What Went Wrong With the Iowa Caucus App?
Isadora Teich wrote this article
There was a lot of hysteria surrounding the botched release of the IowaReporterApp.
Blame for its failure was either directly placed or implied to rest on the shoulders of many different sources; from the app creators themselves to the Iowa Democrats.
But even before its release, there were echoes of concern.
Many experts cited a lack of testing, rushed creation, potential security holes, and the overall secrecy surrounding it as major potential issues.
In the days leading up to caucus night, the IowaReporterApp was considered to be a potential target for early election interference, according to the Des Moines Register.
It turns out they were right.
In the days following the app’s now-infamously failed launch, conspiracy theories flooded the internet.
In leftwing circles, many felt this was the DNC’s attempt to crush the lead of popular candidate Bernie Sanders. This opinion was even echoed by major news publications like The Guardian.
On both the right and left, a Russian interference conspiracy took root. This opinion was echoed by Democratic Rep. Sheila Jackson Lee of Texas and reported on by rightwing news site The Federalist.
At an FBI oversight hearing in the House Judiciary Committee with FBI Director Christopher Wray, Jackson Lee said:
“I hope that the Iowa Democrats will ask for an FBI investigation on the app. I believe that Russia has been engaged in and interfering with a number of our elections.”
But, what actually went wrong with the app?
Let’s take a look.
First, Why All The Fuss About Iowa?
Iowa has a special position during the presidential campaign season.
It is widely considered to be a reliable indicator of a candidate’s national popularity.
While it is not a guarantee set in stone; if a candidate takes Iowa, it is very likely they will be the democratic nominee.
The Iowa Caucus traditionally used gatherings of people throughout the state to pick the democratic candidate.
This year, the Iowa Democrats sought to modernize their infrastructure, speeding up the process via an app (good idea), alongside changes to the caucus itself (bad idea).
There is already a substantial learning curve to contend with when it comes to ensuring the smooth rollout of an entirely new technology, and this, coupled with changes in protocol, is not necessarily a recipe for success.
This year, for the first time, there were supposed to be three sets of results — instead of one.
Precinct chairs were supposed to use the IowaReporterApp to report each individual vote cast.
However, they could also do this via phone if they didn’t want to use the app.
This year, for the first time, a paper trail of votes was introduced into the mix as well.
If this seems confusing to you, you are not alone.
The people participating in the Caucus couldn’t wrap their heads around it, either.
The rule changes and a buggy app combined ground the Caucus to a complete halt. The IowaReporterApp turned out to be so buggy that a reporter who downloaded it couldn’t even open it. Many people reported issues in using and even just opening it. Apparently, simply logging into it was difficult, and sometimes even impossible due to strange error messages.
The app was also not available in app stores, forcing users to have to sideload it (never a good idea, folks).
Many daily smartphone users have never side-loaded an app from outside of an app store and don’t even know what that means.
Essentially, users had to download it from another channel because it was not available in the App Store or Google Play Store. This process can be difficult for even savvy smartphone users.
On top of being hard to access for numerous reasons, it was also plagued with data-reporting errors.
This led to statewide confusion and an almost day-long delay in results.
With the added pressure and importance of the Iowa Caucus, this truly became a national nightmare.
Conspiracies and Chaos
One big reason so many conspiracy theories have flourished is that the app (and the organization who developed it) largely remains shrouded in mystery.
They refused to reveal practically anything at all prior to it’s release and even after, due to fears of hackers misusing the information.
The app was profiled by NPR in January, and even in that interview, Troy Price, chairman of the Iowa Democratic Party, refused to answer basic questions about who designed the app, or what security measures had been put in place.
This move was criticized by many experts.
“The idea of security through obscurity is almost always a mistake,” said Doug Jones, a computer science professor at the University of Iowa. Jones is also a former caucus precinct leader.
Homeland Security secretary Chad Wolf said that the agency had even offered to test the app for security flaws.
Third-party testing is typically a critical part of app development during quality assurance testing.
