In the 2009 Security Protocols Workshop, the Pretty Good Democracy scheme was presented. This scheme has the appeal of allowing voters to cast votes remotely, e.g. via the Internet, and confirm correct receipt in a single session. The scheme provides a degree of end-to-end verifiability: receipt of the correct acknowledgement code provides assurance that the vote will be accurately included in the final tally. The scheme does not require any trust in a voter client device. It does however have a number of vulnerabilities: privacy and accuracy depend on vote codes being kept secret. It also suffers the usual coercion style threats common to most remote voting schemes.
In this paper we investigate how to counter the above threats by introducing modest cryptographic capabilities, and modest trust assumptions, to the voting client. Of course, we are simply shifting trust, but we are transforming it and, arguably, making the trusted devices more accountable. Which design is deemed more secure will depend on the threat environment.