Although the ancient Athenians were not Luddites - they had an elegant machine to randomise a large stratified sample of the population for jury duty and water clocks to time speeches - for the actual votes they just used pebbles or pieces of metal. That's because counting something up is simply not that complex and shouldn't be made complex unnecessarily just to pad the CV of some electoral commissioner or pad the wallet of the company making the machines.
In India, the threats were things like the ability to print enough forms without leaks to counterfeiters, transport them on Indian roads, store them until polling day in villages where no doors have locks, and so on. And while the counting was highly parallel and scrutinised by auditors, it was also painful, because here was a rule along the lines of "both vote forms and counters' hands must remain visible from when votes are unsealed until counting is complete". Sometimes the counters went for more than 24h without a bathroom break, so would you volunteer to count?
I wrote a blog posting about it, http://rant.gulbrandsen.priv.no/indian-election-machines, but the most relevant point here is:
When you consider security issues, START WITH THE THREAT MODEL. Always. And it's not the same threat model everywhere.
Speed is irrelevant, there's no reason why tallying the votes desperately needs to take a few hours less.
There are only two motives for voting machines: commercial interests and the desire to obscure the voting process. Neither of these should be trusted with foundations of the democratic vote.
On the latter subject: because the transparency of the voting process is so fundamental to democracy, most countries had laws in place that first needed to be scrapped or mutilated to allow voting machines in the first place. The people who wrote these laws were neither stupid nor Luddites.
Ironically, we've always send observers to third world countries and former dictatorships to judge whether their elections are truly free and democratic, using criteria that would never allow for voting machines to obfuscate the process. For starter, it would make such neutral observation pointless.
I'm lucky I live in country (Netherlands) that has abolished voting machines years ago. (After a campaign against them led by by old school hackers.)
(There's one movement in the Netherlands that openly advocates a return to voting machines. This movement is lead by Dutch mayors. The Netherlands is rather unique in the fact that mayors are not elected but appointed by political manoeuvring, which has been subject of debate for a long time. I do not believe these things to be a coincidence.)
For a place like India, the problems pretty much require electronic voting. I am old enough to still remember paper ballots in India. Imagine having to count of the order of 600 million(!) votes. Each with potential challenge from a partisan, validation, security. The costs and logistics were a nightmare. After polling, it used to take days just to get all the ballot boxes to centralized counting arenas. The machinery for the counting alone endedup involving about a million people!
India has very strict election codes - how many voters to a booth (few hundreds), how far a voter can be required from his place of residence to polling station (3 miles max), etc. We also do not require "registration" before polling like in the US for example. Once you are 18 and have obtained a voter ID, you can simply walk into a polling booth on the day and vote.
Indian Election Commission took a pioneering lead in using technology for polling - We have had near-universal electronic polling for 25+ years now. The trouble with the "moderm" voting machines is that they are way to complex and try to do too much. Indian design went the other way. Security of paper ballots was already an understood and mostly solved problem. The machines are simple - more in the league of a 8-bit microcontroller with 16 push buttons and 4x7 segment LED display. very old school. The machines rely on physical security. They cannot be opened without breakage, physical seals can be applied to their "reset" and "count" buttons, and access to them is controlled the same way as access to paper ballots and boxes would have been controlled. This allows even a poor country to deploy the order of half a million voting machines!
There are of course issues - there is no paper trail for example, which as a concept has never even arisen in Indian electoral design debates. I am not sure I am myself sold on the need for them - I do see the importance, but its not an absolute.
EVMs built on top for high end PCs, with Windows and millions of lines of custom code, manufactured by people who also build Slot machines (in the US atleast) is at least to my mind - simply another case of overdesign and overspending - typical of defence and government contracts. When security, reliability, are concerned, simplicity and even non-technical solutions combined with technology work better than compicated technology.
This scale argument is totally spurious. Australia is one of the older continuous democracies so we have had a lot of population growth since federation, vote counting hasn't slowed down each time the population has doubled (indeed I'd suspect it's gotten faster as people have telephones and over 100 years of institutional experience at the federal level). Counting votes scales because as the population scales you have more money and more people to count votes. Let's say you have two paid electoral officials and 100 volunteers for each 10,000 voters. A country with 20,000 people would have four paid electoral officials and 200 volunteers, a country with 1 million people would have 200 paid officials and 10,000 volunteers.
