Around the world, national governments are moving away from sending physical post to its citizens, to sending it by email. We’re increasingly on the move a lot, staying in different cities, countries and continents. Asking our parents and friends to open up our snail mail and send us a pic over WhatsApp is getting tiring and prone to mistakes. So all in, this is a great development. It’s just that, in typical government fashion, the implementation has left a lot to be desired for the citizen’s user experience.
I’m a Dutch citizen (that’s the Netherlands). So I’ll tell you the process. It’s the same in most countries though. For your convenience, I’ve translated the screenshots into English where possible.
The process of reading a message from the government
1) I open my Gmail inbox.
2) I get a message by email from the government.
3) Like any normal person would expect, I open the email to see the message I get from the government.
To my shock, it’s not the message, but just a notification that there’s a message. Somewhere. Okay it says, it’s in my MessageBox.
The problem starts.
Governments thought it was a good idea to build their own internal citizen email system instead of using the email system the world already uses. Bad idea.
So let’s find that MessageBox. First of all, there’s no link to the MessageBox. The email states that’s because it’d be prone to phishing. I seriously doubt this strategy helps. What happens now is people will Google “MessageBox” and I could just buy a fake Google ad that sticks on top and register MessageBox.nu (instead of .NL for Netherlands), copy the layout and get people’s usernames and passwords:
This is a fake mockup, don’t worry, but I could…
There’s of course a gazillion other ways to trick people to enter their username and password. So sending these cryptic notifications by email just feels a lot like security by obscurity.
4) So, I was able to find that MessageBox
Let’s login. For some reason, on the login screen itself, I can choose if I want to authorize with just a username and password or also do a 2-factor authentication by SMS. This is mind boggling.
The point of 2-factor authentication is to limit random people from signing in by having a second authorization (SMS). If I can CHOOSE if I want to use it ON the login screen. How does that help?
This is like putting a lock on my front door that the burglar can optionally enable or not. What oh what do you think the burglar would do?
GOVERNMENT Y U NOT THINK PROPERLY?
5) I logged in with just my username and password
Now I can see my MessageBox:
To be fair, it looks pretty clean and well designed. Good jab UXers!
6) Let’s open the message.
I have no idea WHICH message I got, because the email never specified that. But I’ll just be a good citizen and click the latest message at the top.
Now I see the message. No wait, it’s still not the message. It’s a message that tells me there’s a message in the PDF attachment.
So wait let’s get this right.
I just got a message by email, that told me I had a message waiting for me, and inside that message it tells me the message is actually in the file attached to the message.
7) Opening the attachment
8) Instead of opening it up, it downloads to my browser’s Downloads folder
They could have easily fixed this by adding a download attribute to the link. Saving us another few clicks.
9) Opening up my Downloads folder and find the file
10) Opening the actual file
There it is! Great, it’s a PDF print of a physical piece of paper that hardly fits on my screen. But okay, let’s read it. I got it, thanks government.
Let’s compare to how it was before
It took me 10 clicks to read ONE message sent to me from my government.
Previously, this letter would be in my physical inbox with all my other post. I could just open it up and there it was. It’d take me seconds. It took about 10x less time than this. So going digital hasn’t been an improvement for the government here, it’s become worse.
The intention is good, but the experience fucking sucks.
It’s like, a government employee comes to my door at random times, and tells me I have a letter at the post office. Now I have to get my car, drive to the post office, prove it’s me, then I get the letter and I have to drive back. And I have to do this ten times per month. It’s ridiculous.
Why?
I asked them directly why it’s so convoluted. And why I can’t just get the PDF messages straight into my inbox without all this tedious clicking?
@levelsio This is on purpose due to security considerations. ^BG
— MyGovernment webcare (@MOwebcare) January 20, 2016
Okay, so it’s security. I see their point.
Because what if my email leaks a message from the tax authority about my income? But wait it doesn’t. There’s a gazillion web services where I simply click Forget Password and they’ll send me a password reset link. Which means I can access that web service if I have access to my email. So anyone with access to my email could open that. And my email is protected itself with Google’s 2-factor authentication.
So again, this seems again like security by obscurity.
If my email is hacked, they’ll surely find the password I used for my government login page in there. So they’ll be able to login ANYWAY and get all my government messages.
So in any case, governments should let users choose if they prefer a faster user experience with less security (and get messages directly in their inbox), or a slower user experience with more security (and read messages on government’s own convoluted message portals).
@levelsio We’re restricted by security rules. Luckily, you don’t have to login that much because of the notifications you get by email. ^BG
— MyGovernment webcare (@MOwebcare) January 20, 2016
But wait, that’s bullshit. I get these messages every few days:
I get 10 notifications per month. That means I have to click 100 times per month to read my government’s messages. And I don’t even have a lot of dealings with my government. Imagine other people.
They’re advertising heavily in The Netherlands to get every citizen to stop receiving physical mail and switch over to this system:
It says “Farewell, blue envelope”. The government tax authority traditionally sends letters in a blue envelope. So we’ll say goodbye to that by using the new digital message system.
The problem here is that with a convoluted user experience like this people will simply start ignoring their government messages. People don’t have the time to keep track of this stuff. And they’ll miss important emails. And how about all the people that are not as good with computers as tech kids like us? They’re fucked. Good job, government.
Why is this important? Because government systems are the biggest systems people use in their life. They cater to EVERYONE in a country. In this case it’s 17 million people for the Netherlands. That’s a lot of people that are forced to use a shitty system. So it’s important to speak out.
And it’s not just The Netherlands, the same thing happens in a lot of other countries like UK and Singapore.
You’re getting tired. I know. Same here.
So I fixed it myself!
So today, I built a robot that checks for notifications, logs into the government system, downloads the new messages, emails them to me DIRECTLY with the PDF as an attachment.
Here’s the message it sends to me. How it should be. It shouldn’t take 10 clicks. It should take 1 click.
Maybe I’ll open source it and maybe I’ll even make it a little mini service. And maybe that’ll force the government to come up with a better user experience, because hey, you don’t want one kid to have thousands of your citizens login details stored, right? I thought so:
@levelsio @ellesdewaard @MOwebcare Let’s make an app where people have to give their government login ceredntials. Then there’ll be an official app in no time.
— Marc Köhlbrugge (@marckohlbrugge) January 25, 2016
Update
I received some feedback after posting this article on Hacker News:
@levelsio @MOwebcare so short-sighted… thankfully your government is doing it right. sensitive data should not delivered to a gmail inbox
— Victor Figol (@victorfigol) January 27, 2016
Some people have understandable security worries with sending stuff directly over email. So to solve that, you could even let the government send encrypted emails that are decrypted with a government-made browser extension. That’d save a lot of time too and be secure.
@levelsio Auto uploading of documents to Dropbox would be more secure for instance.
— Casper Bakker (@casperbakker) January 27, 2016
There’s other ways too, @casperbakker suggests connecting Dropbox to your government account, so that it auto saves new messages with their PDF attachment in your Dropbox folder on your computer. Dropbox is secure, and your government will only have access to one folder on there.
There’s a few other people who wrote about this in Dutch.
I’d love to hear other solutions that make it easier but are still secure.
P.S. I'm on Twitter too if you'd like to follow more of my stories. And I wrote a book called MAKE about building startups without funding. See a list of my stories or contact me. To get an alert when I write a new blog post, you can subscribe below: