So the Democratic party of Iowa tried to use an untested app to report caucus results during the Iowa primary caucus, and… It went as well as you’d expect. Digging deeper into the app, it should’ve been obvious this was never going to work.
In this case, however, it looks like Shadow used a test platform for the app’s public distribution. Installing software through a test platform or sideloading onto your device manually both come with security risks, as app store review processes are designed to discover whether a piece of software is hiding malware or does something behind the scenes it’s not supposed to. In the event you do sideload an app or try installing an unofficial version, your smartphone typically warns you of the risks and asks if you want to proceed. It’s also a less stable model for deploying software at scale, which might explain the difficulty precinct chiefs had in downloading the program.
The screenshot from Motherboard also shows that the app was distributed using the platform’s free tier and not its enterprise one. That means Shadow didn’t even pony up for the TestFairy plan that comes with single sign-on authentication, unlimited data retention, and end-to-end encryption. Instead, it looks like the company used the version of TestFairy anyone can try for free, which deletes any app data after 30 days and limits the number of test users that can access the app to 200.
What an unmitigated disaster. We’re in 2020 right? Not in 1783?
If it was 1783, we wouldn’t have problems with electronic votes, as it would all be done through tried-and-tested paper ballots. Just like every single electoral vote should be done.
Computers are a wonderful invention, and assist in making many tasks safer, more secure, and easier.
Voting isn’t one of them though.
The123king,
Computers aren’t the problem, but I don’t think that anyone in charge understands how critically important it is that these systems be open source and fully redundant (hardware, software, and personnel). Proprietary black boxes are never acceptable!!!
We need independent engineers to run elections!
I think everyone does understand these systems need to be transparent and auditable which is why everyone runs the other way. Everyone sees the potential to put their thumb on the scale, and they take the opportunity. Which voting machine CEO is on record as saying they’ll win elections for Republicans?
The bigger problem is politics becoming a part of people’s identities. It’s part of their lifestyle, and they will uncritically rally around their chosen totem.
Let’s face it, the US is pretty much a failed state at this point, especially after yesterday’s acquittal, and elections are just performance pieces in many parts of the country.
Flatland_Spider,
So you are suggesting that the use of proprietary & vulnerable voting boxes behind elections IS NOT a byproduct of politicians who misunderstand the technology, but rather a deliberate choice to put their thumb on the scale…I see.
Well, in the case of Iowa, I don’t really see evidence that malicious intent was involved, but if it was then wow…somebody really played their hand exceptionally well, plausible deniability and all. This kind of scheme is above Trump’s pay grade, that’s Putin-level manipulation right there.
Correct. People are working in bad faith. It doesn’t have to be Putin level, just a very hardcore right wing programmer who slips in a special key combo which gets leaked to the right people. Then there is a poll worker who has been radicalized by Fox News and religiously believes in the cause. It’s very benign and incredibly boring.
There are a lot of operatives working to get people elected who advance their agendas. The politicians are merely public faces, and it’s very much a Wizard of Oz scenario. You know “pay no attention to the man behind the curtain.” Lots of stuff has come out, in regards to gerrymandering, that shows it’s a well coordinated effort to obtain power and dilute the power of the opposition.
I’m not saying ignorance doesn’t play a part. I’m just saying politicians want to hear “we can get you elected”, and they don’t ask questions about how.
I know I sound like I’m wearing a tinfoil hat. :\
This has been an excerpt from my essay “Why a Con Artist and Stupid Grifter (Trump) is the Perfect Zeitgeist of Our Times.” Thank you for reading, and subscribe to my mailing list. This concludes my performance.
I’ve heard there are connections to the Clintons, and it was to undermine Bernie and promote Buttigieg as the frontrunner. Seriously. People have made that statement, and the second part is plausible.
Realistically, it was a bunch of shoddy work. Per some comments on some other sites, the app itself functioned correctly, but it was the data transfer to the DNC which failed.
Flatland_Spider,
I through that in there to be a bit tongue and cheek 🙂
I don’t know why they even needed an app at all, a webpage would have been just as good without forcing anyone to fuss around with installing apps.
I bet Shadow Inc (the developer in this case) probably made several times my yearly salary to build it. This is something high school level programmers should be able to do as a class project and I’d expect it to actually work. Obviously more expertise is needed to make sure it’s secure, but at least it should have worked! This was a display of incompetence.
s/through/threw/
If it was 1783 it probably would have had large scale voter intimidation, ballot stuffing, a minor riot, votes being blatantly sold on site. And it still would have been better organised than that shower in Iowa.
This is the most 2020 thing to happen so far this year.
What could be more 2020 than some a**h***s rushing out a poorly planned idea, because technology, in the jankiest way possible with it cratering in spectacular fashion. The only thing they didn’t do is headquarter in San Francisco and file for an IPO.
Rose-tinted glasses, hindsight, etc, but this is the state of the software industry in decade 2 of the 21st century. We’re living in the space age! 😀 Everything is a computer and nothing works for you. XD
> This is the most 2020 thing to happen so far this year.
Remember, 2020 isn’t over 😉 Plenty more could happen – war with _____; global pandemic; huge ice sheet calve from Antarctica -> Thames floods London, several semi-minor islands gone; failed EMP -> New York City blacks out for 6 months or so, causes global recession; global recession (other than above) caused by coronavirus mess.. All SORTS of possibilities for an apocalypse/mini-apocalypse!
When was the brilliant idea of “let’s go all-electronic in the first 2020 primary” dreamed up? If it was more than 4-8 months ago, it seems like it’s damn negligent to not have first done a *full* test run of the system. Meaning do a “moderate-scale test caucus” with about 8-20 sites, geographically distributed, perhaps with an intentionally slowed internet connection on 1 or 2 of them to test that, with a total of 20-40 people at each site. Surely the Iowa Dems could have set that up? (If not, I agree with a letter to the WSJ – *these* are the people we trust will be able to make a national health system work right?)
If it was less than 4-8 months ago that this fiasco was dreamed up (I’m assuming it took 4 months to code/modify it), then – well, they should have used this time around to fully test it – do it electronically *and* the old-fashioned way with paper – and make sure they match, but rely only on the paper for actual results, and then done a “full roll out” in 2024 (or 2022 off-year elections?)
For that matter, I wonder if there has been some computer science department at ISU that has said, “dammit, *we* could have written a better app than you idiots!” And who the heck buys/contracts an election app from “Shadow”? Sheesh!
I’m just amazed that they used a distribution mechanism – that sounds like it didn’t even have basic encryption?! Are they *inviting* the Russians (or other potential mal-actors) to try to get involved? 🙂 My understanding is that after the first round, anyone who gets less than 15% in total was dropped.. Is that 15% of the *statewide* total, or of the total in each caucus precinct? If it was of the statewide total.. And there was no secured verification that the numbers used were correct between precincts – couldn’t that allow a mal-actor to skew the election, unbeknownst to almost *everyone* (if not absolutely everyone)? Say candidate A gets thrown out in the first round. In any particular precinct where A got say 75% of the vote, people would think “oh, they got thrown out because everyone *else* must not like them.” And so no-one thinks there’s a fraud, unless the precinct captains are constantly verifying all the other numbers.
There was some book I read (I want to say by Penrose) that pointed out that *any* minimally complicated election (in terms of number of sites) could be rigged in such a way that everything “looked within the margin of error”. IF there was at least a single step in the counting that was not verified.
Jimw338,
Yeah, same thoughts here… It wouldn’t take much to build a working HTTPS solution in very little time. And the entire system should have been tested/audited end to end by an unrelated party months before the election. This reeks of mismanagement. They probably did it all last minute, and it wouldn’t surprise me if they outsourced everything and had zero in-house expertise or oversight.
I agree, no result should depend on a single point of failure (be it a person or machine) resulting in intentional or accidental error. For something like tallying elections, I think it would make sense to have 100% redundancy. It doesn’t need to be anything complicated. Each district would post their results into two different systems and any discrepancy would sound the alarm that something was wrong. It will probably be human error, but that’s easily corrected by having the worker resubmit the data. If the worker was not at fault, then it’s time for election investigators to step in.
If you wanted to get more sophisticated (probably wishful thinking I concede!) you could even digitally sign all the numbers so that they can’t be changed anywhere upstream.
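The two-system cross-check and signed tallies suggested in the comment above, as an added example that is not part of the original thread and not anyone's production design. Precinct IDs, keys and tallies are constructed, and HMAC-SHA256 with a per-precinct key stands in for a real digital signature scheme.

```python
import hashlib
import hmac
import json

# Constructed per-precinct keys. HMAC-SHA256 stands in for a real digital
# signature (the stdlib has none), so here the verifier shares each key.
KEYS = {p: f"constructed-key-{p}".encode() for p in ("P-001", "P-002", "P-003", "P-004")}

def _tag(precinct, tallies, key):
    # Canonical JSON so the same numbers always serialize to the same bytes.
    msg = json.dumps({"precinct": precinct, "tallies": tallies},
                     sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def sign_report(precinct, tallies, key):
    return {"tallies": dict(tallies), "tag": _tag(precinct, tallies, key)}

def verify(precinct, report, key):
    return hmac.compare_digest(_tag(precinct, report["tallies"], key), report["tag"])

def reconcile(system_a, system_b, keys):
    """Classify every expected precinct using the two independent intakes."""
    status = {}
    for precinct, key in sorted(keys.items()):
        a, b = system_a.get(precinct), system_b.get(precinct)
        if a is None or b is None:
            status[precinct] = "missing"        # one intake never received it
        elif not (verify(precinct, a, key) and verify(precinct, b, key)):
            status[precinct] = "bad-signature"  # numbers changed after signing
        elif a["tallies"] != b["tallies"]:
            status[precinct] = "mismatch"       # both genuine: ask for resubmission
        else:
            status[precinct] = "accepted"
    return status

def demo():
    a, b = {}, {}
    a["P-001"] = b["P-001"] = sign_report("P-001", {"A": 40, "B": 25}, KEYS["P-001"])
    # Constructed typo: the worker keys 12 into one system and 21 into the other.
    a["P-002"] = sign_report("P-002", {"A": 12, "B": 31}, KEYS["P-002"])
    b["P-002"] = sign_report("P-002", {"A": 21, "B": 31}, KEYS["P-002"])
    # Constructed upstream alteration: tallies swapped, original tag kept.
    a["P-003"] = sign_report("P-003", {"A": 75, "B": 5}, KEYS["P-003"])
    b["P-003"] = {"tallies": {"A": 5, "B": 75}, "tag": a["P-003"]["tag"]}
    a["P-004"] = sign_report("P-004", {"A": 9, "B": 9}, KEYS["P-004"])  # never reaches b
    return reconcile(a, b, KEYS)

if __name__ == "__main__":
    print(demo())
```

The "mismatch" case is the human-error path (resubmit), while "bad-signature" and "missing" are the ones that would go to investigators.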