This seems like a good contract to the typical (american-inspired) secrecy around governmental systems. I would also like to believe open source makes software more secure, but I'm not sure if there is any research that confirms it.
Oh, and cool its made in python and not some enterprise java or .NET :)
We're getting off topic, but you do know that it's perfectly possible to write decent Java or C# without it being "enterprise", right? (whatever that means)
I'm starting to get sick of this "ruby/python/nodejs = cool, java/.net = slow bloated enterprise crap for men with suits" attitude that keeps reappearing here on HN.
Whether your work environment is cool, whether your code is decent and snappy, all that has very little to do with your programming language choice. Admittedly, if you compare modern Ruby to VB6 you might conclude that VB sucks, but that's an unfair comparison since the technologies are a decade apart. It's like saying Python rocks because you hate COBOL.
You can work at a scrappy startup and code lean C#, and you can work at a bureaucratic departmentalized hell and code AbstractProxyProviderFactoryProviders in Python.
And, yes, you can even work at a bureaucratic departmentalized hell and code decent Python. Or Java. Or C#. Or Ruby.
Indeed, and so it's uncool and crappier than Python? How is that related? The OP clearly used the term "enterprise" with a negative connotation. I doubt he was referring to a brand name.
I suspect the implication was that being written in Python makes the code more accessible to "normal" people, both to read and (perhaps to an even greater extent) to run. If it were written on .NET one would likely (because Mono is incomplete) need a Windows server to run the code. If it was written using Java there is a decent chance it would require some pretty complex configuration and possibly a license of some sort from Oracle. I might be misinterpreting the comment, but when I personally poke fun at Java or .NET for being "enterprise-y", this is more or less what I'm talking about.
Actually though, it's rather difficult to run into Mono incompleteness when making a web app these days. Mono's mostly lacking Windows-specific stuff like WPF (UI-framework). Used to lack Entity Framework but that's solved since MS open sourced that. You can take an existing ASP.NET app and there's a very high chance you can just build it with xbuild and host it with Mono's xsp server.
More generally, I do see your point but I believe it's a little outdated; the time that Java apps just had to be built on 200k lines of XML is long gone as well.
It's obviously a matter of taste, but I find it difficult to accept that well-written Python would be easier to read than well-written C#. C# is more verbose in places and less verbose in others. Writing crap code is about as easy in both.
Are there really places where C# is less verbose by any significant margin? The only thing I can think of is that a well-written LINQ library lets you abstract away a tremendous amount of heavy lifting into a clean and declarative query, but other than that pretty much everything requires more keywords, punctuation and declaration in C#.
Don't get me wrong, C# is relatively explicit and regular, which does wonders for its readability especially in large projects with many collaborators. But brevity is not one of its strong suits, nor should it be.
Indeed, lamdas and LINQ. The moment you're using functional primitives that don't fit in Python's list comprehensions well, C# becomes a lot less verbose, and certainly less obtuse.
The OP did not use any such language ("crappier").
As noted, Oracle uses the term "enterprise", which I take to imply a corporate approach to language implementation the coincides with service/support agreements and other business models.
For what it is worth, the JVM is second to none for interpreted languages in my book. At the same time, I don't use it and if I ever find myself going back, it will be for Scala. I don't much care for Oracle's brand of innovation (I don't think it is sustainable).
Tell me something, from your perspective: Why should an aspiring technologist learn Java over Python?
Java cannot be written without a code completion IDE (unless you are a masochist), python OTOH, does not have such limitations. Forget runtime performance, coding in Java sucks more than any other language in my 'limited' experience. com.java.cookie.JarFactoryMakingMonkeyWrenchFrenchFriedOnionTrainPlaneJaneSpain.... you get the point. Want to counter that? Show me tight, non-verbose, working code in Java. At the end of the day, what you call a 'pissing contest' is rooted in a figment of truth and reality.
Quite a few Versions of EJB's were pretty terrible, and early Java Web Technologies had a bit of obsession with XML. However, current Swing is pretty pleasant to work with, and I think that most of the Java have stems from early PHP developers. If you had worked with PHP, with database queries and page formatting in one file, all the crazy MVC crap with business objects and and stuff must have seem needlessly complicated. And even if noone does develop like that now (I hope, anyway), the meme that Java is terrible prevails.
EDIT: new Java, for example, looks about like this [1] and that's not all that complicated, even though I would like it more with webflow (technology for describing webpage in term of flows -- each flow is basically FSM with method calls specified on transitions and FMS-wide persistent storage).