The Iowa democrats declined, and because of the lack of transparency, there is literally no proof that the necessary testing was done at all.
A Potential Security Nightmare
In another strange twist, potential failure to adequately test the app due to security concerns aside, the app itself was actually a huge security nightmare.
According to officials at Massachusetts-based Veracode, a security firm that reviewed the software at the request of ProPublica, the IowaReporterApp lacked key safeguards to prevent hacking. It was actually so insecure that vote totals, passwords, and other sensitive information could have been intercepted or manipulated easily. Transmissions to and from the phone via the app were virtually unprotected.
In an effort to maintain security in case future apps are created for this purpose and used on a mass scale, news outlets are choosing not to report on the specific failures within the app.
However, Chris Wysopal, Veracode’s Chief Technology Officer, said that, in general, the problems were simple and a result of the party’s failure to adequately test and fix their app prior to release.
He said: “It is important for all mobile apps that deal with sensitive data to have adequate security testing, and have any vulnerabilities fixed before being released for use.”
Who Is Behind The App?
After the debacle, we found out that the app was built by a for-profit company called Shadow Inc.
Shadow promotes itself in this way:
Our mission is to build political power for the progressive movement by developing affordable and easy-to-use tools for teams and budgets of any size.
State campaign finance records via HuffPost show that the Iowa Democratic Party paid Shadow $60,000 to build the app in November 2019.
Then, sources briefed on the app by the party told the New York Times that the app was created in only two months time.
While there are no strict rules about how much time you have to spend building an app, this was clearly not enough time to build a functional and secure app.
There was likely almost no testing or tweaking to improve the IowaReporterApp given this timeframe.
Despite the importance of it working, and the sensitive information it would handle, it was never tested on a statewide scale.
It is very possible, that due to the party’s rush to get it done, their security fears, and their general lack of tech literacy, Shadow was pressured to release the app before it was ready.
It’s likely the Democrats had no idea of the severity of the mistake they were making until it was too late.
Shadow’s Secrecy and Strange Ties Raise Questions
As a company that works specifically with democratic candidates, it makes sense that Shadow has ties to a number of them.
These include Joe Biden and Pete Buttigieg.
This has even led to suspicions that Buttiegieg and Shadow had worked together to disrupt the caucus.
The fact that Buttigieg declared his victory in Iowa on Twitter in the midst of the chaos, before any numbers had been released, did not sit well with many people.
Another not quite so palatable aspect of all this is the overall shroud of mystery surrounding Shadow (name aside).
On their website, for example, they showcase no employee names, photos, or information.
The company itself boasts ties to numerous powerful democrats and companies, but is not open about who is behind it.
Shadow also has unclear ties to a non-profit and left-leaning digital consulting company Acronym, which may or may not be a bunch of intertwined organizations involved in tech and politics.
A year ago, Acronym announced they were launching Shadow.
However, after the Caucus debacle, Acronym CEO Tara McGowan tweeted that Shadow was just an independent company Acronym invested in — that they themselves were not behind the organization.
I cannot reliably tell you what the actual truth of the situation is.
No one is sure.
And that is a big part of the problem.
Essentially, we have an app development company with intriguing political connections and mysterious inner workings that created an app shrouded in secrecy without proper testing that worked so poorly, it turned an important political event into chaos.
Why Was The App Such A Disaster?
To be perfectly honest, from the perspective of an app developer, this situation is pretty unbelievable.
The Iowa Democratic party spent a good chunk of money to have an app developed that would be capable of delivering sensitive information and would have powerful implications for the users it was developed for.
To hear Shadow did not embark on actually building this app until late November of 2019, and was expected to be ready by the Iowa Caucus — that is just an impossible order to meet.
Even simple apps with far less pre-loaded features take time and care to develop.
They will likely go through multiple rounds of testing — just to get things right.
In the 2016 Iowa caucus, similar apps were used by both Democrats and Republicans — we just didn’t hear about them because they worked.
Leading up to 2016, the parties had partnered with Microsoft, who contracted a company called InterKnowlogy to build out their apps.
