Iowa's Democratic Party plans to use a new Internet-connected smartphone app to help calculate and transmit results during the state's caucuses next month, Iowa Public Radio and NPR have confirmed.
Party leaders say they decided to opt for that strategy fully aware of three years' worth of warnings about Russia's attack on the 2016 presidential election, in which cyberattacks played a central role.
Iowa's complicated caucus process is set to take place Feb. 3 in gymnasiums, churches, recreation centers and other meeting places across the state.
As opposed to a primary in which voters cast ballots in the same way they would for a general election, Iowa's caucuses are social affairs; caucusgoers gather in person and pledge their support for a candidate by physically "standing in their corner" in designated parts of a room.
Iowa's Democrats hope the new app lets the party get results out to the public quicker, says Troy Price, the chairman of the state party.
In an interview, Price declined to provide more details about which company or companies designed the app, or about what specific measures have been put in place to guarantee the system's security.
But security is a priority, he says.
The state party worked with the national party's cybersecurity team, and with Harvard University's Defending Digital Democracy project, but Price declined to answer directly whether any third party has investigated the app for vulnerabilities, as many cybersecurity experts recommend.
"We as the party have taken this very seriously, and we know how important it is for us to make sure that our process is secure and that we protect the integrity of the process," Price says. "We want to make sure we are not relaying information that could be used against us."
Unlike many states in which local and state officials oversee the presidential primary election, in Iowa the state party is responsible for administering, staffing and funding the caucuses, relying primarily on trained but unpaid volunteers.
Cybersecurity experts interviewed by NPR said that the party's decision to withhold the technical details of its app doesn't do much to protect the system — and instead makes it hard to have complete confidence in it.
"The idea of security through obscurity is almost always a mistake," says Doug Jones, a computer science professor at the University of Iowa and a former caucus precinct leader. "Drawing the blinds on the process leaves us, in the public, in a position where we can't even assess the competence of the people doing something on our behalf."
The Iowa Democrats' plan is for caucus leaders to compile the results from participants and submit them to the central party via their smartphone apps. In the past, the leaders might have called in the results over the phone.
Because caucusing is an in-person process, verified by witnesses, there is virtually no risk that a cyberattack on the app could change the results of the caucus and go undetected.
If the wrong results were reported because of a hack, there would be people from each precinct who could correct it, and paper records.
But the damage to public confidence would be catastrophic, Jones says, if a hack caused the wrong winner to be called on caucus night and then that announcement had to be retracted.
"Once you report something, it's really hard to undo it, no matter how many retractions you print, no matter how many apologies you say, it's too late," Jones says. "From that point of view, someone hacking the reporting process, even though its purpose is entirely informal, not intended to have any permanent importance, is something that could be very disruptive."
A number of other potential vulnerabilities could also be introduced by using the technology, experts say.
If the app doesn't work, either because a denial of service attack clogs the system or for any other reason, then there could be confusion at precincts across the state, and a potential delay on a winner being announced.
State Dems promise contingency plan
Price, the state chairman, says Iowa Democrats have "redundancies built into the system," including a hotline to accept results, but declined to further detail those as well.
Should the app go down for any length of time, the party would need to receive hundreds, if not thousands, of phone calls from the state's 1,679 precincts.
Still, Price says he's confident in their contingency planning.
"If there's a challenge, we'll be ready with a backup and a backup to that backup and a backup to the backup to the backup," Price says. "We are fully prepared to make sure that we can get these results in and get those results in accurately."
It's unclear how similar this year's app is to one developed by Microsoft and a private contractor that was used by both parties in 2016.
Price did confirm that the app again would be downloaded onto the personal smartphones of the caucus precinct and party leaders, and not onto party-provided hardware.
That could make the system a more appealing attack target, according to Betsy Cooper, director of the Aspen Tech Policy Hub at the Aspen Institute, because peoples' phones also may contain sensitive messages, emails and passwords.
"I sure hope the engineers building it are among the best on the planet," Cooper says.
Price said when designing the app, the developer considered the close proximity to potentially sensitive information, but he again didn't detail exactly how that information would be protected.
Four years ago, Russian attackers hacked into the email accounts of prominent Democrats and weaponized the information they stole throughout the election year.
Cooper said that the party could, if it wished, disclose who developed the app or the types of testing that had been done on it without "giving away the keys to the kingdom and making it easier for hackers to get in."
"Basic transparency about how it was built, how up to date the security of the app is and how it's been tested all could be made publicly available with little cost to the DNC," she says.
Price said that some details would be unveiled about the app to reporters and the public in the days leading up to the caucuses, but he did not commit to revealing the identity of the developer. Less than three weeks before the caucuses, precinct chairs have not yet gotten access to the app.
Questions beyond security
Internet connectivity and tech literacy in Iowa have improved over the past four years. Local party leaders say they expect that more precinct chairs will own smartphones and be more comfortable using an app this cycle than during the previous one.
Still, in more rural parts of the state, some Iowans have been slow to adopt to technology, according to Gary Gelner, who chairs the Hancock County Democratic Party in north central Iowa. There may be some lingering skepticism.
"At least everybody with smartphones is gonna do it, I know that," Gelner says. "You'd be surprised how many people up here got the old flip cellphones."
Gelner was skeptical of the party moving to a caucus night reporting app in 2016. Though he's more optimistic this year, he's still wary of a process that he says could delay the release of the closely watched results.
Gelner said one of his precinct chairs in 2016 resorted to phoning in his results, only to find he couldn't connect.
"He called in and he tried for half an hour and he couldn't get through," Gelner said.
An insecure ecosystem
The Iowa Democrats' app will theoretically allow the state party to report the results much quicker than a phone-based system, and it may also help local party leaders with what's referred to as "caucus math."
A party manual says the app will "automatically calculate the number of delegates" presidential contenders are awarded, based on a formula involving the number of supporters for each candidate, the total number of delegates awarded and overall turnout.
But as is the case with much in the world of voting technology, things that make voting easier or more efficient can also introduce new unforeseen issues.
Travis Weipert is the top elections official in Iowa's most Democratic County, Johnson County, and this cycle he'll also be volunteering to oversee a caucus site as a precinct chair.
He says his experiences as an elections administrator make him skeptical of any system that mixes democracy and the Web.
"As long as you're staying off the Internet, then there's no connectivity, your chances of an issue are almost zero," Weipert said. "It's when you get on the Internet and security patches haven't been made that you open yourself up [to hacking]."
Weipert says there is a tendency for some local officials to underestimate the interest that foreign powers or bad actors may have in their elections. While he says he's doubtful "rogue states" would target the caucuses, he says it's something party leaders have to consider.
This is the second time in the past few months that the Iowa Democratic Party has had cyber experts questioning its commitment to security.
Last year, under pressure from the Democratic National Committee to increase accessibility at its famously arcane caucuses, the state party proposed a plan to allow Iowans to caucus remotely.
Internet and phone-based voting systems are considered notoriously insecure however, and the national party said there wasn't a system available secure enough to support such an idea.
So that plan was scrapped.
Jones, the University of Iowa cybersecurity specialist, says transmitting results from precincts to the state party through a smartphone app isn't as insecure as the virtual caucus plan — but that it's still insecure for the same reasons.
"The entire ecosystem of smartphones is extraordinarily poorly secured," Jones said. "And resting security functions on that ecosystem is something I don't trust at all."