Because java these days seems relegated to legacy code or the 'enterprise environment'. And that's fine with me, I've always hated it in any environment.
The concept of 'write once, run anywhere' is fine and dandy in concept. Until you realize that it's a huge install base AND that there are 40 or so 'subversions'(updates) to each version. If I had a dime for every time i've seen a dozen java installs on a box, I'd be a rich man.
It is truly the worst of both worlds. Python does the 'write once run anywhere' better. C/C++/Go/etc do compiled, binary work. Java is a bloated, half compiled mess.
It's funny that you defend it so, using the 'age' argument. You do know that python is years older than both Java and C#? It's popular because it's done right, and has a good, open community, not because it's "new and trendy."
Java and the JVM are in still in prolific use - the JVM is a terrific piece of engineering. It features prominently in a bunch of large-scale web architectures (be it as straight Java, Hadoop, Scala or whatever). Note of these are traditional enterprise or legacy environments.
I've never seem a major schism in Java or the JVM on the scale of the split between Python 2.x and 3.x. All my installs require (_at least_) two versions of Python as a result. In fact it was only just recently that Debian/Ubuntu consolidated from shipping with 3 versions of Python to 2.
If you're talking about install base then I guess you're limiting this to client apps - because none of the issues you mention are an issue for server environments... Unless you are running a dozen Java pieces of tech that all require a specific version? In the last 10-15 years I've only ever seen the need for two Java versions once. And that was on AIX. On POWER chips. And it was a vendor, not a technical requirement.
JVM works, but let's not get carried away there. It still has method size limit of 64Kb here in 21st century, it is stack-based (reducing the possible optimization space considerably), and has no provisions for proper lexical scoping.
People port languages to JVM for its ubiquity and massive amounts of library code, but I assure you none does it for some technical advantage.
Why do you think the use of a stack reduces the optimization space?
There are plenty of models for stack optimization. Even if you don't go down the purist track, plenty of approaches use register-allocation and optimize from there. Feels like an outdated CISC vs RISC argument.
People also use the JVM because of it's Memory Model and robust threading.
JIT is a feature to get around lack of performance in stack-oriented, archaic, bytecode VM. I'm not going to argue about it's practical performance merit, but it's not really an advantage over a native code compiler found in bunch of other languages (since it is a native code compiler itself).
GC has arguably been the best thing Java brought along into mainstream, but it has been a solved problem for a while. The strategy that Java GC adopts, while a natural fit for Java and a host of other procedural languages, is suboptimal for many others.
Could you perhaps expand a bit on what could be done on GC on non-procedural languages? I am suspecting that you mean that there are some tricks that could be employed by functional programming language runtimes.
Hotspot GC is not the best there is for all uses (as Azul Zing JVM manages to forego stop-the-world collections altogether), but I am not aware that any popular runtimes have GCs that perform even close to JVM (perhaps .NET?)
And for long running processes (where compilation time does not dominate), JIT is of course theoretically superior to AOT compilation.
I would also like to believe open source makes software more secure
I would think in general that it does, but you also would have to be certain that the software actually running on the official voting system is the same as the "open source" version. I think that's a tough one.
Common, not a single positive comment ? Things in the administration always take time. At least it's a move in the right direction. Next add a build CI to produce signed images. Then propose USB keys for people to boot their own system on the voting booth.
At least it's better than the Diebold debacle in the states.
-Estonia just released the source code to their voting system
Even if internet voting is a terrible idea, a transparent election system is a very good idea, and releasing the source code for your voting system is a big step in that direction.
Ill-advised or not, at lot of countries are considering e-voting.
I think it's a bad idea as well, but like you, I think it's weird to be upset that there are people who want to help achieve the best solution/compromise, in the event that your country's government vote to implement something like this.
I'm as pro-government as the next European, but we can all think of horrible government project failures.
Shrink the scope and decentralize to reduce risk. In this case, at a cultural level: don't vote on puppets, but vote on everything the puppets do. We have the technology to enable direct democracy.
I don't agree to that. Current elections are costly, slow and bloated, meaning they can't be conducted often. Internet voting could allow for new forms of democracy altogether.
Can you expand on that? I could probably blab for three minutes on either side of the argument, but I don't know if I have any strong opinions about it right now.