Australia also has some of the most spread out and remote polling stations in the world due to our being much larger geographically than India so there goes that argument as well. Additionally it's far easier to get a cardboard ballot booth and paper ballots to various remote places than it is to get machines there. Not only do you have to lug machines around they need electricity and maintenance personnel. The Indian machines run on batteries, but how long until they need replacing if they are in storage for 5 years between each use? A more complex machine would need a lot more power than batteries could provide as well, and more complex machines would be needed. The Indian voting machines are having to add a printed validation, at great cost and adding complexity, so they are acknowledged as being flawed in their current state.
If you are insisting paper ballots worked well in India and machines don't, I can only imagine you don't know what you are talking about.
The scaling you speak of doesn't work - complexities scale superlinearly and so do costs. We know this in our daily lives, in our networking architectures, when we argue scaleup/scaleout, etc.
The economic scaling - money available per capita for spending on elections - also doesn't scale linearly like you seem to be implying. Even if, for the sake of argument, it did - I would prefer not to spend it like that if I can save money using EVMs. That money has better uses out here.
Even with one of the largest paramilitary forces in the world, India needs to stagger its elections across a couple of weeks as the security apparatus moves around. That also doesn't scale. Paramilitaries are not maintained as a proportion of the population, but as per the security needs of the country. Local police should scale as per population, but India is significantly underpoliced. Also the Election commission tends to not trust local police with election security as by definition the police reports to and is allied to the incumbents.
Elections don't happen once every five years - India has a central Election authority and the machines are constantly in use, shuttled all around the country as needed. I also don't understand what the trouble is with replacing batteries every few years? You have to remake cardboard booths and reprint ballots as well, don't you? No one said EVMs are cost free.
"_ so there goes that argument as well_"
Where are you "sending" these arguments? They don't seem to have gone anywhere at all. If you think polling 16 million people in a rich country is more complex than polling 815 million people in a poor one, please sit down and have a rethink. It is very very hard to fathom that difference in scale.
I think you have misunderstood my argument. I totally agree that the Indian election is more complex. But I argue that complexity comes from places other than the counting itself, and returning to the subject at hand that means India's size and complexity in no way leads to the conclusion that its elections or anyone else's elections "pretty much require electronic voting". So in what follows I will examine the "ideal" case and then the rest of the issues.
In the ideal case, if we imagine a theoretical Westminster system with first past the post voting, we can pay 10 people to organise 250 volunteers per electorate of a theoretical 200,000 voters. They all start counting at the same time when polls close. In this system there are always 800 votes per volunteer to count. It doesn't matter how big the population gets there are always 800 votes to count for each volunteer. Population of 1 million? 800 votes per volunteer. Population of 8 billion? There is still only 800 votes per volunteer. So the system is scaling with the population. Thus India having 51 times (using your figures) as many voters as Australia does not mean it's 51 times more complex to count up the votes. Similarly, nobody would claim that the counting the votes in the UK election is somehow magically 3 times as complex as the Australian one or that elections in Australia now are many times more complex that elections in Australia 100 years ago.
Of course, leaving the ideal case somewhat, due to natural human variability a larger system will have more electorates that return their results slightly later. Indeed in an infinitely large imaginary system there might be an electorate where all 10 officials in one electorate die of a heart attack and it takes two days to get officials from other electorates to show up and do the count. In the real world with real humans, but still presuming they were operating on the exact same rules, the larger system (say the UK or the USA versus Australia) would likely have later returning results, but not by much. It's also worth remembering at this point that in many elections the last electorate to return a result is often irrelevant to "the ultimate result" as someone already will have a majority much earlier, many elections are conceeded by the loser well before the final tally comes in.
That there, in the ideal case or the "same system" with real people, is the basis of my objection to your comment that "for a place like India, the problems pretty much require electronic voting. I am old enough to still remember paper ballots in India. Imagine having to count of the order of 600 million(!) votes". I am not saying there aren't other sources of complexity: many languages, poverty, illiteracy of some voters, poor transport and corruption will all take their toll. But those problems are not solved by voting machines either. I continue to maintain that 600 million votes does not in any way shape or form "pretty much require electronic voting".
If you have to evacuate an area using 4-seater cars - do you really not see the difference in complexity:
A - a village with 200 people, each household has their own car. You need 50 cars, maybe need to requisition/rent a few, the rest people bring by themselves. You don't need a police escort or barriade for orderly movement of 50 cars. People self organize, and you are good to go.
