by toddkazakov 3480 days ago
You don't even have to trust the software or the hardware. All that matters is that votes are cast as intended and that the tally is correct. End-to-end cryptographically verifiable voting systems achieve that by different means (zero-knowledge proofs, etc.). An example is the Pret-a-Voter voting protocol. It uses re-encryption mix nets to provide verifiability (close to how Tor works).
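The re-encryption mix net mentioned in the comment above, as an added worked example (not code from the thread or from Pret-a-Voter itself): voters post ElGamal encryptions of their choice to a bulletin board, each mix server re-encrypts and shuffles the whole batch, and the decrypted outputs are tallied. The audit shown here is the simplest possible one, where a challenged mix server opens every (input, randomness) link so an auditor can recompute its outputs; real systems open only a random subset of links or use a zero-knowledge shuffle proof, because opening all links undoes that server's contribution to privacy. The prime, generator, candidate list and seeds are constructed toy values, not parameters from any deployed system.

```python
import random

# Toy ElGamal group: safe prime P = 2Q + 1, G generates the subgroup of order Q.
# Constructed for illustration only; real deployments use ~2048-bit or
# elliptic-curve groups.
P = 1019
Q = (P - 1) // 2
G = 4

CANDIDATES = ["alice", "bob", "carol"]  # constructed sample ballot


def keygen(rng):
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)  # (secret key, public key)


def encode(candidate):
    # Encode candidate i as the subgroup element G^(i+1); decode by table lookup.
    return pow(G, CANDIDATES.index(candidate) + 1, P)


def decode(m):
    for i, name in enumerate(CANDIDATES):
        if pow(G, i + 1, P) == m:
            return name
    raise ValueError("plaintext is not a valid vote encoding")


def encrypt(pk, m, rng):
    r = rng.randrange(1, Q)
    return (pow(G, r, P), m * pow(pk, r, P) % P)


def reencrypt(pk, ct, r):
    # Multiply by an encryption of 1 with randomness r: same plaintext, new ciphertext.
    a, b = ct
    return (a * pow(G, r, P) % P, b * pow(pk, r, P) % P)


def decrypt(sk, ct):
    a, b = ct
    return b * pow(a, (P - 1) - sk, P) % P  # b * a^(-sk), inverse via Fermat


def mix(pk, ciphertexts, rng):
    """One mix server: re-encrypt every input, output them in a random order.
    Returns the outputs plus the (source index, randomness) links, which the
    server keeps secret unless it is audited."""
    perm = list(range(len(ciphertexts)))
    rng.shuffle(perm)
    outputs, links = [], []
    for src in perm:
        r = rng.randrange(1, Q)
        outputs.append(reencrypt(pk, ciphertexts[src], r))
        links.append((src, r))
    return outputs, links


def audit_mix(pk, inputs, outputs, links):
    """Auditor check for a server that opened all of its links: every output must
    be exactly the claimed re-encryption of its claimed input, and the claimed
    sources must be a permutation of the inputs (nothing dropped or duplicated)."""
    if sorted(src for src, _ in links) != list(range(len(inputs))):
        return False
    return all(reencrypt(pk, inputs[src], r) == out
               for out, (src, r) in zip(outputs, links))


def tally(sk, ciphertexts):
    counts = {name: 0 for name in CANDIDATES}
    for ct in ciphertexts:
        counts[decode(decrypt(sk, ct))] += 1
    return counts


def run_election(votes, n_mixes=3, seed=1):
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    board = [encrypt(pk, encode(v), rng) for v in votes]  # voters keep these as receipts
    stage, audits = board, []
    for _ in range(n_mixes):
        outputs, links = mix(pk, stage, rng)
        audits.append(audit_mix(pk, stage, outputs, links))
        stage = outputs
    return {"receipts": board, "outputs": stage,
            "audits_passed": all(audits), "tally": tally(sk, stage)}


def tamper_demo(seed=5):
    """Honest mix passes audit; a mix that swaps one plaintext for the next
    candidate (multiplying b by G) fails, since the opened link no longer recomputes."""
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    inputs = [encrypt(pk, encode("alice"), rng), encrypt(pk, encode("bob"), rng)]
    outputs, links = mix(pk, inputs, rng)
    honest_ok = audit_mix(pk, inputs, outputs, links)
    a, b = outputs[0]
    tampered = [(a, b * G % P)] + outputs[1:]
    return honest_ok, audit_mix(pk, inputs, tampered, links)


if __name__ == "__main__":
    print(run_election(["alice", "bob", "alice", "carol", "alice", "bob"])["tally"])
    print(tamper_demo())
```

A voter's individual check is that their receipt ciphertext appears in `receipts` on the public board; the tally check is that everyone can re-run `decrypt`-free verification of the mixes and, with threshold decryption in a real system, of the final decryption. Neither check needs the voter to trust the mix servers' hardware, which is the point the comment is making; what this example does not address is the device that encrypts the vote in the first place, which the replies below pick up.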

You absolutely have to trust the software and the hardware.

Modifications at the hardware/OS level can deliberately misrepresent the voter input from the touch panel, and can then alter what is displayed on the screen to match what the voter expects.

No matter how bulletproof the encryption protocol is, it still needs to be fed a choice via an analog, unencrypted channel because human beings are analog and unencrypted. If you control that channel, it's game over.

And you can't get around that by having a system that enables people to verify their vote at a later time on a second (presumably unhacked) machine, because then you'll also enable the forcing of voters to prove that they've voted the way that they've been coerced to.

You have to trust some hardware, but not necessarily the full stack you listed above.

For example, chipTAN is commonly used in Germany to verify online banking. You have to trust the chip on the banking card and the card reader, but not your computer, network connection, or your smartphone.

A similar device may also work for online voting. The hardware would be simple enough to audit it. Your computer would never learn the vote.
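A simplified model of the chipTAN idea in the comment above, as an added example (not the actual chipTAN/EMV-CAP algorithm, and not code from the thread): the only trusted parts are a device with its own key, display and OK button, and the bank that shares the key. The PC in between can alter what it sends to the bank, what it sends to the device, or both, and each case fails at a different trust boundary. HMAC-SHA256 stands in for the real card algorithm; the key, IBANs and amounts are constructed values.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    recipient: str   # IBAN shown on the device display
    amount_cents: int


def _message(counter, t):
    # Transaction-bound data the device authenticates; the counter prevents replay.
    return f"{counter}|{t.recipient}|{t.amount_cents}".encode()


def _tan(key, counter, t):
    mac = hmac.new(key, _message(counter, t), hashlib.sha256).digest()
    return "%06d" % (int.from_bytes(mac[:4], "big") % 1_000_000)


class Device:
    """Stand-in for card + reader: key never leaves it, and it renders the
    transaction on its own display before computing anything."""

    def __init__(self, key):
        self.key = key
        self.counter = 0

    def show_and_sign(self, t, user_confirms):
        # The user compares the device's display with what they intended.
        if not user_confirms(t):
            raise ValueError("user rejected transaction shown on device")
        self.counter += 1
        return _tan(self.key, self.counter, t)


class Bank:
    def __init__(self, key):
        self.key = key
        self.counter = 0

    def verify(self, t, tan):
        # Accept a small window of counters so a skipped TAN does not lock the card.
        for c in range(self.counter + 1, self.counter + 4):
            if hmac.compare_digest(_tan(self.key, c, t), tan):
                self.counter = c
                return True
        return False


def scenario(tamper_device_input, tamper_bank_input):
    """Returns what happens when PC malware rewrites the recipient on the way to
    the device, to the bank, both, or neither."""
    key = b"constructed-card-secret"  # provisioned at card issuance (constructed)
    device, bank = Device(key), Bank(key)
    intended = Transfer("DE00 0000 0000 0000 0000 01", 12_000)
    attacker = Transfer("DE00 9999 9999 9999 9999 99", 12_000)
    to_device = attacker if tamper_device_input else intended
    to_bank = attacker if tamper_bank_input else intended
    try:
        tan = device.show_and_sign(to_device, lambda shown: shown == intended)
    except ValueError:
        return "rejected_by_user"
    return "accepted" if bank.verify(to_bank, tan) else "rejected_by_bank"


if __name__ == "__main__":
    for flags in [(False, False), (False, True), (True, False), (True, True)]:
        print(flags, scenario(*flags))
```

The failure modes are deliberately split: altering only the data sent to the bank breaks the MAC, while altering what the device is shown is caught by the user reading the device's own display. The residual trust is exactly what the comment says: the chip, the reader and its display, and the user actually reading it. The voting analogue would have the device display the chosen candidate and authenticate or encrypt that choice itself, so the PC only relays ciphertext; the coercion and receipt problems raised elsewhere in the thread are not solved by this.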

If the chip has its own display and input, and every step of the manufacturing process is carried out under strict supervision by all parties, and every time there's a firmware update the entire software stack is re-audited, then maybe. You raise a good point.

There's the whole business of securely distributing the chips (so they're not swapped out with counterfeits in transit), dealing with theft (and coercion to not report the theft), etc. But yes, if you can get a never-network-connected, brutally simple, completely automated voting device into 230 million hands, then I can't think off the top of my head how to exploit that. I would move on to trying to exploit the tallying system.

At that point, though, is it really cheaper than paper ballots? Perhaps it's worth it to engage more voters, but it still seems like a terrible risk to take - I'm only very grudgingly aware of computer security matters; just because I can't think of a way to exploit it doesn't mean that one of the 7 billion people out there won't. And it only takes one.

Also I should point out that my original point stands - what you bring up is a million miles from what they proposed in TFA.

Yup, or you get something like this -- https://www.youtube.com/watch?v=EV_c1-YTk8M