Is a Key Federal Elections Panel Doing Trump’s Bidding on Voting Machines?
On the eve of the government shutdown, the U.S. Election Assistance Commission (EAC) quietly posted a press release to its website. While the announcement didn’t spark much notice, it could result in severe consequences for future elections.
And it’s causing concern that the commission — a bipartisan body whose mission is to help states administer elections more effectively — is taking its orders from President Donald Trump. That kind of partisanship and capitulation could pose a serious threat to the midterms.
Get updates straight to your inbox — for free
Over 450,000 readers rely on our daily and weekly newsletters for the latest in voting, elections and democracy.
The press release said the EAC met with the voting system manufacturers to initiate a formal review of equipment running commercial software that has reached “end-of-life” for “potential decommissioning.” The bipartisan quartet of commissioners included a statement boasting that “[r]emoving systems from active certification” would improve the sustainability of election technology. In other words, the EAC is taking steps to decertify election equipment that uses old software that no longer receives security updates.
The move comes after Trump issued an executive order in March that directed the EAC to take several actions, including potentially decertifying voting systems that use QR or barcodes to record and count votes, but the order said nothing about systems with outdated software. The EO caused panic among election officials and stakeholders.
At an event last week held by the America First Policy Institute, a think -tank founded to advance Trump’s agenda, EAC Commissioner Christie McCormick admitted that the commission’s effort was initiated “in accordance with the president’s order.”
In the wake of Trump’s order earlier this year, at several meetings with its advisory boards, the EAC commissioners assured worried election officials that the EAC would not decertify any voting systems. Now, it appears to have reversed course. In theory, addressing outdated software is a sound and much-needed policy, and probably something most of us assumed the EAC would already be doing. But the EAC has actively neglected this matter for decades, so there are reasons to ask why the agency is finally addressing this significant security gap now, and how decertification of voting systems may affect the 2026 election.
Very little is known about the EAC’s plan because it did not make the meeting public, publish the meeting minutes or provide any further information about this new initiative. (And if a quorum of commissioners was present, the meeting likely violated the Sunshine Act, which requires federal agency meetings to be announced and open to the public.)
We do know that, if the EAC aims to decertify election equipment before November 2026, it could cause chaos for countless jurisdictions. This would include the entire state of Georgia, multiple counties across Pennsylvania, North Carolina, Texas, and many other states. It could also cause repercussions for states that don’t require federal certification, but are using EAC-certified equipment with outdated software, such as the entire state of Maine.
That the EAC privately met with the vendors to discuss its plan is troubling enough. The EAC’s sudden attention to end-of-life (EoL) software, in light of its past actions, triggers even more alarms.
Since the EAC launched the federal testing and certification program in 2006, computer scientists and election security advocates have warned that commercial software, like operating systems, will age out and the EAC should adopt policies to cause the vendors to transition to newer software. The EAC ignored those recommendations for more than a decade.
In 2019, a few years after the revelations that Russian intelligence had probed U.S. election infrastructure looking for vulnerabilities, the Associated Press published a story that went viral: “Exclusive: Outdated software makes even new election systems vulnerable to hackers.” In the face of national embarrassment, the EAC held a public meeting with the voting system vendors to show that it was taking action. Because of the complexities of voting system certification, an effective policy would require an informed and considered approach. The meeting was a reasonable first step. At that time, the EAC decided that decertification was not on the table. In response to questions from the Committee on House Administration, the EAC asserted that it didn’t have “grounds to decertify” any systems running outdated software.
There has been a great deal of concern that Trump will try to direct policy at the EAC to disrupt or undermine elections.
Once it was out of the headlines, the EAC dropped the issue. As a result, no course of action was adopted and today there are federally certified voting systems in use that are running Windows 7, Microsoft Server 2008, Windows 10, and other outdated software.
Running election equipment on outdated, unpatched software is contrary to computer security best practices and is certainly not advisable. The failure by the EAC to implement a plan to deal with EoL is emblematic of the EAC and voting system vendors’ lax and sloppy approach to cybersecurity, but it is not a reason to abruptly decertify these systems. It is good that the EAC is finally addressing this, but it should be done through a thoughtful, intentional and deliberate policy.
That’s why the EAC’s sudden attention to EoL software and statements about removing active certification are so concerning. Why is the EAC rushing to address this now, after ignoring it for so long? Why isn’t the Commission first developing requirements in the existing testing and certification program to cause vendors to update systems in a timely way, before it contemplates decertification? Why is the EAC reversing its previous stance that ruled out decertification?
Election officials and the public are rightly worried about the potential politicization of the EAC and other entities that oversee elections. There has been a great deal of concern that Trump will try to direct policy at the EAC to disrupt or undermine elections. The media covered Trump’s executive order extensively, and it drew a robust response and multiple lawsuits challenging its legality, slowing down any action that the EAC might take. In contrast, the notice about potentially decertifying systems with outdated software hasn’t even caused a ripple.
The election community needs to take notice and demand answers. To foster confidence in the process and quell any concerns, the EAC must make public any minutes, recordings, or materials generated from the meeting it held with the vendors. It should immediately hold multiple meetings to brief its advisory committees and election officials about its proposals. It should solicit feedback from administrators, technical experts, and stakeholders. Congress should exercise oversight and demand answers.
Addressing outdated software is long overdue, but it must be done publicly, transparently, and thoughtfully, so that it will not disrupt upcoming elections.
Nothing less than full transparency is necessary.
Susan Greenhalgh is the Senior Advisor on Election Security for Free Speech For People. Ms. Greenhalgh has previously served as vice president of programs at Verified Voting and at the National Election Defense Coalition, advocating for secure election protocols, paper ballot voting systems and post-election audits.