Iowa Caucus Results App Could Have Been Hacked, Even Vulnerable To Changing Vote Totals, ‘ProPublica’ Reports

A report by the investigative news organization ProPublica found previously undetected vulnerabilities in the 'Shadow' app used in the Iowa caucuses.

On Tuesday, almost 24 hours after the Iowa caucuses kicked off the Democratic primary season, the state’s Democratic Party finally released partial results from the voting, and further results continued to be released in small increments into late Wednesday. The delay was allegedly linked to issues with a smartphone app that, for the first time, was intended to report results from individual caucus meetings to Democratic Party headquarters, where the vote tally was compiled.

The company behind the app, Shadow Inc., apologized for “the underlying technology issues” that led to chaos and uncertainty in reporting results from the Iowa caucuses, according to the Associated Press. However, a new investigative report published on Wednesday identified what could be far more serious vulnerabilities in the vote-tabulating program — vulnerabilities that could even allow hackers to tamper with vote totals.

The story, by the nonprofit investigative journalism organization ProPublica, alleges that while no evidence exists to show that voting data was directly affected in Iowa, the app was “so insecure that vote totals, passwords and other sensitive information could have been intercepted or even changed.”

IowaReporterApp, as it is called, was created by Shadow Inc., which in turn is owned by ACRONYM, a nonprofit company founded in 2017 by Democratic political strategist Tara McGowan, according to the AP report.

While McGowan said on Monday that Shadow is a “separate” entity from ACRONYM, the companies share the same address in Washington, D.C. Additionally, Shadow’s CEO was reportedly ACRONYM’s former chief operating officer and chief technology officer.

At the request of ProPublica reporters, the Massachusetts-based computer security firm Veracode inspected the program, finding that it contained no “safeguards” to protect data as it was transmitted from caucus sites to the Democratic Party vote-counters.

“It is important for all mobile apps that deal with sensitive data to have adequate security testing, and have any vulnerabilities fixed before being released for use,” Veracode’s chief technology officer, Chris Wysopal, told ProPublica, adding that Shadow made a “poor decision” by allowing the app to be used without adequate checks for security vulnerabilities.

Iowa Democratic Party spokesperson Mandy McClure told the investigative group that all of the vote totals transmitted through the app were in the process of being verified by comparison with on-paper, hard-copy records of the caucus votes.

ProPublica also noted that the U.S. Department of Homeland Security offered to test the program for vulnerabilities, but Iowa Democratic officials never responded to the offer, the group’s report says.

By 5:25 p.m. EST on Wednesday, 86 percent of Iowa precincts had reported results, with former South Bend, Indiana, Mayor Pete Buttigieg holding a lead in the state delegate count with 26.7 percent. Vermont Sen. Bernie Sanders remained close behind in second place with 25.4 percent, according to The New York Times.