Has anyone here worked on developing a voting machine?
Why is this such a complicated problem? There don't seem to be many issues to consider when designing the interface, logic, and storage for one of these machines. I feel like many programmers could develop something like this in a matter of hours.
I can imagine some issues if you try to introduce networking, but I don't see any reason why networking should be necessary. Just keep it simple.
Many people advocate for paper and pencil because of its simplicity, but it should be obvious why that is potentially a much more complicated solution. It relies on humans to record and later read a large amount of information delivered in small chunks. Humans are terrible at that! Getting a machine to read data from the printed page hardly seems any more trivial. That's not even to mention the potential issues that arise from managing the large amount of physical voting cards.
If anyone has worked on one of these machines, I'd be very interested to hear their thoughts on the matter.
Because a software/hardware solution is inherently inscrutable to the overwhelming majority of the population. It's amenable to hacking and not amenable to auditing.
The problem is NOT "build a zero-stakes voting web app", it's more like "build a voting machine which ensures the voter can audit their vote and election auditors can audit election tallies with full transparency, and with a threat model of people trying to hack the voting machines to control election results". Getting better than pencil, scannable paper ballots, and auditors from all (political) parties involved in that election to cover vote counting / recounts: that's the really, really hard part.
Are you saying it's a public consciousness thing, then?
When I vote, it is my understanding that when I stuff my paper ballot into the box (or sometimes even just hand it over to someone), I am forced to trust the staff to account for my vote. Personally, I don't feel like I'm any more protected against bad actors by using pencil-and-paper.
The only truly-auditable solution I can think of is to have everyone make their vote public, but that is obviously not a reasonable solution.
There are eyes on your ballot and the voting urn, and there may be observers from different political parties present at your polling location, also keeping eyes on the ballots and the urns.
At your polling place, you count the number of ballots going into each urn, and you count the number of ballots coming out of each urn when voting is over. You do a preliminary counting of the ballots, and then they get put back into the urns, that are then sealed, and sent off to some central place for a second counting.
So at every step there are multiple eyes on all pieces, and there are many points where you can discover discrepancies that might indicate cheating. And you can have as many observers as you like at any part of the process, from opposing political parties. So you use their distrust of each other to create trust in the process.
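The checkpoint counts described in the comment above (ballots in, ballots out, preliminary count, second count of the sealed urn) can be cross-checked mechanically. The following is an added example, not part of the thread; the record fields, urn IDs and sample figures are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class UrnRecord:
    urn_id: str
    ballots_in: int      # observers' count of ballots going into the urn
    ballots_out: int     # count of ballots taken out when voting is over
    local_tally: dict    # preliminary count at the polling place
    central_tally: dict  # second count at the central location
    seal_intact: bool    # seal state when the urn arrives for the second count

def reconcile(rec):
    """Return the discrepancies found for one urn (empty list = consistent)."""
    issues = []
    if rec.ballots_in != rec.ballots_out:
        issues.append(f"{rec.ballots_in} ballots in, {rec.ballots_out} out")
    if sum(rec.local_tally.values()) != rec.ballots_out:
        issues.append("local tally does not add up to ballots out")
    if not rec.seal_intact:
        issues.append("seal broken before second count")
    if sum(rec.central_tally.values()) != rec.ballots_out:
        issues.append("central tally does not add up to ballots out")
    for choice in sorted(set(rec.local_tally) | set(rec.central_tally)):
        local = rec.local_tally.get(choice, 0)
        central = rec.central_tally.get(choice, 0)
        if local != central:
            issues.append(f"{choice}: local {local}, central {central}")
    return issues

def audit(records):
    """Map urn_id -> discrepancies, listing only urns that need follow-up."""
    found = {r.urn_id: reconcile(r) for r in records}
    return {urn: issues for urn, issues in found.items() if issues}

# Constructed sample data (not real election figures).
SAMPLE = [
    UrnRecord("U1", 412, 412, {"A": 200, "B": 205, "invalid": 7},
              {"A": 200, "B": 205, "invalid": 7}, True),
    UrnRecord("U2", 388, 391, {"A": 190, "B": 195, "invalid": 6},
              {"A": 190, "B": 195, "invalid": 6}, True),
    UrnRecord("U3", 300, 300, {"A": 150, "B": 145, "invalid": 5},
              {"A": 140, "B": 155, "invalid": 5}, True),
]

if __name__ == "__main__":
    for urn, issues in audit(SAMPLE).items():
        print(urn, issues)
```

Each check corresponds to a point where observers could notice a discrepancy; a mismatch only says which urn to recount by hand, not what caused it.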
Voting systems are like banks or computer systems: it's not humanly possible to invent one that is safe from fraud, malfeasance, or even human error. Except unlike banks and computer systems, voting systems are by their very nature designed and operated by the very people who would benefit from manipulating them.
Political distrust only goes so far, because winning elections tends to give you more control over the government, which in turn allows you to manipulate elections so that you continue to win them. On the local level, the opposition party often diminishes to the point where not only do they lack the manpower and organization to effectively even contest elections, but the national party effectively abandons the area entirely.
> Political distrust only goes so far, because winning elections tends to give you more control over the government, which in turn allows you to manipulate elections
In banana republics, sure, in civilized countries, not so much.
> On the local level, the opposition party
Again, I'm sorry the US has the incredibly shitty first-past-the-post election shit, because that is the cause of the inevitable two-party system shit.
If the US had a better representative democracy, this wouldn't be a problem.
However, even with the situation you describe, it should be possible to guess which districts will be the closest in margin, and make sure you put more eyes on those districts, in favor of districts that are sure to go either way. That's good enough to secure the election result.
> Again, I'm sorry the US has the incredibly shitty first-past-the-post election shit, because that is the cause of the inevitable two-party system shit.
It's not just the US; it's every English-speaking country except New Zealand. Proportional representation doesn't really stop governments from manipulating their elections either--for example, the Russian Duma has proportional representation.
That's an interesting point. We could require voting software and hardware be open-source, but I guess there's still opportunity for it to be tampered with during its deployment and operation. Hardware and software are complicated, so it's not as easy for the average worker at the polling location to verify.
We could have a solution where the hardware and software are developed independently and both include logic to independently verify the other's authenticity... but that's still open to attack vectors (however difficult they may be).
All that said, the urn system you described does not reflect any experience I've had. I've always been asked to fill out a single paper form with choices for multiple offices and submit the form to either a ballot box or a worker at the polling location. That complicates the tallying process, but I can definitely see how it is still easier to audit than a voting machine.
You can have machines that receive and scan the ballot (instead of a simple box), without losing the paper trail, and keeping a count of the number of submitted ballots (the number of used ballots is also controlled and counted).
> When I vote, it is my understanding that when I stuff my paper ballot into the box (or sometimes even just hand it over to someone), I am forced to trust the staff to account for my vote. Personally, I don't feel like I'm any more protected against bad actors by using pencil-and-paper.
> Why is this such a complicated problem? There don't seem to be many issues to consider when designing the interface, logic, and storage for one of these machines. I feel like many programmers could develop something like this in a matter of hours.
I have just watched a video recently posted on YouTube showing the innards of the Brazilian electronic ballot (which will be used for the 2nd turn elections in the whole country this Sunday): https://www.youtube.com/watch?v=4wrMLzqgKEI (unfortunately, in Portuguese only). He mentions some issues, for instance reliability: with tens of thousands of these devices, some will break, and you must be able to replace the device without losing votes. The device must be resistant to vandalism. The votes must be scrambled after each ballot so that it's not possible to discover who you voted for after the fact. For the same reason, it must be hard to insert a keylogger registering the keypresses. The central counting must be auditable. And so on.
The system that's currently spreading records votes with pen and paper and then scans them with a machine, which can be audited and recounted and all that, and it tests very well. The entire state of California uses it successfully, plus a bunch of other places.