
> just make the electronic machine spit out a paper receipt

Now the person making the vote has to check the receipt matches their input, and they probably don't have a practical form of redress if it doesn't.




> You can't do this. Probably the most fundamental problem with electronic vote verification is that you cannot give someone physical evidence of how their vote was cast, because it makes voter coercion feasible.

There are machines that print paper receipts to voters (presented under glass so voters can verify), and then drop the receipts into a traditional lockable ballot box. The voter cannot access the paper ballot without evidently tampering with the machine; the only issue is that you'd need a way to get poll workers the ballot at issue without identifying the voter.


> you see the printed receipt through a glass window

I actually believe this is the best possible situation.

The voting machine should print a clear, unambiguous ballot and on-screen tell you to verify it before you officially "cast" your vote. "If the ballot below does not represent your choices, please click <HERE> to request an attendant."

I'm thinking of this more as having printers that print out an unambiguous completed ballot and less as voting machines that "also print out a copy".


> For counting things, it seems like computers would be a good fit.

You could keep the computers but you also have the papers sealed in boxes. Then you can manually check 1-5% of the votes and make sure the machines are correct. Or if someone contests the count and a judge decides the reasons are fair you can count again all the votes in that polling station.
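An added example, not part of the comment above: how likely a 1% or 5% hand check is to include at least one ballot the machine mis-recorded, and how large the sample must be for a chosen confidence. The ballot counts, the per-ballot machine record that `audit` compares against, and all function names are assumptions made for illustration.

```python
import math
import random


def detection_probability(total, altered, sample_size):
    """P(a uniform sample without replacement holds >= 1 altered ballot)."""
    if altered <= 0 or sample_size <= 0:
        return 0.0
    clean_only = math.comb(total - altered, sample_size)  # samples missing every altered ballot
    return 1.0 - clean_only / math.comb(total, sample_size)


def min_sample_for(total, altered, confidence):
    """Smallest hand-check size whose detection probability reaches `confidence`."""
    for n in range(1, total + 1):
        if detection_probability(total, altered, n) >= confidence:
            return n
    return total


def audit(paper, machine, fraction, rng):
    """Hand-check a random fraction of sealed paper ballots against the
    machine's record for the same ballot position (assumed to exist)."""
    n = max(1, round(len(paper) * fraction))
    picked = rng.sample(range(len(paper)), n)
    return sorted(i for i in picked if paper[i] != machine[i])


if __name__ == "__main__":
    # Constructed polling station: 1000 ballots, machine mis-records 10 of them.
    rng = random.Random(7)
    paper = [rng.choice("AB") for _ in range(1000)]
    machine = list(paper)
    for i in rng.sample(range(1000), 10):
        machine[i] = "A" if paper[i] == "B" else "B"
    for pct in (0.01, 0.05):
        p = detection_probability(1000, 10, round(1000 * pct))
        print(f"{pct:.0%} sample: P(detect) = {p:.2f}, mismatches found: "
              f"{audit(paper, machine, pct, rng)}")
    print("sample needed for 95%:", min_sample_for(1000, 10, 0.95))
```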


> the paper records can be used to run a stop-loss audit to verify the electronic vote count

You can't do this. Probably the most fundamental problem with electronic vote verification is that you cannot give someone physical evidence of how their vote was cast, because it makes voter coercion feasible.

It's why almost all absentee / write-in ballots are set up so that if you send multiple ballots only the last one is counted (or an in-person vote if you give one). If someone tries to coerce your vote and use the absentee ballot as proof, unless they keep you imprisoned until the election is over, they can't prove you didn't resubmit / go in person to change your vote.

With receipts for in-person ballots the only way to defeat coercion is to make it so you can, at the point of receipt, get issued an intentionally flawed receipt. But if you are verifying votes this way, it would have to be for another legitimate voter voting the exact way your coercer wanted. That sounds like a hugely limiting technical flaw.


He's not referring to giving you a receipt, he's talking about voting machines that produce a paper print out that the voter quickly confirms at the polling place, then deposits in a ballot box. If the custody of these paper ballots is managed carefully, they can later be used to verify any apparent funny business in the results of the electronic vote counting system.

> It MUST produce a paper ballot that clearly shows what my vote is.

Congratulations, you've invented a very expensive pencil.

> ANOTHER machine that instantly counts my vote. A readout on the top of the machine shows the total number of ballots counted today.

Which can be hacked to show you the correct count, but not report the correct count later on. At which point, obviously, the paper ballots can be emptied out and verified, but then which part of this isn't paper voting except with complex machines needlessly inserted?

Paper votes can be counted quickly by machine if so desired, but the counting machines will have to be monitored and watched carefully to make sure they tally correctly. Essentially they cannot be placed in a public area where just anyone has access.


> Instead we should design a system that accounts for these errors in a clear and concise manner.

We already have these systems in deployment. My precinct uses optical-scan paper ballots where any mark inside the bubble is valid. You can fill, dot, cross, check, whatever---the machine will count it as a mark. If you have a stray mark that results in an overvote, the machine will reject your ballot, then prompt you to either correct the overvote or override the error. The scanner will also accept ballots fed in any orientation as long as it's not folded or wrinkled.

It's surprisingly robust and user-friendly.


> All electronic voting machines should output a paper human readable 'scantron' type ballot that is safely stored for verifying the internal digital tally.

And then that ballot should be what is actually tabulated and the internal digital tally ignored, or not even kept. The machine should be a device to facilitate creation of accurate, easily tabulated paper ballots, period.


> "Electronic voting should be allowed but not unless it prints out a ballot with all your selections on it so you can verify and have a real paper trail"

The lack of a receipt is deliberate and prevents vote-buying. A carbon copy of your vote will open as many avenues to fraud as it will close.


> what have we achieved other than adding another few layers of middlemen and cost?

and uncertainty. In principle the idea of hitting a button and having the non-networked machine spit out a paper trail that can be electronically counted sounds like a good compromise. But this leaves 1 or potentially 2 sources of uncertainty that are not necessary: (1) that what the machine prints actually corresponds to what you wanted and (2) that the counting machine actually counts what it says on the paper.

(1) is not such a risk if you can verify it visually before submitting. There do exist, I believe, some ideas in cryptography to allow you to carry a record of your vote that allows you to verify it without revealing the choice; these could have interesting application here, but I don't know the pros and cons.

(2) is even a risk in the non-machine case, although it can be mitigated by having multiple independent parties do the count. But it can't easily be done by machine and have the same level of certainty.


So there is a receipt but, in the interests of preventing tampering (?), the voter won't be able to understand it.

It still requires a complex software system that no lay person (and no expert in short order) can verify.

That problem remains and it isn't really a technical one. Any voting machine has to be able to be verified using simple visual, mechanical inspection for the people to trust it. More technology will only undermine trust further.


And since you can't know that the computer actually recorded what was printed on your paper receipt you have to dispute the result by default if a good democratic process is important to you.

So if you have to count the paper ballots anyway, why even bother with spending all that money for a voting machine?


> With paper ballots

That's good and all, but in the 4 states I've voted in, only one had a paper ballot. 3 were me showing up to the polling place and pressing buttons on a monitor. The 4th mails me a ballot, I fill things in, and send it back (so no receipt either).

Given my experience, and that several others tell me they do similar things, I don't understand your counter argument. We already do not have paper ballots to check. There is ZERO verification currently. If those ballots are printed out from the electronic machine that I voted on, well you still have to trust that a corporation did not mess with anything and printed out the wrong ballot, or just didn't print yours out. The way we are doing things and the way we used to do things don't enable the trust that you are suggesting.

But let's assume that the year is 2000 and we're voting on a paper ballot. We don't get to take a copy home. Once we leave we don't know what happens to that ballot in the box. Has our vote been counted? Did we fully punch out the paper chad? Did our ballot get lost when a country wide controversy started and my ballot got mailed around the state several times? Can I verify that the government's decision of how to count my vote reflected my actual intention?

The answer to these is that you can't do any verification of this. So I rather kinda like the idea of a website that I can go to and check that my vote was counted correctly and matches. The triviality of it from the voter side makes this process easy. Does it solve all verifiability problems within the pipeline? No. Does it solve some? Yeah.

Personally I'd rather take a step forward, even if that step is small.


> How would an electronic voting machine improve upon this?

I am just theorizing here: Someone now takes the box of paper votes and runs it through the scanner machine. And passes this number along to someone. What is stopping them from tampering at this step? I think this is precisely what my co-worker was describing. There is an inherent trust that your paper ballot is scanned and recorded in a fashion that matches your vote.

An electronic voting machine could potentially communicate votes in real time over a secure connection. Or in the case of Brazil's machines, I believe stores it locally, encrypted, with a verifiable cryptographic signature of some sort.

I'm sure we all know the multitude of other attack vectors this introduces. I guess I am just not convinced that paper makes things more secure.


> IMHO, all the technology investment should be put into processing and validating ballots after they've been filled out

I think the opposite. When filling a ballot, the voter can use a machine with a touchscreen. The person with poor sight can use huge fonts, the blind can use a screen reader, etc. The output from this is a printed paper form, filled out with perfect legibility. No hanging chads, ambiguous marks, etc.

At this point, the voter (or an assistant) can verify the form just as if a human had filled it out for them.

From there, these perfectly-filled forms can be counted the old-fashioned way with many witnesses.


> Computer touch-screen voting systems, like all other voting, have flaws, but one thing they don't have is any ambiguity how you count each ballot.

As someone who has designed questionnaires and computer interfaces, I think you miss a huge point here – electronic systems make vote counting easy because they constrain choice... but there's a lot less ability to verify that an electronic system actually captured the intention of the voter – just as this story shows.

So, how do you do that? 3 parts:

1) Use paper ballots, as I've argued for, above.

2) Count/scan each ballot immediately, before the voter leaves. Reject ones that do not process properly (i.e. the one you described above would be rejected if there were conflicting indicators). I thought I remembered MN doing that (I lived/voted there ~a decade ago), for example, and I'm pretty sure my polling place here in Illinois did that last time as well (haven't been there yet today). It's not an impossible task to enforce the same constraints on a paper ballot, doing so with the voter present and able to clarify/fix their ballot.

3) You try really, really hard to design easy to understand and use paper ballots (for all the reasons I said above, you need paper for an audit trail). Good communication design (i.e.: how you design/layout the ballot forms) matters a lot and most of them are terrible.

That, however, is no excuse for accepting an electronic system which gives up any ability to audit the count in a reliable way (and, unless the voter verifies a physical printout, no electronic system can be reliable, as discussed above).


> There is no non-paper system that can match that quality for our form of elections.

Let me take a stab at one:

Each precinct has a number of voting machines on a local network. Voting machines print a paper receipt viewable by the voter. When the polls close the precinct has an instant count for a preliminary report that can be verified after the fact by a scanner/humans.


"You just need a machine that prints out a human readable receipt..."

Why? Because marking a ballot is the challenge?

How about we simplify ballots?


> All electronic voting machines should output a paper human readable 'scantron' type ballot that is safely stored for verifying the internal digital tally.

We should just have paper scantron style ballots that people fill out. Then have scantron counting machines to tally them up after all voting nationwide has closed.

All the other issues people are trying to do to "fix" some aspect of voting are fundamentally flawed and those who are advocating for them are either desiring the ability to violate election integrity or don't understand the requirements of voting. Or trying to get money because someone in power sits in one of the two prior camps.
