This year I signed up as a poll worker to help, and to learn more.
One choice is voting by mail. You sign up to vote by mail, get a ballot in the mail, fill it in, sign the envelope, and mail it back (or stick it in a voting dropbox), and you're done.
First, you're supposed to turn up at your assigned polling precinct. You can ignore this and still vote (provisionally), and I'll get to that, but you're supposed to turn up at the assigned one.
The list of people assigned to a precinct is posted outside the precinct.
You then go off to a voting booth, and vote, privately. You're given a little folder thing so that when not in the booth you can maintain the privacy of your cards.
In short, we basically can't turn people away from voting: voting provisionally is always an option.
(easy for me, not ever needing to say no zeroes the chances of doing it incorrectly and having legal issues)
Envelope has a stub with some numbers on it.
One important property is that nobody -- not even you -- can find out who you voted for. The ballot card doesn't have your name on it. The ballot card ID isn't noted down with your name anywhere.
Already got a vote by mail ballot? Sorry, give it back or vote provisionally.
Spoiled your ballot? Give it back before you get another one.
That is, ultimately the entire election can be verified by counting the results on these anonymous ballots. Another (related) property.
I'd argue there's a fourth property: obviousness: to a large part, what you need to do in the voting booth should be obvious. You're allowed to request assistance, and we do tell you things about voting, but we shouldn't need to
Well, first off, I want to emphasize that voter fraud isn't a major problem in the US, and is far less prevalent than suppression, tradeoffs between fraud and suppression have an easy answer.
We can sneakily submit extra ballots.
Wait, no, ballot counts have to match the voter rolls. Can't cross people off prematurely, there's a chance of being caught (same problem as previously)
To do any of this all of the poll workers have to collude anyway, it would be easy to notice this otherwise. And poll watchers exist too, so this is tricky/impossible.
Wait, no, they can't. All the receptacles non-defaced ballots end up in are secured with a seal. The numbers on these seals are known so you can't replace them.
Not quite the same thing, but relevant.
(They also seem to have a shortage of bilingual workers, at least in these parts, so if you speak languages that are locally common, help!)
It's kinda okay for machines used only in cases when folks can't cast a paper ballot, but still problematic.
Secrecy: any method of verifying the actual contents of your vote post-election is broken. Verification must be something you can do then and there and *only* then and there.
The moment you say blockchain, you've already lost.
Not in any of these systems.