IOWA CITY, IOWA - Two of the first three states to vote in the Democratic presidential race will use new mobile apps to gather results from thousands of caucus sites — technology intended to make counting easier but that raises concerns of hacking or glitches.
Democratic Party activists in Iowa and Nevada will use programs downloaded to their personal phones to report the results of caucus gatherings to the state headquarters. That data will then be used to announce the unofficial winners. Paper records will later be used to certify the results.
The party is moving ahead with the technology amid warnings that foreign hackers could target the 2020 presidential campaign to try to sow chaos and undermine American democracy. Party officials say they are cognizant of the threat and taking numerous security precautions. Any errors, they say, will be easily correctable because of backups.
“We continue to work closely with security experts to test our systems and identify incidents, including disinformation monitoring, and we are confident in the security systems we have in place,” said Iowa Democratic Party Chair Troy Price.
The technology aims to produce a more efficient and reliable way of calculating and releasing results to the public than the complicated math and thousands of phone calls that the caucus system has long relied upon.
But the use of a new app by an unidentified developer, coupled with the high stakes of the contests, has concerned some observers. They worry that unofficial results could be inaccurate if hackers or other problems taint the data. That’s a problem even if the paper backups eventually provide an accurate tally.
“Scary would be a darn good word,” said Brandon Potter, chief technology officer of ProCircular, an Iowa company that has done vulnerability assessments for local elections officials. “If it’s secure, awesome. But it opens up all kinds of questions.”
Party officials in both states declined to identify the vendor that developed their apps, saying they did not want to create a potential target for hackers.
Microsoft developed an app that was used by both political parties in the 2016 Iowa caucuses and credited with helping obtain results from 95% of precincts within four hours. During that cycle, Microsoft’s role was announced months beforehand, and the company discussed security measures.
Some critics say the party should again identify the developers, along with the certification and security testing they have gone through, to boost public confidence.
“It would be really nice to know who developed it, how competent they are and what oversight they were subjected to,” said Douglas Jones, a University of Iowa computer science professor and election security expert. “The caucus night reporting, which is so important in determining which candidates drop out, which continue, who gets a boost from the caucus — all of that is definitely vulnerable to an attack on the app.”
Jones said hacking could take several forms. Hackers could try to corrupt the app before it’s downloaded, activate malware that might be lurking on phones or target the server that houses the app. Another concern: The app could crash amid heavy use as precincts report results.
He and others agreed that the official results of the Feb. 3 Iowa and Feb. 22 Nevada caucuses will eventually be accurate. Each precinct keeps paper copies of the results and numerous participants at each site will know the precise outcome.
Because of hacking concerns, the Democratic National Committee scrapped the Iowa party’s plan to hold a virtual caucus in which those unable to attend in person could use smartphones to record their preferences. Party officials said the risks posed by the reporting apps were much lower than with electronic voting.
The state parties worked with the technical team at the DNC to vet developers and design security protocols around the use of the app.
The Belfer Center at the Harvard Kennedy School of Government conducted simulation and training exercises with Iowa officials that included scenarios in which there were problems with a mobile reporting app. The training emphasized the importance of using authentication, secure networks to transmit data and encryption to guard against attacks.
“I do think that we need to give the Iowa team a lot of credit for how seriously they looked at all these issues,” said Eric Rosenbach, co-director of the Belfer Center.
DNC spokesman David Bergstein said national officials were coordinating with the Iowa party and the Department of Homeland Security “to run efficient and secure caucuses.” He said he is confident that state Democrats are “taking the security of their caucuses extremely seriously from all perspectives.”
Party officials said they would not be sending the app to precinct chairs for downloading until just before the caucus — to narrow the window for any interference. And while using the app is encouraged, precinct chairs still have the option of phoning in results.
Democrat Ruth Thompson, who will chair a Des Moines precinct, said she was not concerned about security risks related to the app.
“The Russians don’t care what’s on my phone,” she said. “I know we’ve got the app, but we have a paper backup. If there is a hack or something, there is the opportunity to correct it.”
Hacking fears aren’t new. In 2012, a video purporting to be from the hacking collective Anonymous called on supporters to “peacefully shut down” the Republican caucuses. In response, party leaders increased their security measures for the website where the results were posted.
Ultimately, it was old-fashioned data errors that tainted the results that year: The party chairman on caucus night declared Mitt Romney the winner by eight votes over Rick Santorum. Two weeks later, Santorum was declared the winner by 34 votes when results were certified.