Scratch, click, and vote

Scratch, Click, and Vote is a proposed voting protocol developed by Miroslaw Kutylowski and Filip Zagorski of Wroclaw University of Technology in Poland. The idea behind the system is protection against viruses. Voters need a scratch-off card before voting, and use the information on that card to vote without letting their computer know who they voted for. The card carries a serial number so that the vote can be tallied. The entire system is also end-to-end verifiable.

Infrastructure attack protection
All internet voting systems are vulnerable to denial-of-service attacks. There are defenses against these kinds of attacks, but they can't stand up to an adversary with sufficient computing power. In such a situation voters would have to vote in person (or by mail).

Outsider hacking protection
The election authority (EA) can be caught if a voter's receipt differs from the data in the table. Also, the Proxy (which communicates with the EA) commits to the voter's choice before it knows the serial number. Both systems would have to be compromised, which would be difficult.

Malware and virus protection
Users have a fair amount of protection against viruses, because the computer itself doesn't know which candidate the voter is voting for - that information is on the coding card. However, a virus could simply scramble the content of the voter's vote, so that the candidate the voter's computer chooses is random. Voters can verify their vote was included in the final tally, yet it may be unclear when the number of people who claim they had a virus on their computer is high enough to warrant a recount via other means.

Man in the middle attack protection
A man-in-the-middle attack would be somewhat difficult because an observer wouldn't know the content of a voter's choice. The attacker could try to intercept the message and not forward it, but that would be noticed by the Proxy. In the worst case the voter has a receipt. Ultimately, there's nothing useful that the man in the middle can do.

Insider attack protection
This hasn't been addressed because the system is theoretical. It is a big issue, however. It can be partially addressed by 1) open source software and 2) security of the systems themselves - at least there are fewer machines to deal with compared with DREs.

Coercion resistance
There are protections against coercion - a voter could use a coding card separate from the one shown to the observer, or could connect to a "decoy service" - but these may not be practical. Such a system might also allow voters to vote at a polling station, which may help mitigate this issue.

Ensuring one person, one vote
So long as the cards are passed out correctly, voters should only be allowed to vote once. How to implement this process is an open question - voters need a username and password to log into an election website run by a Proxy (account registration might be tricky to implement).

Counting and tallying accuracy
Pre-election and post-election audits are put in place to help ensure accuracy of vote tallying. Theoretically anyone can verify that their vote was counted using their receipt.

Voter anonymity
So long as the Proxy and the Election Authority aren't both corrupt, the condition of anonymity should be met. The Proxy doesn't know the permutation used on the ballot, and the EA doesn't know the voter's identity.

Voter verifiability
The system is, in theory, voter verifiable after the election - the voter gets a receipt which can be used to check whether it appears in the table containing election results. But it may be unclear what should happen if a voter discovers that their receipt differs from the value published in the election results. Unless receipts can't be falsified (which would harm anonymity) there is always a chance someone will 'cry wolf' and say that the system recorded their vote incorrectly. This possibility needs to be addressed.
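
The following added example is a deliberately simplified model of two ideas described above (the computer sees only a position on the coding card, and a receipt is checked against the published table); it is not the protocol from the Scratch, Click, and Vote paper. The card layout, the hash-based receipt and all function names are assumptions made for illustration, and the candidate list is constructed sample data.

```python
import hashlib
import random

CANDIDATES = ["Alice", "Bob", "Carol", "Dave"]  # constructed sample ballot


def make_card(serial, rng):
    """Hypothetical coding card: serial number plus a secret candidate order."""
    rows = CANDIDATES[:]
    rng.shuffle(rows)
    return {"serial": serial, "rows": rows}


def receipt(serial, row):
    """Toy receipt (assumption): hash binding the serial to the submitted row."""
    return hashlib.sha256(f"{serial}:{row}".encode()).hexdigest()[:16]


def cast(choice, seed, altered=False):
    """Model one vote; `altered` stands for any change made after the click."""
    card = make_card(f"S-{seed:04d}", random.Random(seed))
    layout_by_serial = {card["serial"]: card["rows"]}  # held away from the PC
    clicked = card["rows"].index(choice)  # all the voter's PC ever sees
    voter_receipt = receipt(card["serial"], clicked)
    # Without the card layout, an alteration can only pick some other row.
    recorded = (clicked + 1) % len(CANDIDATES) if altered else clicked
    return {
        "pc_view": clicked,
        "counted_for": layout_by_serial[card["serial"]][recorded],
        "receipt_in_table": voter_receipt == receipt(card["serial"], recorded),
    }


def rows_seen_for(choice, cards=50):
    """Row indices the PC observes for one candidate across many cards."""
    return {cast(choice, seed)["pc_view"] for seed in range(cards)}


if __name__ == "__main__":
    print(cast("Bob", seed=1))
    print(cast("Bob", seed=1, altered=True))
    print(sorted(rows_seen_for("Bob")))
```

In this model an altered submission is counted for a different candidate and the voter's receipt no longer matches the published entry, while the row index alone does not identify the candidate because it changes from card to card.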

Immediate results protection
Immediate results are on the election authority server - the authority has to be trusted not to publish them. This assumes that the election authorities aren't curious. Of course, it's a theoretical system, so there might be a solution to this that's not mentioned in the paper introducing Scratch, Click, and Vote.

Ease of performing a recount
The election can be audited, but the system provides no mechanism for a recount. Voters would have to vote at a polling place if the election is deemed corrupt. However, it may be hard to determine whether the election was corrupt without disclosing its results (which would violate the principle of Fairness). So long as voting is done sufficiently in advance (and assuming the election can be certified in this way), recountability will not be a major problem.

Usability
It's a theoretical system, but even the authors conclude that it might not be simple to use - a voter would need to click next to every candidate and find the right candidate on the scratch-sheet. Scratching the film off the sheet may be hard for voters with disabilities. But there are likely solutions to these problems.