All voting systems that I know of require trust, with or without machines. Do you trust the person counting your ballot to count correctly? There's a district in the UK that prides itself on always being the first to return results. I would be fairly worried about the ballot counters there.
Eventually someone has to trust someone to execute correctly. Unless there's some voting system I'm not aware of that doesn't require humans and is easily verifiable at the point of voting by the average voter.
There are theoretical cryptographic systems where each voter can verify that his vote was counted properly, without revealing his vote to anyone. I don't think any have been implemented in practice.
That in itself is a problem because the ability for the voter to prove who they voted for opens them to coercion or bribery. Although doing it online (or by post) opens that risk anyway.
I read a paper on one that allowed up to a randomly selected 50% of votes to be audited and still preserve the secret ballot, but it was so complicated that I barely followed and I definitely don't think I could convince a room full of people it was safe.
This is a critical distinction. As a concrete example, here's how voting worked in a scheme I once read about. On any one ballot, the order of candidates was randomized. Then the way the scheme worked was that after voting, the voter tore off the candidate positions (but not their vote) and threw it away in a huge pile of them, burned it, or whatever. (Made it so that someone couldn't come behind them and figure out their position list, essentially.)
Later, after the votes were tallied, the voter could verify that their ballot was (1) counted and (2) counted towards their chosen candidate. But crucially, all they could verify was that the vote counted towards position 1, or position 2, or position 3, ...
The point is that since the voter couldn't prove to a coercing party that the position they voted for was (or was not) the candidate the coercer wanted them to vote for, they were immune to coercion. They could prove that they voted for position 2, sure. But which candidate was at position 2?
The voter knows the truth because they saw the position list. However, until we have mind-reading technology, a coercing party could only take the voter's word.
I'm not following how the counting is done. If all the counter has is a ballot with position 2 checked and the corresponding candidate name torn off, how does that vote get tallied to the proper candidate?
That doesn't verify anything. They are shuffling encrypted data between devices, but none of that is connected to the actual results. This isn't verification, it's smoke and mirrors.
That's not the point of this feature. The point is that if your computer is infected with malicious software that blocks or manipulates your votes then you can detect such things.
The International Association for Cryptologic Research (IACR) uses Helios Voting [1], an implementation of a cryptographic voting protocol [2], to vote for its directors. See the 2010 mock election [3,4] or the 2012 vote for the IACR directors [5]. You can find some other technology resources for Helios here [6].
Thats why any person can act as an observer if they so wish and oversee the person counting your ballot. I can not possibly do the same with a turing machine.
So why can't you be an observer of the sys admin when they install the software. Witness some chain of command that the software has come from an authorized source, meets a digital check-sum and is installed properly. It can then be secured by another party with a two password "lock box" type approach kind of like we use with our crypto system at work that guards our CC processing. There are systems invented and implemented in the world already that can rid your concern over some rogue sys admin. Takes all of 1 minute of critical thinking.
You don't seem to understand, so heres a whitepaper [1] from Rop Gonggrijp on how to play chess on a Nedap voting computer. And the Nedap machines are special-built and programmed to ensure the authenticity of the votes, using anything from printers to read only memory. Not fucking Python running on a loosely secured Linux box.
Despite the halting problem being unsolvable, formal verification is a huge area in computer science. News flash: you can not formally verify some web app running on Python running on Linux, being fed with input from a gigabit link to the complete outside world.
So the idea of using Python for an electric voting machine is dead from the onset, a complete no-starter.
(And yes, of course computer languages are inherently more or less secure by themselves, through the simple proxy of allowing programmers to make (or prevent) severe errors. Think C and fixed-size buffers on the stack.)
There are a number of checks that can (and are) put in place in physical paper based elections that mean large scale collusion is needed to make large scale fraud work.
1) Observers at polling stations.
2) Sealed ballot boxes.
3) Observers from many parties and neutrals at counts.
4) Physical votes retained and recountable.
It isn't going to be completely secure but if you measure the systems security by how few people you could rig an election with it is an order of magnitude harder [edit: to rig].
that can happen also with physical voting. I have personal experience (years ago) that I was sysadmin of voting result calculations machine, and I was asked to change some numbers to fit them to the calculation system, as some vote counters had messed or lost some ballot papers. You can verify individual physical votes, but in the big picture (which matters) you must also just trust some sys admins.
There usually are representatives of various political parties at each polling station during elections in my country.
How do you watch electroing vote counting? How do you recount in case of doubt?
