The new Obamacare website, Healthcare.gov, officially opened on October 1, when it was immediately greeted by an onslaught on visitors that rendered the site unusable. Liberals trumpeted the millions of visitors as proof of Obamacare’s success (nevermind how many actually signed up or picked plans, as that was probably in the single digits). They attributed the early hiccups to the standard effects of really high traffic that would eventually be resolved.
Only the government would decide to handle heavy traffic levels with a virtual waiting line! Though to be fair, an automatic queueing system is actually a fairly complex and impressive functionality for a website, and though I encountered it every time I visited it usually seemed to update to a log-in screen after a few minutes. But again, heavy traffic is the least of their problems.
I finally got to the sign-up page to create an account. On Step 2 I read the following:
Choose a username that is 6-74 characters long and must contain a lowercase or capital letter, a number, or one of these symbols _.@/-
It said to pick a username that used letters, numbers, or a handful of special characters. It did not say it required multiple combinations of those character types. So I typed in my alphanumeric name and promptly received an error:
OK, so maybe I need one of those special characters anyway. I added an underscore to the end of my name and the error went away. I finished the signup process, and… I received a generic error message that my account creation failed. I attributed the error to heavy traffic and tried again later, receiving the same error.
Later, I decided to try Internet Explorer instead of Firefox and also happened to try a different username, putting a period in the middle. This time, the account was created! I got a “Marketplace account created” email and clicked on the confirmation link. Later I saw that the “Trouble logging in?” page conveniently listed an additional username requirement:
So that’s why my first login attempts were failing! Not only does this page list a different character limit (minimum of 5 instead of 6) and specify that it can’t all be special characters, it also says that it can’t end in a special character (even PCI isn’t that picky). Remember, the sign-up validation let me through with one on the end even though it wouldn’t let me through without one at all!
The Password Reset
I tried to log in, and was told: “The information you entered isn’t valid. Review this information. If you’re having trouble, call the Marketplace Call Center…”
My login failure continued after several tries. OK, I thought, maybe I mistyped my password twice when I signed up, or maybe it’s still not connecting to the database due to high load. I headed to the “Forgot your password?” page to see if I could reset my password or at least confirm if my account had actually been created.
The page asked for my username and sent an email to my email address. This meant my account must actually exist in the database, since they were able to derive my email from my username! “Please click the link below to reset your password.” I clicked the link, and….
What?? Couldn’t find a profile? With the information I provided? You mean with the information you provided me from your own Marketplace?? I tried again three separate times over the next few days, at different times of day and from different browsers and operating systems. Each time I got an email, and each time the link in the email sent me to the error above. I even tried replacing the period in the username in the URL with its URI encoded value in case they weren’t escaping strings properly.
If heavy load was preventing connections to the database, how did it get the email from my username every time? But if it was connecting to the database fine, how did their self-generated Forgot Password link fail to match a profile every time? There must either be a bug in the link to the Forgot Password page or on the page itself.
I tried the Live Chat option and got a helpful person after ten or fifteen minutes and explained my Forgot-Password-loop twice, but they basically just told me they were experiencing high traffic and to try again later, perhaps late at night or early in the morning.
The more I thought about these basic inconsistencies and bugs hampering every step of my progress, the more uneasy I became. These kinds of bugs reminded me of the kind of code I often find myself writing, especially when I haven’t taken the time to thoroughly debug, test for edge cases, or refactor things in a DRY manner.
And you know what else I tend to find in my code that has these kinds of bugs? Security holes. Lots of them. And when we hear about large systems getting broken into almost every other day, I shudder to think about what kinds of SQL injections or table name exposures are waiting to be discovered in code that seems to be this, well, sloppy. (It almost makes wonder if they’re even *gasp* hashing their passwords!) I feel bad for the poor souls forced to scrape this system together under who-knows-what constraints, but do I really want to trust my personal medical information to a treasure chest this big with such uncertain locks?
Sure, I’ve been biased against Obamacare from the start, and I’m half-surprised we’ve even made it this far. But I can’t say my interaction with it so far has done much to change my opinion – an interaction I’m only even mildly interested in because Mr. “If you like your insurance, you can keep it” Obama has already been wrong about both my and my wife’s previously offered plans.
I will admit I think the employer-insurance link is severely flawed (though arguably blamable on the government in the first place), and I even think increasing information and competition about plans can be a legitimate government function to improve market efficiency (i.e. the one part of Obamacare I actually almost sorta had a reason to hope for some kind of positive results).
Maybe the site will get better at handling the traffic levels. Maybe the little bugs will get fixed. Maybe the database connections don’t have any glaring holes. Maybe I did something stupidly wrong in my attempts above because I subconsciously didn’t want it work anyway and everybody else is having a better time. But if my experience thus far is any indication, we have not yet begun to debug.