>Gives you a paper result that you can verify, and leave there for manual recounts as needed.

That's fair. I guess you could also force a recount for a random portion of the polling stations to detect anything fishy. I'm not sure if it'd be really worth it though, would it be such a massive improvement over simply counting paper ballots directly?

>Checksums and verified hardware.

Nah, that won't work. Who checks that? Who makes sure nobody tampers with the hardware after it's been verified? How can you even verify a piece of hardware, it could tell you it's running code X when really it runs code Y, no amount of checksumming will help. You could easily backdoor a processor to run a special ROM instead of the official one. Good luck detecting that.

Are we supposed to send electronic engineers at every poling station to check for any tampering with the hardware? How about people making copies of the chips that look exactly the same from the outside but are backdoored? You can't just trust whatever is printed on the package.

So what do you do? Take a random sample of machines during every election and decap all the chips to look for something abnormal?

IMO it's just too much hassle for very little benefit.

Take a random sample of machines and compare a number of pretend-votes to the outcome. But if cars change their behavior based on detecting a test environment, how would you trust a voting machine to not do something similar?

In the end a trusted minor miscount would be less bad than a count that is widely untrusted despite being correct: one would mean living through a "what if some people would have cast a different vote" alternative reality, the other would be a full blown legitimacy crisis, with unconstrained cheating in the next election as the least bad of all possible outcome.

Just stick to paper ballots.

You haven't solved the problem that being able to prove to anyone else who you voted for should not be possible.

If there's a discrepancy, you count the paper receipts. You can order a million simple chips for like $0.03. They chip vendor isn't going to know who is running for dog catcher in 2018. You test a random sample to ensure they can count. You use simple code that is open source and write it to the memory exactly once and blow the fuse to prevent tampering.

We can put people in space. Verified hardware and software is a solved problem. Well, assuming you don't make it absurdly complicated. All it needs to do is eliminate manual counting - while providing a paper printout should someone need a recount.

You don't even need special tokens to make sure the person in the booth is only voting once. You can be as simple as making it flash an LED to be monitored by the election officials. They have volunteers from the various parties already there watching. Watching a light may even be easier.

It doesn't need to be complicated. It need only be a glorified abacus.

Did you reply to the wrong person? My comment was about one simple thing: It should NOT be possible to prove to anyone else who you voted for. Your reply doesn't seem to address that.

Separate from that, what does using millions of one-use physically collected chips buy you that just writing to a paper ballot doesn't?

You put your printout in the box, as I said above. It prints it out, you put it into the box after confirming it says you voted for who you said you voted for.

You buy millions of chips so that we never have to go through this again. This way, the validated code and hardware don't have to be worried about, for a long time. The chips go in the machine, they run it. You'll have spares for a very long time.

What does this do? When the polls close, they don't have to count them. They need only count if there's a demand to do so, like a recount today. That's it. Problem solved.

Oh, so you're in favor of electronic voting for instant results plus a write-only auditable paper trail. That's what I favor too. I didn't quite understand what you were getting at the first time; sorry about that.