On Wednesday 15th of March, there are (were) general elections in the Netherlands. A vote is cast by marking the chosen candidate with a red pencil on a (large) ballot. Vote counting is manual. Below is a short history of how the Netherlands got to this point.
Background: voting in the Netherlands
First up: voting in the Netherlands is rather different than voting in the USA. In the Netherlands, every voter gets to cast one vote. There's a huge list of candidates (400-600), who are grouped into ordered lists (i.e., the various parties).
There are 150 seats in the House. To get elected, you need.... 1/150th of the total number of votes.
(that sounds almost reasonable, right?)
If you're short (or over), the votes that aren't used by you default to the party. Seats are then assigned to the folks on the party's list in the order they appear on the list. So, if after everyone was directly elected, a party receives 6 / 150th of the votes, then the first 6 persons on the list who did not win a seat themselves, win a seat.
Usually this process does not allocate all seats, and there's a process for that as well (D'Hondt method, if you want to be precise).
The TL;DR version: people vote for exactly one candidate out of a few hundred candidates. Every vote counts. Even if your candidate is not elected, by voting you've raised the total number of votes, and therefore the threshold that needs to be passed (1/150th of the vote) to win a seat.
Machine voting in the Netherlands
The Netherlands enjoyed machine voting for a long time. Prior to my existence, mechanical devices were in use. These were superseded by electronic voting machines. The machine that was used the most was the Nedap machine: sort of an extra-large checkerboard of buttons, on which a ballot with candidates was placed. You'd press the button of the candidate of your choice, a tiny LED screen on top would list the party and the candidate's name of the button you had pressed, you press the 'confirm' button next to the tiny display and you had voted.
This system facilitated vote counting enormously. To count votes, you'd just press a button and out came a "shopping receipt" with the vote count. A recount was even easier: just press the button again! Couldn't be easier.
Of course, there's a few security issues with that, but hey :)
Back to the red pencil: security issues with machine voting
Around 2007, the heat was turned up under the feet of voting machines. They suffered from various flaws: no meaningful recounts, no meaningful way to verify that the result had any relation to the voter input, etc.
At one point, Nedap claimed their machines were not computers. An opposing party countered this claim by making one of the Nedaps play chess (by inserting their own PROM chip onto the board). This effectively demonstrated that the machine could do anything whatsoever, and that verification was completely impossible.
Amazingly enough, that was not the thing that got these machines banned. What got these machines banned was the displaying of the party's name. As it happens, there was exactly one party who's name includes an accent: CDA (fully known as "christen-democratisch appèl"). That one accent was enough to get voting machines banned.
As it turns out, the emanations from the ancient, tiny LED screen depended on what was displayed. Before you say "well gosh jolly, who'dda thunk": determining what was displayed based on those emanations was *hard*.
Except for the accented character. I believe it was due to that one character using an extra bit (8-bits instead of 7 bits). At any rate, the emanations for this character could be easily distinguished from emanations lacking this character. Moreover, both types of emanations could be distinguished from when the screen was off.
A group of hacktivists (before this term was widely used), by the name of "Wij Vertrouwen Stemcomputers Niet", seized upon this. They had already shown that the Nedap could play chess, but now they constructed a simple display (converted TomTom) with a large antenna. The display would show when a vote was cast, and whether that vote was a vote for CDA or not. From outside the precinct.
That got Nedaps banned. In the ensuing fallout, security of the other manufacturers' machines was also enormously under par, so in one fell swoop all voting machines got banned. Voting was done in the traditional fashion: paper ballots, and a red pencil.
Handcounting of votes
Of course, the paper ballots had to be hand counted. You could probably design a system that is able to read this A2.5-ish ballot and determine where the mark is, but a trustworthy system that is cheap enough to deploy to all precincts (guesstimate: about 10.000), and easy and robust enough to be used accurately by folks who have never seen this before?
Yup, it's counting by hand.
Aggregation of votes
Aggregating the votes is somewhat tricky. Each precinct handcounts its results, which then need to be aggregated. This happens first at the municipal level. Up to recently, special software was used for this. Again, security was an afterthought - in the software and in the procedures used.
