Iowa’s caucus app was a disaster waiting to happen
A smartphone app designed to help announce the results of the Iowa caucus ended up crapping out, causing a massive delay of almost an entire day.
The Iowa caucus traditionally uses gatherings of people in counties across the state to determine which candidates they want to back for the presidential nomination. They use a paper trail as a way of auditing the results. While Iowa may have only 41 of the 1,990 delegates needed to nominate a Democratic candidate, the results are nevertheless seen as a nationwide barometer for who might be named to the ticket.
In an effort to modernize and speed up the process, the Iowa Democrats commissioned an app.
But the app, built by a company called Shadow Inc., failed spectacularly. Some districts had to call in their results instead.
Iowa Democrats spokesperson Mandy McClure described the app’s failure as a “reporting issue” rather than a security matter or a breach. McClure later said it was a “coding issue.” The results had been expected to land late on Monday but have now been delayed until Tuesday afternoon, according to the Iowa Democrats.
Who could have seen it coming? Actually, quite a few people.
“There was no need whatsoever for an app,” said Zeynep Tufekci, an associate professor at the University of North Carolina, in a tweet.
Little is known about the app, which has been shrouded in secrecy even after it was profiled by NPR in January. The app was the first of its kind to be used in a U.S. presidential nomination process, despite concerns that the use of electronics or apps might open up the process to hackers.
What is known is that details of its security were kept secret amid fears that it could be used by hackers to exploit the system. That’s been criticized by security experts who say “security through obscurity” is a fallacy. Homeland Security secretary Chad Wolf said on television Tuesday that the Iowa Democrats declined an offer from the agency to test the app for security flaws. And because of the secrecy, there’s no evidence to show that the app went through extensive testing — or if it did, what levels of testing and scrutiny it went through.
Some say the writing was on the wall.
“Honestly, there is no need to attribute conspiracy or call shenanigans on what happened with the new app during the Iowa caucuses,” Dan McFall, chief executive at app testing company Mobile Labs, told me in an email. “It’s a tale that we have seen with our enterprise customers for years: A new application was pushed hard to a specific high profile deadline. Mobility is much harder than people realize, so initial release was likely delayed, and to make the deadline, they cut the process of comprehensive testing and then chaos ensues.”
Others agreed. Doron Reuveni, who heads up software testing firm Applause, said the app should have gone through extensive testing and real-world testing to see the “blind spots” that the app’s own developers may not see. And Simone Petrella, chief executive of cybersecurity firm CyberVista and former analyst at the Department of Defense, said there was no need for a sophisticated solution to a simple problem.
“A Google Sheet or another shared document could suffice,” she said. “It is incredibly difficult — and costly — to build and deliver solutions that are designed to ensure security and still are intuitive to an end user,” said Petrella. “If you’re going to build a solution or application to solve for this type of issue, then you’re going to have to make sure it’s designed with security in mind from the start and do rigorous product testing and validation throughout the development process to ensure everything is captured and data is being directed properly and securely.”
The high-profile failure is likely to set off alarm bells in other districts and states with similar plans in place ahead of their respective caucuses before the Democratic National Convention in July, where the party will choose its candidate for president.
Nevada was said to be using the app next for its upcoming caucus in February, but that plan has been nixed.
“We will not be employing the same app or vendor used in the Iowa caucus,” the spokesperson said. “We had already developed a series of backups and redundant reporting systems and are currently evaluating the best path forward.”
In a tweet, Shadow Inc. expressed “regret” about the problems with the Iowa caucus, and said that it “will apply the lessons learned in the future.”
Why an app was used for such an important issue is a question that many will be asking themselves today. At least on the bright side, Iowa is now a blueprint of how not to use tech in elections.