Iowa’s caucus app was a disaster waiting to happen

A smartphone app designed to help announce the results of the Iowa caucus ended up crapping out and causing a massive delay by almost an entire day.

The Iowa caucus traditionally uses gatherings of people in counties across the state to determine which candidates they want to back for the presidential nomination. They use a paper trail as a way of auditing the results. While Iowa may have only 41 delegates needed out of 1,990 to nominate a Democratic candidate, the results are nevertheless seen as a nationwide barometer for who might be named to the ticket.

In an effort to modernize and speed up the process, the Iowa Democrats commissioned an app to speed up the process.

But the app, built by a company called Shadow Inc., failed spectacularly. Some districts had to call in their results instead.

Iowa Democrats spokesperson Mandy McClure described the app’s failure as a “reporting issue” rather than a security matter or a breach. McClure later said it was a “coding issue.” The results had been expected to land late on Monday but have now been delayed until Tuesday afternoon, according to the Iowa Democrats.

Who could have seen it coming? Actually, quite a few people.

“There was no need whatsoever for an app,” said Zeynep Tufekci, an associate professor at the University of North Carolina in a tweet.

Little is known about the app, which has been shrouded in secrecy even after it was profiled by NPR in January. The app was the first-of-its-kind to be used in a U.S. presidential nomination process, despite concerns that use of electronics or apps might open up the process to hackers.

What is known is that details of its security were kept secret amid fears that it could be used by hackers to exploit the system. That’s been criticized by security experts who say “security through obscurity” is a fallacy. Homeland Security secretary Chad Wolf said on television Tuesday that the Iowa Democrats declined an offer from the agency to test the app for security flaws. And because of the secrecy, there’s no evidence to show that the app went through extensive testing — or if it did, what levels of testing and scrutiny it went through.

Some say the writing was on the wall.

“Honestly, there is no need to attribute conspiracy or call shenanigans on what happened with the new app during the Iowa caucuses,” Dan McFall, chief executive at app testing company Mobile Labs, told me in an email. “It’s a tale that we have seen with our enterprise customers for years: A new application was pushed hard to a specific high profile deadline. Mobility is much harder than people realize, so initial release was likely delayed, and to make the deadline, they cut the process of comprehensive testing and then chaos ensues.”

Others agreed. Doyon Reuveni, who heads up software testing firm Applause, said the app should have gone through extensive testing and real-world testing to see the “blind spots” that the app’s own developers may not see. And Simone Petrella, chief executive of cybersecurity firm CyberVista and former analyst at the Department of Defense, said there was no need for a sophisticated solution to a simple problem.

“A Google Sheet or another shared document could suffice,” she said. “It is incredibly difficult — and costly — to build and deliver solutions that are designed to ensure security and still are intuitive to an end user,” said Petrella. “If you’re going to build a solution or application to solve for this type of issue, then you’re going to have to make sure it’s designed with security in mind from the start and do rigorous product testing and validation throughout the development process to ensure everything is captured and data is being directed properly and securely.”

The high-profile failure is likely to send alarm bells to other districts and states with similar plans in place ahead of their respective caucuses before the Democratic National Convention in July, where the party will choose their candidate for president.

Nevada was said to be using the app next for its upcoming caucus in February, but that plan has been nixed.

“We will not be employing the same app or vendor used in the Iowa caucus,” the spokesperson said. “We had already developed a series of backups and redundant reporting systems and are currently evaluating the best path forward.”

In a tweet, Shadow Inc. expressed “regret” about the problems with the Iowa caucus, and that it “will apply the lessons learned in the future.”

Why an app was used for such an important issue is a question that many will be asking themselves today. At least on the bright side, Iowa is now a blueprint of how not to use tech in elections.

A voting app by Shadow Inc. takes center stage at chaotic Iowa caucuses

American democracy can be confusing and messy. There is, perhaps, no better example than last night’s Iowa caucuses. The votes that kick off presidential primary season are, at once, a wonderful celebration of citizen participation in representative democracy and a rather complex system that remains a mystery to many of those outside the nation’s 31st most populous state.

It is, however, an extremely important one for presidential candidates who spend the months leading up to the event doing photo ops while awkwardly attempting to eat food from a stick. It’s the source of much momentum that can propel a candidate into the general. As such, the chaos and uncertainty following last night’s voting are all the more troubling. The day after the long-awaited and much ballyhooed caucuses, no victor has been declared (though some appear to have already declared themselves).

