by NickNameNick 3837 days ago
Electronic voting machines are inherently unsafe. (Consider the difficulty of validating that the software has not been tampered with eg trusting trust, that the drivers have not been tampered with, that the network transfer of the counts is secure and validated, that the hardware is safe and reliable, that the screens and display controllers are displaying what the software thinks they are displaying, etc).

The 'best' option is to use them to print a paper ballot that the voter can validate before putting it in a ballot box. But at that point, you've basically invented a $2000 pencil.

Options that rely on the voting machine itself to count or transmit the votes can't be adequately validated. Options that publish the votes in the clear, allowing voters to check their votes were recorded properly, violate anonymity requirements, and options that publish obfuscated votes don't actually provide useful auditability.

Not being able to provide a paper (or equivalent) ballot recount is (or should be) completely unacceptable.


> Electronic voting machines are inherently unsafe.

Nothing about a voting machine is inherently unsafe (for any purpose of the word), or we wouldn't use machines ubiquitously. They are both safe and reliable. Software is difficult to do, but we go into space anyway.

> allowing voters to check their votes were recorded properly violate anonymity requirements

Nope. Using hashes and keys is how we do it in the technical community and would work fine with voting.

> publish obfuscated votes don't actually provide useful auditability.

You're improperly lumping problems that are a combination. Some have very good solutions and one is a rather intractable problem (for machines).

Added votes

Missing votes

Misrepresented choices

Altered votes

Most of these could be handled. The issue of added votes would be something that could only be handled by serious federal criminal legislation against padding at any level (which we don't do today) because only a human is trusted to determine if a voter is another human.

A properly engineered votechain (blockchain-like) could also possibly solve this problem without needing a paper trail.

There's still a tremendous amount of trust involved, and many components to secure. Some folks have done security analysis of voting machines and were not impressed (an understatement). Blockchains and other applications of crypto are kind of pointless if the firmware can be subverted to record Candidate B while displaying Candidate A to the user.

Oh, there are lots of technological solutions (display hashes of a vote, which can be photographed and checked, for instance). But paper and pen have worked for a long time and we have decent strategies for dealing with its faults, while the target area of a microprocessor-controlled voting machine is mind boggling.

That doesn't preserve the anonymity requirement for safe voting systems. Blockchains are only pseudonymous and a malicious landlord, employer or family member could easily coerce you into divulging your ID.

You could give out randomised voting smartcards with an embedded private key at every polling station, which would preserve the anonymity.

If you take the key with you after you vote, which you will need to do if you want to validate your vote later, then you can be coerced into disclosing it.

I believe that the keys would just be taken by the machine, that way you'd be able to verify the vote was placed without the risk of revealing the identity of the voter attached to that card.
> allowing voters to check their votes were recorded properly violate anonymity requirements

Why can't voters be provided with a random vote ID, which they can write down and later check against a list?

If you're concerned about people buying votes directly by buying IDs, just make the set of possible IDs small enough (i.e., the same size as the number of registered voters) to confound buyers into being uncertain whether their provider might have just thought up a random ID and written it.
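The random vote ID proposal above, modelled as an added example (this is not code from the thread or from any real voting system; the functions, the published board and the sample choices are all constructed for illustration). It shows both halves of the trade-off: the check the voter runs at home is the same check a coercer can run on a shown ID, and the only thing the "small ID space" argument buys is that an invented ID passes the coercer's check with the base-rate probability of the demanded choice, so a shown ID stops being proof of anything.

```python
import secrets

# Constructed sample input: the choices recorded at one polling station,
# in the order the vote IDs were handed out (no voter names anywhere).
SAMPLE_CHOICES = ["A", "B", "A", "A", "B"]


def issue_vote_ids(num_voters: int, id_space: int) -> list[int]:
    """Hand out distinct random vote IDs drawn from a space of size id_space.

    With id_space == num_voters (the 'small set' suggested above) every
    possible ID ends up on the published list.
    """
    if num_voters > id_space:
        raise ValueError("ID space must be at least as large as the electorate")
    ids: set[int] = set()
    while len(ids) < num_voters:
        ids.add(secrets.randbelow(id_space))
    return list(ids)


def publish_board(vote_ids: list[int], choices: list[str]) -> dict[int, str]:
    """The published list: each vote ID paired with the choice recorded for it."""
    return dict(zip(vote_ids, choices))


def voter_checks(board: dict[int, str], vote_id: int, my_choice: str) -> bool:
    """What the voter does later: is my ID present and does it show what I cast?"""
    return board.get(vote_id) == my_choice


def coercer_checks(board: dict[int, str], shown_id: int, demanded_choice: str) -> bool:
    """Exactly the same check, run by whoever the voter is pressured into showing the ID to.

    Because the board pairs IDs with choices, a verifiable receipt is also a
    transferable proof of how the vote was cast.
    """
    return board.get(shown_id) == demanded_choice


def forged_id_success_rate(board: dict[int, str], id_space: int, demanded_choice: str) -> float:
    """Probability that an ID invented uniformly at random passes the coercer's check.

    When the ID space equals the number of voters this is just the share of
    the demanded choice, so a real ID carries no more evidence than a guess.
    When the space is much larger, a guessed ID is almost never on the list at
    all, and a shown ID that is on the list becomes strong evidence.
    """
    hits = sum(1 for candidate in range(id_space) if board.get(candidate) == demanded_choice)
    return hits / id_space


if __name__ == "__main__":
    ids = issue_vote_ids(len(SAMPLE_CHOICES), len(SAMPLE_CHOICES))
    board = publish_board(ids, SAMPLE_CHOICES)
    first_id, first_choice = ids[0], SAMPLE_CHOICES[0]
    print("voter check:  ", voter_checks(board, first_id, first_choice))
    print("coercer check:", coercer_checks(board, first_id, first_choice))
    print("forged-ID success, small space:", forged_id_success_rate(board, 5, "A"))
    print("forged-ID success, large space:", forged_id_success_rate(board, 1000, "A"))
```

The two success rates are the whole argument in numbers: with a five-ID space an invented ID "proves" a vote for A 60% of the time, which is the same odds the coercer had before asking; with a thousand-ID space it drops to 0.3%, so the receipt regains its value as proof and the vote-buying problem returns.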

> Why can't voters be provided with a random vote ID

https://en.wikipedia.org/wiki/Electoral_fraud#Vote_buying

"bring me an ID which shows you voted for X and I'll give you $5"

https://en.wikipedia.org/wiki/Electoral_fraud#Intimidation

"bring me an ID showing you voted for X or you're fired"

https://en.wikipedia.org/wiki/Voter-verified_paper_audit_tra... is the correct-est solution I'm aware of.

How is giving them a unique ID any different than the current situation? They can just as easily take a video of themselves voting as proof for these purposes.

That is quite new, and of questionable legality http://www.nytimes.com/2015/08/25/us/selfies-in-voting-booth...

for exactly the reasons above.

IMO, a paper ballot with electronic verification in the booth solves these problems. Just make the in-booth scanner reject-happy. It can also display multiple languages for instructions.

A $2000 pencil that replaces tons of paper instructions printed in several languages and prevents double-voting and other mistakes may still be valuable. Not so much in democracies where you cast one vote every 4 years, but in America, where you can have a dozen every year or so, a voting machine can be useful.

A computer with a $5 camera that can tally a paper ballot per second grocery-store style is also useful because you get accurate results in half an hour instead of a day later. Poll observers can't count that fast, but they can video the counting and review it later.

We can safely and effectively use computers as much as we want on either side of the ballot box.

And paper ballot counts can be witnessed/checked by candidates' representatives, which is impossible with electronic ballots.