ACM Washington Update, Vol. 11.5 (June 6, 2007)

By David Bruggeman
June 8, 2007


[1] Newsletter Highlights
[2] USACM Urges Revisions to REAL ID Rules
[3] USACM Member To Testify on Proposed Employment Eligibility Verification System
[4] E-Voting Reform Legislation Passes Committee; ACM Lauds Move
[5] TGDC Refines Next Set of Voting Standards
[6] Spyware Legislation Passes House
[7] About USACM

[An archive of all previous editions of Washington Update is available at]


Below are highlights of the top stories from May. Congress took a major step forward toward reforming e-voting, while the Administration proposed controversial and vague new rules to implemented a national driver’s license system. There is more detail on each item below, as well as on our weblog at

* Responding to proposed rules to implement the REAL ID Act, USACM called the proposal fundamentally flawed, urged revisions to the proposed rules and called for the Administration to send Congress new legislation to address privacy, security and accuracy concerns.

* USACM Member Peter Neumann will testify this week on proposals to expand an electronic employee verification system for employers.

* The Committee on House Administration passed major e-voting reform, which now awaits action by the full House.

* The Technical Guidelines Development Committee met to refine the draft of the next version of the Voluntary Voting System Guidelines.

* The House of Representatives passed legislation intended to curb spyware after two competing versions cleared House Committees.


Arguing that the REAL ID Act is a de facto national identification system with poor controls for privacy, security and accuracy, USACM filed detailed comments calling for the department to strengthen the rules and propose new legislation to Congress to address the flawed policy of the Act.

Congress passed the REAL ID Act in 2005 over the objections of many privacy, security and technology experts. It calls for each state to standardize drivers’ licenses and share each state DMV database with agents from every other state. USACM commented on the problems with the law, and you can see
those comments at:

USACM comments on the rulemaking pointed out that the law and the proposed rules increased the risk of identity theft; made insider threats more dangerous; and lacked privacy, security, and accuracy guidelines necessary to protect personal information, among other issues. To address some of the concerns USACM made the following recommendations (excerpted here, please see the related post or the full document for our detailed comments on each of these):

“At a minimum, the final rule should require stronger, more detailed privacy, security and accuracy provisions than the NPRM. Even with the improvements to the proposed rulemaking we suggest below, existing technology and approaches cannot solve the policy problems raised by the REAL ID Act. We urge the Administration to send Congress proposed legislation to address these issues and frame the policy around privacy, security and accuracy goals – or to repeal the REAL ID act entirely. These issues should be addressed before the REAL ID Act becomes active.”

    1) Delay implementation of the REAL ID until all underlying databases and the federated query service have been fully tested and are operational.

    2) Minimize the data stored on the machine-readable zone (MRZ).

    3) Specify privacy, security and accuracy standards for the licenses, the databases, and the federated query service.

    4) Base the privacy standards on the Fair Information Practices.

    5) Require security consistent with standards such as the Common Criteria Evaluation and Validation Scheme (CCEVS).

    6) Include strong access control procedures for REAL ID documents and data.

    7) Require data breach notification procedures for any agency controlling REAL ID data or documents.

    8) Limit the scope of the usage of REAL ID to only the uses specified by law. We oppose any expansion of the official purposes of the REAL ID.

USACM’s full comments can be read at:

The draft rules are for the driver’s license and identification card provisions of the Act. They are available at:

USACM issued a press release in conjunction with our comments. You can read it here:

The Department of Homeland Security received over 12,000 comments in response to the proposed rules. With an implementation deadline less than a year away and legislation pending in Congress to repeal these rules there will be pressure on DHS to release final rules sooner rather than later.


On Thursday June 7 at 10:00 AM, Peter Neumann, USACM Member and Principal Scientist at SRI, will testify to Congress on behalf of USACM regarding proposals to expand and make mandatory the Employment Eligibility Verification System (EEVS). The EEVS is a query-based system that allows employers to verify the work-eligibility and identity documentation that
employees provide upon being hired. Currently this is voluntary system running as a pilot program with about 16,000 employers participating. As part of overall immigration reform efforts, Congress is considering legislation to expand this system and make it mandatory that all employers use it to verify an employees legal work status.