At the center of the confusion is an app reportedly built by a for-profit company called “Shadow Inc.” According to reporting by The New York Times, the app used by the Iowa Democratic Party was “quickly put together in just the past two months” and not subjected to the kind of scrutiny one might traditionally reserve for software used in such an important statewide contest. The app is said to be a replacement for a system wherein caucus participants called in their election. The party reportedly paid Shadow around $63,000 in two installments to build one of its “affordable and easy-to-use tools.”

We reported on the crashed app and delay late last night. “We found inconsistencies in the reporting of three sets of results,” Iowa Democratic Party spokesperson Mandy McClure said in a statement. “The underlying data and paper trail is sound and will simply take time to further report the results.”

McClure was quick to point out that no evidence of a hack or other intrusion was found — an important point after the fallout from the 2016 election.

Shadow’s background is, fittingly, shrouded in some mystery. Digital nonprofit firm ACRONYM, which has been tied to Shadow, issued a statement late last night claiming to merely be an investor that didn’t provide any technology to the Iowa Democratic Party. “We, like everyone els,e are eagerly awaiting more information from the Iowa Democratic Party,” spokesperson Kyle Tharp said in a statement.

A followup statement from the Iowa Democratic Party Chair Troy Price chalks the error up to a “coding issue.”

As part of our investigation, we determined with certainty that the underlying data collected via the app was sound. While the app was recording data accurately, it was reporting out only partial data. We have determined that this was due to a coding issue in the reporting system. This issue was identified and fixed. The application’s reporting issue did not impact the ability of precinct chairs to report data accurately.

Because of the required paper documentation, we have been able to verify that the data recorded in the app and used to calculate State Delegate Equivalents is valid and accurate. Precinct level results are still being reported to the IDP. While our plan is to release results as soon as possible today, our ultimate goal is to ensure that the integrity and accuracy of the process continues to be upheld.

Price also echoes the early statement regarding hacking and insists that, in spite of reports of insignificant testing, the system was vetted by security experts.

“We have every indication that our systems were secure and there was not a cybersecurity intrusion,” he writes. “In preparation for the caucuses, our systems were tested by independent cybersecurity consultants.”

The LA Times notes that Shadow began life as Groundbase, which was founded by former Clinton 2016 digital campaign staffers, Gerard Niemira and Krista Davis.

The unclear and uncertain nature of the situation has gone way toward fueling doubt among voters in a time when many are understandably already skeptical of the system.

Google finally brings its security key feature to iPhones

More than half a year after Google said Android phones could be used as a security key, the feature is coming to iPhones.

Google said it’ll bring the feature to iPhones in an effort to give at-risk users, like journalist and politicians, access to additional account and security safeguards, effectively removing the need to use a physical security key like a Yubico or a Google Titan key.

Two-factor authentication remains one of the best ways to protect online accounts. Typically it works by getting a code or a notification sent to your phone. By acting as an additional layer of security, it makes it far more difficult for even the most sophisticated and resource-backed attackers to break in. Hardware keys are even stronger. Google’s own data shows that security keys are the gold standard for two-factor authentication than other options, like a text message sent to your phone.

Google said it was bringing the technology to iPhones as part of an effort to give at-risk groups greater access to tools that secure their accounts, particularly in the run-up to the 2020 presidential election, where foreign interference remains a concern.

FBI secretly demands a ton of consumer data from credit agencies. Now lawmakers want answers

Recently released documents revealed the FBI has for years secretly demanded vast amounts of Americans’ consumer and financial information from the largest U.S. credit agencies.

The FBI regularly uses these legal powers — known as national security letters — to compel credit giants to turn over non-content information, such as records of purchases and locations, that the agency deems necessary in national security investigations. But these letters have no judicial oversight and are typically filed with a gag order, preventing the recipient from disclosing the demand to anyone else — including the target of the letter.

Only a few tech companies, including Facebook, Google, and Microsoft, have disclosed that they have ever received one or more national security letters. Since the law changed in 2015 in the wake of the Edward Snowden disclosures that revealed the scope of the U.S. government’s surveillance operations, recipients have been allowed to petition the FBI to be cut loose from the gag provisions and publish the letters with redactions.

Tech companies have used “transparency reports” to inform their users of government demands for their data. But other major data collectors, like credit agencies, have failed to publish their figures altogether.

Three lawmakers — Democratic senators Ron Wyden and Elizabeth Warren, and Republican senator Rand Paul — have sent letters to Equifax, Experian, and TransUnion, expressing their “alarm” as to why the credit giants have failed to disclose the number of government demands for consumer data they receive.

