>After the election is complete, the tracker codes can be used by voters to confirm that their votes were not altered or tampered with and that they were properly counted.
In Estonian e-voting they allowed to change the vote later or re-vote offline. So that if someone sold their vote or was forced to vote, they can later change their mind.
But such scheme is still vulnerable: for example, imagine if a large state-owned or having close ties with government company forces their employees to vote online under supervision. If the employees are not very good with computers or don't own one, they cannot change their vote online later, and employer can set their shifts to a voting day so that they cannot visit the polling station.
It's not just that. Some UK researchers also demonstrated how it was possible to confuse voters whose devices were infected by malware. The trick basically was to display X to the voter and send Y instead.
What you really want is some way for the voter to create plausible deniability. Like the voter should have multiple secret keys, one which allows them to confirm their vote was correctly tallied for themselves, and another one that allows them to trick an adversary into thinking they voted for an arbitrary candidate.
If I understand correctly schemer could agree to pay for votes, but had no way to verify the ballot was indeed cast for that candidate. With this system they could first verify the vote before paying. It's made possible by the information which is used to verify the vote. It's supposed to be kept secret by the vote, but could be shared with the schemer in order to get paid. This would make vote-buying schemes much more manageable.
However, there seems to be considerable risk to the voter. What's to prevent the schemer from not paying up? The vote is already cast, and what can the voter do? Sue the schemer? For not paying for a bought vote?
Imagine I ask the voting machine to give me 100 sealed envelopes with "Alice" written in them and 100 sealed envelopes with "Bob" written in them. I open and destroy 199 of them, verify that Alice votes are Alice votes and Bob votes are Bob votes. I then walk out of the voting booth with a sealed Alice envelope, then deposit it into the ballot box.
That's the "verifiable" step in here.
The only way for you to know who I voted for is if you were in that booth with me.
> The combination of the tracker – which allows individual voters to verify that their votes have been accurately recorded – and the verifier – which allows anyone to verify that the recorded votes have been accurately counted – enables full “end-to-end verification” of the correctness of election results.
I understood this to mean that I am able to use the tracker to verify that my vote was cast for a particular candidate.
Right - the way you verify that is by asking for 100 sealed Alice envelopes, and opening 99 of them at random. If the machine was trying to trick you, you have a strong chance of catching it. You still walk out with a sealed envelope, and the would-be vote-buyer can't be sure it isn't a Bob envelope.
So what's preventing vote-buying schemes?