B - a town with 10000 people, 20% households have their own car. Now the administrator needs to arrange for 1000s of vehicles, make sure fuel is available for all of them. You will need to appoint "marshalls" for each block cause you won't be able to handle everything yourself. You also can't expect anyone to self organize at that scale.
Lets say you appointed 50 marshalls. You probably can't even manage all those by yourself. So you appoint 5 "chiefs" - 10 to a marshall.
You need additional staff to manage and track each vehicle. You also need enough police on hand to provide escort. You need to define "assembly points" so that people know where to show up.
Do you seriously not see the complexity that arises when you have 20,000 counters vs a million?
The difference between running a startup with 20 employees - you can do that in your house. No need for HR, building services etc.
Versus a 1000-employee company?
And vote counters at least in India are not volunteers - that would be a disaster. THey are govt employees on deputation. Similarly after polling you don't simply take the ballot boxes to the corner and count. There are a handful of counting arenas - heavy security, representatives of all candidates present etc. Senior "notaries" have to remain present, inspect every box for tempering and certify, with agreement from the candidate reps. WHen you are thinking of a million counters, do you seriously think there can be a say 10,000 notaries present to certify, and a million representatives of candidates keeping their eye on each vote counter? Thats not how the real world scales man.
Stop thinking in terms of 800 votes/counter - theres a MUCH MUCH larger structure there, you keep missing that.
The reason EVMs help is they are smaller and faster. A set of notary, election officer, candidate reps can process a machine in about 10 minutes when counting. An average machine may have 400-500 votes on it. So that means that one set of people can now count about 3000 votes an hour or 25000 votes per day. To count 600 million votes, you need 25,000 sets country wide.
With paper ballots, counting 500 votes would take half a day. So one set would count 1000 votes a day. Now you either need 625,000 sets of counters or more days.
Theres also the issue of securely printing, transporting, storing, issuing 600 million ballots, vs 1.2 million machines.
In anycase - the biggest flaw in your argument is you are arguing theory - 800/counter, so no complexity - and simply ignoring the real world 25 year long experience.
Things simply don't scale like you think they do. 100 page views/ web server doesn't mean you can simply install a million servers and serve out google.com. Saying this added complexity is "not from web serving" makes no sense.
India has a population of 1.25 billion.
Here voting machines don't print the votes, only the machines can "count", and the source and hardware are not open to inspection.
Also, recently the government started to rollout a system where you can only vote by using a biometric fingerprint scanner on the machine.
To me the machine has a very clear purpose: do nefarious stuff, and NOT help the elections (Brazil electoral court always makes a point of expending money to PR about how great it is that we can count 99% of presidential election votes in 40 minutes after the end of the elections... but that is useless, here the elections, for all elected positions, happen MONTHS before anyone take office).
If implemented correctly (ie without fraud), there are huge potential benefits
* Cost savings. India's general election cost the taxpayer $600m and state elections will cost a similar amount. If there are early elections, the cost is repeated.
* Turnout. Right now certain sections of society in any country are more likely to turn out, to the detriment of democracy. A large part of election campaigning is getting people to turn up to the booths. This is so hard that rarely are the turnout percentages higher than 60%, which is a pitiful number. If we could make it simpler and quicker to vote, this would be less of an issue.
To be honest I don't know how we would implement such a system. Certainly today's machines that rely on secrecy for security are a joke and should be replaced.
I don't think there will be cost savings, and these machines will need to be replaced regularly as well so it won't be a one-off cost. And the present system isn't really expensive as elections aren't held every year, so that $600m price tag for the Indian election has to be weighed against the GDP of an entire electoral cycle of five years. We are talking about a price tag of around $120m a year for India then, against a GDP per annum of almost two trillion (if not higher, I am just going by 1.87 trillion for 2013). Per capita that's something like just under 10 cents a year from each Indian. I somehow doubt an IT project, which also has to accommodate all of India's many languages and scripts, is going to make a significant saving on that.
I am not aware of any research linking voting machines to turnout, have you got a source for that? I imagine some older people might even get frustrated and stay away. Australia has something like ~95% turnout through implementing a small fine for not voting (the tasty BBQs at many polling stations may also have an effect). There are also limited polling booths open before the election for those that expect to not be able to vote on the day.
So the benefits just aren't there, and as you say yourself "I don't know how we would implement such a system".
