UPDATE: The Traceabiliity system will be offline until January 2nd!!! Failure: “all critical tasks will not be complete by the end of our contract with the current vendor on Oct. 31, 2017” The Washington State Cannabis tracking software (Seed-to-Sale) will be degraded starting Oct 25th, and then completely offline Oct 29th. MJ Freeway will perhaps have their system online Oct 31st – even if that system is missing features/requirements that currently exist.

It was announced today that MJ Freeway, with about 10 days until go-live is not ready. The LCB has offered what they refer to as a “generous” offer to BioTrackTHC who has declined to extend their services. So, now we have a scenario where the current system becomes reduced in functionality starting on the 25th of Croptober, and is offline from October 29th, until the morning of Oct 31st. A disaster, we could all see coming months ago despite MJ Freeway claiming that all would be well.

Categories: API, Technology, Traceability

Here is a pretty serious bug in the Washington State Traceabilty system that is powered by BioTrackTHC. In the object descriptors provided by the BioTrack API there is a field called ‘sessiontime’. This value is populated with the time the object was last modified, generally. On the QA results API calls however this field is populated with the time the API call is made. So, each call to lookup the QA results reports a different timestamp.

Categories: API

There is a huge bug in the BioTrackTHC API in Washington (and NM, HI, IL). We’ve raised this issue with both the WSLCB and with BioTrack and yet BioTrackTHC refuses to address the issue at all. Even worse, if you are affected by the bug BioTrackTHC refuses to help. Reproduction: From the BioTrack API it’s possible to adjust user permissions, with a fairly granular set of permissions including: user_add and user_modify permissions.

Categories: API

Today BioTrackTHC+WSLCB released another update to the API; again with zero advance notice for third party integrators. At the end of Friday an announcement was provided which details the changes. This leaves integrators (such as WeedTraQR) in the lurch. Now, we have to work through the weekend to integrate these critical updates. On multiple occasions WeedTraQR has communicated to both BioTrackTHC and the WSLCB how to deploy updates to an API.

Categories: API, Traceability, Transparency

The authentication system for this API is a fucking joke. Rather than use established standards like oAuth or hash-tokens they require that users of the API use the SAME CREDENTIALS that are used to sign-in to their system. This is a KNOWN ANTI-PATTERN in the technical world for many reasons. It’s problematic because it requires integrators to keep this password on file. If there were any security issues in the integrator platform it could expose this BioTrack credentials.

Categories: API, Traceability

BioTrackTHC abruptly changed their API On Saturday, May 28th with zero notice to any of the third party integrators in Washington State. The change this time created a new value for the LocationType field of the Vendor objects. The new value is ‘9’. BioTrackTHC also (silently) published an updated API document (https://biotrackthc.com/sites/default/files/state-docs/JSON-21.pdf). This new documentation introduces functionality for manifests to be transported by third parties. However, no mention is made about LocationType 9.

Categories: API, Technology, Traceability

Once again BioTrackTHC has modified their API with zero notice to the third party integrator. The API in question this time is inventory_manifest_lookup. This API takes only one parameter, a six digit license ID. Prior to May 14th, if one was to query this API using an in-active license ID it would respond with the message: { "error": "No inbound transfers or pending manifests found.", "errorcode": "602", "success": 0 } Then, the API changed on May 14th without notice.

Categories: API, Traceability

There appears to be a bit of a discrepancy with how the BioTrackTHC system handles the QA results. Sometimes it shows the results are there and keeps the association with the parent ID. In other cases that relationship seems to be lost and one must know a sub-lot of a sub-lot ID to find the results. Oh, and in that specific case one API call shows no results and another API call does provide QA results.

Categories: API, Traceability

For integrators in Washington (and other States) BioTrackTHC maintains the list of the vendors authorized in the system and their license numbers. This list is visible from the sync_vendor API call. However, a critical piece of data is kept out of this data-set – which licenses are active. What this means for an integrator is that is not possible with the data provided by the system to determine which license can and should be used.

