[my8bird]

the big issue I see with this system is that the audit ballots are invalid. this means the developer only has to ensure that the audit system works. they can do whatever they want with the rest if the ballots since they can not be audited

[Hellcat]

I'm glad you raised this question, because I'm sure most people will think that. The fact is, that the system doesn't act any different in the 2 cases (audit and real), in both cases it FIRST prints the encrypted vote (and now the voter can actually see the his vote hanging out of the machine, but he still can't touch it), and now it asks the voter if he would like to verify (audit) or not (real), if he chooses to verify, the machine will print the key to decrypt the encrypted text and then the voter can verify that what was encrypted was really what he voted for. If he chooses not to verify, it will print the cleartext (unencrypted). Notice that for the machine to "fool" the voter it needs to predict when a voter will choose to verify or not in 100% accuracy because if 1 voter finds that what was encrypted wasn't really his choice, then the whole election is a shame and can be closed ignoring all votes.