February 27, 2020
When polls in Iowa opened at 7 a.m. on Monday, February 3, there was a sense of pregnant excitement across the U.S. as the 2020 Presidential Campaign officially kicked off.
Results from the day’s votes were expected to be finalized late that evening and a winner officially declared by the early morning hours. However, 48 hours later only 86 percent of the votes had been officially declared before the party announced their estimated winner, caving to pressure from the candidates and the entire country for official results. Over a week later, the declared results were still not official.
The problem was with the code in a mobile phone app that precincts used to report results. Iowa Democratic Chair Troy Price, who presided over the primary, stated, "While the app was recording data accurately, it was reporting out only partial data … due to a coding issue in the reporting system." It is speculated that, because the party feared external hacks if the app was widely tested prior to the election, testing was insufficient and done only on a small scale. Regrettably, the actual full test of the app was the ‘live test’, which comes with a high risk of failure.
But the coding malfunction in the official story was not the only problem: limited app training and practice time, inaccurate reporting information, login delays, an inability to operate Google Sheets, and two-factor authentication tripping up counts were some of the other app-related challenges.
In a major election in the birthplace of democracy, watched by millions, how could a simple app not have been tested and retested prior to going live? More importantly, what can we learn, and do differently, as a result of what happened with the Iowa Democratic caucus app?
Complexity Only When Necessary
Early reports show that the caucus app was designed to avoid fraud and hacking problems, which made it far too complicated for the average person. Multiple log-in steps, including email and password, two-factor authentication, and personalized PINs, were all required to gain access.
Maintaining a strong security protocol doesn’t necessarily require multiple steps, and innovative technologies that remove friction, like secure authentication and zero sign-on, can make the process user-friendly. Had the app been tested properly, over time and with different user groups, these complexity issues would have come to light. In the age of fingerprint and facial recognition log-in, what is most important is keeping the customer experience in mind. Users who have limited experience with security protocols, or young users who access Facebook and TikTok with their fingerprint alone, have limited patience for friction.
Test, and Test Again
The caucus app was designed in a hurry, at a cost of roughly (only) $63K, by a small firm that had never taken on a project this complex. Outside analysts have hypothesized, and the Iowa Democratic Committee confirmed, that testing was limited to a small scale with limited time and budget.
Modern software processes require security, compliance, and governance to be built in and tested throughout the development process. This takes time, patience and a budget that matches the importance of the app and how it is expected to perform. One would think that with so much at stake, all of these basic app development and security testing steps would have been double- and triple-checked in Iowa. But that did not happen with the needed level of expertise, and these steps were all overlooked.
Training is the Foundation
After development and testing of an application, training is crucial, and it was reportedly insufficient with the caucus app rollout. Cool technology and slick apps are only as effective as the least skilled users. If the users, employees and, in this case, volunteers who are charged with making the app work aren’t thoroughly trained and comfortable using it, it’s somewhat worthless. And if all else fails, make sure there is a workable backup plan that falls back on a reliable system.
When precinct volunteers ran into problems reporting vote totals with the new app on caucus night, the alternative was to call the results in. But the party’s phone system was inadequate for the need, and a flood of calls meant many volunteers couldn’t get through.
If you’re trying something new, make sure your plan B is up to the task.
In Retrospect …
In their (understandable) concern to prepare for an extremely unlikely security disaster scenario, Iowa sacrificed the fundamentals of a good user experience, and thereby increased the risk of other failures.
In the end, the problem that no one expected was a set of layered mistakes that included a combination of people, process and technology failures. The IDC would have been better served spending the $63K they paid for the app on a prototype that was tested months before and at scale, and then a nominal amount more to fix the problems as they became apparent. Financially, from the perspective of cyber-mishaps that will take place this year, this was a non-event. But if you consider the far-reaching impact on people’s trust in technology and faith in democracy, this $63K mishap may have been a generational catastrophe.