With less than two weeks until Iowans line up to cast the first votes to pick a Democratic presidential nominee, party officials are reassuring voters that a new app used to report its caucus votes is secure. It’s not clear if they are correct.
The app will be used in the key caucus states of Iowa and Nevada by caucus managers — local registered Democrats who sign up to organize and run the process in each precinct — to expedite the process, calculate and assign delegates and report results back quickly. The app will also be used in satellite voting locations across the country.
But questions about the app remain unanswered, including who developed it and whether it has been subjected to independent security testing. Security experts say that the app is a potential target for early election interference, particularly since it is downloaded on to the personal phones of the caucus managers. Party officials say operational security prevents them from disclosing specifics about the app.
Kiersten Todt, managing director of the Cyber Readiness Institute, a nonprofit group that provides cybersecurity advice to small and medium-size businesses, said those phones “can be breached in a heartbeat.”
An attacker could also try to disrupt the servers that support the app, said John Sebes, chief technology officer of the Open Source Election Technology Institute (OSET), a nonprofit that conducts election technology research. NBC News has collaborated with the institute since 2016 to monitor U.S. election technology and voting issues.
Even a minor glitch could become a viral screenshot, Sebes said.
It’s not clear how many of the 1,679 precinct leaders will opt to use the app, but it is the “preferred” method for managers to report results, according to the caucus manager handbook.
Troy Price, Iowa Democratic Party chairman, said at a press briefing this month that the app is just one part of how the state’s vote is tracked, along with paper backups, a phone hotline and other, unspecified safeguards.
"If there is a challenge, we'll be ready with a backup and a backup to that backup and a backup to the backup to the backup," Price said.
The situation highlights how every level of the U.S. election process has come under far more scrutiny since the intelligence community determined Russia attempted to interfere in the 2016 election, including hacking both political parties.
Democratic Party officials say they have systems in place to detect and prevent intrusions, but declined to provide details over whether the app had been subjected to open-ended vulnerability testing. They also declined to disclose which company developed the app. By contrast, in 2016, Microsoft developed an app used at that year’s caucus by both parties, and its involvement was announced months in advance.
Among the security procedures put in place for 2020, caucusgoers will also receive a physical, numbered presidential preference card to record their choice, which will be delivered to the Iowa Democratic Party through an established chain of custody.
Experts have consistently warned that internet-based voting systems pose a serious security risk. While one Seattle county this week announced it would allow voting in an upcoming election by smartphone, U.S. internet-based voting is mostly experimental. But the Iowa app — a version of which was used to report caucus results in 2016 — shows how internet connectivity has entered certain parts of the process.
Heightened scrutiny around voting security has also been met with more resources and expertise devoted to preventing election interference.
The Iowa Democratic Party and the Republican Party of Iowa partnered with Harvard University’s Defending Digital Democracy Project at the Belfer Center, which develops and disseminates playbooks on best practices for the administration of elections, to help protect the caucus.
Those groups, along with officials from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the app’s developers, also participated together in election threat simulations.
“CISA remains committed to securing the 2020 election and has engaged with both parties, as well as state and local election officials, in support of that effort,” Matt Masterson, a senior cybersecurity adviser at the agency, said in a statement.
The Democratic National Committee has also reviewed the app and the caucus security plans, and said it confident that the Iowa Democratic Party was taking "the security of their caucuses extremely seriously from all perspectives,” David Bergstein, a DNC spokesperson, said in a statement.
Following a series of tense congressional hearings on election interference starting in 2018, the major social media platforms have enacted policies against false information intended to manipulate voting. New lines of communication allow election and security officials to flag items to the platforms for potential takedown or limiting how virally they spread.
CORRECTION (Jan. 23, 2020, 5:45 p.m. ET): A previous version of this article misspelled the last name of the managing director of the Cyber Readiness Institute. She is Kiersten Todt, not Thodt.
CORRECTION (Jan 24, 2020, 1:09 p.m. ET): An earlier version of this article misstated where the Iowa caucus app will be used. It will be used in Iowa, Nevada and satellite locations in the U.S., not overseas.