The mobile software developed to tally votes in the Iowa Democratic caucus yesterday has taken center stage in an ongoing controversy over who exactly created it and why it was deployed in such a sloppy state. Now, thanks to Motherboard, we know what the app looks like, and the error screens that specific precinct leaders encountered as they attempted to call in vote totals last night.
The app was created by a company called Shadow Inc., a for-profit software firm that says its mission is to “build political power for the progressive movement by developing affordable and easy-to-use tools for teams and budgets of any size.”
The New York Times reported that many precinct chiefs had trouble simply downloading the app, and Motherboard’s screenshots give hints as to why that might be. The app was not deployed through traditional app stores or even sideloaded using an enterprise certificate. Instead, it was deployed through mobile testing platforms, including Apple’s TestFlight and a similar service that services both iOS and Android called TestFairy. Both platforms are for apps that are not yet finalized.
Testing platforms are common for mobile apps, and are one of many ways in which independent app developers and large software makers can deploy beta software without going through the sometimes rigorous App Store and Play Store review processes. This is primarily to let developers squash bugs and ensure the app can run on a variety of different devices, some of which may be using outdated operating systems and powered by older, less powerful components that may render the app sluggish or just plain inoperable.
In this case, however, it looks like Shadow used test platforms for the app’s public distribution. Motherboard obtained screenshots showing a TestFairy download link for Android, while The Wall Street Journal reported Tuesday that Shadow used TestFlight for iOS devices.
Installing software through a test platform or sideloading onto your device manually both come with security risks, as app store review processes are designed to discover whether a piece of software is hiding malware or does something behind the scenes it’s not supposed to. In the event you do sideload an app or try installing an unofficial version, your smartphone typically warns you of the risks and asks if you want to proceed. It’s also a less stable model for deploying software at scale, which might explain the difficulty precinct chiefs had in downloading the program.
The screenshot from Motherboard also shows that the app was distributed using the TestFairy platform’s free tier and not its enterprise one. That means Shadow didn’t even pony up for the TestFairy plan that comes with single sign-on authentication, unlimited data retention, and end-to-end encryption. Instead, it looks like the company used the version of TestFairy anyone can try for free, which deletes any app data after 30 days and limits the number of test users that can access the app to 200.
According to the NYT, Shadow was also building tools for the Nevada Democratic Party, but earlier this morning, the Nevada party said it would no longer be using Shadow for its upcoming primary. “We had already developed a series of backups and redundant reporting systems, and are currently evaluating the best path forward,” William McCurdy, the state Democratic party chairman, told CNN.
The issues, of course, weren’t restricted to the overall lack of review and testing or the security oversights — the Shadow app just plain failed when it was needed most. Motherboard’s screenshots showing the error screens for the app indicate it was experiencing a variety of unexplainable errors, and that it was communicating this to the poor precinct leaders with garbles of technical nonsense they were no doubt unequipped to parse during the time-sensitive reporting process.
Multiple caucus chairs reported problems with not only obtaining the app, but logging in. Zach Simonson, chairman of the Wapello County Democratic Party in Iowa, explained today in The Washington Post, that “the party didn’t really roll out the app so much as drop it on the doorstep.”
“On Monday, I fielded calls all day from chairs trying to download the app and getting blocked,” he writes, in a first-person piece titled “My chaotic, infuriating night running an Iowa caucus.” Simonson says he tried signing in himself, only to be told his PIN wasn’t valid. “In our county, only two of the 22 caucus leaders were able to use the app successfully,” he adds.
The result of this mess is that the reporting hotline began backing up as the IDC tried to revert to over-the-phone tallying and precinct leaders resorted to counting up votes by hand. As it stands now, votes are still not in, and the results of the Iowa caucus remain in a state of flux.
In a statement released Tuesday morning, Shadow confirmed it had made the app, and said it regrets “the delay in the reporting of the results of last night’s Iowa caucuses and the uncertainty it has caused to the candidates, their campaigns, and Democratic caucus-goers.”
Importantly, this issue did not affect the underlying caucus results data. We worked as quickly as possible overnight to resolve this issue, and the IDP has worked diligently to verify results.— Shadow, Inc. (@ShadowIncHQ) February 4, 2020
We will apply the lessons learned in the future, and have already corrected the underlying technology issue. We take these issues very seriously, and are committed to improving and evolving to support the Democratic Party’s goal of modernizing its election processes.— Shadow, Inc. (@ShadowIncHQ) February 4, 2020
Update February 4th, 3:56PM ET: Clarified that TestFairy maintains an iOS testing platform as well as an Android one, but it has not yet been verified whether Shadow Inc. used TestFairy to deploy an iOS version of the app or another testing platform. The headline has been updated to reflect this fact.
Update February 4th, 7:52PM ET: Added information from The Wall Street Journal regarding Shadow’s use of Apple’s TestFlight program for the iOS version of the Iowa Recorder App.