18app: the story of a problem and of how it was a solved


18app: the story of a problem and of how it was a solved

What we can learn when a mistake turns into a challenge for improvement

Questo articolo è disponibile anche in italiano

Today we want to tell you a story about the digital transformation of the country. This is a story in which the citizen, rather than being defeated by bureaucracy, is finally featured at the center of decisions: 9,375 citizens born in 1998 (former eighteen-year-olds, now nineteen), who were accidentally excluded from the 18app program (the platform that allows citizens to receive their Cultural Bonus) after the registration deadline of this past June 30, have just been readmitted to the program. As per current law, they still have until December 31, 2017 to spend their bonus of 500 euros in museums, cinemas, theaters and concerts.

We’ve informed these kids through an email and a text message. We will be monitoring the replies and if necessary, find a new way to contact those who haven’t yet registered by the end of the week.

But this is just the very end of a long story, a story that began five months ago. So make yourselves comfortable because we are going to tell you everything in detail. We want the reasons why this problem happened to be clear and also to tell you what the strategies were for dealing with it so that a similar event never happens again.

18app: a history

18app is a program provided for by law through which 500 euros are awarded to all eighteen-year-olds. The kids can spend this money on any cultural activity, whether it be purchasing books and theater tickets or enrolling in classes on music or foreign language. The first group of citizens to receive this award were those born in 1998. They were asked to register themselves on the system by June 30, 2017 and to spend their bonus by December 31 of that same year.

Since before the launch of the program (which took place last year), the Digital Transformation Team had been collaborating with MIBACT and SOGEIfocusing on the purely technical aspects of the platform: user experience, fluid integration with other operators, future developments.

And yet, immediately after the June 30th deadline  the last date to register on 18app  we began receiving reports (through various channels including the call center or Facebook, whether it was through the official page or the group that developed spontaneously in response to the problem) of an increasing number of eighteen-year-olds who claimed to have completed the activation of their bonus before June 30, but never received access to the system and, in consequence, their bonus.

Our first investigations into this problem revealed that these were all users who hadn’t yet spent a single euro through the platform: the registrations hadn’t been processed successfully but the eighteen-year-olds weren’t aware of the problem until after June 30, when they tried to spend their bonus but by then it was too late. They had missed the deadline and had already been excluded from the system.

  • In September, we began a process of in-depth technical investigation, calling on the support of a few Identity Providers (the private companies providing the SPID digital identity service). After a few trial investigations, we were able to identify cases involving a few users who, despite having completed the access form on the 18app site before the June 30 deadline, did not show up as present on the system. It was as if their registration had been “lost” or had somehow remained pending. This could only be due to a bug in the system, a defect in the software.

If these eighteen-year-olds (roughly 3% of those registered) had tried to spend even a part of their bonus by June 30, we would probably never even have noticed that a bug existed. If they’d tried to spend the money and, by doing so, re-entered the system, their pending registration would have been automatically completed and the problem would not have come to our attention.

At this point it was clear that an intervention was needed to re-admit these eighteen-year-olds to the program: through the Identity Providers, we carried out a complete extraction of the data associated with the eighteen-year-olds listed as registered on 18app and cross-referenced this with our data regarding those that were listed as having completed the system registration.

It took time. Identifying the right formal process to use wasn’t easy. This was the first time since the launch of SPID that an event like this had occurred and a cross-check between IdP (those who provide the SPID identity) and the services that use SPID had never been hypothesized, let alone codified as a technical or contractual procedure. Because the data we were dealing with was personal, it was necessary to proceed with the utmost care and attention. Despite a few moments of frustration (mainly due to the complexity of the operation), we were able to move ahead with our goal of keeping the citizen at the center of our decision-making.

Sound strange? Based on the registration data from the June 30th deadline, the unused part of the budget originally set aside for 18app had been reallocated because it was thought that the number of people registered had been defined with certainty. All in all, it’s reasonable not to leave money that we know won’t be spent in a budget. It makes more sense to reassign it as quickly as possible. Fortunately, however, a margin of expenditure had already been foreseen to safeguard against possible errors, theoretical errors that were soon to become reality.

And that’s how we finally got to November 28, the day we managed to officially reestablish system access for 9,374 eighteen-year-olds.

In the end, it was all the bug’s fault. But what are bugs? Why do they exist in software? And, most importantly, how can we avoid them?

more digital world also requires more digital citizens, that is, citizens who have a greater awareness of the rules that govern the digital world.

The first rule we need to become aware of is that all software has bugs.

Information systems are all around us. They are on our desks, in our pockets, on our wrists. I’m certain that we’ve all experienced, at least once in our lifetime, an imperfect system. That is, a system with at least one bug. The signs can be subtle: an undetected click, a USB stick that goes unrecognized. Or they can be more obvious: a program that crashes, a document that becomes corrupted, a website whose images are distorted, a notification that appears one hundred times.

Bugs are one of the biggest challenges for those involved with software. To reduce their occurrence as much as possible, it’s necessary to always follow the best practices.  and the experts in this field of work know them well: defensive programming, automated tests, manual tests, monitoring.

Compared to other engineering fields, those who design software do it within a completely different context. The rules are more flexible, evolution is rapid, the time in which to solve problems is extremely limited and the changes are continous.

