The general idea is to implement an interface on the Wikimedia side for receipt verification. The user will submit their receipt and their idea of what they voted for, and Wikimedia will thank them and record that information. Then statistics can be shown to election administrators on the agreement between receipts and secondary votes. This is what I've been calling bi-organisational verification, and it checks one system against the other.

You can't have a receipt which shows who they voted for in the clear, with a signature attached, because that allows vote-buying. And for the same reason, you can't have an interface which confirms that a given receipt was a vote for a particular person. The best you can do is confirm that the receipt was accurate for a random sample of voters.

I have no idea what you mean by "vote-buying".

What I expect when I hear receipt is a record of what I voted for plus some signature verifying authenticity. In other words the receipt would be as valid a proof that a vote was cast as the electronic record on the server. This would then be coupled with some electronic means to allow a person to submit their receipt and verify that the corresponding vote was included in the record.

Regardless of anything else, the post-vote page should still show a confirmation that vote X was cast for Y, even if nothing about the receipt is changed. Multiple people thought being handled a block of encrypted text with no readable summary was a sign of an error.

(In reply to comment #2)

I have no idea what you mean by "vote-buying".

Say if Microsoft offered $10 per vote cast in favour of Bill Gates for a Board position. If receipts were remotely verifiable, then they could set up a website where you just nominated your paypal account and submitted your receipt. They could verify the receipt automatically and send the money. If there is no remotely verifiable receipt, then people can vote for whoever they want and claim to Microsoft that it was Bill Gates, thus undermining the vote-buying system and significantly reducing Microsoft's ability to influence the election.

It doesn't help to require the user's password before verifying the receipt, since users will happily hand over their password to Microsoft in exchange for money.

So if a receipt does state who the user voted for in cleartext, we would have to make it clear to the voter that that part of the receipt is forgeable, and provide instructions on how to forge it. I think it would be simpler to just change the introductory text to explain why there is no cleartext confirmation.

This was basically reopened in T22023. I think it might be worth re-evaluating since our infrastructure etc has presumably evolved quite a bit since 2009.