>It's not actually about how the ballot is interpreted by downstream hardware and software. That's a different issue.
To me, this seems like the only part worth worrying about, and any solution to it should satisfy your concerns as well.
Every ballot should have a UUID that the voter takes with them (or make it a hash of their voter registration number or something). As soon as the ballot is processed, the results are posted to a public place. Voters can then confirm their ballot was recorded accurately.
This still doesn't tell you that all the internal variables were incremented correctly, but you can separately aggregate the publicly posted results and compare with the aggregate reported by the machine.
The problem this still doesn't solve is electronically stuffing in fake ballots.
> Every ballot should have a UUID that the voter takes with them (or make it a hash of their voter registration number or something). As soon as the ballot is processed, the results are posted to a public place. Voters can then confirm their ballot was recorded accurately.
Opening the door for vote bribery or voter intimidation.
$1,000 for every tag proving you voted for my candidate.
If you don't prove you voted for my candidate, expect some retaliation!
You can already do that today by having people take a photo of their ballot. Or just buy their signed but otherwise blank mail-in ballot and complete it at gangster HQ. Or give them the money and don't require proof at all, because most people will just do what they agreed to do.
This doesn't happen today because it isn't scalable and is easy to get caught and prosecuted. Electronic manipulation is more appealing because it does not require interacting with people.
Taking a photo of the ballot is illegal. Also, one can just always strike the ballot before putting it in the
machine after having the completed ballot. In some places of mail in ballots it's possible to cancel the mail in ballots and vote in person after.
And bribing people to vote is already illegal in the first place. Do things being illegal stop the behavior or not? You're arguing both sides of the coin at this point.
Most people aren't going to try too hard to undermine or outsmart the gangster. Which is why, again, the perpetrator doesn't even need validation of how people actually voted. Vague threats will work just fine. In fact the gangster will still beat up a random sampling of the voters anyway.
There's far less incentive to actually pay bribes or hurt specific people if there's no reliable proof of the vote. Even with people taking a photo of a ballot, one can still just strike that ballot and vote again after taking a photo. It's an immense risk that will likely not do you any good, because there's no way to actually know those people voted. The people you're paying and who voted for you would have likely voted for you anyways and you're just otherwise paying people to not bother voting at all or voting against you, while you face immense risk.
If the gangster is just going to hurt a random sampling of people anyways, you might as well just vote however you want to vote. They may or may not commit violence against you regardless of how you vote, its completely disconnected. If you know they can validate it, you're probably going to be less brave.
Just put yourself in those two situations. One where the ballot is absolutely secret, and one where it can be trivially looked up. Someone says you better vote for X or I'll hurt you. You really don't want to vote for X. In the first instance, do you vote for X? In the second, do you still vote for X knowing the thug will be able to know for sure how you voted?
I'm not suggesting nobody would do an illegal thing, obviously I acknowledge people would do illegal things. I'm just pointing to that as why taking a photo of a ballot is illegal in many areas.
To me, this seems like the only part worth worrying about, and any solution to it should satisfy your concerns as well.
Every ballot should have a UUID that the voter takes with them (or make it a hash of their voter registration number or something). As soon as the ballot is processed, the results are posted to a public place. Voters can then confirm their ballot was recorded accurately.
This still doesn't tell you that all the internal variables were incremented correctly, but you can separately aggregate the publicly posted results and compare with the aggregate reported by the machine.
The problem this still doesn't solve is electronically stuffing in fake ballots.