So the threat model is someone hijacks the firmware in a voting machine to record votes other than what the voter selected, and it's much easier for someone to flip millions of digital bits without being detected than for someone to change the box which is ticked on millions of bits of paper.

The threat model is "any attack that could work will be tried"--elections tend to be about huge power, and there is pretty much nothing some people wouldn't try to obtain that power.

In a properly functioning democracy, any citizen can go and watch the voting process, they can look into the empty ballot box at the start of the day, and watch the people coming to vote all day, to see who gets to vote and how many ballots they get to put into the box, and that voters are effectively being prevented from showing their vote to anyone, and then they can watch the ballot box being emptied and the votes being counted at the end of the day.

Also, in a properly functioning democracy, the voter can rather easily verify that noone is watching them as they vote.

Pretty much none of that is possible with electronic voting.

> Would the same be true if the machines weren't networked and basically dumb counting machines?

1. Yes.

2. How could you verify that there is no network connection anyway?

3. "Network connections" can be accidental. There was the case of the Nedap voting computers in the Netherlands where people from the CCC and Rop Gonggrijp showed that due to non-intentional radio frequency emissions of the machine's circuits, you could find out how people were voting with a short-wave receiver from the other side of the street.