Here’s the Shadow Inc. App That Failed in Iowa Last Night

"I've got about 150 messages from other precinct chairs in my county asking questions about the app in the lead up to last night."
February 4, 2020, 6:12pm
GettyImages-1203885457 copy

Jonathan Green said that everything was going well until he had to use the IowaReporterApp.

"On the ground, it went great," Green, the chair of the Democractic presidential primary caucuses in Iowa's Fremont Township and Lone Tree precincts and an IT systems administrator for a financial services firm, said.

"I got pissed off four years ago at how my precinct was run, which is why I volunteered to do it this time around," he said. "We had 113 people and everyone was pleasant. I had to recruit a secretary once we were going—I couldn't find one ahead of time. Everyone was patient and in good cheer. I know that's not likely the case today. My girlfriend, especially, is distraught. She has poured her life and soul into this thing, and for naught."

Green, like many other precinct chairs, faced problems reporting the results of the caucus to Iowa's Democratic Party using the app. Due to a coding error, the app, created by a company called Shadow Inc., wasn't reporting the correct data, according to the Iowa Democratic Party. The error resulted in the Democrats delaying all public reporting of the results of Monday's caucuses, and has sown chaos and confusion in a hotly contested and deeply important primary. But the app wasn't just plagued with data reporting errors, the app didn't work properly on Green's phone.

Green shared an email with Motherboard that shows that he was first invited to test the app on January 18. The invite was sent via TestFairy, a mobile app testing platform for Android that is similar to Apple's TestFlight, which allows developers to test and share apps before their official release. The email refers to it as IowaReporterApp 1.1 and says that it is 26.43MB. The email also says that the app is being sent by jimmy@shadowinc.co. That email address did not respond to a request for comment.

1580839573469-pp

On February 2, Green received an email with general instructions for precinct leaders, including a number for the Caucus Night Communication hotline. On February 3, 1 p.m., he received an email with the subject line "IMPORTANT: Final App Instructions." This email included more detailed instructions on how to use the app, and instructed precinct leaders to call the results in to the same phone number as the hotline in case the app "stalls/freezes/locks up."

"I've got about 150 messages from other precinct chairs in my county asking questions about the app in the lead up to last night," Green said.

Green, who used his personal Samsung S7, explained that in order to report the results, he had to sign in with an email and password, provide a two-factor authentication, and enter a one-time password generated by the Google Authenticator app. After this, he would need to enter his precinct PIN, but he did not get that far—when he entered the one-time password generated by the Google Authenticator app, this is the error message that he saw:

1580839489534-image-10
1580839502869-image-9

Three cybersecurity experts said it was not possible to determine much about the issue based only on the error message, with one mentioning how generic the error was.

Cybersecurity and voting experts said they were not surprised the app failed, and that the rollout of the app was so haphazard and irresponsible that its failure was a “predictable outcome.”

“We were really concerned about the fact there was so much opacity. I said over and over again trust is the product of transparency times communication. The DNC steadfastly refused to offer any transparency. It was hard to know what to expect except the worst,” Gregory Miller, cofounder of the Open Source Election Technology Institute, which publicly warned the IDP against using the app weeks ago, told Motherboard. “I don’t want to say I told you so, but …”

The New York Times reported that the app wasn't tested widely before it was deployed, and Miller said it's obvious that the app was rushed. That Shadow pushed a new build of the app just two days before the caucus seems to suggest the company was tinkering with it until the last minute. Installing an app via TestFairy or TestPilot is nonstandard and usually comes with a warning message from the phone's operating system. Phone users would be right to be skeptical about installing or trusting it.

"When you're vetting an app for something like this, you need to do load testing, regression testing, pen testing," Miller said. "It’s not just the app, it’s the deployment process. No one should ever deploy an app like this and have a popup that says this isn't safe for your phone."

A disaster like this is an unforced error for Democrats, and is sure to undermine American confidence in an electoral system that has been under attack from foreign governments, bots, and disinformation.

"Everyone from bots to Republicans literally devoured this scene and sowed a lot of seeds of confusion and chaos. You don’t deliver an app days before the event and call it good. Not with this much riding on this," Miller said. "In a system, in a world where we are questioning every aspect of elections and whether they can be trusted, why would you do anything to fuel a disinformation attack, and that’s exactly what the Democrats have done. They’ve opened a can of whupass on themselves."

This article originally appeared on VICE US.