> Well, this is one reason why the last three places I’ve lived don’t allow phone usage in the polling station and have processes for getting another ballot

Do they kindly ask people not to use phones inside the polling station, or do they actually bodyscan people for electronic devices when they go in the booth? Because if they just ask kindly, that's not preventing anything.

Finland also has processes for getting another ballot, but only until you cast a ballot. You can't invalidate a ballot that has already been cast. So that means you can go in the voting booth, take a picture of how you voted, and then ask for another ballot. This would be sufficient to fool anyone trying to buy votes en masse, but it wouldn't fool the spouse of the voter, who could be physically present at the polling station.

> none of the electronic systems can survive that level of control either

Some of them do, actually. Some electronic voting systems craft proofs which are convincing to the voter, but only to the voter. This means that the voter can cryptographically verify that their vote has been cast correctly, but the voter wouldn't be able to convince a potential vote-buyer how they voted, because the voter could have potentially forged the proof.

> Banking has key differences, though, which I think are significant: you can do non-anonymous audits, you don’t need deniability, and most importantly you can restore losses after the fact.

Yes, online banking is a much easier problem. Despite that the actual implementation is garbage fire from 1970s. I was just trying to say that getting people to trust a complicated system is possible (e.g. people trust online banking, despite it being a complete garbage fire). Therefore, it could be possible to get people to trust a cryptographically verifiable voting system as well.

> Some of them do, actually. Some electronic voting systems craft proofs which are convincing to the voter, but only to the voter. This means that the voter can cryptographically verify that their vote has been cast correctly, but the voter wouldn't be able to convince a potential vote-buyer how they voted, because the voter could have potentially forged the proof.

You’re positing a situation where someone can force them to vote at a specific time and place and either watch them or have them send proof of how they voted on paper. How realistic is it to think that an electronic system wouldn’t be at least as vulnerable to that same attack, even before you consider the likelihood that an attacker with that much control could use their credentials to vote or verify their history, install spyware, etc.? It’s one thing to have a game theoretical chance to deniably cast a vote and quite another to, say, be confident enough that you’ll be able to convince an abusive spouse to believe you.

Let's take Civitas as an example. In Civitas, a voter has both "real credentials" and "fake credentials" that they can use to vote. Let's say that the spouse of the voter forces them to vote on a malware-infested machine, at a specific time and and place, while physically watching them vote, and also capturing any forensic evidence available on the machine. In this hypothetical the voter can simply use their fake credentials to cast a fake vote, and later use their real credentials to cast a real vote in secrecy. Will an abusive spouse be convinced that the coercion worked? No, but there is nothing the voter can do to convince the spouse in this case anyway. Even if the voter uses their real credentials to vote, they still have the same problem: they have no ability to convince their spouse that they voted as requested.