[grzm]

I misspoke in saying "receipt". You're right that we can't rely on voters keeping their receipts for a recount. I meant a paper record of the vote kept in addition to the electronic record.

I'm not sure where I might have given the impression that a recount would not be necessary. A paper record makes a recount possible and the election system auditable.

The linked Wikipedia article on end-to-end auditable voting systems provides an overview and links to different methods of making voting systems more trustworthy. There's a lot of thought and details that go into it, and if it's something you're interested in, I suggest following up on some of the links and spending more time. I know it's taken me reading a lot of different articles and implementations, and I still need to look up different parts of it.

I did find this slide deck from Ron Rivest helpful:

"Auditability and Verifiability of Elections" ACM-IEEE talk March 16, 2016

https://people.csail.mit.edu/rivest/pubs/Riv16x.pdf

Were there particular areas that didn't make sense to you?

[58]

It seems pretty simple to me. Have the machine print a receipt that shows your info and who you voted for, have the voter check it over and sign it, and then have the voter hand it in before leaving the voting station. The receipt is really no different than a paper ballot at that point.

That's not to say that other security precautions can be ignored. Ideally I'd think there should be mature open-source software running on secure intranets for each voting station, and transparency at every level of the process, including better transparency in how those physical receipts are transported, handled, and stored.

[melse]

Bear in mind that by requiring each voter to sign their ballot slip, you're reducing the anonymity of the election, since it's potentially possible to prove that you voted in a certain way to sell your vote.

[VLM]

The gold standard, which has been deployed where I live for a couple decades now, is to skip all the e-voting network touchscreen foolishness and simply fill out an optical scantron sheet like the tests you probably filled out in school.

The last step of voting is inserting the ballot into the scantron machine. Valid ballots are eaten, invalid are kicked back out at you.

Theoretically the machine can output running totals at any time, and if you've never seen an optical scanner in action you'll be surprised how fast it can scan and grade a classrooms worth of multiple guess tests, less than a minute to scan and process perhaps a hundred tests, so a thousand people living in my voting district is not exactly a data processing challenge. The votes can obviously be counted by hand of course, they're just custom printed multiple guess test sheets.

Optically scanned paper tapes and punch cards were contemporary in the 60s and optical scantron machines appeared shortly after. I'd estimate my state converted from mechanical voting machines and mimeograph machines to scantrons and photocopiers about the same time, lets say 1980 although maybe as late as 1984 or earlier in the 70s. I distinctly remember watching my parents vote one last time on an old fashioned voting machine when I was a little kid, probably voting for Nixon, may have been Reagan but I'd have been too old by then, I think. Old fashioned mechanical voting machines were cool and steam punk ish in appearance.

Its such a simple, cheap, reliable system that it almost leads credence to claims that elections are being intentionally rigged. Its hard to explain otherwise why something so cheap simple and logical is being covered up and so few people know about it. Ironically I live in a non-swing state in a gerrymandered district so my vote has never mattered and never will, but at least if I ever get a chance to influence politics via voting, its pretty obvious my vote would be counted fairly.

[waxim]

Two systems. One assigns a unique a temporary code to you on arrival at the polling station, much like those "take a number" queues at places. Then another unconnected voting system with printable receipt.

Step 1) You queue, get a "Temporary Voting Id"

Step 2) Enter the booth, enter your "TVID"

Step 3) Vote

Step 4) The Machine prints your Receipt with your vote clearly visible and your TVID as local proof its you and your vote is right.

Step 5) You fold your printed ballot and put it in a box.

Step 6) You fold your ID Receipt and place that into a "Validation Box" as you leave.

Step 7) All machines keep and print a "Tally" used as the count.

Step 8) All ballots and validation id's are saved in boxes and shipped ready for recounts if needed, ID's can be matched to ballots to validate attendance and votes anonymously.