I was thinking something along the lines of voting online. There is significant research to support the idea that more people vote when it requires less time and effort to do so. Not just research, there are many political parties in America and elsewhere that try to improve their chances at the polls by making it more difficult to vote and keeping turnout low.
Voting online would improve the situation greatly, but it isn't easy to implement. To wit, the problems are
1. How to authenticate a user
2. How to map each voter to a vote, without keeping a record of whom he voted for
3. How to prevent fraudulent votes
I've thought about it but I couldn't come up with a good solutions to these.
I'd argue that we're stretching the limits of paper ballots with the current senate situation. There are significant chances for it to go wrong, like when the Western Australian senate election had to be rerun after the High Court voided the previous result due to lost ballots.
Even if machines had the same problems as paper they it could be faster and cheaper to recover from them..
If you read that link you posted you would realise this is the first time it has happened on this scale. Ever.
The implementation of electronic voting in NSW has had its own problems. Candidates missing from the screen, hacks allowing anonymity or votes to be compromised. Representative democracy voting shouldn't be fast or cheap. It should be careful and methodical.
Also, there is a fix proposed to the senate paper situation, allowing optional preferencing above the line, and optional preferencing below the line of 6 or more. Of course, both major parties have since all but rejected this as being too democratic.
So in this context, what is the point of electronic voting?
When I look at a ballot paper, I can see that it is what it is. When I stand in front of a voting machine, there is no was to validate that it's running the software that it's supposed to run. No way to validate it hasn't been tampered with, no way for the election scrutineers to validate it hasn't been tampered with before counting.
With a paper ballot, the scrutineers can lock the ballot box, and ensure it remains unopened and untampered with, aside from depositing ballots in it, simply by watching it.
I'm also a Spanish national, where the voting system is admittedly much simpler (closed party lists with provincial constituencies), but you can take the paper system from my democracy's cold, dead hands. Meaning the temptation for fraud would be too high for a country used to shortcuts.
A machine approach to the Senate ballot would also be problematic as you'd also have to display the candidates across multiple views on an app. Should said app have a "next" button or should we swipe to the next "card"? Should it scroll? Will older people know how to scroll it? Is some "GUI rockstar" going to inflict a drag-and-drop candidate ordering on us? Which OS are we going to use? Is the nation where the hardware is made democratic or does it have to be made here? I can see it ballooning in complexity as many government run IT projects do. The paper ballot, perhaps with fewer parties via the mechanisms I highlight above, is solid and proven.
Existing electronic voting systems provide a guide for what to expect. There have been US cases where the touch screen was so poorly calibrated it was selecting the wrong candidate, cases of election officials taking machines home (machines later proven to be hackable with that kind of access), in some places there weren't enough machines provisioned. The security question extends to the machines for weeks before the election, they have to be protected for all that time. And now you need the equivalent of IT support services at every polling booth, or a significant increase in the costs of training the volunteers. I can't see how all of that, on top of R&D and the cost of the machines, is going to cost less. Also how do you handle a power outage on polling day? Or do we need to add more complexity, and fork out even more money, to have batteries sufficient to handle a whole day power outage? What happens when someone pours some water into a machine with 10,000 votes in it near the end of the day?
You can't say, as you did in your reply to someone else, voting machines have “different security problems rather than more”. They are more complex, more complex things can indeed have more security problems. A computer has more potential security problems than a piece of paper. That's why the Russian FSO, who know a thing or two about security, are buying typewriters.
Most times these arguments boil down to the machines having to print out a paper ballot or receipt to be credible, anyone who has dealt with computers and printing knows what a barrel of laughs it's going to be to have people dealing with jammed machines or machines that are out of paper. I can picture an irate voter having their ballot secrecy violated as their crumpled ballot is pulled out of the slot by some highly paid technician. And given the spacing of elections, the machines would become outdated quickly so we'd have to go through the whole rigmarole of designing or commissioning new ones every three or four electoral cycles.
Finally, I don't think we should underestimate the benefits of getting large numbers of people involved in the counting. There is a social good in getting those volunteers to become knowledgeable about the process. They carry that civic knowledge around with them so it's available when someone needs the Senate voting explained to them at a weekend BBQ or someone wants to run an election for a role in a non-profit or a club.
Whether we can actually do that, is not certain.
You could (in theory) also get better accounting of votes and detect oddities.
Corruption is chronic there. I traveled to Brazil with a friend , he did a mistake(not using common sense) an his camera and the bag we used with several electronic tools was stolen. He went to the police, and was beaten by the police!!
