by waxim 3513 days ago
Two systems. One assigns a unique temporary code to you on arrival at the polling station, much like those "take a number" queues at places. Then another unconnected voting system with printable receipt.

Step 1) You queue, get a "Temporary Voting Id"

Step 2) Enter the booth, enter your "TVID"

Step 3) Vote

Step 4) The Machine prints your Receipt with your vote clearly visible and your TVID as local proof it's you and your vote is right.

Step 5) You fold your printed ballot and put it in a box.

Step 6) You fold your ID Receipt and place that into a "Validation Box" as you leave.

Step 7) All machines keep and print a "Tally" used as the count.

Step 8) All ballots and validation IDs are saved in boxes and shipped ready for recounts if needed; IDs can be matched to ballots to validate attendance and votes anonymously.

Bonus Step) ALL vote machines should produce a "Vote Audit" when asked that will show a full history of votes (without times and in random order) and the IDs used, and ALL ID generation machines should produce all vote IDs generated (again without times and in random order).

1 comments

You can stuff the receipt box with fake receipts just to culture jam. If you're going to pre-print certified serial numbered receipts, why not ballots? I suppose jamming the receipt signal would be wise if you're otherwise hacking the vote. It certainly would be easy.

The UI of a #2 pencil and a pre-printed form is a lot simpler and easier to use and un-jammable compared to an e-voting machine printer. Also cheaper and harder to hack.

If you keep your ID receipt, theoretically you could prove your vote and sell it. If you don't keep your receipt, they might toss out your vote and you'll be unable to prove it. There are cryptographically secure-ish ways to work this, mostly involving statistical security (I forget the exact term, the kind that makes engineers pull their hair out because the algo looks inefficient but the inefficiency is the source of the security).

Even worse, I assume multiple votes per TVID would overwrite the previous vote to handle user interface mistakes (see above, why must we use a complicated electronic UI instead of a #2 pencil and paper UI?). So any poll worker with access to the unshredded TVID has root password and can change everyone's vote at their leisure.

You should have inserted the votes into a networked blockchain so people can ask WTF if 50 votes are changed ten minutes after the polls are officially closed. Or people could ask WTF when district #239 is the only district to have 50 revotes more than five minutes after the original vote. And the blockchain would store the former pre-tampering ballot which might be handy once the corruption is identified.

Of course it'll be fun to link the timestamped blockchain to CCTV cameras everywhere, so if you timestamped blockchain you no longer have anonymous voting, every ballot is now linked to license plates and face pictures, thank you "war on fake terror".

If the TVID is not cryptographically secure you don't need access to the box of stored TVIDs, because I see they handed #200 to me, #201 is next on the table, why shouldn't I type in and "correct" votes for TVID #190, #191, #192, #193 ... while standing in my private booth?

If I walk out the door with a cryptographically secure verified TVID and just toss a blank piece of paper into the TVID disposal box, then I can sell my TVID to someone for money or booze or sex, then dude walks in with my TVID, gets one of his own, votes for the two of us. You'd need to timestamp each TVID for a limited validation time. I could see management at companies requiring people to hand in their TVIDs to get their timecards or paychecks. Or at soup kitchens. Or crooked cops, or especially college professors. Imagine trying to explain you can't give your TVID to your feminist studies professor because your African world heritage professor already took it, which class do you accept the "F" in?

Essentially with TVIDs you're trying to implement Kerberos tickets, which is tricky enough for computers, much less 80 year old deaf poll workers who dropped out of high school during the great depression and have never touched a computer. Every security hole or bug that's ever existed in Kerberos needs patching.

There are so many problems I'm kinda bored right now, but I can tell CCTV attacks and cellphone camera based attacks are going to be a very interesting problem. Essentially any security guard with a high res camera pix of the stack of TVIDs has root over your system, I think. If the TVIDs are preprinted any corrupt person with physical access to them before the election or before the recount anyway, who owns a cellphone camera or has access to a photocopier has root. Big data attacks might be possible, "sell" memorized TVID number to the bartender as part of a "I voted so now I get a free shot" sounds very much like democracy boosterism until the employer collects memorized ballot receipt number for their own parallel "I voted so I get a free ice cream cone at work" democracy boosterism, until the data is sold and you're powned because you gave away both parts plus the name your employer knows to "separate" entities who are not "separate" after all.

I'm not sure if you fix everything if you basically end up with optically scanned pencil on paper ballot "scantron" voting or if you end up in a parallel but different rabbit hole of higher complexity, cost, and lower security.
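As an added example (not code from the post or the commenter), a small Python reconciliation of the post's step 8 and bonus audit: it matches the ballot box against the validation box and the ID-generation machine's log, and flags the cases the comment raises (a TVID voted twice, a TVID that was never issued, a TVID that walked out the door). The function names and the sample boxes are constructed for illustration.

```python
import secrets
from collections import Counter

def issue_tvids(n):
    """Step 1: issue n unpredictable TVIDs. Random tokens, not a sequential
    take-a-number counter, so seeing #200 tells you nothing about #190."""
    return [secrets.token_hex(8) for _ in range(n)]

def reconcile(ballots, validation_box, issued):
    """Step 8 / bonus audit: cross-check the three records a recount has.
    ballots        -- (tvid, choice) pairs from the folded-ballot box
    validation_box -- TVIDs dropped in the box on the way out
    issued         -- TVIDs the ID-generation machine says it produced
    Returns the tally of ballots that pass every check, plus the anomalies
    that need human review rather than silent overwriting."""
    issued = set(issued)
    ballot_ids = Counter(t for t, _ in ballots)
    receipt_ids = Counter(validation_box)
    anomalies = {
        # a ballot box stuffed with TVIDs no machine ever handed out
        "ballot_never_issued": sorted(t for t in ballot_ids if t not in issued),
        "receipt_never_issued": sorted(t for t in receipt_ids if t not in issued),
        # voted but never turned in the receipt, or vice versa
        "ballot_without_receipt": sorted(t for t in ballot_ids
                                         if t in issued and t not in receipt_ids),
        "receipt_without_ballot": sorted(t for t in receipt_ids
                                         if t in issued and t not in ballot_ids),
        # same TVID voted more than once: re-vote, replay or overwrite
        "duplicate_ballot_tvid": sorted(t for t, c in ballot_ids.items() if c > 1),
        # issued, then neither voted nor returned: left the building
        "issued_unused": sorted(issued - set(ballot_ids) - set(receipt_ids)),
    }
    bad = set().union(*anomalies.values())
    tally = Counter(choice for t, choice in ballots if t in issued and t not in bad)
    return tally, anomalies

def demo():
    """Constructed sample boxes exercising each anomaly once."""
    issued = ["a1", "a2", "a3", "a4", "a5"]
    ballots = [("a1", "Alice"), ("a2", "Bob"), ("a3", "Alice"),
               ("a3", "Bob"),   # a3 voted twice
               ("zz", "Bob")]   # zz was never issued
    validation_box = ["a1", "a2", "a3", "a4"]  # a4 has no ballot, a5 never returned
    return reconcile(ballots, validation_box, issued)

if __name__ == "__main__":
    tally, anomalies = demo()
    print(dict(tally), anomalies)
```

Only a1 and a2 count in the tally; everything else lands in the anomaly lists for the recount team to look at.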