After completing the count, the count would be entered into a TXT file, which was saved onto a USB key. Then, someone would take the USB key to town hall. (I kid you not.) After that, the software would take over. The software, which could be installed on any system, including Windows XP (which was known to be on the way out when the software was developed). The software has its share of problems (installs a webserver but doesn't need internet, using HTTP to connect to local webserver, using SHA1, storing SHA1 hashes with the data they are "securing", emailing result-files without encryption,...). This was found out thanks to an ethical hacker, who did a teardown of this software based on a Youtube instruction video (I am not making this up!):
I am now at 03:44 minutes into this epic instruction video...
The responsible minister could do little else but hire a security company to perform a security audit of the software. Unsurprisingly, they reached more or less the same conclusions as the ethical hacker. They did state some rules under which the software could be used as a backup.
Determining the results of the 2017 elections
Which is where we are now. Each precinct will hand-count the votes. These results are then aggregated manually at the municipal level and at higher levels. Software may be used on stand-alone, unconnected computers to validate the result of the manual aggregations. Paper is leading, meaning that if the two aggregations differ, we will turn to the paper count and recount that to verify that it is correct.
Wrapping up
So that is that: we were using machines but they were horrendously insecure. We were using software to aggregate votes in a horrendously insecure way. We are voting today (yesterday?) with red pencil and paper, hand counting votes and manual aggregation of votes.
Every once in a while, someone suggests a "better" way to do it. Usually "better" translates into "more convenient, broken security". Some folks call the current system old-fashioned. To me, old-fashioned may be a downside for clothing, but I don't mind it in a voting system.
(Score: 1, Interesting) by Anonymous Coward on Thursday March 16 2017, @07:24AM (19 children)
Human counters are slow and not very accurate, and trying to lock down a general purpose computer for voting is a very difficult security problem, even if you do it right, which they obviously didn't.
You really have to build a vote counter that counts mechanically, using punch cards, optical scanners, or the like, and which doesn't have any CPU at all but only special-purpose, non-programmable computations. It can store its result onto some sort of physical record, like another punch card, a paper printer, or whatever meets the physical security requirements.
Everything could be implemented into an ASIC for a reasonable cost (by ASIC standards), and the source design implemented in FPGA first and published so security researchers can try to break it. When everyone is sufficiently confident, burn the ASIC. You don't need any fancy cryptography or anything else. Just a machine that only does one thing.
You'd still have a few side channel attacks (which human counters also have, and probably more severe) and you'd have to maintain the physical security of the vote counting machine, but since the physical counting machine wouldn't be open to the public (who only need to drop their punch card in the ballot box), the opportunity for attacks is minimized.
This problem is not hard. It's just that people often insist on doing it wrong. More technology is always better! Well, no. Not always.
(Score: 0) by Anonymous Coward on Thursday March 16 2017, @07:35AM
I don't get it. A car analogy... pretty please?
(Score: 5, Interesting) by Shimitar on Thursday March 16 2017, @08:10AM (11 children)
Slow is not bad... at all!
And accuracy is not correctness... You can be 100% accurate, but completely wrong.
In elections, you don't need speed or accuracy. You need accountability and recheckability (is this even a word?). Elections issues are people issues, and no more guarantees of results can come from computers, unless computers can fix humans...
... i would rather substitute politicians with computers than voting systems.
Coding is an art. No, java is not coding. Yes, i am biased, i know, sorry if this bothers you.
(Score: 2) by FatPhil on Thursday March 16 2017, @08:58AM (3 children)
However, you are right that verifiability is an absolutely essential attribute in any election - recounts must be possible.
I've only just noticed the similarity between another security-related field - that of idenitfication (in particular authentication, or "authentifying" as they now seem to call it). Passwords, the something you know, seem to have fallen out of favour for situations where security is very important - and two-factor, bringing in the second factor of something you have, seems all the rage.
Isn't an electronic ballot the computer tallying something it knows (your vote), and a paper ballot has the counters (which can be mechanical) tallying something it has (the ballot paper)? To see pressure back towards paper ballots is hardly surprising whilst thing-you-have is gaining popularity in other security fields.
Could be bullshit, I've literally only just thought of it just now, and have never seen such a parallel drawn before.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2, Insightful) by Anonymous Coward on Thursday March 16 2017, @12:33PM
The advantage of paper ballots is that their manipulation is subject to the rules of classical physics, which cannot be changed and to the degree needed are perfectly well known to anyone, so everyone can easily estimate the security of the vote, without requiring special knowledge. Moreover, the whole process involves only objects which are visible with the naked eye, so verification also doesn't need any tools that could themselves be manipulated.