“Because your company holds so much potentially sensitive data on so many Americans and collects this information without obtaining consent from these individuals, you have a responsibility to be transparent about how you handle that data,” the letters said. “Unfortunately, your company has not provided information to policymakers or the public about the type or the number of disclosures that you have made to the FBI.”

Spokespeople for Equifax, Experian, and TransUnion did not respond to a request for comment outside business hours.

It’s not known how many national security letters were issued to the credit agencies since the legal powers were signed into law in 2001. The New York Times said the national security letters to credit agencies were a “small but telling fraction” of the overall half-million FBI-issued demands made to date.

Other banks and financial institutions, as well as universities, cell service and internet providers, were targets of national security letters, the documents revealed.

The senators have given the agencies until December 27 to disclose the number of demands each has received.

Most of the largest US voting districts are vulnerable to email spoofing

Only 5% of the largest voting counties in the U.S. are protected against email impersonation and phishing attacks, seen as a key attack method by hackers who officials say want to disrupt the upcoming presidential election.

The findings come less than a year before millions of Americans are set to go to the polls to vote for the next U.S. commander-in-chief, amid fears that Russia is preparing to disrupt the upcoming presidential election with tactics to manipulate voters as the U.S. intelligence community found in 2016. U.S. officials aren’t only concerned about the spread of foreign-led disinformation — or “fake news” — to try to alter the outcome of the tally, but also threats facing election infrastructure, like hackers breaking into election websites to dissuade or disenfranchise voters from casting their ballot — or even stealing voter data.

Researchers at Valimail, which has a commercial stake in the email security space, looked at the largest three electoral districts in each U.S. state, and found only 10 out of 187 domains were protected with DMARC, an email security protocol that verifies the authenticity of a sender’s email and rejects fraudulent or spoofed emails.

DMARC, when enabled and properly enforced, rejects fake emails that hackers design to spoof a genuine email address by sending to spam or bouncing it from the target’s inbox altogether. Hackers often use spoofed emails to try to trick victims into opening malicious links from people they know.

But the research found that although DMARC is enabled on many domains, it’s not properly enforced, rendering its filtering efforts largely ineffective.

The researchers said 66% of the district election-related domains had no DMARC recoat all, while 28% had either a valid DMARC entry but no enforcement, or an invalid DMARC entry altogether.

That could be a problem for six swing states — Arizona, Florida, North Carolina, Pennsylvania, Michigan and Wisconsin — where their largest districts are not protected from impersonation attacks. These states are critical to both Democrats and Republicans, as their historically razor thin majorities have allowed either parties’ candidates to win.

The worry is that attackers could use the lack of DMARC to impersonate legitimate email addresses to send targeted phishing or malware in order to gain a foothold on election networks or launch attacks, steal data, or delete it altogether, a move that would potentially disrupt the democratic process.

“It does not require a stretch to imagine attackers impersonating election officials via spoofed domains in order to spread disinformation, conduct voter misdirection or voter-suppression campaigns, or even to inject malware into government networks,” said Valimail’s Seth Blank, who authored the research.

“DMARC at enforcement is a crucial best practice for stopping the largest attack vector into any organization,” said Blank.

“It’s time to get it done,” he said.

Only a handful of 2020 US presidential candidates are using a basic email security feature

Just one-third of the 2020 U.S. presidential candidates are using an email security feature that could prevent a similar attack that hobbled the Democrats’ during the 2016 election.

Out of the 21 presidential candidates in the race according to Reuters, seven Democrats and one Republican candidate are using and enforcing DMARC, an email security protocol that verifies the authenticity of a sender’s email and rejects spoofed emails, which hackers often use to try to trick victims into opening malicious links from seemingly known individuals.

It’s a marked increase from April, where only Elizabeth Warren’s campaign had employed the technology. Now, the Democratic campaigns of Joe Biden, Kamala Harris, Michael Bloomberg, Amy Klobuchar, Cory Booker, Tulsi Gabbard, and Republican candidate Steve Bullock have all improved their email security.

The remaining candidates, including presidential incumbent Donald Trump, are not rejecting spoofed emails. Another seven candidates are not using DMARC at all.

That, experts say, puts their campaigns at risk from foreign influence campaigns and cyberattacks.

“When a campaign doesn’t have the basics in place, they are leaving their front door unlocked,” said Armen Najarian, chief identity officer at Agari, an email security company. “Campaigns have to have both email authentication set at an enforcement policy of reject and advanced email security in place to be protected against socially-engineered covert attacks,” he said.

