There are two models, the stand alone data capture device model, the (DREs)Direct Recording Equipment, and the self-service transaction model which is a system model. The latter can provide more useful and consolidated physical evidence which can demonstrate how the result is derived, by linking votes to their use.
Half measures like electronic voting cannot work for a number of reasons. It is logically impossible to test electronic voting systems like the DRE(Direct Recording Equipment) satisfactorily. In the lab known test input is used to predict the defined output. When the defined output is produced by the equipment the program is assumed to work.
These tests are not valid since they do not replicate the live situation. In an election, the input is unknown - secret ballot - , the output cannot be predicted, and consequently, there can be no guarantee that the program is identical to the one which was tested.
The test procedure should replicate the live situation and the live use of the program should continuously provide evidence of its correct operation. These two conditions cannot be met by DREs capturing secret ballots. It is a flawed concept if there is no conceivable test strategy which passes muster.
If it is impossible to test the equipment satisfactorily, it is impossible to guaranteeing the proper operation of many hundreds of thousands of devices. Certifying the equipment or the results cannot be meaningful.
The DRE is a data capture system. It reduces a vote to an addition to a count. The difficulty is that the voter's secret vote alters these counts but the voter has no idea what they stood at before the vote, or what they stood at after the vote. The voter has no idea if it was electronically applied correctly. Neither can anyone else know since the vote is a secret.
Since the system relies on the anonymity of the voter and the secrecy of the vote, there is absolutely no means of proving the equipment is operating correctly.
Nonetheless, the touch screen gives the impression to the voter that the vote was applied correctly. Unfortunately, there is no means of proving that the visual and electronic records are the same.
Electronic Voting is the modern equivalent of the "Emperor's New Clothes." It takes the innocence of a child to make this unwelcome observation.
The DRE venture into electronic voting is a very poor concept and a very costly mistake - $5 billion and counting.
Most activist organizations who are aware of these issues think they can solve the problem with more hardware and paper records at the polling place. More "Emperor's new clothes" provide little more than a fig leaf. The solution lies in integrating the system and showing how the vote contributed to the result. No amount of equipment or paper at the start of the process helps to secure the eventual use of the vote.
Electronic Elections are a different concept. They provide an end to end proof of how each vote is applied. The voter can verify the use of the vote. This is orders of magnitude more precise and secure than any former approach. Information cannot be secured effectively without retaining the knowledge of the information being secured. In a secret ballot system the voter is the only one entitled to this information. The voter has to be engaged in the process. The self-service transaction model is used prolifically in e-commerce because it is the correct model for applications like this. Confidential information is routinely handled using this model. The model never relies exclusively on the electronic system for the safe keeping of information and routinely provides evidence of what is being done.
This model is right for elections. It enables elections and the results to be based on detailed public evidence.
Electronic Elections can ensure that voters and the electorate have the evidence and therefore own the process again. The Election Administrators and their suppliers are restored to their proper role as facilitators. It relieves them of responsibilities which they are incapable of discharging on behalf of the electorate. By definition they cannot be sure that they preserved the security of secret and anonymous data when they cannot know what the input was or what the output result should be.
They cannot currently identify all errors or guarantee there has been no malicious intrusion. In E-Commerce, when a user initiates a transaction with a supplier, a physical information token is established which can be subsequently used to ensure the goods or services are rendered. It is a legal contract and is admissible evidence.