The postmortem: Shadow took lots of shortcuts with Iowa 2020 caucus app

Extreme delays in reporting results show "move fast and break things" is the wrong approach for election infrastructure, developers and business leaders say.

The Iowa Democratic Party did not train volunteers on how to use the 2020 caucus app from tech company Shadow, but that was not the only problem with the process. Apparently the firm released the app via a testing platform instead of the App Store or the Play Store.

Shadow used a distribution method similar to Apple's Enterprise Developer Program, which allows developers to write apps that will be deployed in-house and only available for their employees. 

Companies have been abusing that distribution method to get around the quality control processes built into the more formal distribution methods.

Here is a postmortem from software developers and business leaders on what went wrong with the rollout of the Iowa caucus app.

Paying the price for a rushed process

Bob Davis, chief marketing officer at Plutora, said that the point is not about whether an app is appropriate for a caucus, but about quality software.

"It isn't just about building the mobile app, it's about building the app to work with the plethora of dependencies that it will be hit with from scale to outside dependencies," he said. "Software is harder to do than it sounds."

Andy Ibanez, a digital solutions analyst for Banco Nacional de Bolivia, said going around standard app distribution platforms can have security implications for end users.

"Developers who use the standard developer program can distribute their apps to third parties, but the enterprise developer program allows more flexibility, so many developers have tried to take advantage of it to circumvent Apple's rules," Ibanez said.

Mada Seghete, founder of Branch, said that it appears that Shadow made several risky decisions in building and releasing the caucus app. 

Seghete said the distribution method Shadow used is not intended for the general public, because it involves a number of additional steps, including installing security certificates.

"This is not a user-friendly experience, by design," she said.

Seghete said an app could have been a good choice for this use case, but Shadow skipped the app review process built into App Store and Play Store approval.

"Move fast and break things is a great fit for Silicon Valley startups, but likely not for key election infrastructure," she said.

Purdue University professor Eugene Spafford, a cybersecurity expert, said that in some ways, a tech failure this early in the process was the best outcome possible.

"Having an obvious glitch in software during a primary vote simply illustrates some of the concerns and was so much better than a problem that was hidden for weeks, unrecoverable, or even worse: hacked by outsiders," he said.

Robert Ross, the CTO of Curtail, said the failure at the Iowa caucus shows the risk of developing software on shorter, riskier timelines and waiting to identify and fix problems when the systems break, as opposed to resolving the problems before releasing the software.

Brian Foster, a senior vice president at MobileIron, said that it appears that the caucus app was overly complicated and required too many steps to log on, including email and password, two-factor authentication, and a precinct PIN.

Foster also said that a new app takes between six and nine months to develop, not two.
