Government of Canada and ePass: We Paid for This?

Posted on April 6, 2006

ePass Canada

It’s tax time up here in the Great White North and for the first time ever I decided to try and get my taxes done on time rather than cram them in at the very last minute (due in no small part to 2005 likely being an easy year to figure out). To make dealing with the Government of Canada easier the GofC at some point paid someone to build an online digital identity management system which they call ePass Canada:

Having now spent the better part of the past hour breaking this system in a myriad number of ways I’m pretty confident in saying: ePass Canada is garbage.

The first warning sign that something wasn’t right with the site was the system requirements. ePass Canada requires a Java Virtual Machine which can only mean one thing: Java applets. Crap, not a good way to start off:

JVM required

Also troubling was the site telling me that my browser, Safari 2.0.3, wasn’t supported. Not to worry though because it helpfully suggests that perhaps I’d like to try Safari 2.0 instead:

Unsupported browsers

I find it troubling when a system that restricts access based on browser and OS isn’t smart enough to recognize point increases in browser versions. It usually means that somewhere in there, someone has hard-coded some values that may never, ever get changed again. Double crap.

The next indicator that this experience was going to hurt was the login warning expressly forbidding the use of such esoteric web browsing technologies as the Back button, the Next button and the Refresh button:

No buttons

That means that not only does this site use Java applets, the site itself is probably contained entirely within a single Java applet which would, as they note, not work with those basic browser buttons. Kudos, G of C, a crap trifecta.

You may have also noted this phrase: “Due to the secure nature of our system” in that image. As a general rule of thumb if a web system has to tell you that you can’t do something because of how “secure” it is, that line was probably fed to them by the vendor who built the system as the reason said vendor couldn’t implement a commonly-requested feature that really ought to be there in the first place. Where I come from in Developer Land this is known as “the excuse”.

Nonetheless, undeterred I continued onward, determined to see past tax returns online in all their glory. I got to the login screen and for fun looked at the source code (I was curious to see if the Java-ness had started yet. I love sites that use Java applets for their login forms, I really do). No Java here just:

<frameset rows="0,*" border="0" framebor
   <frame name="entrustTruePassAppletFra
   <frame name="entrustTruePassGuiFrame"
</frameset>

(Long lines of frame definitions truncated for brevity). Frames. The site is built in frames. What is this, 1999? Frames can only mean one thing: the site will have a single frame containing the Java applet which will handle content display and one or more navigational frames of HTML communicating back to the mother-frame. No wonder none of the browser buttons will work; no wonder you can’t refresh a screen. People really still build web apps like this? I had no idea.

I believe we’re up to a quad-craplet.

I log in and…

Several minutes

Several minutes? Really? That helpful info appears right in the middle of the screen while the Java applet that is the core of the site loads. There’s no progress indicator to tell how many minutes, to indicate whether or not the applet has hung, or even a reasonable estimate of real time, just a spinning blue widget and “several minutes”.

And then bam! Dead end. Defeated in my tracks by the ol’ venerable cookie monster:

Cookies not enabled

Cookies not enabled - curses! Damn me and my cookielessness, how could I have been so… hey, wait a minute, my own sites use cookies to store information about me. I must have cookies enabled but then that would mean… No, surely ePass, handling the sensitive data of millions of Canadians, securely ensconced behind its chewy Java-flavoured no-Refresh-button goodness, couldn’t get something so basic as checking for cookies wrong… could it?

I checked and checked again:

Cookies are on

They’re on. Lo, the cookies are on. And they’re pretty liberal about who they’ll accept cookies from. So how could this be? How could it be that ePass cannot write its cookies to mine own private cookie jar?

Well, actually, it can. And it has, eleven times so far:

ePass cookies

All eleven of those cookies were created by the ePass Canada system in the process of my accessing and then logging into it, including the two that I’m guessing are the cookies it uses to check whether or not cookies are enabled: TruePassSessionTestCookie.

Quite frankly I have a very hard time trusting in any system that gets something as fundamentally basic to a web application as checking for cookies wrong.

I was stone-walled. No access, dead end. Until it occurred to me that maybe the problem wasn’t the lack of cookies but rather too many cookies. Perhaps ePass was full and like a baby who’s eaten too many yummy cookies, it was now puking back up into my browser window. I deleted all the ePass cookies, went back to the login screen and tried again.

Success - I logged into ePass. Yay for black magic and digital voodoo. The intro screen to ePass is pretty basic, lots of text, nothing very helpful except a scary message about identity theft, and this button:

Return button

I don’t really know what that sentence means, since I’m not sure which department they’re talking about or what an “epass Enabled Service” is that it’ll go to, but I like buttons and going somewhere other than the place with the scary identity theft message seemed like a good idea, so I clicked the button.

You know where that button goes to? It goes to the screen with that button on it. Ta-da. Clicking that button takes you to the screen that asks you to click that button. Oh Government of Canada you do have your sense of humour, but I’ve seen this one before (ping!).

