Two big lessons that Iowa and Geneva can teach us about technology in digital development

Last week brought two high profile technology failures into the global spotlight. Although these two mishaps may seem quite different at first glance, they both highlight challenges that are inherent in providing software in the public sector (regardless of locale) and illustrate cautionary lessons worth discussing for practitioners in Digital Development.

The Iowa Caucus Debacle – Sometimes the only winning move is to not play

On February 3rd, United States voters in the state of Iowa participated in their biennial primary elections.  These take place in the form of a convoluted “caucus” process, whose complexities are made evident in the form of the reporting sheet below. Reading this may feel familiar to anyone who’s ever attempted to follow a WHO health protocol worksheet.

To facilitate the complicated caucus process, the Democratic Party of Iowa (IDP) requisitioned the development of a custom mobile app that met a certain set of requirements. It needed to follow precise custom logic, require minimal training, be developed in a short period, be rapidly scaled state-wide to all 1,681 precincts, and come in at an extremely low cost ($63,182).

Sound familiar yet?

What will sound even more familiar to Digital Development practitioners are the results. A night of chaos beset by technical glitches, an inability to use the app due to lack of accounting for unexpected user behaviors or poor connectivity, and such shaken trust that even days later there remains very little faith in the eventually reported numbers.

The magnitude of this failure has attracted a huge amount of interest in what went wrong. But in my view, there is no need for deep analysis of the possible sources of technical failure to understand the plain truth: it simply doesn’t make economic sense to build custom software to support a unique event that occurs every 2 years with a diverse and distributed volunteer workforce and that needs to be bulletproof in robustness and security. 

Iowa provides us with a reality check that even when the stakes are high there remains a dangerous willingness to ignore this truth on both the supply and demand side of the aisle, and this tendency is reinforced by our own wishful thinking. It’s easy to build software, but it’s hard to build software that works reliably. It’s even harder to tell the difference from the outside until the bottom falls out.

Ultimately the IDP has the same choices that all of us do with a limited budget and a unique problem they can’t get wrong. Accept the limitations of commercial tools, find a proven Open Source technology that leverages shared investment, or listen to most programmer’s opinions about voting and accept that some problems are just too hard to solve with silicon.

The U.N. Data Breach – Local doesn’t mean safe

In January, it was revealed that the United Nations suffered a breach in their Geneva and Vienna data centers in July 2019 as a result of an un-patched software vulnerability in one of their backend services. While the scope of the breach has not been disclosed, a reported 400GB of data was stolen as the result of the attacks which compromised 42 servers including three in the Human Rights agency.

The primary cause of the breach was a five month delay in applying an update to the affected software service, which for engineers isn’t surprising in the least. The domain of IT Security is a relentless global arms race. The public Common Vulnerability and Exposures database publishes more than a thousand new issues a month like the one that exposed the UN server. All of these vulnerabilities require software to be updated and urgently patched to prevent exploitation, often requiring manual efforts from overworked IT teams.

While well-deserved distrust in “Big Tech” has increasingly driven organizations out of the cloud and back to hosting data on-premise, the uncomfortable elephant in the room is that providing a safe, up-to-date server environment has become an expensive and high-skill responsibility. As we’ve seen, even organizations with the UN’s resources can fail to meet these requirements. 

Finally, the UN’s choice to cover up the breach (which was eventually leaked) highlights the deep challenges caused by misaligned incentives around IT security. Professional cloud hosting services have a tremendous amount to lose from a breach financially, and a legal obligation to report them under the GDPR and other regulatory frameworks. In comparison, the UN and many governments are (legally or practically) immune to such consequences, which means they have significantly less clear incentive to provide the expensive resources needed to prevent lapses.