Bonus Step) ALL vote machine should produce a "Vote Audit" when asked that will show a full history of votes (without times and in random order) and the ID's used and ALL id generation machine should produce all vote id's generated (again without times and in random order)

[VLM]

You can stuff the receipt box with fake receipts just to culture jam. IF you're going to pre-print certified serial numbered receipts, why not ballots? I suppose jamming the receipt signal would be wise if you're otherwise hacking the vote. It certainly would be easy.

The UI of a #2 pencil and a pre-printed form is a lot simpler and easier to use and un-jammable compared to an e-voting machine printer. Also cheaper and harder to hack.

If you keep your ID receipt theoretically you could prove your vote and sell it. If you don't keep your receipt, they might toss out your vote and you'll be unable to prove it. There are cryptographically secure-ish ways to work this, mostly involving statistical security (I forget the exact term, the kind that makes engineers pull their hair out because the algo looks inefficient but the inefficiency is the source of the security)

Even worse I assume multiple votes per TVID would overwrite the previous vote to handle user interface mistakes (see above, why must we use a complicated electronic UI instead of a #2 pencil and paper UI?). So any poll worker with access to the unshredded TVID has root password and can change everyones vote at their leisure.

You should have inserted the votes into a networked blockchain so people can ask WTF if 50 votes are changed ten minutes after the polls are officially closed. Or people could ask WTF when district #239 is the only district to have 50 revotes more than five minutes after the original vote. And the blockchain would store the former pre-tampering ballot which might be handy once the corruption is identified.

Of course it'll be fun to link the timestamped blockchain to CCTV cameras everywhere, so if you timestampped blockchain you no longer have anonymous voting, every ballot is now linked to license plates and face pictures, thank you "war on fake terror".

If the TVID is not cryptographically secure you don't need access to the box of stored TVIDs, because I see they handed #200 to me, #201 is next on the table, why shouldn't I type in and "correct" votes for TVID #190, #191, #192, #193 ... while standing in my private booth?

If I walk out the door with a cryptographically secure verified TVID and just toss a blank piece of paper into the TVID disposal box, then I can sell my TVID to someone for money or booze or sex, then dude walks in with my TVID, gets one of his own, votes for the two of us. You'd need to timestamp each TVID for a limited validation time. I could see management at companies requiring people to hand in their TVIDs to get their timecards or paychecks. Or at soup kitchens. Or crooked cops, or especially college professors. Imagine trying to explain you can't give your TVID to your feminist studies professor because your african world heritage professor already took it, which class do you accept the "F" in?

Essentially with TVIDs you're trying to implement Kerberos tickets which is tricky enough for computers, much less 80 year old deaf poll workers who dropped out of high school during the great depression and have never touched a computer. Every security hole or bug thats ever existed in Kerberos needs patching.

There are so many problems I'm kinda bored right now, but I can tell CCTV attacks and cellphone camera based attacks are going to be a very interesting problem. Essentially any security guard with a high res camera pix of the stack of TVIDs has root over your system, I think. If the TVIDs are preprinted any corrupt person with physical access to them before the election or before the recount anyway, who owns a cellphone camera or has access to a photocopier has root. Big data attacks might be possible, "sell" memorized TVID number to the bartender as part of a "I voted so now I get a free shot" sounds very much like democracy boosterism until the employer collects memorized ballot receipt number for their own parallel "I voted so I get a free ice cream cone at work" democracy boosterism, until the data is sold and you're powned because you gave away both parts plus the name your employer knows to "separate" entities who are not "separate" after all.

I'm not sure if you fix everything if you basically end up with optically scanned pencil on paper ballot "scantron" voting or if you end up in a parallel but different rabbit hole of higher complexity, cost, and lower security.

[zelos]

Not that I'd hold the UK up as a good example of democracy, but here there is a unique ID on each ballot paper that is noted down on a list next to your name when you vote. The ID/name list is kept securely, but can be used to find a voter's ballot paper later in the case of a dispute over the result or fraud.