On the other hand, computers follow the rules of their programming, which isn't directly accessible, but only can be accessed using tools that themselves may be manipulated (think of rootkits), and which can easily be manipulated. And you need specialized knowledge to even consider verifying them.
(Score: 2) by Immerman on Thursday March 16 2017, @02:34PM
Indeed, they seem to be confusing accuracy (correctness) and precision (amount of "detail")
Two factor is indeed a major security upgrade as it makes security considerably more difficult to bypass - but it relies on *both* factors being used. Without the something you know, it's just a standard key-based lock - anyone who can steal the physical "something you have" can get past the security unchallenged, and if there's any "pickable" flaws in the lock they don't even need that.
As security improves there is indeed motion towards "something you have", because it was not previously present. But importantly, there is not a corresponding motion away from "something you know", at least not among those concerned with actual security.
I don't see that is has anything to do with voting though - electronic ballots aren't "something you know" or "something you have" - there's no "what's the password" security to get past, they're just electronic data. And electronic data is *extremely* easy to tamper with remotely without leaving traces. Especially when being handled by general purpose computers with lackadaisical security and an internet connection. The tampering can even take place long before the election by infecting the machines with vote-switching malware that deletes itself after stealing the election.
The push back to paper ballots is simply because physical ballots are considerably more difficult to tamper with - doing so requires that actual physical ballots be "lost", and/or phony ones be "found" - tasks that require a criminal to be physically present, and can be easily guarded against by alert independent watchers (or a group of watchers with conflicting allegiances). The price - the potential for physical ballots to be improperly completed (hanging chads, mismarked sheets) is greatly outweighed by the increased difficulty in stealing the election in the face of well-understood and easily verified security, as well as the ability to do a recount.
An electronic ballot system can eliminate mistakes (perfect precision), but can't meaningfully guarantee accuracy (votes can be silently changed wholesale) . Hybrid systems could theoretically work - using an electronic voting machine that generates a human-verified paper ballot, but that's a lot of expense to eliminate a small margin of error. Plus, it seems that once you have involved machines in the process at all, they tend to end up doing the counting, since they're so fast and precise about it. But they can't be trusted, and once they've done the job, nobody wants to count the ballots by hand to make sure nobody cheated. Involving computers at all seems to just place the entire election on a slippery slope, where human eagerness, laziness, and inclination to trust the accuracy of computers under normal circumstances, all conspire to destroy the integrity of election.
(Score: 0) by Anonymous Coward on Friday March 17 2017, @03:00AM
really? to lazy too even google ....
http://www.diffen.com/difference/Accuracy_vs_Precision [diffen.com]
here's with colors in case you get too tired of reading:
http://www.mathsisfun.com/accuracy-precision.html [mathsisfun.com]
(Score: 1) by khallow on Thursday March 16 2017, @12:17PM (6 children)
Slow is not bad... at all!
It does allow for more opportunity to throw an election. There's more opportunity for skullduggery with, for example, a week long delay in vote count than a one day delay, for physical vote counting.
(Score: 2) by FakeBeldin on Thursday March 16 2017, @12:42PM (4 children)
Funny thing: I kept linking "skullduggery" to tweets by candidates in hypothetical scenarios :)
At any rate, tweeting doesn't affect the count. It might affect how people think about various candidates, but not the process of counting.
So I'm wondering how taking it slow allows for more opportunity to "throw an election".
Note that the process that is slow is the aggregation of the polling station counts. Each polling station finishes the count on the evening itself. Those folks are home by midnight (if the polling station closed at 21.00 - not all did as some ran out of ballots and others were open longer to compensate). Aggregating this all up takes more time: there are about 10,000 polling stations, divided into 20 districts, each of which has its own candidate list. Normally these lists largely overlap, but they're not required to. I have no clue how seats would be assigned in the completely theoretical case where one party gets so many votes that the differences between the lists in different electoral districts suddenly become important.
Anyway, I digress. Point is: counting is finished before the morrow. Actual aggregation of those counts will take a while, but the day after the elections the most likely distribution of seats is already known.
So, I'm wondering what "skullduggery" one could enact that would help "throw an election".
(actually, I am wondering that in general, not just for Dutch elections, so do please respond!)
(Score: 1) by khallow on Thursday March 16 2017, @12:56PM (1 child)
Anyway, I digress. Point is: counting is finished before the morrow.