DMARC, which is free and fairly easy to implement, can prevent attackers from impersonating a candidate’s campaign but also prevent the same kind of targeted phishing attacks against the candidate’s network that resulted in the breach and theft of thousands of emails from the Democrats.

In the run-up to the 2016 presidential election, Russian hackers sent an email to Hillary Clinton campaign manager John Podesta, posing as a Google security warning. The phishing email, which was published by WikiLeaks along the rest of the email cache, tricked Podesta into clicking a link that took over his account, allowing hackers to steal tens of thousands of private emails.

A properly enforced DMARC policy would have rejected the phishing email from Podesta’s inbox altogether, though DMARC does not protect against every kind of highly sophisticated cyberattack. The breach was bruising for the Democrats, one that led to high-profile resignations and harmed public perceptions of the Clinton presidential campaign — one she ultimately lost.

“It’s perplexing that the campaigns are not aggressively jumping on this issue,” said Najarian.

Jeanette Manfra, senior DHS cybersecurity official, to leave government

Jeanette Manfra, one of the most senior and experienced U.S. cybersecurity officials, is leaving government after more than a decade in the public sector.

Manfra, who served as assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), will join the private sector in the New Year. CISA is Homeland Security’s dedicated civilian cybersecurity unit set up a year ago to respond to help protect against threats to U.S. critical infrastructure and foreign threats.

In an exclusive interview with TechCrunch, Manfra said it was a “really hard time to leave,” but the move will give her successor time to transition into the role ahead of the upcoming 2020 presidential election.

She did not say what her new job will be, only that she will take time off to be with her family in the meantime. She will leave her post at the end of the year.

Manfra’s departure from government will be seen as largely unexpected. At Homeland Security, she has served three presidents and worked on numerous projects to improve relations with the private sector, which are considered crucial partners in defending U.S. cyberspace. She also saw the agency double down on election security, threats to the supply chain, and efforts to protect U.S. critical infrastructure like the power grid and water networks from nefarious attempts by nation states.

At TechCrunch Disrupt SF this year, Manfra also talked candidly about the ongoing threats to U.S. cybersecurity, including a skills shortage and the risks posed by another global “WannaCry-style” cyberattack, which in 2017 saw thousands of computers infected by file-locking malware, causing billions of dollars worth of damage.

Manfra joined Homeland Security in 2007 under then-president George W. Bush, half a decade after the department was founded in the wake of the September 11 terrorist attacks. Manfra described the early years as a time when there weren’t “a lot of people talking about cybersecurity.”

“It definitely was not really on the national stage at the time. It was, you know, there was still a lot of debate as to whether ‘cybersecurity’ was one word or two words,” she said.

But in the years past and as internet access and tech companies continued to grow, she said the U.S. saw several “wake up” calls that brought cybersecurity into the public mainstream. The hack of Sony Pictures in 2016 and the WannaCry global ransomware attack in 2017 were two, and both were blamed on North Korea. Another, she said, was the 2015 data breach of the U.S. Office of Personnel Management (OPM), which saw suspected Chinese hackers steal more than 21 million sensitive background check files of government employees who had sought security clearance.

The department’s cybersecurity presence started out as a “very small, frankly relatively unknown group of people,” she said. A decade later it had become a major force in managing crises like the OPM attack, a breach that she said helped to push government to better prioritize cybersecurity.

“[The OPM breach] forced us to make some changes across the government that’ve been good,” she said.

In the aftermath, the government took steps to bolster its own systems and networks to lower its attack surface by removing Kaspersky from its networks citing fears about Russian intelligence, and taking the lead rolling out HTTPS website encryption and email security protections across the federal domains — an effort still to this day largely neglected by some of the world’s wealthiest companies.

Election security, she said, was another major wake-up call for the government. Russia waged a widescale disinformation — or “fake news” — campaign during the 2016 election to sow discord and exploit divisions in communities across the U.S. But there were also fears that hackers could break in and modify the tallies in voting machines, a concern that never came to fruition but one that security experts say remains a threat. Lawmakers have been pushing for the removal of paperless and electronic-only voting machines to reduce the risk of hackers manipulate the votes in favor of a particular candidate.

“In 2016, it was our best judgment that the Russians were looking to undermine confidence,” Manfra told TechCrunch. “The public confidence is important, and we need to be thinking within the government about the adversaries’ ability and willingness to use those against us,” she said.

