
Iowa caucus app: no security vetting, no testing, no training – NYT [U]

Update: The Iowa Democratic Party has issued a statement, below, saying that data was correctly logged but not properly reported due to a bug in the app. It also claims that it did put the app through independent security testing, contradicting the claim made by the NYT.

Failures surrounding the use of a new Iowa caucus app have seen the Iowa Democratic Party unable to promptly report the results of the first party member vote for its 2020 presidential candidates. A report on the debacle describes it as a ‘systematic disaster’…

Background

A caucus is a meeting of local party members who express their support for a candidate by gathering in different parts of a large room. Any candidate who doesn’t get the support of at least 15% of those present is eliminated, and their supporters are asked to select a second-choice candidate. Once that process is complete, the numbers are tallied and reported to party leaders.

In the past, the reporting has usually been done by phone, and only the final numbers were reported. The party this year decided to switch to reporting via an app, and to report not just one result but three:

  • The initial support for each candidate
  • The second choice of those members who needed to realign their support
  • The final delegates who won

But the party found itself in the embarrassing position of being unable to report any of the numbers due to reported problems in using the app.

What went wrong with the Iowa caucus app?

According to a New York Times report, there were three problems. First, there was a lack of security vetting to ensure the app hadn’t been programmed to distort the results.

Cybersecurity experts worried that it had not been vetted, tested at scale, or even shown to independent experts before being introduced in Iowa.

Christopher C. Krebs, the director of the Homeland Security Department’s cybersecurity agency, said late Monday that the mobile app had not been vetted or evaluated by the agency.

Second, there was apparently no end-user testing by those who would be required to use the app on the night.

“This app has never been used in any real election or tested at a statewide scale and it’s only been contemplated for use for two months now,” said David Jefferson, a computer scientist at Lawrence Livermore National Laboratory, who also serves on the board of Verified Voting, a nonpartisan election integrity organization […]

Polk County chairman Sean Bagniewski said he had expressed concerns ahead of time. “When you have an app that you’re sending out to 1,700 people and many of them might be newer to apps and that kind of stuff, it might have been worth doing a couple months’ worth of testing.”

Third, none of the party officials had been trained in how to use it.

“The app wasn’t included in the chair training that everyone was required to take,” said Zach Simonson, the Democratic Party chair in Wapello County.

Some reportedly hadn’t even downloaded the app ahead of time!

Where results were reported, the three sets of numbers were in some cases found to be ‘inconsistent.’ While the Democrats are insistent that this is only a reporting issue, and that the actual numbers have been safely and properly recorded, it’s certainly a huge embarrassment to the party – especially in an age where foreign interference with elections is a major concern.

Experts say it shows why it would be too dangerous to move to online voting in elections.

Matt Blaze, a professor of computer science and law at Georgetown, said that introducing apps in the midst of an election posed many problems. Any type of app or program that relies on using a cellphone network to deliver results is vulnerable to problems both on the app and on the phones being used to run it, he said.

“The consensus of all experts who have been thinking about this is unequivocal,” Mr. Blaze added. “Internet and mobile voting should not be used at this time in civil elections.”

Any technology, he said, should be tested and retested by the broader cybersecurity community before being publicly introduced, to test for anything ranging from a small bug to a major vulnerability.

“I think the most important rule of thumb in introducing technology into voting is be extremely conservative,” he said […]

J. Alex Halderman, a professor of computer science at the University of Michigan, said, “This is an urgent reminder of why online voting is not ready for prime time.”

The full statement by Iowa Democratic Party Chair Troy Price can be read below.

Last night, more than 1,600 precinct caucuses gathered across the state of Iowa and at satellite caucuses around the world to demonstrate our shared values and goal of taking back the White House. The many volunteers running caucus sites, new voters registering as Democrats, and neighbors talking to each other about the future of our country demonstrated the strength of our party.

We have every indication that our systems were secure and there was not a cyber security intrusion. In preparation for the caucuses, our systems were tested by independent cybersecurity consultants.

As precinct caucus results started coming in, the IDP ran them through an accuracy and quality check. It became clear that there were inconsistencies with the reports. The underlying cause of these inconsistencies was not immediately clear, and required investigation, which took time.

As this investigation unfolded, IDP staff activated pre-planned backup measures and entered data manually. This took longer than expected.

As part of our investigation, we determined with certainty that the underlying data collected via the app was sound. While the app was recording data accurately, it was reporting out only partial data. We have determined that this was due to a coding issue in the reporting system. This issue was identified and fixed. The application’s reporting issue did not impact the ability of precinct chairs to report data accurately.

Because of the required paper documentation, we have been able to verify that the data recorded in the app and used to calculate State Delegate Equivalents is valid and accurate. Precinct level results are still being reported to the IDP. While our plan is to release results as soon as possible today, our ultimate goal is to ensure that the integrity and accuracy of the process continues to be upheld.

Photo: Pete Marovich for The New York Times


Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