Then it's not slow.
(Score: 3, Interesting) by Immerman on Thursday March 16 2017, @02:40PM
Sure it is, it take hours. Electronic voting is done counting the moment the last ballot is cast.
Think of the news media cycle man, think of the media cycle!
...actually, I'm kind of surprised the media isn't a big proponent of manual counts - they draw out the anticipation for many hours or days, which means more time of people watching talking heads speculate on the outcome as results trickle in, and more ads sold.
(Score: 1) by khallow on Thursday March 16 2017, @01:03PM (1 child)
So, I'm wondering what "skullduggery" one could enact that would help "throw an election".
Ugh, forgot to include this. If the only thing left is a complex algorithm, then there's no point to taking human time to compute it when a computer can do it instead. Just crank it out on in a fraction of a second, have the various parties verify with their own computations. Any "slow" method will be far more prone to error.
(Score: 2) by Immerman on Thursday March 16 2017, @03:00PM
Except there is no complex algorithm - there's just the generation of trustworthy regional tally sheets. Everything else is just simple inter-regional aggregation rules - publicly post the initial tally sheets as soon as they're confirmed, and anyone who wants to can quickly verify that the aggregation is done correctly. And there's really only two options to get those tally sheets:
1) have humans do the counting - preferably using redundant counters with different allegiances, with any discrepancies being resolved immediately on a box-by-box basis, and the entire process being watched and recorded to make it as difficult as possible for anybody to fraudulently "lose" or "find" any ballots.
2) have a computer do the counting - in which case you have to *completely* trust the hardware manufacturer, every piece of software that's supposed to be on the machine, the electronic security against remote hacking, and every person who has ever been alone with the computer for more than 30 seconds. Any single flaw in any of those is enough to completely compromise the election.
Theoretically you could do both, but in practice if the computer has already done all the work, nobody wants to do it by hand. Besides, given how completely untrustworthy computer tallying is, what exactly is it contributing? Is it really that important to have a completely untrustworthy "first guess" right away? The election won't have any real impact until weeks or months later, so what exactly is gained by knowing the outcome a few hours earlier, even if you *could* trust it?
(Score: 2) by compro01 on Thursday March 16 2017, @09:58PM
Sure, but no realistic system will have that much of a delay. In Canada, the counting of the paper ballots is done within hours of the polls closing, then phoned into the returning office. I've done this in both federal and provincial elections.
(Score: 2, Touché) by Anonymous Coward on Thursday March 16 2017, @08:12AM
This problem is not hard. It's just that people often insist on doing it wrong.
Great. The most important thing is that the security much be such that any voter (that includes my mother and my 94 years old grandfather) can verify that the vote put in at one end is what is counted at the other end.
Everything could be implemented into an ASIC for a reasonable cost (by ASIC standards)
If it's not hard, why are you one of those who - by your own words "insist on doing it wrong"?
(Score: 1, Insightful) by Anonymous Coward on Thursday March 16 2017, @10:09AM (1 child)
From the point of democracy, the most important aspect is that the inner workings of the system are public, understandable and verifiable (by anyone, not just some technocratic cabal). Even 100% accuracy comes way after that since if 49.99% candidate gets counted as 50.01% the actual issue is in those 49.99%, not 0.02%. The speed and cost of counting shouldn't even be in the list of important things.
(Score: 5, Insightful) by FakeBeldin on Thursday March 16 2017, @12:44PM
As prof Dan Wallach put it:
The purpose of an election is not to name the winner, it is to convince the losers that they lost.
(as phrased by Douglas Jones)
(Score: 3, Insightful) by The Mighty Buzzard on Thursday March 16 2017, @10:37AM
s/very difficult/unpossible/
Take it from a guy with a hardon for security that's been writing billing code for over twenty years. You cannot write perfectly secure software. You will always miss something. This is why I use nothing but pre-paid Wal-Mart debit cards with the exact amount I need on them when I'm forced to make online purchases.
And that's not even speaking of hardware, human, or unscrupulous admin type vulnerabilities.
My rights don't end where your fear begins.
(Score: 3, Informative) by azrael on Thursday March 16 2017, @11:51AM (1 child)
Human counters can be quite quick, but yes, they can make mistakes. That said, there is oversight to mitigate this. In the UK where counting is done by hand I have attended election counts several times (as a count agent for a political party). There will be a whole bunch of count agents from most if not all parties contesting the election who stand opposite counters and watch everything they do.