InterKnowlogy had nearly two decades of experience in app development and a long, positive track record.
Shadow Inc, on the other hand, had no such track record of working on projects of this scale.
InterKnowlogy co-founder and co-CEO Rodney Guzman said that his company had about a year to create the 2016 apps.
The first three months alone were spent on product design, meeting with both parties, and doing usability studies to figure out how to make an app that would be easy for users to operate — regardless of their tech experience.
InterKnowlogy spent more time on just groundwork leading up to 2016 than Shadow spent on their entire app in 2020.
Michael Gramley, a software engineer who worked on some of InterKnowlogys apps, told Recode:
“To me, as an engineer, that just sounds nuts. You cannot make a stable platform in two months. We needed that much time just to test everything. If they really did that, then whoever the management was in that company set their engineers up to fail.”
The Iowa Democrats likely did not understand this.
Perhaps they lacked the technological literacy necessary to understand that what they were seeking to do just wasn’t possible — even right out of the gate.
There was certainly good intent behind unleashing an albeit untested and wildly insecure app on an entire state as part of the national election process, but someone who knew anything about apps would never have even considered this.
It was, best case scenario, naive of Shadow to agree to work on such a tight timeline with such specific, important constraints.
But no matter what, it was irresponsible of both parties.
Guzman said he would have never even attempt to create something so important so quickly.
“There’s too much at risk”, he told Recode. “I just wouldn’t have done it.”
A Lack Of Transparency
The belief that secrecy alone would make the app safe to use was another nail in the IowaReporterApp’s coffin.
It looks a lot like the party chose to avoid third-party testing entirely over these security fears.
Also, secrecy is a breeding ground for suspicion and fear.
This blog post mentions several prominent conspiracy theories that made the rounds following the now-infamous Iowa Caucus app meltdown.
Unfortunately, it barely scratches the surface of the theories that still abound.
If Shadow and/or the Iowa Democrats had been transparent from the beginning, it’s likely that the disaster never would have happened in the first place.
For one, people are not suspicious of what they feel they can understand.
Secondly, third-party testing would have likely led to an app that ultimately worked.
Beta testing should have been done on some scale, rather than just assuming that the app would work and people would be able to use it.
While it might seem out there, even some kind of large, mock vote performed secretly might have been useful to ensure it could hold up to real-world usage levels.
But their misplaced paranoia turned what was likely just gross incompetence into a news cycle that read like a series of spy novels.
So, What Can We Take Away From This?
This unfortunate technological blunder illustrates three very important points for appreneurs and companies to consider before heading into app development:
1) Apps are not built overnight. They require careful repeated testing and tweaking before release. For the IowaReporterApp to have been released to do such an important job without adequate testing is almost unbelievable. An app of this scale needed six months at an absolute minimum to get right.
2) Transparency is key. Let people know what you are doing and why. Communicate with your users and the public openly. If not, it can permanently damage your reputation. People will forgive simple mistakes. They will not forgive you if they feel like you fundamentally cannot be trusted. Companies related to Shadow are dumping it. Also, they made a similar app for the Democratic Nevada Caucus, and the Nevada Democrats released a statement that they would not be using it. It will likely be a long time before another state attempts to caucus with an app.
3) Take the time to make sure your app is secure. Due to security holes in the IowaReporterApp, things actually could have been a whole lot worse if it had ended up working properly.
4) Take extreme caution partnering with an untested app agency. Seriously. Do your research, and take careful stock of who they’ve partnered with in the past. Remember that if it sounds too good to be true when it comes to cost and timeline, it probably very likely is.
What do you think of the whole situation? Talk to me.
About ChopDawg.com: Since 2009, we have helped create 300+ next-generation apps for startups, Fortune 500s, growing businesses, and non-profits from around the globe. Think Partner, Not Agency.
Follow us on Twitter
Like us on Facebook
Double tap us at Instagram
Connect with us on LinkedIn
Find us on social at #MakeItAppn®