Articles spotted by Hervé Le Crosnier

I take notes here on my reading. The quotations come from the articles cited.

  • How a Bad App—Not the Russians—Plunged Iowa Into Chaos - The Atlantic
    https://www.theatlantic.com/technology/archive/2020/02/bad-app-not-russians-plunged-iowa-into-chaos/606052

    You may be wondering if the Iowa caucus chaos is a hit job by election-meddling Russians. The morning after caucus-goers filed into high-school gyms across Iowa, the state’s Democratic Party is still unable to produce results. The app it developed for precisely this purpose seems to have crashed. The party was questioned before by experts about the wisdom of using a secretive app that would be deployed at a crucial juncture, but the concerns were brushed away. Troy Price, the state party’s chairman, claimed that if anything went wrong with the app, staffers would be ready “with a backup and a backup to that backup and a backup to the backup to the backup.” And yet, more than 12 hours after the end of the caucus, they are unable to produce results. Last night, some precinct officials even waited on hold for an hour to report the results—and got hung up on.

    If the Russians were responsible for this confusion and disarray, that might be a relatively easy problem to fix. This is worse.

    It appears that the Iowa Democrats nixed the plan to have precincts call in their results, and instead hired a for-profit tech firm, aptly named Shadow, to tally the caucus results. (As if the name weren’t enough to fuel conspiracies, the firm is run by an alum of Hillary Clinton’s presidential campaign.) The party paid Shadow $60,000 to develop an app that would tally the results, but gave the company only two months to do it. Worried about Russian hacking, the party addressed security in all the wrong ways: It did not open up the app to outside testing or challenge by independent security experts.

    This method is sometimes dubbed “security through obscurity,” and while there are instances for which it might be appropriate, it is a fragile method, especially unsuited to anything public on the internet that might invite an attack. For example, putting a spare key in a secret place in your backyard isn’t a terrible practice, because the odds are low that someone will be highly motivated to break into any given house and manage to look exactly in the right place (well, unless you put it under the mat). But when there are more significant incentives and the system is open to challenge by anyone in the world, as with anything on the internet, someone will likely find a way to get the keys, as the Motion Picture Association of America found out when its supposedly obscure digital keys, meant to prevent copyright infringement, quickly leaked. Shadow’s app was going to be used widely on caucus day, and independent security experts warned that this method wasn’t going to work. The company didn’t listen.

    But why bother hacking the system? Anything developed this rapidly that has not been properly stress-tested—and is being used in the wild by thousands of people at the same time—is likely to crash the first time it is deployed.

    There never should have been an app. There are officials responsible for precinct results, but there are also representatives of campaigns on the ground in every precinct. Even without a more substantial reform of the complex and demanding caucus process, a simple adversarial confirmation system (a process used by many countries) would have worked well.

    America already knows how to do election integrity. The National Academy of Sciences released a lengthy report about it last year, complete with evidence-based recommendations for every step of the electoral process. I wrote a summary of that report, but the full thing is available online. It tells us why optical paper-scan systems offer us the best mix of convenience and security, and advises us how to keep a proper paper trail. Experts and civil-society organizations have been advocating for these changes for years. It would take just a bit of money and political will to fix much of this, and fairly quickly. Instead, we’ve kicked off a 2020 election season that promises to be fraught in any number of ways. Several campaigns have reported that the same app is due to be used in Nevada in just three weeks.

    Who needs the Russians?

    #Zeynep_Tufekci #Iowa_Caucus #App_inutile #Cybersécurité