By John P. Mello Jr.
Feb 5, 2020 10:38 AM PT
A coding error in an app used to count vote totals in the Democratic caucuses in Iowa has delayed the release of final tallies, the state’s Democratic Party announced Tuesday.
Although the data collected by the app was sound, it was reporting only a portion of that data to party headquarters due to a coding issue with its reporting system, the party explained in a statement.
After discovering inconsistencies caused by the flaw, party staff implemented manual backup measures that delayed release of final tallies.
Nevada was set to use the app for its caucuses Feb. 22, but has scrapped the idea after the Iowa debacle.
The problematic app was made by Shadow, a company that builds political tools and platforms. At its website, it touts work it has done for Hillary Clinton, Barack Obama and the Democratic National Committee.
The company sincerely regrets “the delay in the reporting of the results of last night’s Iowa caucuses and the uncertainty it has caused to the candidates, their campaigns and Democratic caucus-goers,” CEO Gerard Niemira wrote in an online post.
“We will apply the lessons learned in the future, and have already corrected the underlying technology issue,” he added.
Shadow did not respond to our request to comment for this story.
Inadequate Testing
Although details about the app remain sketchy, it seems that it was rushed to market.
“It was tested for two months. It should have been tested for far longer than that,” said Bruce deGrazia, program chair for cybersecurity management and policy at the University of Maryland Global Campus in Adelphi, Maryland.
“You don’t bring something like this out in the middle of an election cycle,” he told the E-Commerce Times. “That’s just asking for trouble. And guess what? That’s what happened.”
Organizations never should rely on brand new technology during the immediate lead-up to a critical event, said Jamil Jaffer, senior vice president at IronNet, a network security company in Fulton, Maryland.
“You want to have vetted it and tested it and be relying on something you’ve had experience with,” he told the E-Commerce Times.
At the minimum, there appears to be a failure to perform adequate functional and stress testing of the app and its back-end systems, noted Jack Mannino, CEO of nVisium, a Herndon, Virginia-based application security provider.
Systems perform differently in preproduction and live environments due to a number of factors, including volume of usage, heavy loads and component failures, he explained.
“This is why exhaustive and comprehensive testing must be done across the software development lifecycle — from prototype development through integration to preproduction or simulated environment — and especially before live deployment for such mission-critical applications,” he told the E-Commerce Times.
“It’s so important that people have faith in the results of elections, so it’s extremely important to vet these applications with extensive load testing before they’re deployed,” added Mark Graff, CEO of Tellagraff, a cybersecurity consultancy.
“Testing at load is critical for all election applications,” he told the E-Commerce Times.
Need for White Hats
It appears that Shadow’s developers did all their testing in-house, observed Michael Covington, vice president of product at Wandera, an enterprise mobile security and data management provider in San Francisco.
“When producing an app with this much visibility, they really should have made an effort to collaborate with the White Hat hacker community in an effort to truly vet the security properties of the app and back-end supporting systems,” he told the E-Commerce Times.
Any app used in the democratic process should be released as open source software — or at the very least, be submitted to an independent organization for a complete static and dynamic code analysis, suggested Richard Henderson, head of global threat intelligence at Lastline, a cloud-based provider of threat intelligence in Redwood City, California.
“How was something so obvious as ensuring the transmission of an accurate count missed? That’s a pretty substantial flaw,” he told the E-Commerce Times.
It was “entirely irresponsible of the Iowa Democratic Party and the app developer to approve the use of this app without adequate testing,” said Josh Bohls, CEO of Inkscreen, a maker of enterprise mobility security solutions in Austin, Texas.
The app was not dealing with much data or demand, he noted.
“There were only 1,600 caucus sites,” Bohls told the E-Commerce Times. “That is an incredibly small number of endpoints connected to a centralized database that is only required to collect and process around 250 thousand records. In the app world, that is not much data.”
Disinformation Fodder
While the voting technology used by the Iowa Democratic Party was flawed, there are some bigger questions that must be answered, noted Parham Eftekhari, executive director of the Institute for Critical Infrastructure Technology, a cybersecurity think tank in Chicago.
“The real question is, ‘How did we get here?’ Where did the decision-making process fail that led to the development of a piece of technology that wasn’t properly tested and didn’t work? After the paper ballots are counted, they need to do a major dissection of the entire process,” he told the E-Commerce Times.
Whenever technology fails in a very public way, the consequences can be severe.
“Unfortunately, a failure like the one in Iowa will have a lasting impact on the public’s trust in using information technology to adequately and accurately support future elections, whether they’re held at state or national level,” Mannino said.
“I think many people will point to this debacle as an argument against technology in future elections,” said Paul Bischoff, privacy advocate at Comparitech, a reviews, advice and information website for consumer security products.
“The many conspiracy theories surrounding the app will fuel distrust,” he told the E-Commerce Times.
Ideally, the problems in Iowa will help spur more rigorous future vetting and testing, not only of mobile apps but also of any digital aspect of the voting infrastructure, said Andrea Little Limbago, chief social scientist at Virtru, a data protection company in Washington, D.C.
However, the biggest impact of the Iowa snafu may not be technical, she added.
“It will likely be used in disinformation campaigns that attempt to weaken the faith of Americans in free and fair elections, and will provide fodder for those who question election results,” she told the E-Commerce Times.
“In fact, it actually demonstrates the opposite — how a resilient system built on checks and balances and audit trails is foundational to election integrity,” said Limbago. “Hopefully that is the narrative that will prevail.”