Hopefully by now you’ve heard that Hawaii was not attacked with ballistic missiles Saturday. It was, however, attacked by poor software design or, quite possibly, poor QA.
Let’s recap here.
The Hawaii Emergency Management Agency erroneously sent a cell phone warning message to damn near every phone in the state. The message warned of an incoming missile attack. Naturally, this caused a certain amount of chaos, confusion, fear, and panic.
Fortunately, it did not, as far as I can tell, cause any injuries or deaths, nor was there widespread looting.
The backlash has been immense. Any misuse of the cell phone emergency warning message system is going to trigger outrage–does anyone else remember the commotion back in 2013 when the California Highway Patrol used the same functionality to send an AMBER alert to phones across the entire state of California?
Many people turned off the alert function on their phones in the wake of that and similar events elsewhere–although, let’s not forget that one level of warnings cannot legally be turned off. I don’t know if HEMA used the “Presidential” alert level–certainly a nuclear attack would seem to qualify for that level of urgency–but it may be that only the White House can send those messages.
For the record, my current phone doesn’t allow me to disable Presidential or Test messages; the latter seems like an odd exclusion to me. In any case, I’ve turned off AMBER alerts, but have left the “Severe” and “Extreme” messages on. I suspect many who have gotten spurious or questionable alerts have turned those off.
Which puts those charged with public safety in an awkward position. The more often they use the capability, the more people are going to turn off alerts. I hope the people looking into a California wildfire alert system are keeping these lessons in mind.
But I digress. I had intended to talk about the Hawaii contretemps from a software perspective.
The cause of the problem, according to a HEMA spokesperson, was that “Someone clicked the wrong thing on the computer.” Later reports “clarify” that “someone doing a routine test hit the live alert button.” I put “clarify” in quotes, because the explanation actually raises more questions than it answers.
See, for a test to be meaningful, it has to replicate the real scenario as closely as possible. It would be unusual to have one button labeled “Click Here When Testing” and a second one that says “This Is the Real Button.” The more typical situation is for the system to be set to a test mode that disables the connection to the outside world or (better yet) routes it to a test connection that only sends its signal to a special device on the tester’s desk.
Or heck, maybe they do have a test mode switch, and the poor schlub who sent the alert didn’t notice the system wasn’t in test mode. If so, that points to poor system design. The difference between modes should be dramatic, so you can tell at a glance, before clicking that button, how the system is set.
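To make that concrete, here is a sketch of a console with a single send action whose destination is fixed by the session mode. It is an added example, not HEMA's software: the class and channel names are hypothetical, and the typed confirmation phrase for live sends is an extra assumption of mine.

```python
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    TEST = "TEST"
    LIVE = "LIVE"


@dataclass
class Sink:
    """Stand-in for an outbound channel; records what it was asked to send."""
    name: str
    sent: list = field(default_factory=list)

    def deliver(self, text: str) -> None:
        self.sent.append(text)


class AlertConsole:
    """One send action; the destination follows the session mode, not the button."""

    LIVE_PHRASE = "SEND LIVE ALERT"  # hypothetical confirmation phrase (assumption)

    def __init__(self, mode: Mode, public: Sink, bench: Sink):
        self.mode = mode
        # Routing is decided once, when the session opens. A test session never
        # holds a reference to the public channel, so it cannot reach it.
        self._out = public if mode is Mode.LIVE else bench

    def banner(self) -> str:
        # Shown on every screen so the mode is obvious before any click.
        if self.mode is Mode.LIVE:
            return "!!! LIVE - MESSAGES GO TO THE PUBLIC !!!"
        return "--- test session: output goes to the bench device only ---"

    def send(self, text: str, typed_confirmation: str = "") -> str:
        # Same code path in both modes, so a test exercises the real logic.
        if self.mode is Mode.LIVE and typed_confirmation != self.LIVE_PHRASE:
            raise PermissionError("live send requires the typed confirmation phrase")
        self._out.deliver(text)
        return self._out.name


if __name__ == "__main__":
    public, bench = Sink("public"), Sink("bench")  # constructed sample channels
    drill = AlertConsole(Mode.TEST, public, bench)
    print(drill.banner())
    print("routed to:", drill.send("THIS IS A DRILL"))
    print("public channel received:", public.sent)
```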
If it’s not poor design, the reports suggest some seriously poor test planning. Though I should emphasize that it probably wasn’t a failure on QA’s part. They probably wanted a test mode, but were overruled on cost or time-to-launch concerns.
Wait, it gets better: now we’re hearing the problem has been solved. According to the news stories, “the agency has changed protocols to require that two people send an alert.” In other words, the problem hasn’t been fixed at all. The possibility of a mistaken alert may have been reduced, but as long as people can click on a live “Send an alert” button while testing, they will.
Better still, by requiring two people to coordinate to send an alert, they’ve made it harder to send a real message. Let’s not forget that emergency messages are time-critical. If the message is warning of, say, a nuclear attack or a volcanic eruption, seconds could matter.
But have no fear: the Homeland Security Service assures us that we can “trust government systems. We test them every day.”
How nice. In the immortal words of Douglas Adams, “Please do not push this button again.”