Then I noticed over on the left side of the screen a graphic labelled “epass Enabled Services”. I clicked it. It took me to a screen called “epass Enabled Services” which I can only assume is the screen the Continue button above, with the text telling me to click it to go to the “epass Enabled Service”, would have gone to had it gone anywhere at all.

This was progress.

Low down in the page was the link for “CRA’s My Account for Individuals”, presumably the Canada Revenue Agency. They’d know where my tax returns are, they’ll be able to show them to me. I clicked their link.

And ePass Canada asked me to log in again:

Login again

This was the super-secure system? This was the sandboxed Java applet? I just did that mere moments ago, cookies have been set (now up to 27 unique ones at this point; I’d show you but the image is really long), presumably a session has been enabled… ok, for you ePass I can log in again. For you I’ll click “Log into My Account”.

Or not:

ePass busted

Busted. I done broke ePass but good. Too bad they’re missing reason #5 from their list of stupid things a clueless user might have done to break their carefully-crafted site: · clicked a link.

Btw, guess where clicking the Continue button on that error screen takes you? Yep, to the error screen with the Continue button on it of course (ping!).

I even checked the source code of the page to determine whether or not the Continue buttons are actually hooked up to anything (as any web developer knows, if you put a form into a web page and don’t set its action property, the form submits to the page it’s on, which looks suspiciously like what the G of C’s Continue button does). The button’s hooked up:

onclick="submitTrigger('bookmarkHandler','continue','frmGotoLCFe');"

to a JavaScript function that apparently handles all the form submissions for the site. It just doesn’t happen to work.

And that was it, mired in the muck, unable to move, can’t go forward, can’t go back. Maybe I really am at fault here for using Safari 2.0.3. It’s not like it’s a well-known, standards-compliant browser used by very many people world-wide (for laughs try using Firefox with this system, I dare you).

I have three serious questions about this system:

1. How much did it cost to build?
2. Who built it?
3. Has it been independently audited for quality and security?

My guesses to the answers:

1. Either a) enough to call it a ‘fleecing’ or b) Dewey in Accounting’s cousin’s nephew
2. These folks
3. What’s an audit?

Comments

22 Responses to “Government of Canada and ePass: We Paid for This?”

  1. Alex on May 24th, 2006 10:47 pm

    No kidding - what a piece of crap. Right on par with the Govt of BC’s multi-million dollar portal that does so little it makes my wallet hurt.

  2. WhoMe on December 13th, 2006 3:59 pm

    Shucks. Quit complaining. It only cost $1B so far. What do you expect? Perfection? And that Billion does not account for the millions sucker departments like Service Canada, Stats and Rev Can paid their staff to hack together solutions that use it.

  3. kat on January 12th, 2007 11:11 am

    Hahaha…oh wow. I really enjoyed reading this! What a clusterfuck.

  4. dw on January 24th, 2007 1:37 am

    do you know anything about security… whiner

  5. dw on January 24th, 2007 1:38 am

    if you can’t even figure out who built it you must be a simpleton.. oh yeah u use a mac …

  6. Keebler on January 24th, 2007 2:02 pm

    I know about security, and I’ve outlined the flaws in your system on my blog

  7. Chris on January 24th, 2007 4:29 pm

    To dw: well spoken good sir, well spoken. You wouldn’t happen to work in Ottawa for the government would you (as your IP address suggests)?

    As for security, indeed I do. Allow me to suggest to you that while a system that does not work may indeed be technically secure, perhaps there is a higher objective that ought to be addressed as well?

  8. Chris on January 24th, 2007 4:32 pm

    As for who built it, I’m well aware of who built it which simply adds further distress:

    The Government of Canada built the Secure Channel in partnership with a consortium of leading Canadian information management/information technology companies led by Bell, with CGI, IBM, Entrust, Cisco, Microsoft, and Canada Post as subcontractors. The total cost was $476M.

    That’s a half-billion dollar system that is marginally functional. Profitable for many, I’m sure however.

  9. Jason on January 26th, 2007 1:37 pm

    Their first mistake was going with Java.

    And to be all Web 2.0-ey, they should have called it iPassr.

    Nicely posted, Chris.

  10. Jerome on June 10th, 2008 12:40 pm

    Epass is a total nightmare. I’ve had to use it a couple times, as I am currently on EI. I use Firefox 3 beta5 and found that I was able to get through it after a couple attempts. I hear ya tho, it’s cumbersome, confusing and generally quite annoying. Hey! Just like the government of Canada!

  11. Paul on July 4th, 2008 7:38 pm

    Ugh, what a piece of junk. It is faster and easier to put your EI Report Cards in the old-fashioned way — by snailmail.

    Funny thing, they moved the EI Online Reporting system into the Service Canada domain so you have to login to ePass and your My Service Canada account first in order to click on the EI Online Report link which logs you out of the My Service Canada account and takes you to EI. If you want to go back to your My Service Canada account you must login again.

    It should be called My Poor Service Canada.

  12. Chris on July 4th, 2008 11:21 pm

    It saddens me that over two years later people are still having these problems with ePass but at least you have this site to let you know you’re not alone!

  13. sc on July 12th, 2008 8:42 am

    Yes…painful….especially as I only have dial up.

