[Cross-posted to the Command Post; note that I've also posted several entries about possible voting fraud or error in this category at the same site. Please leave comments about this entry at the first link, not here]

I'd like to know if this eVoting system is used already, and if someone can point out flaws:

It's a two step process.

The voter first fills out a normal paper ballot using some standard technique: filling in circles, connecting arrows, etc.

Then they walk over to a scanner with a monitor and insert the ballot into the scanner. The monitor displays their selections. If the voter sees everything is OK, they press "OK" and the ballot is ejected from the machine. The monitor (or keyboard) only has two choices: "OK" and "Cancel." The voter can't use the scanner/monitor to change their votes, they can only accept or reject the selections shown. If the voter chooses "OK", the voter then puts that ballot into an envelope and puts that envelope into the ballot box.

Poll workers make sure no one can put a ballot into the ballot box without first putting it through the scanner; perhaps the ballot could be marked by the scanner with a mark identifying the exact machine but not using a sequential number that could be used to identify the voter.

The scanner records a preliminary count which stands as the official count unless something unexpected happens. A memory card in the scanner is physically transported to a central tabulator and the votes are read and published. The scanner would not have a modem. (Someone switching in a fake memory card here would need to be addressed in some way).

Random samples of precincts are done to ensure that the machines worked OK and the data on the memory card(s) from that precinct matches the votes on the physical ballots.

There would be a possible series of random samples of widening sizes, depending on errors found. If, in the first random sample no errors are found, then the preliminary count is assumed to be correct. However, if a certain percentage of problems are found, then a larger sample is taken. At some point, the whole state would be recounted if enough problems are found in the preceding samples. When doing a sample, the physical ballots would be counted by hand using a group of observers from all major parties.

In the case of a recount, the physical ballots are counted and they take precedence over the electronic count.

If, during the voting procedure, the voter says the scanner's output doesn't match how they voted (i.e., they press "Cancel"), that ballot is placed in a special bin, perhaps together with a note about the specific discrepancy. Then, the voter is given a completely new ballot and has to go through the process from the beginning. These "canceled" ballots could be inspected later to investigate problems or to correct flaws in the system.

If enough voters notice discrepancies, then we have first warning of a problem with that scanner or the ballot or other things.