Seeking input on the technical issues associated with this system, the Committee on Ways and Means Social Security Subcommittee asked USACM to provide expert testimony. Peter Neumann, a long-time member of USACM and expert on security, privacy and trustworthy systems, will provide his and USACM’s perspectives on this issue. The hearing will be webcast. You can watch it here:


After several years of discussion, the House of Representatives took the first step toward reforming e-voting systems. In May, the House Administration Committee marked up HR 811, the Voter Confidence and Increased Accessibility Act of 2007 introduced by Rep. Rush Holt (D-N.J.). The proposal is comprehensive reform of voting systems (requiring durable, private, paper audit trails), the certification process, and how votes are audited, among other issues.

The bill cleared the committee on a party line vote, with Democrats supporting the measure and Republicans opposing it. The legislation is controversial because of substantial opposition from state and local election officials who argue the mandates in the legislation are unfunded
and unwarranted. This opposition seems to be slowing consideration of the legislation by the full House of Representatives. It isn’t clear when the bill will be scheduled for House floor consideration.

In a related story, Senator Feinstein has introduced a similar measure in the Senate. This is significant because she is Chairwoman of the Senate Rules Committee, which has jurisdiction over this issue. You can find a link to that legislation here:

Below is our release on the House Committee’s action:

The amended bill can be found at this link:


In May the Technical Guidelines Development Committee (TGDC) held a meeting to continue to work on the next edition of the Voluntary Voting Systems Guidelines (VVSG). The TGDC is working hard to make sure they can present their draft to the Election Assistance Commission, which is charged with finalizing and adopting the standards, by the end of July.

The May 24th draft is available online for review and comment. While TGDC meetings typically don’t have time for public comment, Anyone may comment on the draft by emailing The document is quite lengthy, so it’s not too early to review it and submit your comments. You can read the draft here:

As of the end of the meeting, the sections requiring additional work before final approval were summarized in a document available online at:

Much of the discussion concerned clarifications of specific requirements and of definitions that may have different meanings for the technical and election communities or the public. At this point most of the changes are small refinements and adjustments in requirements to insure a more consistent, uniform and accessible document. There are some areas, such as requirements for cut sheet voter verified paper records, that need refinement, but the bulk of the document is set.

The issue of electronic pollbooks came up again, as it did during the March meeting. It’s problematic for the TGDC to address pollbook requirements because by law the committee can develop standards for ballot activation devices (which are part of a voting system as defined by statute), but not for voter registration databases (which are not). A TGDC subcommittee will
revisit the issue, but there is concern about externally networked pollbooks being connected to ballot activation devices.

The TGDC will meet again by telecom on July 3, between 11:30-4:30 p.m. Eastern time. This meeting will be open to the public. There is still some work to do with new requirements, but top-level organization and content have been approved. Those concerned about the draft of the next VVSG should review the document and submit comments to before that June meeting.


In early May two House Committees approved different bills focused on addressing the threat of spyware.

The House Energy and Commerce Committee approved HR 964, the Securely Protect Yourself Against Cyber Trespass Act (the SPY Act). This committee has approved similar bills in the previous two Congresses, only to see the legislation fail in the Senate. The legislation would require software companies to notify and obtain permission before the software is downloaded.
Fines would be up to $3 million for each violation of software installment and up to $1 million for each instance of personal information being collected without notice and consent. This bill would address phishing, online advertising that couldn’t be closed, and tracking Internet activity. There would be some exemptions to the last provision, when the tracking is based on search queries from a toolbar on the computer. The FTC would conduct a study on the prohibitions of information collection, in order to recommend other exemptions.

The House Judiciary Committee approved its own spyware legislation, HR 1525, the Internet Spyware (I-SPY) Prevention Act of 2007. While the SPY Act focuses on the FTC, the I-SPY Act focuses on the Department of Justice, authorizing funding for the Department to fight spyware. The bill would allow fines or prison sentences for violations, up to two or five years depending on the offense.

The I-SPY Act was taken up and passed by the House within days of passing out of committee. The SPY Act is scheduled for House consideration in the first part of June.


USACM is the U.S. Public Policy Committee of the Association for Computing Machinery (ACM). ACM is an educational and scientific society uniting the world’s computing educators, researchers and professionals to inspire dialogue, share resources and address the field’s challenges. ACM strengthens the profession’s collective voice through strong leadership, promotion of the highest standards, and recognition of technical excellence. ACM supports the professional growth of its members by providing opportunities for life-long learning, career development, and professional networking.

For more information about USACM and ACM, see:


For earlier editions of the ACM Washington Update, see


To subscribe to ACM’s Washington Update newsletter, send an e-mail to with “subscribe WASHINGTON-UPDATE “First Name” “Last Name” (no quotes) in the body of the message.

To unsubscribe, simply include the “SIGNOFF WASHINGTON-UPDATE” command in an
email to