We are from Spain and he simply expected a behavior in institutions that does not exist there. In Brazil you are either rich or poor, and police protects the rich(or the highest bidder) with iron fist. They are rude and you better not resist.
Argentina by the way has Spanish and Italian "picaresca" on their veins. "Ser un vivo" and fool other people is not only ok, but something to brag around.
Electronic voting could work on Switzerland or Denmark, and even there I will only trust it for menial tasks, like what they do in Switzerland asking people opinion on the new street lights(they do it using mail!!) and so on, but never with serious things like who gets in power.
Last time I was in Argentina,there were elections, and the politicians were literary buying the vote of poor people with crumbs even renting buses for them.
And an Indian General Election is no menial task. In the latest election of 2014, 814.5 million people were eligible to vote, making it the largest-ever election in the world. A total of 8,251 candidates contested for 543 seats in the Indian parliament. The average election turnout was around 66.38% .
Indeed, some political parties give buses and free food to people as "motivation" to vote (even though voting is mandatory).
Since being a child I've known that on a long distance bus, or airplane, you never put anything remotely valuable in our luggage, and carry those things with you. Otherwise they'll be stolen. It's not "they might be stolen", it's very much a hard rule.
corruption and vote manipulation will happen either way. but that way it's at least a little more ecological and economical for the tax payers. not to mention two days earlier to get results so you know alpha corrupt du jour (and two less days for the former one to screw things even more for the new one during the murky transition period)
It is important to note that the computer security and bitcoin scene are very strong in Argentina. See http://www.ekoparty.org/eng/index.php
It definitely makes me respect all non-English coders even more, for happily putting up with the ASCII status quo...especially those from non-Latin languages, such as Matz.
It's just that people are too eager to scream "vulnerability!" without properly checking it before.
In Argentina we have the top development team of BitPay, developing cutting edge stuff like Copay, Bitcore Wallet Service, etc. People like Matias Alejo Garcia, and Manuel Araoz (now a BitPay alumni). Look at: https://github.com/bitpay/bitcore-wallet-service and other projects.
We have Sergio Lerner, one of the top security researchers and the official Bitcoin Core security reviewer. Look at his blog: https://bitslog.wordpress.com/
We have also projects like Xapo.
And many many others like https://streamium.io/
Otherwise, why would you juxtapose the irrelevant mention of bitcoins? It's not hard to pay someone (i.e. this is completely irrelevant) except if the payment is for criminal activity - then it's hard.
This is sad, as bitcoin and other blockchain technology is cool. Your comment is just a data point (I won't list other ones, just keep an eye out for them in the future) that shows that a functional society requires a legal layer baked into the peer to peer currency protocol (at a minimum self-reporting regarding identities involved). Nobody wants to live in a world where people can anonymously purchase election counting source code from an employee of that company, using the online equivalent of a suitcase full of cash, (except probably without anyone knowing and nothing else being involved except network traffic) then the same night turn around and purchase the untraceable services of a security firm located in a totally different city (or who knows where), again using the online equivalent of a suitcase full of cash. I am positive nobody wants that.
That means that there is a huge, huge market opportunity for a non-criminal distributed online currency. I bet half the people I know would prefer to use that over bitcoin. Yes, because they have nothing to hide: but also, because they do not trust that criminals who are able to buy elections have nothing to hide.
I realize that technical solutions are preferable to legal solutions; but there are some things technology can't solve, and "untraceably buying elections from the people tasked with computer counting them, by untraceably bribing employees for source code and then surreptitiously supplying it to blackhat security firms and purchasing an attack vector, without any connection to the former" is one of these.
Bitcoin is absolutely great. It will be better when it comes with a social contract.
This page - https://bitcoin.org/en/download
should have 2 versions "[ ] With social contract", "[ ] Client only", where the one with the social contract lets governments trace your transactions the same as they can with bank transfers. (Not sure of the mechanism.) I don't mind making bank transfers, or the government seeing this, and I don't prefer cash to using my card etc etc etc. An online currency is supremely cool, far more convenient, and I would have no problems downloading the version with the social contract. (I think governments should have the same level of access as they do to bank transfers.)
I consider it a genuine problem that I don't even have this choice.
Also with an annual inflation rate of 25% - 35% you don't want to have your savings in pesos. That's why many people buy dollars on the street if they can't get it in legal ways. Also BitCoin is usable as it can change in any kind of currency without to much red tape.
