> P6/7 would normally be green for in person paper

I doubt that. Are there voting schemes out there which prevent people from bringing mobile phones inside a voting booth? If not, then spouses can walk to a polling station together, and one spouse can walk inside the voting booth alone, take a picture of the filled-out ballot, and then drop the ballot to the box in view of their spouse. If there is no method of preventing photography inside the voting booth, and no method of invalidating a cast vote afterwards, then spouses can easily prove to each other how they voted.

> More importantly, however, it’s a mistake to give all of those equal weight.

Fully agreed.

> it is much harder to build public confidence in a system which a fraction of a percent of the population understands

I agree that more complicated systems are harder to understand than simpler systems, especially to laypersons. That said, I do not think that laypersons have a very in-depth understanding of how their paper-voting schemes currently work. There's an element of trust that goes into it, like surely some smart people have verified that the voting system in place is alright. If we had a more complicated system in place, then laypersons would need a bit more of that trust.

Laypersons have trust in things like online banking, even though it's technically a flaming garbage fire. People could just as well have trust in a cryptographically verified voting scheme.

> I doubt that. Are there voting schemes out there which prevent people from bringing mobile phones inside a voting booth?

Well, this is one reason why the last three places I’ve lived don’t allow phone usage in the polling station and have processes for getting another ballot, but also none of the electronic systems can survive that level of control either — most of them make it substantially easier for the attacker, especially at scale. That last part is important because the more people are required to pull off an attack the less likely it is to be successful.

> Laypersons have trust in things like online banking, even though it's technically a flaming garbage fire. People could just as well have trust in a cryptographically verified voting scheme.

Banking has key differences, though, which I think are significant: you can do non-anonymous audits, you don’t need deniability, and most importantly you can restore losses after the fact.

> Well, this is one reason why the last three places I’ve lived don’t allow phone usage in the polling station and have processes for getting another ballot

Do they kindly ask people not to use phones inside the polling station, or do they actually bodyscan people for electronic devices when they go in the booth? Because if they just ask kindly, that's not preventing anything.

Finland also has processes for getting another ballot, but only until you cast a ballot. You can't invalidate a ballot that has already been cast. So that means you can go in the voting booth, take a picture of how you voted, and then ask for another ballot. This would be sufficient to fool anyone trying to buy votes en masse, but it wouldn't fool the spouse of the voter, who could be physically present at the polling station.

> none of the electronic systems can survive that level of control either

Some of them do, actually. Some electronic voting systems craft proofs which are convincing to the voter, but only to the voter. This means that the voter can cryptographically verify that their vote has been cast correctly, but the voter wouldn't be able to convince a potential vote-buyer how they voted, because the voter could have potentially forged the proof.

> Banking has key differences, though, which I think are significant: you can do non-anonymous audits, you don’t need deniability, and most importantly you can restore losses after the fact.

Yes, online banking is a much easier problem. Despite that the actual implementation is garbage fire from 1970s. I was just trying to say that getting people to trust a complicated system is possible (e.g. people trust online banking, despite it being a complete garbage fire). Therefore, it could be possible to get people to trust a cryptographically verifiable voting system as well.

> Some of them do, actually. Some electronic voting systems craft proofs which are convincing to the voter, but only to the voter. This means that the voter can cryptographically verify that their vote has been cast correctly, but the voter wouldn't be able to convince a potential vote-buyer how they voted, because the voter could have potentially forged the proof.

You’re positing a situation where someone can force them to vote at a specific time and place and either watch them or have them send proof of how they voted on paper. How realistic is it to think that an electronic system wouldn’t be at least as vulnerable to that same attack, even before you consider the likelihood that an attacker with that much control could use their credentials to vote or verify their history, install spyware, etc.? It’s one thing to have a game theoretical chance to deniably cast a vote and quite another to, say, be confident enough that you’ll be able to convince an abusive spouse to believe you.

Let's take Civitas as an example. In Civitas, a voter has both "real credentials" and "fake credentials" that they can use to vote. Let's say that the spouse of the voter forces them to vote on a malware-infested machine, at a specific time and and place, while physically watching them vote, and also capturing any forensic evidence available on the machine. In this hypothetical the voter can simply use their fake credentials to cast a fake vote, and later use their real credentials to cast a real vote in secrecy. Will an abusive spouse be convinced that the coercion worked? No, but there is nothing the voter can do to convince the spouse in this case anyway. Even if the voter uses their real credentials to vote, they still have the same problem: they have no ability to convince their spouse that they voted as requested.