One should use the overused word kafkaesk no further burden, but the “online office” of our health insurance company!
Surprisingly, after all the pandemic-related homeschooling and KiTa chaos of the last few years, we only recently had to apply for child sickness benefit for the first time. Unlike sending in a certificate of incapacity to work, the unwieldy name of which is rightly abbreviated to AU and which should have long since found its way electronically directly from the practice to the health insurance company, you cannot simply submit the application for child-ill salary compensation without registering with the Upload health insurance. Here I would like a service from the health insurance company and not the health insurance company something from me, of course. Instead, you either need access to the so-called online office, whereby everything you need to know is in the name, or you send the certificate, which you received in paper form from the pediatric practice, in an informal envelope by post. Since I’m over 40 and grown up enough to stock up on envelopes and sometimes (time is against me) appropriately denominated stamps, I’m not yet capable of learning enough to simply send such things by post, so I’m reporting my wife at the online office. It won’t be that complicated.
By the way, if I had clicked on the link “here” in the sentence “If you have any questions or need help registering, you can find more information here.’, which I didn’t do due to a lack of questions and unreasonably inappropriate self-confidence, I would have clicked there directly the one important sentence read and save me all the hassle that follows:
With immediate effect, the use of the online customer area “Meine [NAME DER KRANKENKASSE]The use of a mobile device (smartphone or tablet) is required. Without this, use is no longer possible.
This important information is not mentioned anywhere in the actual registration process, there I am only asked for my wife’s first name, last name, insurance number and date of birth, which triggers the posting of a “one-time password” after being assigned a user name with crude validity criteria. It remains unclear why the e-mail address is not simply used instead of a more or less freely selectable user name.
This letter is here only a few days later and I can continue. Unfortunately I don’t get very far, because now I’m asked for the serial number of the health card and I have to wait until my wife is home again.
So just a few days later I have this card to hand and am happy to start my third attempt: After logging into the browser, I only get an error message that I haven’t linked a device yet. As mentioned, nowhere in the process was it mentioned that none of this would work without installing an app on a smartphone. People without a current smartphone (or with a lack of security in using it) or probably with a rooted smartphone are out of here, I have relevant experience with all three variants. You could have mentioned this detail beforehand, then I would have simply sent the application by post, but the hint is in good hands on the help page, where everyone but me will surely take note of it. Well then, I’ll get a suitable smartphone for this task. Since I’m usually responsible for such bureaucratic horror, it would be very clever if I used my smartphone for it, but I can already guess that I won’t be able to maintain such an account for the online office myself because you have a smartphone will only be able to bind to one account. Here the question of the purpose of a separate user name will arise again, but these are implementation details that you don’t bother with when modeling the process.
So I install the app on the device of my wife, who is present this time, log in there and see the four mandatory consent ticks for all sorts of data protection issues. Because the app only reacts extremely sluggishly and scrolls with reluctance and hesitation, I tap the text next to it instead of one of the ticks and get to the data protection declaration. Unfortunately there is no way back, the back gesture of the smartphone doesn’t work (why should it?) and I don’t see any control element that lets me return to the consents. WTF? The burger menu takes me back to the app start page and I am logged out again.
After the next login with the long initial password, I get – drum roll – the same insurmountable error message as in the desktop browser that I haven’t linked any device yet and need to install the service app. IN THIS APP!! You shouldn’t use the term in an inflationary way, but if something is Kafkaesque, then yes, this is it:
Figure: The edited screenshot is from the browser, but I later saw the same thing in the app, including the QR code that was not linked for tapping, which led to the Play Store before I was anonymized.
I yell all over the house so desperate and angry that the family gets together to see how badly I’ve hurt myself. A lot, but not physically, because I could just keep myself from banging my head full force on the tabletop or punching a hole in the drywall. Instead, my children now have a few more foul language in their repertoire. I am handed a fresh waffle to calm me down and consider going back on the blood pressure pills.
(Small digression: I have been dealing with such things professionally for about 15 years and the knowledge that either someone modeled the process willfully in exactly the same way or someone else actually implemented it so clumsily contrary to the process modeling that this error message appears on this It drives me even more insane with every step into seniority.)
