All voting systems that I know of require trust, with or without machines. Do you trust the person counting your ballot to count correctly? There's a district in the UK that prides itself on always being the first to return results. I would be fairly worried about the ballot counters there.
Eventually someone has to trust someone to execute correctly. Unless there's some voting system I'm not aware of that doesn't require humans and is easily verifiable at the point of voting by the average voter.
There are theoretical cryptographic systems where each voter can verify that his vote was counted properly, without revealing his vote to anyone. I don't think any have been implemented in practice.
That in itself is a problem because the ability for the voter to prove who they voted for opens them to coercion or bribery. Although doing it online (or by post) opens that risk anyway.
I read a paper on one that allowed up to a randomly selected 50% of votes to be audited and still preserve the secret ballot, but it was so complicated that I barely followed and I definitely don't think I could convince a room full of people it was safe.
This is a critical distinction. As a concrete example, here's how voting worked in a scheme I once read about. On any one ballot, the order of candidates was randomized. Then the way the scheme worked was that after voting, the voter tore off the candidate positions (but not their vote) and threw it away in a huge pile of them, burned it, or whatever. (Made it so that someone couldn't come behind them and figure out their position list, essentially.)
Later, after the votes were tallied, the voter could verify that their ballot was (1) counted and (2) counted towards their chosen candidate. But crucially, all they could verify was that the vote counted towards position 1, or position 2, or position 3, ...
The point is that since the voter couldn't prove to a coercing party that the position they voted for was (or was not) the candidate the coercer wanted them to vote for, they were immune to coercion. They could prove that they voted for position 2, sure. But which candidate was at position 2?
The voter knows the truth because they saw the position list. However, until we have mind-reading technology, a coercing party could only take the voter's word.
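The receipt property described in the comment above, as an added sketch that is not part of the original thread or of any real voting system. The candidate names and function names are constructed. The comment does not say how positions are mapped back to candidates, so the secret serial-to-order table kept by the election authority is an assumption of this example.

```python
import random
from itertools import permutations

CANDIDATES = ["Alice", "Bob", "Carol"]  # constructed sample names

def print_ballot(serial, rng):
    # Each ballot gets its own random candidate order.
    order = CANDIDATES[:]
    rng.shuffle(order)
    return {"serial": serial, "order": order}

def cast(ballot, choice):
    # The voter marks a position, then destroys the candidate strip.
    # Only (serial, marked position) survives as the receipt.
    return (ballot["serial"], ballot["order"].index(choice))

def tally(receipts, secret_orders):
    # ASSUMPTION: the authority kept serial -> order and uses it to count.
    counts = {c: 0 for c in CANDIDATES}
    for serial, position in receipts:
        counts[secret_orders[serial][position]] += 1
    return counts

def voter_check(receipt, bulletin_board):
    # The voter confirms the published record matches the receipt exactly.
    return receipt in bulletin_board

def candidates_consistent_with(receipt):
    # What a coercer learns from a receipt alone: every candidate can sit
    # at the marked position under some ordering, so nothing is proven.
    _, position = receipt
    return {order[position] for order in permutations(CANDIDATES)}

def run_election(choices, seed=0):
    rng = random.Random(seed)
    ballots = [print_ballot(s, rng) for s in range(len(choices))]
    secret_orders = {b["serial"]: b["order"] for b in ballots}
    receipts = [cast(b, c) for b, c in zip(ballots, choices)]
    return receipts, tally(receipts, secret_orders)

if __name__ == "__main__":
    receipts, counts = run_election(["Alice", "Bob", "Alice", "Carol", "Alice"])
    print(receipts, counts)
```

In this sketch the voter can detect a changed or missing published record, but still has to trust whoever holds the serial-to-order table to apply it honestly.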
I'm not following how the counting is done. If all the counter has is a ballot with position 2 checked and the corresponding candidate name torn off, how does that vote get tallied to the proper candidate?
That doesn't verify anything. They are shuffling encrypted data between devices, but none of that is connected to the actual results. This isn't verification, it's smoke and mirrors.
That's not the point of this feature. The point is that if your computer is infected with malicious software that blocks or manipulates your votes then you can detect such things.
The International Association for Cryptologic Research (IACR) uses Helios Voting [1], an implementation of a cryptographic voting protocol [2], to vote for its directors. See the 2010 mock election [3,4] or the 2012 vote for the IACR directors [5]. You can find some other technology resources for Helios here [6].
That's why any person can act as an observer if they so wish and oversee the person counting your ballot. I cannot possibly do the same with a Turing machine.
So why can't you be an observer of the sys admin when they install the software? Witness some chain of command that the software has come from an authorized source, meets a digital checksum and is installed properly. It can then be secured by another party with a two-password "lock box" type approach, kind of like we use with our crypto system at work that guards our CC processing. There are systems invented and implemented in the world already that can rid your concern over some rogue sys admin. Takes all of 1 minute of critical thinking.
You don't seem to understand, so here's a whitepaper [1] from Rop Gonggrijp on how to play chess on a Nedap voting computer. And the Nedap machines are special-built and programmed to ensure the authenticity of the votes, using anything from printers to read-only memory. Not fucking Python running on a loosely secured Linux box.
Despite the halting problem being unsolvable, formal verification is a huge area in computer science. News flash: you cannot formally verify some web app running on Python running on Linux, being fed with input from a gigabit link to the complete outside world.
So the idea of using Python for an electric voting machine is dead from the onset, a complete non-starter.
(And yes, of course computer languages are inherently more or less secure by themselves, through the simple proxy of allowing programmers to make (or prevent) severe errors. Think C and fixed-size buffers on the stack.)
There are a number of checks that can be (and are) put in place in physical paper-based elections that mean large-scale collusion is needed to make large-scale fraud work.
1) Observers at polling stations.
2) Sealed ballot boxes.
3) Observers from many parties and neutrals at counts.
4) Physical votes retained and recountable.
It isn't going to be completely secure, but if you measure the system's security by how few people you could rig an election with, it is an order of magnitude harder [edit: to rig].
That can happen also with physical voting. I have personal experience (years ago): I was the sysadmin of a voting result calculation machine, and I was asked to change some numbers to fit them to the calculation system, as some vote counters had messed up or lost some ballot papers. You can verify individual physical votes, but in the big picture (which matters) you must also just trust some sys admins.
There usually are representatives of various political parties at each polling station during elections in my country.
How do you watch electronic vote counting? How do you recount in case of doubt?
With physical voting you need more than observers at the counting itself. One common means of electoral fraud is to introduce boxes full of pre-cast votes for your candidate into the counting process.