Press Clipping
What caused the Iowa Democratic Caucus app debacle? Too little software testing

The Democratic Party primary in Iowa is making headlines for all the wrong reasons after an app designed to tally delegates failed, delaying results for the first primary of the 2020 Presidential primary season by nearly 24 hours.

The app in question, called “Iowa Reporting App,” was designed by a company called Shadow Inc., a firm established. Chief Executive Officer Gerard Niemira formerly served as the director of product on the Hillary Clinton 2016 campaign. Shadow says its mission is to “build political power for the progressive movement by developing affordable and easy-to-use tools for teams and budgets of any size.”

Problem was, the app failed dismally. Officially, a coding issue in the app is being blamed. “As part of our investigation, we determined with certainty that the underlying data collected via the app was sound,” Iowa Democratic Party chairman Troy Price said in a statement. “While the app was recording data accurately, it was reporting out only partial data. We have determined that this was due to a coding issue in the reporting system. This issue was identified and fixed.”

Questions have been raised, however, as to whether the issues were even worse. Motherboard reported that the app did go through beta testing, with one user saying that they couldn’t even log into the app days before the primary was held.

That wasn’t the only report of access issues. CNN reported that another user was receiving an error message while trying to log into the app to report results, debunking the official explanation, since the app couldn’t have been reporting data accurately if people couldn’t log into the app to add the data.

One thing is certain, however: It appears that there wasn’t enough testing of the app.

“All current indications from reputable media sources are that the application was inadequately tested at scale,” Michael Bailey, security engineer at digital forensics firm Crypsis Group, told SiliconANGLE. “This generally means that either more extensive user testing to understand the users’ experience navigating the application, or stress testing by hurling a large number of requests at it was required to avoid points of failure.”

Jack Mannino, chief executive officer at application security provider nVisium LLC, agreed. “Systems perform differently in preproduction and live environments due to a number of factors — volume of usage, heavy loads, simulated to real attacks and/or app component failures,” Mannino explained. “This is why exhaustive and comprehensive testing must be done across the software development lifecycle from prototype development through integration to preproduction or simulated environment, and especially before live deployment for such mission-critical applications.”

And all this testing needs to be done far ahead of when it needs to be used.

“Given the importance for this application to be secure and functionally accurate, planning should have been scheduled to have final testing begin months prior to the caucus,” said Bob Bajoras, president of the custom software development firm Art+Logic. “The fact that users were downloading the application on the day of the Caucus suggests the software was behind schedule and possibly only made available at the last minute. There should have been a drop dead date a month or more before the Caucus when a decision would have been made to defer the use of the application until the next election if it wasn’t already through the necessary testing.”

Moreover, he said, testing needs to be done in parallel with development. “Testing would be performed not only on the final solution, but on every interim release that added new functionality,” he said. “The fact that multiple users reported trouble installing the application suggests this step of the process was inadequately performed.”

The unfortunate upshot is that the failure will have a lasting impact on the public’s trust in using information technology to adequately and accurately support future elections, whether they’re held at state or national level, Mannino added. “It is vital that at all levels information technology initiatives be well-designed, well-executed, thoroughly vetted and extensively tested before live deployment at any level of election.”

Bailey was slightly more positive, concluding that the debacle “is arguably a positive in the long term.”

“A number of election security experts agree: We aren’t ready for mobile and online voting,” Bailey said. “While theoretically the technology exists, the technology industry has proven time and time again the inability to always fully understand the user’s experience, consistently test for different scenarios, scale properly, and develop a robust security architecture around the solution. All of this and likely more are necessary for proper voting over the internet.”