So as most of you know, the health insurance exchanges for the ACA (Affordable Care Act) went live on October 1st, 2013. Well, at least in theory they did. When it comes to the exchanges, states had two choices: either implement their own exchange so that residents of that state could buy health insurance, or let the federal government do it for them. At the end of the day, only 16 states decided to implement their own exchanges. At this point I think it is safe to say that they were the smart ones.

Ten days after the exchanges opened, all accounts seem to indicate that the state-specific exchanges are up and running whereas the federal exchange is a total disaster. Sure, it’s more responsive now than it was ten days ago and it is no longer dumping me in a queue before I’m allowed to log in. However, it just doesn’t work. Let me be specific here, because as a developer I hate it when a user reports an issue to me by simply saying, “It didn’t work”. That doesn’t mean anything in and of itself, as it only indicates that the actual result deviated from your expectation of what the result should have been. Without knowing what your expectations were to begin with and what the actual result was, such a concern cannot be addressed.

Needless to say, all I really want to do right now is get a feel for the pricing. I have valid and affordable insurance up through April of next year, so I’m in no particular hurry (unless of course I find a better deal). However in order to even see the list of available plans I have to fill out an application for coverage. The application itself is fairly straightforward. No big surprises there. Except of course when it just doesn’t work. The real rub in the process seems to revolve around the “Identity Verification/Proofing” process. At some point the system understandably needs to verify that you are who you say you are. This is of course where things get really fucking stupid.

The Federal Government in all of their wisdom decided to rely upon Experian for this service. Experian has proven that they are incapable of providing this service. Calls from the Federal Exchange to Experian are timing out, but these timeouts are being registered as failures on the Exchange. After three failures, the Exchange (or Experian, not sure which) bans you from further attempts to validate your identity. The only way around this, according to numerous blogs, is to create an entirely new account and start over. Thankfully this isn’t my problem. My identity was verified on the first try. However, despite this I cannot complete my application for coverage because it says I have not completed Identity Proofing. It then forwards me to a page to start that process, which displays an error and then forwards me to my profile, which clearly indicates, “Identity Verified”. I’ve gone through this process at least two dozen times now. Within each iteration I have to go through every page of the application again. Sometimes I even have to fill in fields that I filled in and saved at least a dozen times prior. My application seems to randomly lose bits of data each time I log in and attempt to go through it again. This is the sign of a wretched and piss poor design. We can presumably blame CGI Federal for this as they are the primary application developers. They have received $88 million in compensation for their work thus far. Time for a fucking refund.
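The timeout-counted-as-failure behaviour described above is a design defect worth showing concretely. The following is an added example, not code from the exchange, CGI Federal or Experian: a per-account lockout counter for an identity-proofing step, in a naive form that counts every non-success and a corrected form that only counts an explicit rejection from the provider. Every name here (`Outcome`, `recordNaive`, `recordCorrected`, the three-attempt limit modelled on the post) is hypothetical; the sample sequence of provider outcomes is constructed.

```javascript
// Added example (hypothetical names, not the exchange's code): a lockout
// counter for an identity-proofing step. A timeout or provider error says
// nothing about whether the user is who they claim to be, so only an explicit
// rejection should count toward the lockout.

const MAX_FAILED_ATTEMPTS = 3; // the post describes a ban after three failures

// Outcomes an upstream identity-proofing call can produce.
const Outcome = Object.freeze({
  VERIFIED: 'verified', // provider answered: identity confirmed
  REJECTED: 'rejected', // provider answered: identity NOT confirmed
  TIMEOUT: 'timeout',   // provider did not answer in time
  ERROR: 'error',       // provider returned an error or was unreachable
});

// Per-account state; in a real system this would be persisted server-side.
function newProofingState() {
  return { failedAttempts: 0, lockedOut: false, verified: false };
}

// Naive policy: every non-success is treated as a failed attempt.
function recordNaive(state, outcome) {
  if (state.lockedOut) return state;
  if (outcome === Outcome.VERIFIED) {
    state.verified = true;
    return state;
  }
  state.failedAttempts += 1;
  if (state.failedAttempts >= MAX_FAILED_ATTEMPTS) state.lockedOut = true;
  return state;
}

// Corrected policy: only a definite rejection is evidence of a bad claim.
function recordCorrected(state, outcome) {
  if (state.lockedOut) return state;
  switch (outcome) {
    case Outcome.VERIFIED:
      state.verified = true;
      break;
    case Outcome.REJECTED:
      state.failedAttempts += 1;
      if (state.failedAttempts >= MAX_FAILED_ATTEMPTS) state.lockedOut = true;
      break;
    case Outcome.TIMEOUT:
    case Outcome.ERROR:
      // Not the user's fault: leave the counter alone and let them retry
      // (ideally with backoff against the provider).
      break;
    default:
      throw new Error(`unknown outcome: ${outcome}`);
  }
  return state;
}

// Replay a sequence of provider outcomes through a policy from a fresh state.
function replay(policy, outcomes) {
  return outcomes.reduce(policy, newProofingState());
}

// Constructed sample: the provider times out three times, then confirms.
const SAMPLE = [Outcome.TIMEOUT, Outcome.TIMEOUT, Outcome.TIMEOUT, Outcome.VERIFIED];

console.log('naive:    ', replay(recordNaive, SAMPLE));     // locked out, never verified
console.log('corrected:', replay(recordCorrected, SAMPLE)); // verified, zero failed attempts
```

With the naive policy the user in the sample is locked out before the provider ever answers; with the corrected one the three timeouts leave the counter at zero and the fourth call verifies them. Genuine rejections still lock the account after three tries under both policies, so the brute-force protection the counter exists for is unchanged.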

Sadly, this is just the beginning of the issues with the Federal Exchange. Every request made to the site initiates a call to Google Analytics. What the hell? Analytics should not be used to track user activity within the private parts of an application. That creates a massive opportunity for information leakage. If you want to use it on the front page of the website, fine. If you want to use it on the login page, fine. But after I’m logged in? Fuck that noise. That’s completely unacceptable. Of course that’s not even the worst of it. The app is also tossing requests to DoubleClick servers and there is certainly no rational explanation for that. But of course it goes even further by making calls to chartbeat.net, which is a service similar to Google Analytics. What the hell? Just how many ways am I being tracked by external entities as I use this exchange? Is this even legal?

Hell, I haven’t even begun to lambaste the design of the application itself. On the front end it appears that the majority of the sub-screens are embedded as client-side templates within the original markup (hence the huge amount of HTML the main page contains). The format of the templates is not one I’m familiar with, but that’s not overly relevant. In any event, most of the navigation through the site consists of AJAX calls, the output of which is rendered against the appropriate template. When it works. Which is to say that the individual AJAX calls sometimes go quickly and other times they time out after a few minutes. Nevertheless, even going to the login page of this app pulls down 86 separate files from various sites. Because of the aforementioned tracking utilities, every single subsequent AJAX request is saddled with numerous other requests to third-party entities.
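The third-party tracking calls from the two paragraphs above (Google Analytics, DoubleClick and chartbeat.net behind the login, and the dozens of files pulled from other sites) are the kind of thing a reviewer would want to enumerate and then block by policy. Here is an added example, not code from the exchange or its contractors, that audits a page’s markup for resources fetched from hosts other than the application’s own, flags the ones that match the tracker domains named in the post, and emits a Content-Security-Policy for the authenticated area that only permits the application’s own origin. The first-party host `exchange.example.gov`, the `/csp-report` endpoint and the sample HTML are all constructed for the example.

```javascript
// Added example (constructed hosts and markup, not the exchange's code): list
// third-party resource hosts in a page and build a CSP for pages behind login.

const FIRST_PARTY_HOST = 'exchange.example.gov'; // hypothetical application host

// src/href on the tags that cause the browser to issue a request.
const RESOURCE_TAG = /<(script|img|link|iframe)\b[^>]*?\s(?:src|href)=["']([^"']+)["']/gi;

// Return the sorted set of third-party hosts referenced by the markup.
function thirdPartyHosts(html, firstPartyHost = FIRST_PARTY_HOST) {
  const hosts = new Set();
  for (const m of html.matchAll(RESOURCE_TAG)) {
    let ref = m[2];
    if (ref.startsWith('//')) ref = 'https:' + ref;   // protocol-relative URL
    if (!/^https?:\/\//i.test(ref)) continue;         // relative path: first party
    const host = new URL(ref).hostname;
    if (host !== firstPartyHost) hosts.add(host);
  }
  return [...hosts].sort();
}

// Tracker domains named in the post; subdomains of each are matched too.
const TRACKER_SUFFIXES = ['google-analytics.com', 'doubleclick.net', 'chartbeat.net'];
function isTracker(host) {
  return TRACKER_SUFFIXES.some((s) => host === s || host.endsWith('.' + s));
}

// Report each third-party host and whether it is a known tracker.
function auditReport(html) {
  return thirdPartyHosts(html).map((host) => ({ host, tracker: isTracker(host) }));
}

// CSP for pages behind login: scripts, XHR/fetch, images and frames may only
// come from the application's own origin. A stray tracker tag is then blocked
// by the browser and reported instead of silently sending the user's page URL
// and activity to a third party.
function authenticatedAreaCsp() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "connect-src 'self'",
    "img-src 'self'",
    "frame-src 'none'",
    'report-uri /csp-report', // hypothetical reporting endpoint
  ].join('; ');
}

// Constructed sample of what an authenticated application page might contain.
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="/static/app.css">
<script src="/static/app.js"></script>
<script src="https://www.google-analytics.com/ga.js"></script>
<script async src="//static.chartbeat.net/js/chartbeat.js"></script>
</head><body>
<img src="https://ad.doubleclick.net/pixel.gif" width="1" height="1">
<img src="https://exchange.example.gov/img/logo.png">
</body></html>`;

console.log(auditReport(SAMPLE_HTML));
console.log('Content-Security-Policy:', authenticatedAreaCsp());
```

Run against a saved copy of a page, `auditReport` gives the list of outside hosts the browser will contact; on the constructed sample it returns the three tracker hosts and nothing else, since the relative paths and the first-party image are excluded. The CSP is deliberately the strict form: an application that genuinely needs a CDN for static assets would add that one host to `script-src` and `img-src` rather than loosening `default-src`.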

On the surface this design is alright, until you consider the fact that they are embedding the content for a lot of templates that may or may not be relevant to the user depending upon their location in the workflow of the application. I may not require the template for the identity proofing page, especially if I’ve already completed it (or, as in my case, I’ve completed and not completed it all at the same time). So instead of embedding these templates within the raw HTML sent to each and every user, the templates should have been placed into separate static template files on a high-availability CDN (Content Delivery Network) and only loaded as required. This gives the end user’s browser the opportunity to cache these resources once they are requested and prevents the app from having to send them to the user over and over again.
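To make the on-demand alternative concrete, here is an added example of the loading scheme the paragraph recommends; it is not code from the exchange and does not use its (unknown) template format. A small loader fetches a named template from a static base URL only the first time a view needs it and caches it in memory (the browser’s HTTP cache does the same across page loads when the static host sends proper `Cache-Control` headers). The CDN base URL, the `{{name}}` template syntax, the template names and the fake fetch function are all constructed so the block runs offline under Node; in a browser `window.fetch(url).then(r => r.text())` would be injected instead.

```javascript
// Added example (hypothetical CDN, template syntax and names): load client-side
// templates on demand and cache them, instead of embedding every template in
// the page markup sent to every user.

const TEMPLATE_BASE = 'https://static.example-cdn.net/templates/'; // hypothetical

// Minimal renderer: replaces {{name}} with HTML-escaped values from `data`.
function render(template, data) {
  const esc = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) =>
    String(data[key] ?? '').replace(/[&<>"']/g, (c) => esc[c]));
}

// Loader with an in-memory cache. `fetchText(url)` is injected so the browser's
// fetch() or an offline test double can be used interchangeably.
function createTemplateLoader(fetchText, base = TEMPLATE_BASE) {
  const cache = new Map(); // name -> promise of template text
  let networkLoads = 0;

  return {
    async get(name) {
      if (!cache.has(name)) {
        networkLoads += 1;
        // Cache the promise itself so concurrent callers share one download.
        cache.set(name, fetchText(base + name + '.html'));
      }
      return cache.get(name);
    },
    async renderView(name, data) {
      return render(await this.get(name), data);
    },
    stats() {
      return { cached: cache.size, networkLoads };
    },
  };
}

// Constructed stand-in for the static host: only templates that are actually
// requested are ever served, and the identity-proofing one is never asked for.
const FAKE_CDN = {
  'plan-list.html': '<ul><li>{{plan}} for {{premium}}/month</li></ul>',
  'identity-proofing.html': '<form>{{prompt}}</form>',
};
async function fakeFetchText(url) {
  const file = url.slice(TEMPLATE_BASE.length);
  if (!(file in FAKE_CDN)) throw new Error('404 ' + url);
  return FAKE_CDN[file];
}

// A workflow that renders the plan list twice: one network load, one cache hit.
async function demo() {
  const loader = createTemplateLoader(fakeFetchText);
  const first = await loader.renderView('plan-list', { plan: 'Silver <A>', premium: '$250' });
  const second = await loader.renderView('plan-list', { plan: 'Bronze', premium: '$180' });
  return { first, second, stats: loader.stats() };
}

demo().then((result) => console.log(result));
```

The `stats()` result after the demo shows one network load and one cached template: the identity-proofing template was never transferred because the workflow never reached it, which is exactly the saving the paragraph describes. The renderer escapes values before insertion, since a template-driven front end that renders server responses into markup is a natural place for injected HTML to slip through.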

At the end of the day the cost for implementing the federal exchange has exceeded $600 million (this figure includes the $88 million CGI itself has received) and I can’t imagine why. This application is terrible. It is essentially a “How Not To” manual for web application development and load balancing. The deeper I dig into it, the more I find that is wrong with it. Given the slipshod development work here, I can only imagine what a nightmare this site is on the security end of things. Sadly, they already have my social security number. Dammit.