1) First, I found the complete lack of security puzzling. I mean, they don't even use SSL in their site logins. You use md5 to check firmware...and the coders are obviously capable of using proper cryptography, but they won't. It's like they completely gave up on any kind of security whatsoever. Is this something deliberate?
2) Why the RFID to store the vote? why not a qr-code? it's hard to read? RFID tags are hundreds of times more expensive, they can be unlocked, re-written, must be protected with a weird faraday cage that do not work correctly (Faraday cages must be grounded!) they are a nightmare. I'm sure there must be a good reason.
> they don't even use SSL in their site logins.
Which sites? The only one I can think of having a login is the transmission site, and it not only uses SSL, it even has two way certs validation, so even the client has to have valid SSL certs which the server validates.
> You use md5 to check firmware
No. They use SHA256, not MD5, and to check the CD software, not firmware (there is no way you can checksum a firmware securely if the firmware wants to lie to you).
> and the coders are obviously capable of using proper cryptography, but they won't
Yes, they use encryption, where it makes sense, like the double SSL in transmission.
But I guess you are referring to the unencrypted chip data. It would be useless to encrypt that. Think for a second: the machine needs to be able to read that chip on the counting step. So you are distributing the unencryption keys in hundreeds of public CDs that very same day. Having the data on the chips encrypted would accomplish nothing, they keys to unencrypt them would be public. It's like puting a padlock in your bike, but leaving the key along the padlock.
So no, nobody has given up on security, you just probably have read misleading things.
2) Again, several wrong things, will answer separatedly:
> why not a qr-code? it's hard to read?
This is the only one I can't answer with full knowledge, but I think it had something to do with them being hard to read because of the quality of the print (thermical fast printing)
> they can be unlocked, re-written
No, they can't. It's a physical process that burns and cuts connections on the chip, you can't "rebuild" them to unlock it again.
The thing you probably saw was people rewriting demo ballots, which are created with the machine configured in demo mode, in which it doesn't burn the chips, to be able to reuse the same in several demos. The people claiming that even published photos of the supposed "real" ballots they where rewritting, and the ballots had in really big letters crossing all the print, the text "DEMOSTRACION USO NO OFICIAL". So, no, they weren't rewriting real ballots, it's obvious those where demo ones.
> with a weird faraday cage that do not work correctly
Reallity doesn't agree with you, hehe. Even people opposing the system had tried and weren't able to read the chips through the shield. It's simply a shield which has enough mass to absorb the signal that the chip emits.
The tech login sites.
>They use SHA256, not MD5
>hard to read because of the quality of the print
print them bigger? change the printer? this makes no sense, unless you want to have the ability to change the vote. It's the only logical explanation.
>I guess you are referring to the unencrypted chip data.
No, I'm referring, for example, to software package signatures.
>No, they can't. It's a physical process
This is simply not true. Even if you had the power to physically burn something in the chip (you do not), many RFID chips allow unblocking with a special password, because they do not really burn anything. You don't know how the rfid chip works internally because the design is not public, and there are no ways to check the model of chip used.
> Even people opposing the system had tried
Who? were they qualified RF engineers or just some dudes with a commercial RFID reader? No signal can be "absorbed" completely.
The machines basically print an electronic voting bill, that has an RFID chip which is reportedly vulnerable.
The paper is a backup. The votes are also recorded by the software. But the paper can be read by hand if necessary, or by a scanner which reads the bar codes. So recounts are possible and checkable by all parties.
The point here is that voting machines must be open source and its hardware completely public to analyze it. This can't be the weakest link in a democracy.
Now, if the hardware instead
1) could be provided by the voters themselves,
2) was easily auditable
3) was used in their daily lives providing a ubiquitous understanding of the technology involved
only THEN would it be appropriate for use in elections. So far, only pen and paper fulfils all of those criteria.
and if you satisfy all those requirements, and other, congratulations, you've probably just invented the worlds most expensive printer.
Even in less corrupt countries, electronic voting is a terrible idea: it's vulnerable to hacking and, because the system is opaque to the average citizen, erodes trust.
Richard Stallman has been emphatic on this point: https://stallman.org/evoting.html
The more at stake, the greater the temptation, the greater the likelihood of fraud. Leave online decisions to scheduling problems a la doodle.com
People should recognize that sometimes paper is superior to bits.