I could still send the application in the mail and let this online office continue without me, but out of sheer irrationality I log out of the app and try again. Who knows? After the next login I come back to the consents: four pieces, why actually? Oh, actually I’d rather not know, blood pressure and such. This time I tick all of them very carefully, because the app jerks dangerously again when scrolling. As a bonus, in the app’s dark theme (following the smartphone mode), the active checkmarks become invisible as soon as you tap them. After all, where would we be if we simply used the user interface elements provided by the operating system? And where would we be if you tested your digital outpourings properly before the release and, above all, off the modeled happy path? Dark themes, all newfangled nonsense!
After the four ticks, I somehow have to agree to further data protection conditions or contact route permissions, it remains unclear why and whether I can also reject that: There is an option “none”, but the text above says that there must be a contact route, so that the online office works at all. So I agree with all ways and already expect unnecessary sales calls. After all, you can change the desired contact channels later, this process step promises me.
Before or after this step, the memory faded somewhat with my anger, I had to set my own final password, which in turn had to follow various rules. I decide on a wild insult and hope that at least someone will have something to laugh about when the access data leaks, which is to be expected sooner or later. Because if you use a second factor for the login, you no longer have to properly secure the access data, as probably at least half of those responsible naively imagine. Don’t laugh, you would be shocked if, like me, you had seen the most simple SQL injections and plain text passwords in databases, even in highly serious applications. IT security is in bad shape in general: As long as IT security is carried out according to some 11-year-old (latest version!) certification basis, you as a decision-maker in Germany are no longer responsible, regardless of whether this is still the case Technology is or ever was. That’s what it’s all about when you talk to these people. However, this is also due to the fact that people who have understood IT security on a deeper level usually avoid such responsible bodies for very good reasons. If you know all this, you cannot take responsibility for it. I feel the same way.
Imagine that in a chemical plant, business chemists would be responsible for operational safety instead of safety engineers. (If that’s the case, please don’t take away my illusions about this: I can hear and feel the explosions of rupture discs and tank systems in the area around my breakfast table and I would like to sleep reasonably peacefully.)
So now I’m actually logged into the app, but I don’t have the scan of the application here, so I log into the desktop with the new access data and release the login on the smartphone. I then succeed in uploading the application right away, the topic is finally settled and I am asked with a small, conspicuously designed disruptive element in the corner whether I have barriers to report. Do people who are not experts know what that means? I know it and write a first version of this text in the form there. After that I feel better, log out and also close the app on the smartphone.
I hope I never have to go there again.
But then it occurs to me that I would like to have the text I just wrote along with a few screenshots for the technology diary and log in again because I can see my message in the inbox in the app, but I cannot mark any text there. why? As before, the phone rings and I see a notification that I need to release the login. From there I get to the previously closed app, but instead of the release dialog I see the start page and am no longer logged in. So I log in again here, am happy again about my unfriendly password and see the start page again: The release dialog no longer appears, the notification is gone and after a while my login times out on the desktop. Next try, I leave the app open: Again, no release dialog comes up and after a minute or two I run into a timeout on the desktop. I still have an arrow in my quiver: I leave the app in memory, but send it to the background and try again: This time it rings again, I get the notification and get to the app from there, where I’m also logged in and also get the release dialog displayed. Eureka, only three tries!
The text of my message, which I copy out there, ends with the encouraging words:
I’m amazed at how many barriers this online office throws at you and I wonder how many members make it here. My suggestion: Firstly, communicate clearly in advance that you have to install an app and keep it permanently available on a bound device and secondly, make sure that the error message “No device linked” is never and never ever displayed on this very device in this very app. At the very latest, this is the moment when you want to light something. Maybe that was a weird April Fool’s joke.
I’m afraid this wasn’t some weird April Fool’s joke, but I really hope I never have to find out. But it’s still nice that people are so aggressively interested in all the barriers that have been put up. In a better world, my text ends up printed out on the desk of a responsible person, who uses this as an opportunity to repair the process accordingly. In our world, I include this illustrious anecdote in my teaching material.
(Gregor Meyer)