Iowa caucus voting app’s ‘security through obscurity’ seeds disinformation and legitimacy concerns

February 3, 2020, 3:30 PM UTC

When Iowans caucus Monday evening for their preferred Democratic presidential nominee, party leaders will be encouraged to use a new smartphone app to tally and transmit results. The app will allow caucus managers, Democrats who run the caucus process in each of Iowa’s 1,678 precincts, to quickly report results back to the state for tabulation. But that’s about all party leaders in Iowa have said about the app: It exists.

Last week, party officials said keeping specifics of the app confidential is a strategic move to ensure it remains secure and out of hackers’ crosshairs. “We are confident in the security systems we have in place,” Iowa Democratic Party Chairman Troy Price told the Wall Street Journal.

This lack of transparency has alarmed cybersecurity and election tech experts, who say the strategy could backfire and leave the caucuses open to powerful disinformation campaigns. Multiple security officials confirmed to Fortune that they reached out to the DNC to express their concern about the lack of communication surrounding the app.

“Security through obscurity doesn’t engender trust—and trust in the electoral process is a cornerstone of fair democratic elections,” says Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center.

The Iowa Democratic party did not respond to multiple requests for comment by Fortune about the app, including what security testing has been done on it, and who will be responsible for auditing the votes after the caucuses.

Multiple sources tell Fortune that the DNC partnered with the Department of Homeland Security and Harvard University’s Defending Digital Democracy (D3P) project to develop the app. But, that alone raises a yellow flag, says Gregory Miller, co-founder and COO of the OSET Institute, a nonpartisan, nonprofit group focussed on open source election technology. “Harvard’s D3 Project focuses on process (not platform), and to a lesser extent, policy,” he adds. “D3 is not any kind of qualified technical cybersecurity assessment organization.”

(After publication—and the chaos of the Iowa caucus—sources clarified their previous statements. Harvard’s D3P project and the DHS were brought in to consult on general election security, but they did not specifically test or contribute to the development of the app used.)

Disinformation campaigns love a vacuum, and—filling in the space where security details would typically be—conspiracy theories and questions over the integrity of the app are rising online in advance of the caucuses.

“Because there’s no transparency and no one can answer questions, it makes it all much easier to create an effective rumor or conspiracy theory,” says Edward Perez, OSET’s global director of technology development. “All that is necessary for a disinformation campaign to be effective is to say something that causes doubt.”

Cloudy security

This is not the first time Iowa has used tech in the caucus process—it’s just the first time parties involved have revealed nothing more about it. 

In 2016, Microsoft created two special apps: one for the Democrats and another for the Republicans to use when calculating and submitting their caucus results.

“Built on Microsoft technology, the new platform will feature a secure system, which will enable precincts to report their results directly by party and will ensure that only authorized Iowans are reporting results,” Microsoft said in a 2015 blog post. The results were stored and managed on Microsoft’s Azure cloud platform. A spokesperson for the company tells Fortune that Microsoft is not working with the Iowa Democrats on the 2020 election app.

Miller contends that if the 2020 app was being supported on a popular, secure server like Google or Amazon’s cloud platforms, there would be no need for the silence.

Instead, he tells Fortune, there may be other reasons for cloaking the name of the developer. “It could well be they’re using off-shore, low-cost developers, which would have hugely bad optics, regardless of where they come from,” he says.

Another possibility, Miller posits, is that “it’s a local ‘Joe’s App Shop’ developer, who will likely get paid to run the back-end.” Disclosing that fact wouldn’t just call into question the developer’s credentials and cybersecurity qualifications, but would expose it as a target for hackers.

The mystery surrounding the caucus app developer also concerns Mackey. “Since most businesses also operate with a desire for their customers to trust them, I would expect any vendor of electoral software—including apps—to be proud of their contribution to the execution of fair elections and thus want their name associated with the election,” he says.

Integrity and the Internet

According to Miller, the app being connected to the Internet “is downright alarming and candidly suggests that some part or all of the Democratic Party operations are tone deaf to the current well-documented Internet voting risks.”

But it’s worth noting that the state’s first-in-the-nation process does come with built-in transparency that makes it different than other elections that use secret ballots. Iowa’s caucuses involve groups of people gathering in rooms at their local precinct to openly choose a candidate. This makes it more difficult to fix election results, since voters will know the outcome of the caucus in their precinct. This year, for the first time ever, voters will also be asked to fill out a presidential preference card, creating a paper trail of the vote, in case the app leads to any irregularities.

“In the context of the Iowa caucuses, the use of an app is an attempt to better account for the challenges of how the caucuses operate,” Mackey says.

However, as technology becomes an increasingly large part of the voting process, security vendors, political parties and the local government officials in charge of overseeing the vote need to be transparent about the tech they’re using, who makes it, and the types of security testing it has undergone, Mackey says.

In the case of Monday’s caucuses, OSET tells Fortune that the app has yet to be stress-tested. A report out of Iowa says caucus leaders using Android phones are having issues with it. Is either of these allegations true? With the DNC not responding and the app’s developer a mystery, it’s unclear. When considering whether they trust the new app, Iowans, as the voting process begins, will just have to go with their gut—just like they do when they vote.

“Trust is the fulcrum of the stability of our democracy, and it is the product of two things: transparency and communication,” says Miller. “In the absence of those elements, it’s hard to establish trust.”

Clarification, February 4, 2020: After publication, sources clarified the involvement of two groups brought in to consult on the development of the app.