Categories: API, Traceability

Recently BioTrackTHC introduced some breaking changes in the data-set returned by the sync_vendor API call. These are breaking changes and the data-set now does not match with the documentation – at all. Here is what one of these broken records looks like { "address1": "1445 INDUSTRIAL WAY", "address2": "STE 19A", "city": "LONGVIEW", "location": "412233", "locationtype": null, "name": "MAMA J'S", "processor": null, "producer": null, "retail": null, "state": "WA", "transactionid": "31019131", "transactionid_original": "

Categories: API, Technology, Traceability

The BioTrackTHC system in Washington State mis-handles the room data. Once it’s broken it is not possible to resolve this issue via the API, nor via the Web-UI. Let’s take a look at the data. { "success": 1, "inventory_room": [ { "transactionid": "14835464", "name": "Quarantine", "quarantine": 1, "deleted": 0, "location": "416689", "roomid": "1", "transactionid_original": "14835464" }, { "name": "Quarantine", "quarantine": 1, "transactionid": "28505882", "transactionid_original": "28505882", "roomid": null, "location": "416689", "deleted": 0 } ] } The issue that we have has been highlighted.

Categories: API, Traceability

Here is documentation about yet another data error we’ve found in the Washington State Marijuana Traceability system that is operated by BioTrackTHC A client, who shall remain nameless, brought to our attention that a specific product name was being displayed for 100s of items in their WeedTraQR system but not in their BioTrackTHC Commercial version, nor was this product name showing in the BioTrackTHC Free version. We inspected the data we get from the BioTrackTHC API and found this product name was included, and therefore displayed in WeedTraQR.

Categories: API, Traceability, Transparency

In Washington all marijuana producers and processors are required to report details about their business to the State. Some of this data includes weights. Washington State has, effectively, zero control or accuracy with the weights recorded in this system. The inconsistencies in the operation of this software points to an even larger problem: A core function of tracking this inventory, the weight, is not handled consistently or correctly.  

Categories: API, Compliance, Traceability

For the API that Washington State had BioTrackTHC build they have not provided any documentation on the error codes provided by this API. Most API Providers (read: all others) provide some type of documentation on what kind of error codes could be emitted by their software. For over six months the existing documentation has shown: This document does not currently have a detailed list of error codes. That will be forthcoming in the final draft for ease of debugging effort

Categories: API, Technology, Traceability

This post is targeted to all you technical folks out there who ever tried to use the BioTrackTHC APIs in Washington State. As you’ve likely noticed this API is a poor implementation. Here are some details of what makes it so crappy. Not a REST style May moons ago (c2000) internet software engineers came up with a methodology called REST. It’s an elegant, best-practices way to design computer-to-computer interfaces (APIs).

Categories: API, Traceability

Viridian Sciences caught a little heck last week for their post claiming that the WSLCB site (previously) at http://www.mjtraceability.com/ was being used over a non-encrypted connection. In fact, the LCB has flatly denied this. We don’t have any recordings of our findings but, reviewing browser history going back over a few months we could see that the following was true. http://www.mjtraceability.com/ was begin served over a non-encrypted connection (until at least Jan 12, 2015).

Categories: API, Transparency

This POST has been Retracted

Categories: API, Traceability

In WA, our State & Liquor Control Board (LCB) have created an awesome advancement in the system of Public <-> Government data interaction. The Traceability API. This is a massive improvement over existing methods that business have with communicating with their respective governments. The intent of any API is to provide fair and equal data access to any/all organizations with the desire and technical skill for integration. In WA, this Traceability API has been given a single vendor who is responsible for the State Internal System, Traceability API, Public Fair Access System, Commercial Solution.

Categories: API, Traceability

In Washington the Liquor Control Board (LCB) has taken control of the budding Marijuana business. Our Producers, Processors and Retailers – all of them must provide a crazy amount of operational details to the State for compliance reporting. This compliance system also has some APIs exposed which provide a good example of why the State shouldn’t be building these systems. The core problem is there is only one vendor, BioTrackTHC. They constructed this API, provide the documentation and any technical support for this API.

Categories: API, Compliance, Traceability