Utah's Electonic Voting RFP


An editorial in today's Deseret News urges the state to proceed slowly with a move to electronic voting. The Voting Equipment Selection Committee (VESC) released an RFP last week. You can read the press release (PDF), the executive summary (PDF) or the full RFP (PDF) for yourself. I loved this quote from the press release:

Members of the Voting Equipment Selection Committee have worked diligently to develop an RFP that addresses both the needs of Utah voters and the requirements of federal and state law, said Lt. Gov. Gayle McKeachnie. By leaving the door open for numerous systems including optical scan and electronic voting equipment, I am confident the state will select a system that Utahns will feel comfortable using.

The Lt. Governor got it exactly right. VESC has left lots of doors open, seemingly unwilling to actually take a stand on almost anything. Usually you write an RFP to make sure the State gets what it needs. This RFP seems crafted to invite vendors to tell the State what it needs.

I'm particularly concerned about the lack of a requirement for voter verifiable audit capability in electronic solutions. The RFP makes a nod in the direction of security and says that's the second most important selection criteria (after cost), but saying your concerned about security in general terms without being quite specific about what you require leaves the door open for all kinds of rationalization. In fact, if you do the math, security counts about 10% while cost counts for 30% in the selection. That seems upside down to me.

One need look no further than the constant plague of email viruses and security warnings to understand that computers suffer from a whole host security problems. The problem is that security is not something you can guarantee with a few code reviews or a carefully chosen panel of experts (as the RFP suggests). In fact, security is so hard to achieve that most Computer Scientists who have looked at the problem have concluded that the only way to prevent problems is to provide a method for auditing the results, provide for independent recounts and to allow each voter to check the results of the machine. This is called a voter verifiable paper audit trail (VVPAT).

California Sec. of State Kevin Shelley is concerned enough about security issues in electronic voting machines that he's banned (PDF) the use of machines that don't contain a voter verifiable paper audit trail. I don't understand why Utah's VESC has been unwilling to take a similar stand. They've never said as far as I can tell. In fact, you'll have a hard time finding any information that will help you understand their rationale for their decisions or what they think is important. It seems as if their prime directive has been to keep everyone happy and get an RFP out:

The Voting Equipment Selection Committee has been very deliberative in drafting this RFP, said committee chair and state Chief Information Officer Val Oveson. We have been very collaborative in addressing all issues related to the purchase of a new statewide voting solution and are excited to see the RFPs timely release.

Unfortunately, when it comes to computer security and especially in an area as important as ensuring the integrity of the voting process, you need the help of computer professionals. This isn't an area where consensus alone will necessarily lead to a better result.

Now that the RFP is out, our main hope is that VESC will be very careful in applying their security criteria. As they proceed through the evaluation process, the public will have a chance to comment on the various proposals. I urge you to get involved and let VESC know that you only support the selection of electronic solutions that have a voter verifiable paper audit trail by signing this online petition if you live in Utah.