With physical voting you need more than observers at the counting itself. One common means of electoral fraud is to introduce boxes full of pre-cast votes for your candidate into the counting process.
"I examine the question of how to design election-related software, with particular
attention to the threat of insider attacks, and propose the goal of simplifying the software
in electronic voting machines. I apply a technique called
prerendering
to reduce the
security-critical, voting-specific software by a factor of 10 to 100 while supporting similar
or better usability and accessibility, compared to today’s voting machines. Smaller and
simpler software generally contributes to easier verification and higher confidence.
"I demonstrate and validate the prerendering approach by presenting Pvote, a
vote-entry program that allows a high degree of freedom in the design of the user
interface and supports synchronized audio and video, touchscreen input, and input
devices for people with disabilities. Despite all its capabilities, Pvote is just 460 lines of
Python code; thus, it directly addresses the conflict between flexibility and reliability that
underlies much of the current controversy over electronic voting. A security review of
Pvote found no bugs in the Pvote code and yielded lessons on the practice of adversarial
code review. The analysis and design methods I used, including the prerendering
technique, are also applicable to other high-assurance software."
No matter how open the code is. It is extremly hard, if not impossible, to ensure this code is running on the actual systems.
E-voting sounds intersting in theory, but in practice it is basically not worth the trouble. It is way more complex than a regular system with ballots and the only gain is that the results can be published sooner.
Actually, E-voting could revolutionalize politics.
Right now, we have to have presidents, prime ministers, even kings; making all the big decisions for us because that was the only practical way.
E-voting makes it possible for the population to be consulted on any major decision. This, IMHO, is the reason it's so unpopular amongst politicians.
Right now in the UK, for instance, MPs get to vote on their own salary increases. Wouldn't it be nice if they were obliged to ask the voters instead?
Recent years have seen several unpopular wars begun by Western countries - if political leaders had been unable to start those wars unless they'd had majority approval from their populace, the world might well be a more peaceful place right now.
E-voting is something with a lot of promise. But if diminishes the power of the people who would have to implement it. So don't expect to see it widespread any time soon.
Consulting everyone on every major decision isn't the best way to make decisions (who says the majority is right?). Most people wouldn't understand the issues they are voting on and would be heavily swayed by the media.
Once there is an easy online system in place then alternatives to an all or nothing vote could be established. For example, you may vote for a representative every X years and this representative would vote for you when you opted not to. Over the course of X years there are hundreds of votes, but you are passionate about 20 of them. You could directly cast a vote on those 20 issues, but your representative would cast votes, as a proxy, for the rest of the issues.
What happens when there's a big decision that heavily affects media interests? They start using their sway on public opinion to make the decision important, and a disproportionate number of people become "passionate" about an issue they don't really know more than they were fed.
There are probably other problems, but I don't think this one is small.
I don't disagree. There are other potential problems also, such as protection of minorities. But right now I don't have the OPTION to vote directly, even if I do know more than my elected official. Online election systems can provide such options. Was my elevator spiel for one possible method perfect - no. But hopefully it got you and other readers thinking about the general concept (it appears it got you thinking about it), possible challenges (it definitely got you thinking about it), and possible benefits (yet to be seen).
well that's exactly what happens every couple years and is called "president/parliament elections". and then people are locked up with shitty options for years and can do nothing about it.
Agreed. There are interesting intermediate forms of representative democracy though. Most forms of voting are actually delegation and it would be nice to be able to do that in a more nuanced way than "kick the bums out, and empower other bums with basically the exact same views"
I do not think this is a good idea at all. Take a look at California where voters are constantly being asked to vote on tax increases and ballot initiatives. It's hard to argue that the state is better off for it.
You could easily make a rule that MPs can't raise their own salary without changing the fundamentals of a representative democracy.
If it was as fluid as up-voting posts on HN, maybe it could? If for even every minor decision you could vote directly or pass your vote to a representative (who could either vote for all collected votes or pass them forward to another representative), then maybe this kind of fluid, real-time changing network democracy could work?
I have no clues about potential issues or failure modes of this, but the concept is interesting and - I think - worth discussion.
(1) Even the simplest paper ballots are already counted by computer (central tabulators). Central tabulators that run on insecure computers and do all of their math using the most rudimentary microsoft access databases (no password protection, little user control, remote access via dial-up modem).
(2) Slot machines are already protecting millions upon millions of dollars from countless people who would love to be able to modify those machines' behavior.
