Being open source is a very good idea, but it doesn't mean the software that's actually loaded into the machines isn't compromised.

The way to minimize the risk of that is to have two voting machines, with independently developed software in each. Then see if the two produce the same result.

What's important for voting confidence is having the count be auditable, which is much more important than having the machines be secure. After all, banks learned how to do that with money long ago. Banking software has been compromised in the past, but the auditability catches it.

I believe the generally accepted way of solving this problem is to do Risk Limiting Audits of the system; randomly sample districts, and then manually recount until you're confident to X sigma that the results are correct (or, if the audit diverges, you trigger a full manual recount). Citation: https://verifiedvoting.org/audits/whatisrla/

There's a recent report that goes into a lot of details on the various improvements that should be prioritized in the current system: https://nap.nationalacademies.org/catalog/25120/securing-the....
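The sample-then-recount procedure described in the comment above, as an added illustrative example (not code from the commenter or from verifiedvoting.org): a simplified ballot-polling risk-limiting audit in the style of BRAVO (Lindeman and Stark). Ballots for the reported winner push a sequential test statistic up, ballots for the reported loser push it down, and the audit either confirms the outcome at the chosen risk limit or escalates to a full hand count. Candidate names, reported totals and the paper ballots are constructed; real audits also cover multiple contests, ballot-comparison designs and sampling from a ballot manifest, all of which this omits.

```python
import math
import random


def winner_share(reported, winner, loser):
    """Reported share s_w of the winner among ballots for the two compared candidates."""
    w, l = reported[winner], reported[loser]
    if w <= l:
        raise ValueError("reported winner must have more reported votes than the loser")
    return w / (w + l)


def bravo_audit(paper_ballots, reported, winner, loser, risk_limit=0.05, seed=None):
    """
    BRAVO-style ballot-polling audit of one winner/loser pair.

    paper_ballots : hand interpretation of each paper ballot (the ground truth
                    the audit samples from); a candidate name or None.
    reported      : reported totals, e.g. {"A": 6000, "B": 4000} (constructed).
    risk_limit    : maximum probability that a wrong reported outcome is confirmed.
    Returns (outcome, ballots_examined), outcome in {"confirmed", "full_hand_count"}.
    """
    s_w = winner_share(reported, winner, loser)
    log_threshold = math.log(1.0 / risk_limit)
    rng = random.Random(seed)
    log_t = 0.0  # log of the test statistic T; T starts at 1
    # Sample with replacement; if the statistic has not crossed the threshold
    # after as many draws as there are ballots, escalate to a full hand count.
    for examined in range(1, len(paper_ballots) + 1):
        ballot = paper_ballots[rng.randrange(len(paper_ballots))]
        if ballot == winner:
            log_t += math.log(s_w / 0.5)        # evidence for the reported outcome
        elif ballot == loser:
            log_t += math.log((1 - s_w) / 0.5)  # evidence against it
        # undervotes and ballots for other candidates leave T unchanged
        if log_t >= log_threshold:
            return "confirmed", examined
    return "full_hand_count", len(paper_ballots)


def make_ballots(counts, seed=0):
    """Constructed paper record: a shuffled list of ballots matching `counts`."""
    ballots = [cand for cand, n in counts.items() for _ in range(n)]
    random.Random(seed).shuffle(ballots)
    return ballots


if __name__ == "__main__":
    reported = {"A": 6000, "B": 4000}
    # Case 1: the paper record matches the reported totals.
    honest = make_ballots({"A": 6000, "B": 4000})
    print(bravo_audit(honest, reported, "A", "B", seed=1))
    # Case 2: the reported totals are wrong; on paper B actually won 60/40,
    # so the statistic drifts downward and the audit escalates.
    tampered = make_ballots({"A": 4000, "B": 6000})
    print(bravo_audit(tampered, reported, "A", "B", seed=1))
```

The point the code makes is the one in the comment: confidence comes from the paper record plus a sampling rule with a known error bound, not from trusting the tabulating software. A 5% risk limit means at most a 5% chance of confirming a wrong outcome, and a wide reported margin (60/40 here) is confirmed after a few hundred draws out of ten thousand ballots.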

I don't really understand why we are always stuck in the past on things like this. 155 million votes, spread out over thousands of polling stations, is a minuscule number. Why not have each voting station digitally scan/print every ballot cast, and then, once the stations close, upload everything to a centralized and publicly accessible server organized by station and their reported polling result. If anybody wants to do a recount, they can, to whatever degree of confidence and using whatever method they prefer.

One might still make claims of ballot stuffing or exclusion, but there would be literally zero doubt that the count itself was accurate.

Have a look at the links I shared above, particularly https://verifiedvoting.org/votingequipment/ for a quick summary; it gives some analysis of different voting equipment and concerns thereof.

In particular, purely-digital systems are widely regarded to be too vulnerable to hacking to be safe. What you're describing sounds like DRE with VVPAT, which isn't considered to be a secure option, though it's better than DRE without VVPAT since, as you note, you can in principle audit it. (However, note that most jurisdictions don't yet do RLAs to randomly audit, so right now digitizing, even with VVPAT, could weaken the system.)

I think the basic idea here is -- if paper is secure and will be your fallback, and digital is insecure, you should just build your process to be optimized for paper-first, rather than digital-first. Digitizing as you suggest doesn't really gain anything over paper (except perhaps reporting provisional results faster, but you'd still need to do a risk-limiting audit to verify that your digital votes didn't get hacked so this might be a wash), but it does add more attack surfaces along the chain of custody.

Ultimately, paper is a very robust solution to the problem of making the system hard to subvert at scale; you can think of it as a sort of "proof of work", where it would be extremely difficult for, say, Russia, or the DNC / RNC to tamper with large quantities of ballots across the nation. Compare that robustness with a digital system, where IF it works you have the same properties... but around here we all know that almost all digital systems can be owned by a persistent enough adversary.

If you're willing to relax some of the requirements around refutability, there are some interesting e-voting schemes, for example you can do some cool stuff with homomorphic encryption like https://github.com/microsoft/electionguard/. But there is something to be said for having a tallying algorithm like "count the pieces of paper" that doesn't require a PhD to understand.
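The homomorphic-encryption idea mentioned at the end of the comment above, as an added illustrative example (not code from the commenter or from the ElectionGuard project): a toy exponential ElGamal tally, the scheme family ElectionGuard builds on. Each 0/1 vote is encrypted as g^vote, the ciphertexts are multiplied together, and only the aggregate is ever decrypted, so the tally can be recomputed by anyone holding the published ciphertexts without learning individual votes. The group parameters are tiny constructed values (p = 1019) chosen so the code is self-checking; a real system uses standardised groups of thousands of bits, threshold decryption so no single party holds the key, and zero-knowledge proofs that each ballot really encrypts 0 or 1, all of which this omits.

```python
import random


def is_prime(n):
    """Trial division; adequate only for the toy-sized parameters used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


# Constructed toy parameters: safe prime P = 2Q + 1 and a generator G of the
# order-Q subgroup (G = 4 is a quadratic residue, so its order is Q).
Q = 509
P = 2 * Q + 1
G = 4
assert is_prime(P) and is_prime(Q) and G != 1 and pow(G, Q, P) == 1


def keygen(rng):
    """Private key x, public key h = g^x."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def encrypt_bit(pk, m, rng):
    """Exponential ElGamal: encrypt the vote m in {0,1} encoded as g^m."""
    if m not in (0, 1):
        raise ValueError("a ballot entry must be 0 or 1")
    r = rng.randrange(1, Q)
    return pow(G, r, P), (pow(G, m, P) * pow(pk, r, P)) % P


def add_ciphertexts(cts):
    """Componentwise product of ciphertexts encrypts the sum of the plaintexts."""
    a, b = 1, 1
    for c1, c2 in cts:
        a = a * c1 % P
        b = b * c2 % P
    return a, b


def decrypt_count(sk, ct, max_count):
    """Recover g^sum as c2 / c1^sk, then the sum itself by search over 0..max_count."""
    c1, c2 = ct
    g_sum = c2 * pow(c1, P - 1 - sk, P) % P  # c1^(P-1-sk) == c1^(-sk) by Fermat
    for s in range(max_count + 1):
        if pow(G, s, P) == g_sum:
            return s
    raise ValueError("aggregate is not a valid count (malformed ballot?)")


def tally(votes, seed=42):
    """Encrypt each constructed 0/1 vote, aggregate under encryption, decrypt only the total."""
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    ciphertexts = [encrypt_bit(pk, v, rng) for v in votes]
    return decrypt_count(sk, add_ciphertexts(ciphertexts), len(votes))


if __name__ == "__main__":
    print(tally([1, 0, 1, 1, 0, 0, 1]))  # constructed ballots for one yes/no question
```

The search in `decrypt_count` is why this is called exponential ElGamal: the plaintext lives in the exponent, which is what makes ciphertext multiplication add votes, and it is recoverable only because a vote count is small. It also shows where the trust moves: the arithmetic is public and checkable, but the secret key holder and the well-formedness of each ballot are the parts a real design has to constrain, and none of it is as simple to explain as counting pieces of paper.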