Imagine I ask the voting machine to give me 100 sealed envelopes with "Alice" written in them and 100 sealed envelopes with "Bob" written in them. I open and destroy 199 of them, verify that Alice votes are Alice votes and Bob votes are Bob votes. I then walk out of the voting booth with a sealed Alice envelope, then deposit it into the ballot box.
That's the "verifiable" step in here.
The only way for you to know who I voted for is if you were in that booth with me.
> The combination of the tracker – which allows individual voters to verify that their votes have been accurately recorded – and the verifier – which allows anyone to verify that the recorded votes have been accurately counted – enables full “end-to-end verification” of the correctness of election results.
I understood this to mean that I am able to use the tracker to verify that my vote was cast for a particular candidate.
Right - the way you verify that is by asking for 100 sealed Alice envelopes, and opening 99 of them at random. If the machine was trying to trick you, you have a strong chance of catching it. You still walk out with a sealed envelope, and the would-be vote-buyer can't be sure it isn't a Bob envelope.
If you're willing to assume the attacker is into the voting booth, you're no worse off with this.