of (lack of) government regulation.

It isn’t a coincidence that all of the gig labor companies are fighting reclassification of their work forces as employees. Gig workers are clearly employees under any existing standard definition: the workers are fully supervised as to what, when, how and how much pay in the terms of their work.

Nonetheless, there is actual value with Instakart providing routing, payment, customer/provider discovery, much as a dispatch service for in-home-senior care provides the same type of service.

Ben June 20, 2020 1:33 PM

It maybe instacart’s goal is so their customers know that they are doing everything they can to keep thing fair. Most animal know them being litigious is often about signaling.

Adam June 24, 2020 12:24 PM

I think about how this would affect the people actually shopping for the customers. If you are not using this service you are just getting the leftover jobs that aren’t picked up by the shoppers using this service.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.