If we see a counter put a vote into the wrong pile we point it out. Where a voter's intention isn't clear it goes into a separate pile and then these are gone through by agents and an official to determine if a vote is spoilt, intended for one candidate or another, etc. (I have seen count agents argue that a drawing of a penis next to their candidate's name is actually a vote for their candidate - this is usually a successful argument as it is a clear mark against a name. Good tip for voters, don't draw penises against names of candidates you don't want to vote for without also clearly marking your paper as not wanting it to count as a vote cast for them.
So the manual method may be slow but there is a lot of oversight to make it as accurate as possible.
(Score: 0) by Anonymous Coward on Thursday March 16 2017, @10:39PM
I have seen count agents argue that a drawing of a penis next to their candidate's name is actually a vote for their candidate - this is usually a successful argument as it is a clear mark against a name.
That seems like a dick move.
(Score: 5, Interesting) by Shimitar on Thursday March 16 2017, @07:51AM (1 child)
I really agree with you.
I would never trust any form of eletronic or mechanical vote where there is no direct way to check manually at all times.
Having been working for elections in Italy for the last 11 years, i can have my say.
First of all, in Italy, we have tons of elections, we love them some might say. Every year we vote for something somewhere. We have a fully manual system too. Paper ballots (sometimes A3 sized sheets or slightly smaller) with lots of parties and hundreds of possible names, ofter names are hand-written on the paper sheet by the voter, sometimes they are crossed, depends on election type. Voters must use a special pencil which cannot be deleted and has a special "signature" mark which can be distiguished by pencil or pen marks.
This is how it works, in short.
Before the election, a "president" and a "staff" is selected by the town hall for each constituency. So you have one president of the constituency and 5-6 staff members of the constituency. A "constituency" has more or less from 600 to 1000 voters. Can be more in smaller towns, less in bigger cities where it's easier to arrange more constituencies. The day before the election the constituency is set-up by the staff, all the ballots are checked, verified, signed by two members of the staff and stamped by the president with the random-selected stamp of the constituency.
The number of ballots is carefully checked and counted, and it will be checked and checked again with the number of voters who showed up for the lenght of the election.
The constituency president is selected by the local court from a list of "volunteers", so you need to register to this list beforehand (one year before at least), you need to be a voter in the same city and to have a high school degree. The staff, instead, is selected (from another list you need to register to, you need to be a voter in the same city and have a middle school degree) by the parties, so they can select their friends or just randomly, it depends on every town is different.
The president can select a "secretary" of his/her choice and trust. This last person records on paper everything happens but cannot take part in the counting process.
So you have a total of 6-8 people in the constituency, mostly strangers to each other, and of random selection. The only accountable person is the president, who is also the only one who can have the definitive say on assigning ballots (with an exception, noted below). I stress that presidents are selected by the court and not by the politicians.
Election day is sunday, so everybody can go to vote, and usually it's from 7:00 to 22:00, so even if you go having fun, you can still vote. You usually vote in schools, elementary, middle or high scools, the closest one to your house. To vote, you need a "voting card" which has a stamp for each election to took part into, and is delivered to your door or can be obtained in less than 10minutes at the local city hall or public office. You can get as many replacements as you need. To vote, you need an I.D. (mostly anything works) and this card.
The constituency staff has a list of the voters admitted to vote in the constituency room, and if you change your address or move close to election, it might be you still need to vote at your "old" precint, so you need to check before hand with the town hall.
The day of the election this is how it works:
1. the voter enters the room and is authenticated (I.D. checked, matched with the voter's list, his "voting card" is checked)
2. the voter receives the ballot
3. the voter goes behind a screen and cast the vote according to the election's rules (they vary of course! Usually one or more crosses and/or writing a name)
4. the paper sheet is folded and given back to the president of the constituency
5. the president put it into the sealed box.
At the end of the election, the sealed box is opened and all the ballots are checked, one by one, by the constituency staff. Votes can be: valid (assigned to a party/candidate/choice), invalid, blank or contested. All the numbers must match, which means that the total number of checked ballots must match the total number of voters in the constituency and must match the sum of the total valid ballots plus blank ballots, plus invalid ballots, plus contested ballots.