It’s no coincidence that the 18app site has had the beta label displayed under the logo for many months now. This label indicates that the version isn’t final. A necessary distinction because it’s very rare for such a complex piece of software to achieve perfection in the first years of life. In the case of what happened with 18app, we are talking about a bug that concerned the first large-scale application of SPID, an articulated protocol that involved many different actors and implementations. Making sure all this different software communicates correctly is a tricky thing to do.

As a technician, I hear myself saying that the bug shouldn’t have been there, but I can’t guarantee that I wouldn’t have made the same mistake myself.

So, if the presence of bugs in software is inevitable, we have to do what we can to avoid the easy rhetoric of accusation against whoever put the bugs in the software. Fantasizing about the chimera that is the perfect software is no way to solve problems. Those who create software at a professional level know this well and try to do differently: when a bug is found, they rush to repair it as quickly and effectively as possible. They inform users and attempt to reduce the damage suffered as quickly as possible. Corrective measures are implemented so as to make sure that similar problems don’t happen again on other occasions. If you’re interested in the technical aspects of how this bug was behaving, you can find all the information you need in the FAQ at the end of this article.

A look towards the future

Ofcourse, to be truly effective, we still have a lot more work to doFive months is not an intervention time to be proud of. We have to learn to do better than that. Coordinating between ten different institutions in addition to all the state and private companies involved in this project (of which eight were directly involved with this issue), wasn’t easy. But this type of coordination is typical of the complex (and complicated) system that is the public machine and is just one example of what we face on a daily basis while working on the digital transformation of the country.

So what’s left for us to do? There are many processes that can still be improved upon and we are already working on them. Some examples?

  • The SPID implementation software, which we are primarily developing on Developers Italia by providing reference implementations and examples of use. In the coming weeks we will be working to standardize the protocol as much as possible, leaving less and less room for the possibility of implementation errors and increasing the number of automatic verifications guaranteeing the absence of bugs.
  • The processes of SPID, which we want to improve in direct cooperation with the Identity Providers by creating a system that allows for people from technical support (i.e. call centers) to have greater visibility of the issues affecting those who are reaching out for assistance. In the future, this will help provide a better quality of assistance, which also means being able to identify, earlier and with more clarity, the presence of anomalies and acting on them as soon as possible.
  • And then there’s 18app itself, which we want to improve by raising the quality of communication, especially towards eighteen-year-olds, by making sure all the deadlines are clear (it will be necessary to complete the registration by June 30 of each year) and improving the technical aspects of monitoring so as to be able to immediately identify eventual problems. The program has been renewed for all citizens born in 1999 (and perhaps again for those born in 2000) and it’s important for all of them to be able to take advantage of this wonderful opportunity for personal growth.

The challenge of building a more digital Public Administration is just at its beginning, but we are happy that 18app became a software project and not a large-scale campaign of sending and receiving paper receipts.

There’s still room for improvement, but we are proud of all the possibilities that 18app offers. Citizens can use a smartphone to spend their bonus in real time, receiving their discount at the time of purchase rather than after having filed out and signed a stack of paper documents, further attached to copies of identity cards and further still, verified and reimbursed.

We’ve truly saved a lot of money by implementing software in a very short period of time and by using identification technology like SPID (which had only just been launched). This incident has been very instructive for everyone and it will help us to do better.

Not only that, but 18app was also used for distributing the Teacher’s Card (a bonus for teacher training). We hope that it becomes a model for all those programs designed to manage the allocation of bonuses from the state to its citizens.

We want to thank all the institutions and government agencies that collaborated with us on the management of this critical situation. We see this as a sign of cultural change and we hope it becomes an example for the management of other similar situations, all the while never forgetting to keep the well-being of the citizen at the center of the decision-making process.


1 . Why do we only have until December 31st to spend our bonus? There’s only one month left! Can’t you extend the deadline?

The law, to date, imposes this deadline. We have begun a discussion in Parliament to see whether the deadline can be extended by three months, but we don’t know if it will be possible to do this. Our advice is to spend the bonus during the month still available.

2 . I haven’t received any contact from you via email or text message. How do I know whether I’ve been readmitted to the program?

Because we needed to reach the entire group of those concerned, the message via email or SMS only serves to notify. If you are reading this document and want to verify your status, you can connect to the website http://www.18app.italia.it/ and access your profile. If you aren’t registered within the group of 9,374 identified individuals, the system will respond with an error message.

3 . I applied for SPID before June 30, 2017 but I never connected with the 18app site. Do I have access to the bonus again?

No, the law is very clear, as is the information on the website and social networks: people eligible to use the bonus must register themselves on the 18app site by June 30, 2017. It isn’t enough to get an SPID, you must also connect to the 18app site by June 30, 2017.

4 . I’m a technology person. What was the bug?

It was a race condition between two : one that was creating the registry information for the registered user and one that was creating the current session. In a relatively minor number of times, the start of the session failed because the user was not yet registered and, consequently, the whole transaction went into rollback, interrupting the registration itself.

Giovanni Bajo  

Developer Relations

Please sign in or register for FREE

If you are a registered user on The OECD Forum Network, please sign in