Manfra said the department knew it had to work closer with state and local election boards to figure out their needs following the 2016 election. “We had a lot of honest conversations with [election boards] about what they need, what do we do, and how can we help,” she said. “It’s the fastest I’ve ever seen a sector come together.”

Those partnerships with local elections have given Homeland Security unprecedented visibility into the nation’s election infrastructure, she said, going from “some coverage” in 2016 to near-absolute insight across the country.

“If we ever did again get technical indicators that an adversary was trying to do something, we would be able to move more quickly and much more expansively across the country,” she said.

That effort paid off. Last year’s midterm election was remarkably quiet compared to 2016. Both the Justice Department and Homeland Security said there was “no evidence” to support foreign interference during the midterms.

It’s that running theme of public-private collaboration that Manfra looked back on with pride. “We don’t have all the answers and we can’t do it alone.” Those partnerships across the industry verticals — from elections to finance, energy and manufacturing — are “crucial to everything that we do,” she said.

“It’s really easy to say how important it is to have the government in the private sector working together,” she said. “But to do it well, it’s actually really hard.”

Manfra said the government had to be “willing to open itself” to build trust with its partners. “We now have some of the largest companies in the country that we built trusted relationships when they know that they can give us sensitive information — and we can take that and use it to protect other people, but we’re not going to abuse that trust,” she said.

Speaking of her time at Homeland Security, Manfra said she was most proud of her team. “A lot of them have been with me since we started,” she said. “They could be working out in the private sector making a ton of money, but they’re dedicating their lives here,” she said.

But she said she was “forcing” herself to have no regrets during her time in government.

It’s not yet known who will replace Manfra or will take on her responsibilities. But her advice for her eventual successor: “Trust your team, trust your partners, and stay focused,” she said. “It’s such a broad mission. It’s easy to lose focus.”

Related stories:

Google limits political ad targeting and all ‘demonstrably false claims’

Google has joined Twitter in revising its political ad rules ahead of what promises to be a brutal election season. But while the latter chose to ban political advertising altogether, Google is mainly limiting the ability to target political demographics, and promises to take action against “demonstrably false claims.”

In a blog post Wednesday afternoon, the search giant explained the new rules in a way that is clearly intended to be understood by a broad audience, not the ad-buying elite.

“Given recent concerns and debates about political advertising, and the importance of shared trust in the democratic process, we want to improve voters’ confidence in the political ads they may see on our ad platforms,” wrote Scott Spencer, VP of product management at Google Ads.

The primary change, he explained, will be the limitation of targeting terms that can be used for political advertising buys that appear in search, on display ads, and on YouTube.

Google knows an immense amount about every one of its users, and as such can display ads to people who like certain products, are concerned with certain issues, and so on. But starting in December, if the ad is political in nature, it will only be able to be targeted to age, general, and postal code. (Notably, Twitter considers using zip codes “microtargeting” and will not allow it for political content.)

That’s nice, but it should be noted that such microtargeting may not be necessary for political issues, since advertisers can target search terms like “South San Jose city council candidates” and they’re off to the races. They just can’t send ads to people because they’re a Democrat, a Republican, support marriage equality, handgun restrictions, etc… but they can buy ads for the search terms “gay marriage,” “assault rifle ban,” and other items. That’s kind of fundamental to search-based ad buys.

At least it seems to be a step in the right direction — deep targeting for serious issues like that is not only unproven and controversial, but also fundamentally creepy. Better to do without it.

Google also said that it’s already “against our policies for any advertiser to make a false claim—whether it’s a claim about the price of a chair or a claim that you can vote by text message, that election day is postponed, or that a candidate has died.”

As further examples of what it would not allow, it cited “misleading claims about the census process, and ads or destinations making demonstrably false claims that could significantly undermine participation or trust in an electoral or democratic process.” That puts rather a fine point on it.

And as a warning to temper your expectations, Google noted that “no one can sensibly adjudicate every political claim, counterclaim, and insinuation,” so it plans to take “very limited” action, only for “clear violations.”

Funnily enough, of all the institutions on Earth, Google seems the one best suited to adjudicating content in that way. But “sensibly” is the key word here, and it is sensible for Google to avoid making promises it can’t keep.

Lastly Google will be expanding its election-related ad transparency reports to include “state-level candidates and officeholders, ballot measures, and ads that mention federal or state political parties.” These will be publicly searchable like those for national candidates, as shown above.

That the major platforms are moving at all on this question of money in politics is good, but it is hard to say how these restrictions — such as they are — will affect how things play out. It’s unlikely this is the last we’ll hear from Google, Twitter, or others on the topic.