If all metches, the final numbers and ballots are passed to the central reporting point (depends on the size of the town/city) and aggregated. If something does not match, the staff in the constituency recounts, And recounts. Until the next day when matters are lifted from their hands to the court, and the president will have a serious issue. Things are NOT so simple, as in many cases a single ballot can have more than ONE vote (for example, you can vote the party, the major and one or more "candidates" to the town hall, and they do not need to be on the same list, thus you have one to four or five different votes in one ballot)
Anyway, if numbers don't add up or match, or if there are contested ballots, then the judiciary sistem steps in and do a full independent recount of the ballots.
Votes can be contested due to the complexity of some elections, and to the fact that people from the parties can assist the couting phase of the election, thus can "contest" what the president of the room decides. Sometimes (more than not) also the room staff are memebers of one of the parties, so that can also lead to contestation. To be honest, contestation is rare, if the president of the constituency is reasonable, and it never happened in 11 years of my experience. Maybe because the goal of everybody in the constituency is to finish quickly and go home, or just there is not so much political heat anymore. The counting is done the same day at the end of the election, so you have been there from 6:30am to 22:00, then start counting... and sometimes you finish well beyond midnight... You actually have up to 14:00 next day, but that is laughable of course, that would be over 32 hours without sleeping.
Of course, tons and tons of safeguards to ensure the sealing of the box overnight, police at the doors all the day and the night before, tamper-detect seals on windows, constand counting and checking of I.D. of voters, sometimes call the callcenter when a voter name does not match and so on. At the end, the sealed and anti-tampered boxes with all the counted votes are collected and personally by the president delivered to the collection points. The president is checked by the staff and the staff is checked by the president. Well, in 11 years, i am 100% sure nobody has even tampered with the elections i took part into, in the constituency where i was working.
.... then it dawned on me. One little detail. Nobody ever checks the ballots BEFORE they are delivered to the constituency, unvoted. Or better, i positively confirmed that the number of delivered ballots NEVER matches the number of ballots indicated on the delivery box. Which means that either the printing press is "skimming", deliverying less paper sheets than contractually agreed (to increase profits) or somebody somewhere has "collected" some unvoted ballots for... well, you might guess...
Ok, long post. In short: very tight and complex hand-paper voting system to ensure the maximum possible safety from rigging, then the major flaw is BEFORE it all starts.
As a side note, yes, all the "room staff" including the president get paid by the city hall for their work, albeit very little, and (this is why i do it) gets two days off work (paid leave) the next week.
Any question?
Coding is an art. No, java is not coding. Yes, i am biased, i know, sorry if this bothers you.
(Score: 2) by Immerman on Thursday March 16 2017, @03:19PM
>I would never trust any form of eletronic or mechanical vote where there is no direct way to check manually at all times.
I would go one step further - I wouldn't trust any vote where such a check isn't preformed as a matter of course, *especially* electronic ones - just because the last N elections weren't stolen, doesn't mean this one won't be. And the *only* reliable to detect a compromised tally is to do a secure one by hand.
And if you're doing a manual count because the electronic one is far too easy to steal, then what exactly is the benefit of doing the electronic one at all?
I would say that your worry about ballots "disappearing" ahead of time isn't such a big deal though - so long as there's enough ballots for everyone who wants to vote, I can paper the walls of my house with stolen blank ballots without hurting anything. My having a few cases of blank ballots is irrelevant - heck, with a few good clear photos I could print them out by the truckload myself. The only way it becomes a problem is if I can mark those ballots and then smuggle them back in to be counted. Which is why the official ballots are (should be) guarded all the way to the tallying place - so that they can't be tampered with, and that includes having a few extra boxes added to the stack.
(Score: 5, Interesting) by TheRaven on Thursday March 16 2017, @08:42AM
sudo mod me up
(Score: 0) by Anonymous Coward on Thursday March 16 2017, @10:51PM
An inquiry was held into eVoting by the parliament of Victoria (a southern state of Australia). Here is a knowledgeable and well reasoned argument from an industry expert who has worked on such machines. Short summary: internet voting is a stupid idea, while voting machines can work but you must be extremely careful (and no-one actually is), so paper trails are quite important.
http://www.parliament.vic.gov.au/images/stories/committees/emc/Inquiry_into_Electronic_Voting/Submissions/No_30_Craig_Burton_Amended.pdf [vic.gov.au]