[luchs]

You have to trust some hardware, but not necessarily the full stack you listed above.

For example, chipTAN is commonly used in Germany to verify online banking. You have to trust the chip on the banking card and the card reader, but not your computer, network connection, or your smartphone.

A similar device may also work for online voting. The hardware would be simple enough to audit it. Your computer would never learn the vote.

[badsock]

If the chip has its own display and input, and every step of the manufacturing process is carried out under strict supervision by all parties, and every time there's a firmware update the entire software stack is re-audited, then maybe. You raise a good point.

There's the whole business of securely distributing the chips (so they're not swapped out with counterfeits in transit), dealing with theft (and coersion to not report the theft), etc. But yes, if you can get a never-network-connected, brutally simply, completely automated voting device into 230 million hands, then I can't think off the top of my head how to exploit that. I would move on to trying to exploit the tallying system.

At that point, though, is it really cheaper than paper ballots? Perhaps it's worth it to engage more voters, but it still seems like a terrible risk to take - I'm only very grudgingly aware of computer security matters, just because I can't think of a way to exploit it, doesn't mean that one of the 7 billion people out there won't. And it only takes one.

Also I should point out that my original point stands - what you bring up is a million miles from what they proposed in TFA.