(3) A backup-paper trail would reduce error and allow for recounts. You vote, a receipt gets printed, you confirm that the printed paper represents your vote, and you're done. (The paper stays with the election commission)
1) Maybe in some jurisdictions but not in others. For the most part in the UK we have rooms of people counting and bundling papers.
2) Yes but the people who control those machines don't want to modify them (they want some winners for publicity but mostly losers and they are preconfigured for profit without modification).
3) If the receipt indicates your vote this opens the voter to bribery or coercion. If it doesn't how does it confirm that you vote was correctly recorded. Even if it does indicate your vote it is still non-trivial to confirm the validity of the election from it. You basically need to publish all the votes (with receipt numbers) and anyone whose vote doesn't match their receipt could flag it as rigged. This doesn't do anything to prevent digital ballot stuffing though.
> (2) Slot machines are already protecting millions upon millions of dollars from countless people who would love to be able to modify those machines' behavior.
There difference is motivation. If a slot machine pays out too much, the company that makes them won't get any more business. If a voting machine favours certain candidates, those candidates benefit from letting that continue (if they weren't instigating it to begin with) and often they might have been the ones in power when they voting machines in question where chosen.
> (3) A backup-paper trail would reduce error and allow for recounts. You vote, a receipt gets printed, you confirm that the printed paper represents your vote, and you're done. (The paper stays with the election commission)
This I agree with, and it would satisfy most concerns with electronic voting if you combined it with paper recounts of some random districts and, say, and districts with small margins or unusually large shifts.
Focusing all that much on the security of the voting machines is a sideshow, IMHO. You need some level of security, but pretty much any security mechanism you introduce will be inferior to recounts based on receipts collected using tried and true methods of paper, sealed boxes and independent observers.
Focusing on a solid recount solution that includes rules for when to trigger automatic manual paper recounts won't just catch malevolent interference with machines but also reduce the chance of problems due to bugs, hardware and software failures and all kinds of other problems.
But of course it'll cost more than switching to a purely electronic system, and that extra money won't go in vendors pockets.
Slot machines will also happily record a timestamped log of every interaction with the system and the outcome. Which is exactly what you don't want in a voting machine.
The main gain is that people can vote from home, from abroad, or from work. Which increases turnout (especially among young and busy people). However, I'm not sure if the risks are worth that convenience.
I don't agree with that last sentence though. It's not more complex because you don't need to spread booths all around the country, get volunteers to sit a whole day at the booths, secure the ballots, count the ballots, recount the ballots, etc... It takes a lot of logistics to do papervoting and it's probably more expensive too, compared to a centralized datacenter. They probably still have booths for people without computers, but they surely need less.
Also, if voting is not compulsory, there's a lot less friction to actually go vote from the comfort of your home, whenever you want, than there is to get to a booth and stand in a queue on voting day, it would surely result in a higher turnout.
Austria allegedly has a problem with nursing homes getting many (mail) votes for the parties who have political influence on staff decisions. I can imagine that there are similar problems everywhere, but electronic votes might cause much bigger issues because it's too easy for ruling parties to manipulate the central systems where votes are stores/counted (they were planned to be deployed in the interior ministry here, the one held by Ernst Strasser [https://en.wikipedia.org/wiki/Ernst_Strasser#2011_cash_for_i...] for 4 years).
It fixes it somewhat, depending how far the person will go to claim those votes: iirc you get a week to vote, and the last vote you make counts. So even though your father might stand next to you and watch as you vote for his candidate, you can always recast your vote later. This doesn't solve the problem in case the person keeps an eye on you from the time you voted until the deadline, or steals your ID card until after the deadline.
You can build in some tolerances of this to the system like you say cast vote at any time however surely at some point these people must call the police about their situation. Technology can't fix this issue it can only kid of accomodate it.
The license (Creative Commons
Attribution-NonCommercial-NoDerivs 3.0) is a strange choice for a project published on Github. Github encourages forking and making changes, which goes against the NoDerivs part of the license, unless I'm misunderstanding something.
The "Creative Commons
Attribution-NonCommercial-NoDerivs 3.0 Unported License" is an "open source" license. The source code itself is "open" and can be redistributed for free (beer not speech). But it is disappointing that they have opted to prohibit derivatives, and it makes their posting of the code to GitHub an interesting choice.
IANAL, but as I understand the license, yes it would violate the license. Although, if I released something under a no-derivatives license on github, I'd be less worried about pull requests and more worried about derivatives made outside GitHub.
