matsemann · 3 years ago
The Norwegian welfare agency publish most of their code on github: https://github.com/navikt/

It's the organization you use if you're sick, lost your job, where you get your social security etc. Basically a huge behemoth of all kinds of social or labor services.

While most of the code probably has little value for others (2000 different repos), I think it's quite noble that it's public, given it's made with taxpayer money and serves our people. And when working there I found it quite cool to work in the open, a sense of pride in publishing everything we were doing. Also a bit funny, just checked the project I started 5 years ago: "last updated 42 minutes ago".

argulane · 3 years ago
Quite similar to Estonia. Tho they run their own Gitlab instance https://koodivaramu.eesti.ee/explore

And not everything is there. ID Card software is hosted on Github https://github.com/open-eid

dx034 · 3 years ago
I think all countries should use their own instances of gitlab or others. It feels wrong that they all depend on GitHub to publish such important information.
nixpulvis · 3 years ago
Just curious, since it's been a dream of mine to have public services powered by open software: How often do bugs in the services get reported, either with direct references to the underlying software (function names, line numbers, etc.) or as changesets/PRs with proposed fixes?

Especially for simpler things like style/accessibility issues, I could see this being somewhat common honestly.

dr_dshiv · 3 years ago
https://publiccode.net/

The Foundation for Public Code: “We help public organizations collectively develop and maintain public code.”

Amazing people behind this org…

cloudify · 3 years ago
Italy does the same: https://github.com/pagopa/io-app

This is the official government app (you can get benefits, pay taxes, etc...), downloaded by 30+ million citizens, stack is React Native + Typescript

college_physics · 3 years ago
maybe EU countries could save a bundle and co-develop these apps. might also improve quality / ensure best practises are available to all etc.
reacharavindh · 3 years ago
This is the baffling side of the EU to all outsiders/newcomers. When I first moved here, that was my first thought as well. There is just so much in common, why repeat everything everywhere instead of single effort with branches everywhere?! (police force, consular services, Identity services, and pretty much any Government paperwork one can think of, transportation services etc). However, the population is very localised and divided. The French do it their way, Italians another way, the Germans in their own way etc. It is hard to find common ground beyond what EU already represents (which is very good IMO). I do wish doing things at EU level becomes the norm, and individualities slowly disappear.

Imagine a single European rail service (not Euro rail where you can buy a single ticket that will make you take Dutch train, and then connect on a German train, and then on an Austrian train, and if you miss a connection, good luck figuring out your replacement..)

buran77 · 3 years ago
Such a collaboration has the potential to save time, money, effort, and increase quality. But in reality it either ends up being "design by committee", or a few of the countries are the drivers and the rest are the followers who try all kinds of maneuvers to retain some control.

Even if this is done under the umbrella of an EU institution, the politics work the same way except now every other country is trying all kinds of maneuvers in an attempt to retain as much of the control as possible.

simne · 3 years ago
This is not for co-development. This is mainly a report of what the government has done. To some extent it could be used to check the safety of software/infrastructure.

For example, in Ukraine closed-source software is used, and only the war (because of censorship) slightly slowed the stream of scandal publications about bugs and vulnerabilities.

bojan · 3 years ago
The tax systems are national responsibility, and building a bespoke app for a given tax system is cheaper than supporting 27 widely different tax systems in a single app.
rb666 · 3 years ago
Stealthy dig at the European military acquisition strategy :)
gorbypark · 3 years ago
Wow, looks pretty nice from the screenshots. Do you have experience using it? Does it work well/do what it claims? I recently moved to Spain, which has a digital identity system, but it is a pretty disjointed attempt.
cloudify · 3 years ago
Yes, the project started in February 2017, so it's been a while and the app is very mature and frequently used by many citizens (full disclaimer, I was leading the development of the app and the backend from the beginning until almost two years ago).
mdrzn · 3 years ago
It's a great app, doesn't do "much" except sending some government news from time to time. It was used a lot during Covid because it showed your negative QR code.
PestoDiRucola · 3 years ago
Yeah it works pretty well. Italy also has a digital identity system called SPID which can be used to log in for all governmental services which also works pretty well.
yurishimo · 3 years ago
Speaking as an immigrant from America, I really like DigiD! I wish the US had something even remotely similar. The fact that we do not have a standardized national ID easily available to everyone is embarrassing.

DigiD has some minor annoyances, but it's a helluva lot better than some alternatives I could think of.

vinay427 · 3 years ago
> The fact that we do not have a standardized national ID easily available to everyone is embarrassing.

Why? I’ve lived in a European country with common national IDs, in the US, and in a European country without national IDs, and I’m not sure that the absence of it is “embarrassing.” Note that in most European countries it’s an identifier of citizenship, not residence, with other ID cards such as residence permits, drivers licenses, or municipal registrations indicating residence. Therefore, it’s far from sufficient for many common use cases that depend on residence, and the countries that don’t have one such as the US or the UK typically use passports (or ad-hoc solutions such as US/Canada enhanced drivers licenses) for travel.

I agree that digital IDs can be very useful.

pionar · 3 years ago
> The fact that we do not have a standardized national ID easily available to everyone is embarrassing.

Surely that's hyperbole. State IDs are pretty standardized, and even more so with the REAL ID system (if the mandates for it ever go into effect). When have you ever had a problem using one state's ID in another state?

yurishimo · 3 years ago
It makes coordinating your information across many different service providers much more efficient. Here in the Netherlands for example, I can use DigiD to login and pay my taxes, pay for health insurance with a private company, authenticate to my pension plan and a ton of other things.

I can't vote with my Texas ID in Wyoming. A passport might be sufficient to vote in a different state for a national election but I’ll admit that I’m not 100% sure on that.

Every government agency in the US doesn’t know who I am without me telling them. And even then if they fat finger the number I could be in for a world of hurt until someone realizes.

seanw444 · 3 years ago
It was on purpose. Americans traditionally don't like the idea of a standard, mandatory national ID. But SSNs have basically been re-appropriated to serve that purpose, to get around that, despite them being explicitly listed as "not intended as a means of general identification."
lucumo · 3 years ago
I find the DigiD app to be one of the most annoying implementations of 2FA out there. You have to unlock the app with a pin code, then enter an app-generated code on the site, then scan a QR with the app, and then grant permission to login to that site.

If you compare that to 2FA for Office 365 for example, where you just have a push notification where you press a button to allow, then you can't help but think that some attention to UX would be helpful.

As it is, I usually pick SMS verification instead of using the app. Yes, less secure, but so much easier.

krono · 3 years ago
For an app that cost in the tens of millions to produce[1], and for which the company (gov-owned and operated) behind it charges implementors/users (not end-users ofc)[2] for each and every single successful DigID authentication event €0.13, DigID authorization event €0.88, and even for every digital message delivered into your "berichtenbox" €0.32, it could.. no rather it should indeed provide a much better experience than what we have now.

1: https://www.rijksfinancien.nl/memorie-van-toelichting/2019/O...

2: https://logius.nl/onze-organisatie/zakendoen-met-logius/door...

rileymat2 · 3 years ago
If the money is going back into the public coffers supplanting other tax revenue, a fee for delivery must help prevent spam? I don't know enough about the topic but at first glance it seems there could be worse things.

I suppose it would hinge on your view of regressive use fees as well.

miohtama · 3 years ago
“This code has been disclosed in response to a request under the Dutch Open Government Act ("Wet open Overheid"). This implies that publication is primarily driven by the need for transparence, not re-use. Re-use is permitted under the EUPL-license, with the exception of source files that contain a different license.”

It sounds like they might not be very keen to maintain the app.

Can there be alternative better implementations or is DigID “hardcoded” to one provider?

noirscape · 3 years ago
On the other side of this, push-phishing through MFA fatigue has become extremely frequently used to hack into enterprise O365 instances (as well as Google Cloud accounts and the like).

People don't generally read it when their phone apps send them a "please login" notification after the 200th one that day, they tend to approve it without thinking (or worse, accidentally approve a phishing notification while trying to login), especially when busy, which results in them letting phishers onto their device.

The DigiD login flow is a bit of a mess, but it seems very well designed to avoid that particular tendency. The entire process requires active involvement from the end-user, which means they'll be paying attention on whether it's them logging in or not.

geraneum · 3 years ago
This is real and a serious threat. Both the company I work in and I (personal account) have been targeted with this specific method. I got tens of random notification pop-ups on my phone on different days and I almost approved it once. It didn’t stop until I disabled login using that specific email address altogether.

Edit: I received the notifications for Microsoft Authenticator app
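
Added example, not part of the thread or any commenter's code: a minimal detector for the push-prompt pattern noirscape and geraneum describe above, flagging a user who receives a burst of denied or ignored push prompts and, more urgently, an approval that lands while that burst is still fresh. The log format, the 10-minute window and the threshold of 5 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): ISO time, user, push outcome.
SAMPLE_LOG = """\
2023-01-10T09:00:05 alice approved
2023-01-10T02:11:00 bob timeout
2023-01-10T02:11:40 bob denied
2023-01-10T02:12:15 bob timeout
2023-01-10T02:13:02 bob timeout
2023-01-10T02:13:50 bob denied
2023-01-10T02:14:30 bob approved
2023-01-10T08:00:00 carol denied
2023-01-10T13:30:00 carol approved
2023-01-10T03:00:00 dave timeout
2023-01-10T03:00:30 dave timeout
2023-01-10T03:01:00 dave denied
2023-01-10T03:01:30 dave timeout
2023-01-10T03:02:00 dave denied
"""

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed: denied/ignored prompts per window


def parse(log_text):
    """Return (timestamp, user, outcome) tuples sorted by time."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, outcome))
    return sorted(events)


def detect_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (user, kind, timestamp) tuples.

    "prompt_burst": `threshold` denied/ignored prompts inside `window`.
    "approved_after_burst": an approval while such a burst is in the window.
    """
    recent = defaultdict(deque)   # user -> times of denied/timeout prompts
    burst_reported = set()        # users whose current burst was alerted
    alerts = []
    for ts, user, outcome in parse(log_text):
        failures = recent[user]
        # Drop prompts that have aged out of the window.
        while failures and ts - failures[0] > window:
            failures.popleft()
        if len(failures) < threshold:
            burst_reported.discard(user)
        if outcome in ("denied", "timeout"):
            failures.append(ts)
            if len(failures) >= threshold and user not in burst_reported:
                alerts.append((user, "prompt_burst", ts))
                burst_reported.add(user)
        elif outcome == "approved":
            if len(failures) >= threshold:
                alerts.append((user, "approved_after_burst", ts))
            failures.clear()
            burst_reported.discard(user)
    return alerts
```

An approval hours after a single denied prompt (carol in the sample) is not flagged; only an approval that closes a dense run of rejected prompts is.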

Denvercoder9 · 3 years ago
That's a bad comparison, as you're comparing a full authentication process against just one step: with Office 365 (and SMS verification for DigiD) you additionally need to provide a username and password, which you don't need to do with the app.

I think the only part that can reasonably be simplified without compromising security is to use a push notification instead of having to scan the QR-code.

lucumo · 3 years ago
> That's a bad comparison, as you're comparing a full authentication process against just one step: with Office 365 (and SMS verification for DigiD) you additionally need to provide a username and password, which you don't need to do with the app.

I hadn't even noticed that app login doesn't require username and password. With a password manager that doesn't add a lot of friction. Even when accounting for that extra step, I still find Office 365 and SMS verification much easier.

ryukafalz · 3 years ago
What's the purpose of the code you're entering from the app? Isn't that a bit superfluous/couldn't the app open a communications channel with the server via the QR code you scan and provide that itself?
sambe · 3 years ago
If you leave the country without setting up SMS you can’t ever use 2FA. They claim to support adding foreign numbers, support people being abroad, support adding new DigiD accounts from abroad, but oh no you can’t just add a number. Not even by going to an office or doing a virtual interview. I would think this violates EU law on discrimination. If you live in the UK post-Brexit it’s now totally impossible, I believe (since you aren’t even allowed to make a new account).
ArnoVW · 3 years ago
Holder of Dutch passport here. I created a DigiD account from France, using a French phone number.

You plan a video conf using their web app, connect at the right time, and show your passport when asked.

As an aside, I login without using their app, as my Android phone does not support Google Play.

Don't know what happens if you don't have a Dutch passport though. I guess they are under no obligation to render services to people that are neither citizen nor national.

A bit like when I got married and the French state wanted proof that I wasn't already married before, during the period I had lived in the UK. The UK services wouldn't give me the time of day, since I was neither British nor living there. I ended up getting an official looking note from the Dutch embassy to the UK, stating that "to the best of their knowledge I wasn't married" =)

melvinmelih · 3 years ago
After moving to the States and losing my Dutch mobile number I was also not able to use it for more than 10 years.

During covid the government provided an ability to schedule a zoom call to verify identity remotely and set up Digid with a foreign number so I finally have it.

teekert · 3 years ago
It's slightly easier on-device (where the app runs), still try opening your government messages inbox, that takes 5 taps/screens/faceID and a code. It always works though, and one does not use it very often.

I do appreciate that they keep it so secure (or perhaps I should say, not logged in by default). It works well in general imho.

Kaotique · 3 years ago
I have dozens of 2FA codes now that require searching for the correct one and I have to store backup codes in physical form. Which probably a lot of people keep unencrypted on their desktop somewhere.

With the Digid app you just need to remember the pin code or unlock with face id. The app generates the codes for each login and then you just scan the QR. It's very simple to use.

Recently I lost my phone and had to set everything up again. I had to start digging for 2fa backup codes, but Digid I could easily set up again using the NFC chip in my passport.

sandos · 3 years ago
The Swedish "Bankid" is very nice to use, imho. It's very similar to the MS Authenticator.
dr_dshiv · 3 years ago
On mobile, you just use pin. So easy!

On desktop, you use pin, type code, then scan. I find the flow quite smooth.

lucumo · 3 years ago
> On desktop, you use pin, type code, then scan. I find the flow quite smooth.

I find the constant back and forth between devices annoying. 2FA is already annoying because you have to switch from desktop to mobile and back, but that can't be helped. There's no need to make it 6 times, though: desktop (on site) -> mobile (start app + pin) -> desktop (fill in code) -> mobile (get camera) -> desktop (scan QR) -> mobile (press allow) -> desktop (continue on site)

That's just being irritating.

dr_dshiv · 3 years ago
It’s a great app. I mean, there can be challenges, but generally extremely effective.

I suppose openness will enhance security over time?

jeroenhd · 3 years ago
The company making this clearly doesn't want to open up development, this code was released because the government was forced to. They stripped the commit history and some hard coded details and I don't think they'll develop on this repo either.

Some extra eyes on the current code might fix some small issues, but I doubt this is going to improve the app much.

kf · 3 years ago
c7DJTLrn · 3 years ago
It's pretty pathetic how many people feel the need to dunk on this bit of code just because it's not how they would write it. There's nothing really wrong with it. I'm sure the author was aware of alternative, perhaps more concise solutions using a string builder but they chose to be clear instead.

So many big egos in software.

arp242 · 3 years ago
I mean, if this is the worst code people can come up with then it's better than most codebases I've had to deal with at $dayjob.
doodlesdev · 3 years ago
I'm pretty sure they weren't because of the redundant conditionals which simply defy logic. If there was only one check for every if statement, honestly I could give this a pass since it's at the very least simple, but by adding one extra redundant check for every statement you just created 9 new places where a bug could appear.

Furthermore, using Unicode characters to represent progress is the true smell here. There simply are better ways to do this.

In the grand scheme of things, does it matter? No. But this is Hacker News LOL, someone has to discuss it.

yread · 3 years ago
I like it. Easy to understand, fast, no allocations.
kwhitefoot · 3 years ago
It has almost twice as many comparisons as necessary. The term to the left of each AND is redundant because it has already been checked by the preceding IF. It also does not guard against negative arguments. Perhaps the environment in which it is used guarantees that negative arguments cannot occur.

If I were reviewing this code I would at least ask the developer to add an assertion or contract requiring that the argument be in the inclusive range [0..1]

The choice of variable name, percentage, is also misleading. At least I suspect it is because I would expect the comparisons involving percentages to be to numbers between 0 and 100.

If lack of allocations is a requirement then one could create a static array of strings and use

    int(percent * 10)
as the index. This would eliminate all of the comparisons and also throw an index out of range (in any sane language) if the value was outside the allowed range.

rsynnott · 3 years ago
I vaguely suspect that this is a product of the sort of environment where you have to fill out a form in triplicate to get the static analyser to let you concatenate strings (which, to be clear, may not be inappropriate for something like this).

I do object to the variable being called ‘percentage’ tho, as it clearly isn't one.

doodlesdev · 3 years ago
I have no idea where all of you got the idea that percentages go up to 100. It's in the name: PER centage, meaning x/100 [0].

For instance if you want 20% that could also be expressed as a fraction such as 20/100, which turns out is the same as 2/10 or 0.2.

I do think they should remove the redundant statements in the conditions and also have an assertion that guarantees percentage to be [0, 1].

> The term "percent" is derived from the Latin per centum, meaning "hundred" or "by the hundred". The sign for "percent" evolved by gradual contraction of the Italian term per cento, meaning "for a hundred". The "per" was often abbreviated as "p."—eventually disappeared entirely. The "cento" was contracted to two circles separated by a horizontal line, from which the modern "%" symbol is derived.

This might be a little more obvious for me since my first language is derived from Latin, but anyhow it still keeps the meaning in english.

[0]: https://en.m.wikipedia.org/wiki/Percentage

yurishimo · 3 years ago
This is likely an effect of translation more than anything. While the Dutch are generally very competent English speakers and writers, their expertise tends to end at the conversational level. Anything technical in its conception takes decades of intense every day use to intuit.

Source: native English speaker working in the Netherlands with a team of Dutch people. They are all really smart people, but they tend to err on the side of simple vocabulary when forced to think in English.

pelorat · 3 years ago
I'm triggered by the lack of brackets after every if-expression. Sure it looks nicer this way but the default Visual Studio code style settings will complain if you don't do it, hence I'm used to it.
lucumo · 3 years ago
I've started to remove them from my own code. It's widely mentioned as The Right Way, but I feel the reasons why are obsolete. The stated reason is always that you could forget to add braces when adding a second statement.

That was useful in a time where a text editor was "smart" when it copied your indentation to a new line. But nowadays any tooling will warn you when indentation doesn't match the bracing. The odds of people making that mistake have gone so far down, that the risk is no longer worth the reduced readability.

jpnc · 3 years ago
Is this literate programming?
sam_lowry_ · 3 years ago
It's been extensively discussed on twitter, and the general conclusion seems to be that yes, this particular snippet is good code.
belter · 3 years ago
"...This code has been disclosed in response to a request under the Dutch Open Government Act ("Wet open Overheid")..."

Sounds like it was not voluntary. Also not sure what kind of transparency is expected here, since there is no way to find if the source code published is the same used to build the app. Maybe decompilation is the way to go...

noirscape · 3 years ago
It's semi-voluntary; the request to open source the application came from the Dutch congress/2nd chamber if I recall, but took a while due to private information leaking concerns.
radicalbyte · 3 years ago
It was released as the result of a Freedom of Information (WOO/WOB) request made by serial "WOBBER/WOOOER" @BugBlauw, check his twitter (use google translate, works well with Dutch).

https://twitter.com/bugblauw

BasedInfra · 3 years ago
There’s a lot of gov.uk stuff open source.

- https://github.com/alphagov

- https://github.com/hmrc

- https://github.com/dwp