I submitted this letter on the EFF's website. If you want to reference my letter in composing your own, please do so, but don't include my words without attribution as it will reduce the impact of my comments.

I'm an information systems security professional. I work as a software engineer at a well-known internet security software vendor. Prior to that I spent many years designing secure network infrastructure for Internet-connected computer systems. I've been an IEEE member for 10 years (member number: XXXXXXXX).

I'm writing to express concern with the IEEE electronic voting standards process (SCC38/P1583).

Recently there has been a great deal of public discourse about the security of electronic voting technologies. Unfortunately, this has been a very muddied process. We have, on the one hand, technology vendors and elections systems officials who have a vested interest in dodging questions about systems that have already been built and deployed. Furthermore, these vendors and officials are used to hearing uninformed luddite objections whenever new technology has been applied to the voting process. On the other hand, we have activists who don't always understand what they are talking about. However, in all of the noise and drama surrounding this issue there have been a number of serious questions with real technical merit raised by security professionals, and I feel that industry and elections officials have found reasons to dismiss these objections without giving them serious consideration.

In listening to elections officials in my home state (Georgia), I found that their primary concern in deploying electronic voting equipment has been to reduce the workload involved with counting votes. These officials do not understand how difficult it is to develop information systems that are secure against manipulation from well-funded adversaries, and they do not understand how the way that they use the systems vendors have supplied impacts the security of those systems. Furthermore, they seem uninterested in hearing from professionals outside of one individual professor in the local university system who they have designated as a trusted advisor.

In asking the IEEE to help develop standards for electronic voting systems, Congress has entrusted the organization with the role of providing a technical voice of reason in all of these discussions. Unfortunately, the IEEE has an extremely poor track record when it comes to information security standards. The recent 802.11* standards have had very poor security qualities, and these standards processes have moved forward for years without soliciting input from security professionals. (Only in the past few months have I heard, anecdotally, that they have started to reach out to people who have been breaking their security techniques for years.)

It is absolutely essential that the standards that this committee produces include very tight security requirements. I haven't read t...