No, the default state of software is copyrighted and not redistributable. You need a specific license to give you the right to modify and/or redistribute software (though I think copyright should be changed to allow private modification for certain purposes).
Lot's of proposals have been submitted on the bitcoin forums for some sort of cryptocurrency solution/proof of work online voting, where there is full transparency by looking at the block chain to see how many votes somebody had, and prevention of a malicious actor forging votes. Of course you have to trust whoever is mining the coins and handing them out, and trust end users sytems aren't compromised.
I would expect in my country anyways that any online voting would be DDOS'd by idiots looking for a soap box the media will pay attention to and create a huge debacle resulting in them scrapping it and forcing a regular ol' paper vote.
In the US, we officially supported secret ballots in 1892. Still, I wonder if we all found the strength to open up the ballot, if that wouldn't eliminate some of the viability of voting fraud?
Yes everything about voting gets simpler if you throw away the anonymity aspect. The election can be better audited[1] and you can be too if you voted for the wrong party. You would also probably get to discover the market price of votes in marginal constituencies.
[1] Audited, fired from a government job, beaten, not to mention social, religious or family pressures to vote in a particular way. The reality or fear of these things could influence elections if not so much in the West but if these standards were adopted where elections are a little more life threatening (I'm thinking of Kenya but there are probably many other examples too).
In Italy, there's a strict ban on phones or cameras in the voting booths because, like you say, it's a way to verify that you voted for who you did, and consequently, get paid for it.
A lot of people are in circumstances where those they can't escape from (parents, abusive boyfriends, etc) will physically assult you for voting for the guy they didn't like. In the more general case, you can lose friends not going with the collective choice, and open ballots expose that, which makes more people vote for the guy their friends want rather than what they want to maintain social acceptance.
There's plenty of other cases as well. What about someone who bribes people to vote for them, and can check up on it? Or if your boss tells you who to vote for and threatens to fire you otherwise?
In 2000, there was a voting scandal regarding the presidential election in the USA. It involved allegations of votes being paid for, to secure a victory for Bush in Florida, among other states.
@Fargren: I would argue votes are easier to sell, with a secret ballot. The seller would be whoever is counting the votes. There could be a huge monetary gain for that one counter (Diebold for instance), as opposed to relatively small amounts for individual voters.
That being said, buying votes directly is illegal. If ballots were open, and someone bought votes, there would now be a paper trail.
Secrecy of votes is the foundation of the system. Just imagine how many people would be willing to sell their vote if they could prove it to a third party.
Sadly many of the identifiers are named in estonian. Limiting this project to estonian developers only. I'm aware that this is _estonians_ voting system, but i'm sure there are developers all around the world who would be interested in contributing (especially security audits would be interesting) to this project without the necessity to reverse engineering/translating the code.
We all know naming things is one of the most difficult things in programming. Give the guys a chance, let them do it in the language they are fluent in, rather than the language you grew up with
Must be Estonian thing. I had to deal with the system that was also born in Estonia but went international later. Estonian comments and names did not make it easier.
This is anecdotal but I worked (shortly) somewhere where a developer did not write comments, variable, functions, etc in English on purpose, so that the code would not be outsourced in the future. The fact that it did not raised any eyebrows showed that overall the place had other issues all around...
There has been significant work in the academic community about electronic voting schemes. For example, Civitas (http://www.cs.cornell.edu/Projects/civitas/) is a voting system developed by researches at Cornell that provides universal verifiability, voter verifiability, anonymity, and coercion resistance. It is also implemented in a security-typed programming language, which provides additional guarantees about the correctness of its implementation.
“You can't solve social problems with software.” (Marcus Ranum).
It isn't clear from the talk, that:
- you cannot inject votes digitally (within parts of the system) - you may only verify your own vote, and may or may not know about "extra" votes, especially under low turnout, which is very frequent (the euphemism is "democratic deficit")
- supersedes chain voting: it is not clear, that voters cannot be bribed, where the briber can ask for your receipt to verify your voting (currently this is done by buffering voting slips: the first is taken out, filled out in front of the briber and exchanged for the clean copy inside the booth, which in turn is taken out etc.).
You should read the book "ein König für Deutschland" (a King for germany) - it very reasonably makes clear why computer-based voting always will be Much easier manipulable and why democracies should stay with paper based Voting.
https://github.com/vvk-ehk/evalimine/blob/master/ivote-serve...