In general, I agree with the recommendations several security experts wrote condemning the new overseas military voting system SERVE, because voters used insecure Windows PCs to vote.
However, in thinking over the matter, I suggest the following method and open it for criticism. It still has many of the flaws of such systems - no physical audit trail, and like all remote voting systems, including mail-in absentee ballots, it allows non-secret ballots and vote buying, though it is not much worse than mail-in in that respect.
Here's the proposal. For each registered voter, generate a paper instruction book. In the book, list the choices they can vote for, and with each choice provide a multi-digit number to enter. Also provide a longer master number for the whole ballot. In addition, after each number, provide a second "ack" number.
Thus you might see a ballot with:
- George Bush: 8741 / 9832
- Al Gore: 9843 / 4382
- Ralph Nader: 0438 / 2833
The numbers are different on each ballot. The voter enters the master number and then the sub-numbers. The election server, combining the numbers, can determine who the vote is for. Only the exact numbers will work (any other will generate an error, and only so many errors will be allowed). It should not be possible for a program not knowing a secret known only to the master computer to map the numbers to a choice.
When the vote is cast, the master server responds with the ACK number, which again only it knows how to generate. The voter confirms the ACK number is correct. The voter, if they trust the master voting web server, can be assured that their vote was registered with it as desired.
There's nothing a man-in-the-middle, including a trojan program that has taken over the PC, can do to circumvent this. They can't change the vote, see who the vote was for, or stop the vote from being recorded without the secrets known only to the master vote computer.
And thus it should work from any insecure web browser, and in fact would work fine from a telephone, as long as the numbers are long enough to avoid any guessing attacks.
Though again, we are completely trusting the master web server and its security.
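To make the proposal concrete, here is a toy "master vote computer" written for this post (added example, not part of the original). It assumes the per-ballot vote and ack codes are derived from a single server secret with an HMAC, so the server stores no code-to-choice table and only it can produce a valid ACK; the error limit, code length, and the random master number are assumptions.

```python
import hashlib
import hmac
import secrets

MAX_ERRORS = 3  # assumed limit on wrong codes per ballot


class CodeVotingServer:
    """Toy 'master vote computer' for the proposal above (assumed design)."""

    def __init__(self, candidates, code_digits=4):
        self.secret = secrets.token_bytes(32)  # known only to this server
        self.candidates = list(candidates)
        self.digits = code_digits
        self.issued = set()   # master numbers printed on ballot cards
        self.voted = set()    # master numbers already used
        self.errors = {}      # master number -> wrong codes seen so far
        self.tally = {c: 0 for c in self.candidates}

    def _code(self, master, label):
        # Codes are an HMAC of (master, label) under the server secret, so
        # nothing without the secret can map a code back to a choice.
        mac = hmac.new(self.secret, f"{master}:{label}".encode(), hashlib.sha256)
        return str(int(mac.hexdigest(), 16) % 10 ** self.digits).zfill(self.digits)

    def issue_ballot(self):
        """Print one ballot card: master number plus (vote, ack) codes per choice."""
        while True:
            master = secrets.token_hex(8)  # random, never tied to a voter identity
            card = {c: (self._code(master, "vote:" + c), self._code(master, "ack:" + c))
                    for c in self.candidates}
            # Reject the rare card where two choices share a short vote code.
            if len({v for v, _ in card.values()}) == len(self.candidates):
                self.issued.add(master)
                return master, card

    def cast(self, master, vote_code):
        """Return the ack code if the vote was recorded, None if it was rejected."""
        if master not in self.issued or master in self.voted:
            return None
        if self.errors.get(master, 0) >= MAX_ERRORS:
            return None  # too many bad codes: ballot locked, as the text allows
        for c in self.candidates:
            if hmac.compare_digest(self._code(master, "vote:" + c), vote_code):
                self.voted.add(master)
                self.tally[c] += 1
                return self._code(master, "ack:" + c)  # only the server can produce this
        self.errors[master] = self.errors.get(master, 0) + 1
        return None
```

A trojan on the PC sees only the digits typed and the ACK returned; without the server secret it cannot tell which choice a code maps to, and it cannot forge the ACK the voter checks against the card.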
Vote buying is easy with all mail-in ballots. Just ask the bought voter to give you the ballot to mail (or to fill in) and you can check it first. It's also easy to do here. It is slightly easier because you can provide software to confirm it, but it's really not a lot easier.
To the system, voting can still be anonymous, as there is no need to connect a registered voter with a particular ballot card. Let them, once confirmed, pull a random ballot card from the pile, or mail them one. Of course the ballot cards with the magic numbers must remain secure, as must all mail-in ballots.
Anybody find a window into this system?