    And forget trying to log on at a friend’s high-speed connection…do you really want to download all those sh**y requirements onto their computer? Nah.

    The old snail mail cards were just as fast. What did we gain?

  14. Don on August 4th, 2008 5:02 pm

    I don’t understand what you’re complaining about. Don’t you love paying taxes and then get this as a reward. Not sure I want to get a passport anyway. Not sure I want to cross the line to the red, white, and blue. It seems to me that the government and agents of that country are paranoid enough now to be considered psychotic or at least scary. Pity my good friends down there. So maybe save myself $200 on not getting one of these documents.

    All the best to my fellow paranoids.

  15. D in YVR on August 20th, 2008 11:30 am

    Well… just tried the epass registration and login process… for the last 30 minutes. The other posters are correct! This system is a bojanged piece of development circa 1999. Five different screens before you even start registration. Countless other screens to collect registration. And, yes, error messages about trying to access the page from a ‘bookmark’ — huh? I never clicked a bookmark, but rather clicked on their own link on their own finely crafted web page. Not good. not good.

  16. ePass_Ares on August 20th, 2008 3:33 pm

    I’ve used the system seamlessly with Firefox and IE through Passport Canada and Services Canada.

    How should the system have been developed? What technology? On what type of infrastructure? Smart cards, epf’s? Would 2.5 million Canadians like hauling around their identity everywhere with them instead of the Roaming abilities ePass provides?

  17. Dave on September 18th, 2008 2:12 pm

    I’ve used epass a few times now (passport mid 2007/services canada early 2008) and never had a problem.

    What I like best about this article is that they say right up front “We haven’t tested your browser version” …. so what does this guy do? You guessed it - keeps on trucking. Now when I do something stupid like that I generally don’t blame the people that warned me not to do it (well ok, sometimes I do). I’m not suggesting that government can’t move faster, we know it crawls. With so many ways to bash the Feds why waste time on this?

  18. MrHappy on September 18th, 2008 10:23 pm

    Thanks for the comment Dave, smart-ass though it may be. No worries, I’m a smart-ass too. However I’m guessing you’re not a web developer or you’d understand software versioning and the relevance of an x.x.# release. However if you’re advocating that government-funded software should indeed work *worse* as the software it runs on gets *better* and that in fact that’s to be expected (“stupid users, thinking better versions of their software should actually work better”) well, now we have an interesting conversation on our hands.

    I’m guessing you probably work in government, no? Your kind of thinking seems vaguely familiar….

  19. ePass_Ares on October 3rd, 2008 1:16 pm

    MrHappy - What point are you trying to make? Government funded software - running on software - should work better? What does this mean?

    The government goes above and beyond to state what ePass is and isn’t, the technology the service runs and what browsers and JVM version is supported. If “stupid” users are too stupid to read the simple Terms and Conditions the government presents them - the user should have their internet privileges revoked and they should go to a Passport office, wait with everyone else that day for over an hour and wait another 4 weeks for delivery - or they could use ePass to get to one of the many Federal Agencies that allow for expedited service delivery.

    Developers probably prefer the latter method because it gets them away from a keyboard and allows them to interact with humans for an hour once or twice a year.

  20. MrHappy on October 5th, 2008 9:07 am

    My point is that software designed for a country of users, paid for by those users should probably work for those users.

    To make bad software that makes use of poor technology choices, then plaster it with disclaimers is not to do a good job. It simply foists the responsibility of making the software work onto the shoulders of the users instead of the original developers. And I am very much in the camp that believes it is the responsibility of the software developers to make their software work well.

    You state “or they could use ePass to get to one of the many Federal Agencies that allow for expedited service delivery” but it’s quite clear that for many Canadians they can in fact not use this software because it is (at least at the time of the writing of this original blog post) absolutely mediocre at best, and laughable at worst.

    It is also a cop-out for the developers (or even other users) to say “well, it works for me!” and expect that to be an acceptable answer. In professional software that benchmark generally isn’t considered a valid project requirement. Particularly in this case with software that in fact did state it should “work for me” and then proceeded to fail (at the time, in 2006) with spectacular results.

  21. ePass_Ares on October 7th, 2008 1:28 pm

    MrHappy - I suggest you use the system today. I’m not going to have a discussion based on your experience from 2006. We could spend a whole lifetime talking about products that were less than adequate in early stages until organizations were able to identify defects or short-comings and improve their product. As well, the software is not “in-house” developed - it’s based on the Entrust suite of products. Entrust is a world leader in security technology. So while you are “laughing” at their product, Fortune 500’s worldwide continue to build corporate networks with the product with astounding success as do e-governments who are more than happy to hitch a ride on the robust system that Entrust provides.

    You can’t please everyone all the time, not when you are dealing with millions of citizens, many who refuse to acknowledge what decade we are in and continue to use dial-up connections or antiquated home computers. A fine line exists between building a system for those who want speed and ease of use and maintaining a relic that allows people still operating on Commodore 64’s to use the GoC services.

  22. Chris on November 4th, 2008 10:54 am

    Maybe the British government has a “Gently used” program we could buy off them.
