As Democrats approach the long-awaited Iowa caucus on February 3rd, a new smartphone app set to be used for calculating the results of the event has come under fire for its major lack of electoral security and its undisclosed origins, according to a recent report published by NPR.
Unlike a simple primary vote where voters cast a ballot and the highest vote count wins, caucuses are determined via social affair — held across state gymnasiums, churches, recreation centers, or others — where delegates physically stand in their candidate’s assigned corner and caucus managers determine the results on site.
In adhering to these old-timey practices, Iowa’s Democratic Party chairman Troy Price has argued the app will modernize the vote and help “get results out to the public quicker”, all the while ignoring press questions about who exactly designed the app and what specific systems are in place to ensure election integrity. As of now, we only have his word.
“We as the party have taken this very seriously, and we know how important it is for us to make sure that our process is secure and that we protect the integrity of the process,” Price says. “We want to make sure we are not relaying information that could be used against us. If there is a challenge, we’ll be ready with a backup and a backup to that backup and a backup to the backup to the backup. We are fully prepared to make sure that we can get these results in and get those results in accurately.”
While this flowery language of politician-speak sounds nice, there’s a trend of ‘tell, don’t show’ that was also repeated by the Democratic National Committee (DNC), the Democratic Party’s ever-controversial governing body, which has reportedly reviewed and approved of both the app and the caucus security plans. At the time, neither caucus managers, party members, or the DNC revealed the app’s developers and methods, only their approval. Party officials say “operational security prevents them from disclosing specifics about the app”, but further revelations suggest security isn’t up to snuff.
According to confirmations from Price, the app will also be downloaded onto the insecure personal smartphones of the caucus precinct and its own party leaders, not through security hardware provided by the party or independent bodies. Betsy Cooper, director of the Aspen Tech Policy Hub at the Aspen Institute, told NBC News this matter only makes the app more likely to receive an attack as hackers could better obtain sensitive messages, emails, and passwords to strike. “I sure hope the engineers building it are among the best on the planet,” Cooper says, adding that it’s like “giving away the keys to the kingdom and making it easier for hackers to get in.”
This begs the obvious question: why use the app at all? Caucuses are inherently interpersonal, allowing for several witnesses and paper records to help correct cyber-attacks should there be an investigation. In 2020, it appears delegates will be given a physical, numbered presidential preference card to record their choice, set to be delivered to the Iowa Democratic Party through an established chain of custody. By contrast, Kiersten Todt, managing director of the cybersecurity non-profit Cyber Readiness Institute, told NBC News the phones “can be breached in a heartbeat”, yet it is the “preferred” method for managers to report results, according to the caucus manager handbook.
NPR interviewed several other cybersecurity experts who found the lack of transparency on the matter not only unhelpful to protecting the system but also counterproductive. “The idea of security through obscurity is almost always a mistake,” said Doug Jones, a computer science professor at the University of Iowa and a former caucus precinct leader. “Drawing the blinds on the process leaves us, in the public, in a position where we can’t even assess the competence of the people doing something on our behalf.”
The NPR report also makes note of how the state party is working with the national party’s elusive cybersecurity team alongside Harvard University’s Defending Digital Democracy Project, although their relationship to the app remains unclear. NBC only mentions that the developer is conducting election threat simulations with Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), according to a statement from Matt Masterson, a senior cybersecurity adviser at the agency.
Price declined to answer whether any other third-party investigation even looked into the app, let alone found any vulnerabilities before the event. David Bergstein, a DNC spokesperson, told NBC News that there’s simply nothing to worry about here as “the security of [Iowa] caucuses [are taken] extremely seriously from all perspectives.”
The word of the DNC, however, doesn’t mean very much considering the organization’s previous court testimonies arguing they’re actually a “private organization” under no obligation to ensure “fair and impartial elections” to their voters, despite such a mandate being listed verbatim within their charter.
For more context, the civil lawsuit where the statement originates was in regard to key DNC leadership favoring 2016 primary candidate Hillary Clinton over her rival Bernie Sanders. For an electoral app to be overseen by such undemocratic forces without third party watchdogs, it’s clear they’re not an authority on fair, impartial and secure electoral practice, whether it's through deceptive malice or just plain negligence.
If the wrong results go reported because of a hack, a glitch or shady political power grabs, “the damage to public confidence would be catastrophic,” Jones argues, implying greater power should be given to security watch-dogs. “Once you report something, it’s really hard to undo it, no matter how many retractions you print, no matter how many apologies you say, it’s too late, from that point of view, someone hacking the reporting process, even though its purpose is entirely informal, not intended to have any permanent importance, is something that could be very disruptive.”
