Iowa Caucus App Fiasco Shows Need for Open Source Transparency

4 February 2020

The Iowa caucuses were thrown into disarray as reports surfaced that an opaque app used to tabulate the results and report them to Democratic Party officials was reporting only part of the required data. Although the app had been developed to improve efficiency in communicating the final caucus tallies, it ended up causing significant delays. According to security experts, the incident highlighted the risks of relying on digital systems, of centralizing information, and of a lack of transparency regarding these systems.

On Tuesday morning, Iowa Democratic Party Chair Troy Price released a statement defending the caucus, saying the underlying data recorded was accurate and that due to paper records party officials were able to double-check the data. 

Reporting issues were “due to a coding issue in the reporting system. This issue was identified and fixed. The application’s reporting issue did not impact the ability of precinct chairs to report data accurately.”

A 2019 report from Verimatrix, a software security company, said it is considered acceptable for there to be between 15 and 50 errors per 1,000 lines of code. The average app comprises 50,000 lines of code, which would translate to an industry-accepted average of 2,500 errors.

“The error rate or bug density varies between apps. It depends on the security education the app developers have, the quality of code testing and reviews,” said Asaf Ashkenazi, Verimatrix’s chief operating officer. “For example, in the Iowa Democratic Party case, based on reports, it seems the testing process was not adequate.”

While this may be an acceptable level of risk for, say, Candy Crush, it’s a different matter when the app is handling primary election data. And those risks were compounded by the fact that little information about the app was made publicly available in advance of the caucuses. The Iowa Democratic Party refused to divulge the name of the app, but it was developed by Shadow, a Democratic technology firm. In a statement, the company said “the underlying data and collection process via Shadow’s mobile caucus app was sound and accurate, but our process to transmit that caucus results data generated via the app to the IDP was not.”

By using the app, the party introduced one more point of failure into the caucus should it malfunction. And it did.

Joshua Simmons, a board member of the Open Source Initiative, which promotes and protects open source software, believes software like this should necessarily be transparent. 

“When something as important as an election is at stake, it is, frankly, malpractice to allow proprietary software,” Simmons said. “Open-source licensed software guarantees security researchers have access to vet and improve the software before it’s put into use.”

Simmons said trust in institutions and the systems they employ is critical to any functioning democracy and that over the last few years he’s seen growing skepticism and cynicism. 

“Open source is an important step in creating transparency, cultivating trust and building more resilient systems,” he said. 

The Iowa Democratic Party had declined to name the app’s developer to deter outside interference from an adversarial third party, such as Russia.

“Based on news reports, it looks like the app was not properly tested, which is alarming,” Ashkenazi said. “I believe that any app owner should make information available on what processes are being used to test its app and what technologies are used to shield the app from hackers. This practice can provide more confidence.”

This lack of transparency results not just in technical errors that subvert trust in the app, but also opens the door for misinformation and conspiracy theories to take hold.

The Bernie Sanders campaign released its own internal numbers last night, showing a Sanders victory. Pete Buttigieg declared victory before any precinct results were reported. Conspiracy theories were widespread on social media and are only likely to multiply as time goes on.

The confusion and misinformation come amid a wider decline in trust in democratic institutions.

The Edelman 2020 Trust Barometer, which measures people’s level of trust in institutions, found that people today grant their trust based on competence (which they define as “delivering on promises”) and ethical behavior (which they define as “doing the right thing and working to improve society”). The report found that neither business nor the government is seen as competent and ethical. Will the Iowa caucuses only reinforce this?

The idea of blockchain in voting as a way to immutably tally results has garnered support from some in the blockchain community while drawing fire from cybersecurity experts. My colleague Adam Levine wrote today about what role blockchain may have been able to play here, and he says that while it may have helped in some aspects, it certainly would not have fixed the fundamental issues at play. 

Decentralized solutions reduce our reliance on singular entities that are fallible and that, when they break, can take people’s trust in institutions with them. The app was introduced in the name of efficiency and centralizing the data, but it also created a single point that, if it broke, could throw the information it contained into question.

Whether blockchain is the solution to election infrastructure weaknesses is an open question. But blockchain technology raises the question of whether that infrastructure is over-centralized and liable to failure. Exclusionary technologies, developed in a walled garden, evade outside scrutiny. They show the risks of relying on that status quo when it comes to our elections.