By Jack Morse
When it comes to the integrity of our elections, it’s important to remember that things can always get worse.
That painful truth was ground even deeper into our skulls today with the revelation that the busted app responsible in part for the flat-out disaster of a Feb. 3 Iowa Caucus also happened to be extremely hackable. That’s right, according to security researchers who analyzed the app’s code, it would have been possible for bad actors to change vote counts.
So reports ProPublica, which asked the security company Veracode to look over the IowaReporterApp. What Veracode found definitely did not reassure. In addition to potentially being able to change vote tallies, Veracode told ProPublica that passwords could have been intercepted.
Importantly, there is at present no evidence that vote tallies were changed in this way. However, the fact that the app was designed in such a way that they could have been speaks to the stunning negligence in the design and development process.
Speaking of which, the IowaReporterApp was made by a company called Shadow Inc. The company posted a statement to its website apologizing for its failure to relay vote tallies in a timely and accurate manner.
“We sincerely regret the delay in the reporting of the results of last night’s Iowa caucuses and the uncertainty it has caused to the candidates, their campaigns, and Democratic caucus-goers,” read the statement in part.
Notably, the statement did not address the app’s alleged poor security.
According to the New York Times, Iowa officials paid Shadow Inc. $63,183 to develop the app over the course of two months. ProPublica reports that Iowa Democratic party officials never took up the Department of Homeland Security on an offer to evaluate the app.
But wait, it gets even shadier. Kasra Rahjerdi, an Android developer who reviewed the app’s code, told Motherboard that it looks like the app was made by someone just learning how to write code.
“Honestly, the biggest thing is — I don’t want to throw it under the bus — but the app was clearly done by someone following a tutorial,” he told Motherboard in part. “I get deja vu from my classes because the code looks like someone googled things like ‘how to add authentication to React Native App’ and followed the instructions.” Yikes.
With the full results of the Iowa Caucuses still not reported a full two days after the event, it’s important to remember that an app never should have been used to report votes in the first place. A 2018 report, titled “Securing the Vote: Protecting American Democracy” and published by the National Academies of Sciences, Engineering, and Medicine, makes that clear.
“At the present time, the Internet (or any network connected to the Internet) should not be used for the return of marked ballots.”
If only someone within the Iowa Democratic party had heeded that warning. As it is, we’re stuck with the aftermath of a busted and hackable app that kicked off the Democratic presidential primary.
And don’t forget, it can all still get worse.