Skip to content
Naked Security Naked Security

Have you inadvertently joined a Trump-supporting robot army?

If your data was exposed in one of two recent breaches, there's a good chance your details have been used by an army of bots to support the proposals to end net neutrality

Last week, we told you about the travails of the US Federal Communications Commission’s comments website, which crashed after John Oliver sent hundreds of thousands of pro-net-neutrality commenters their way – and someone else sent a major DDoS attack.

We told you that our spotcheck of the comments found that the vast majority seemed to oppose FCC commissioner Ajit Pai’s plans to overturn Obama’s strict net neutrality rules and liberate service providers to play favorites with internet traffic if they so desire.

Then, suddenly, hundreds of thousands of identical comments supporting Pai began to pour in. Citizens all over the country apparently rose up to tell the FCC, quote:

The unprecedented regulatory power the Obama Administration imposed on the internet is smothering innovation, damaging the American economy and obstructing job creation. I urge the Federal Communications Commission to end the bureaucratic regulatory overreach of the internet known as Title II and restore the bipartisan light-touch regulatory consensus that enabled the internet to flourish for more than 20 years.

Astroturf lobbying campaigns that coax people into submitting similar comments aren’t new. But the scale (and absolute identicality) of these comments raised eyebrows. Especially when Techdirt noticed that Pai’s supporters had somehow “magically organized themselves” to file their views consecutively in perfect alphabetical order.

It didn’t take long for ZDNet, The Verge, and other media outlets to start contacting the commenters, whose names, postal addresses, and Zip codes were displayed publicly. Many had no idea they’d gone on record supporting the Trump administration’s net neutrality policies. Some actually opposed the FCC’s plans, and others had no clue what net neutrality was.

By May 10, there were 128,000 evidently fake pro-Pai comments; by May 12, Gizmodo had tallied more than 440,000.

Meanwhile, over at Medium, developer Chris Sinchok performed a detailed analysis of the bot traffic. Disproportionate percentages of the names and addresses were among those swept up in two enormous recent data breaches – the River City Media breach and the one at Modern Business Solutions – strongly suggesting that “the bot programmers are working with breach data directly, or with a data warehouse whose lists ended up in one of these breaches”.

The fake commenters didn’t include their email addresses, which would have permitted the FCC to send a confirmation of receipt. (Sinchok attempted to filter out all bot comments, and estimated that 395,353 “real” commenters supported keeping the Obama rules, with only 743 “real” commenters agreeing with Pai.)

Why was it so easy to hack the FCC’s comment site? For one thing, The FCC offers an API that can be used to submit comments automatically, and getting an API key is easy and free. Then, as MIT’s Nathaniel Fruchter notes, the FCC apparently hasn’t implemented any rate limiting or authentication to restrict mass commenting. It’s also worth noting that the comment site itself contains no “I am not a robot” Captcha feature.

By the way, the pro-Pai language apparently originates from the Center for Individual Freedom (CFIF), a free-market advocacy organization which has been running a digital media campaign encouraging citizens to support Pai. But CFIF denies it has anything to do with the automated bot, and there’s no reason to doubt them.

Whether you’re a bot or a citizen, you’ll find comments temporarily closed, consistent with routine FCC policy for the seven days before the agency votes. If, as everyone expects, the commissioners move forward with the process of repealing net neutrality, comments will reopen between the end of this week and the anticipated final vote in August.

Pai has been explicit about where he’s headed with all this: “This is a fight that we intend to wage and it is a fight we are going to win.” Of course, just as telecoms and cable companies sicced their lawyers on the FCC after it imposed net neutrality, plenty of folks are revving up their legal arguments against Pai’s reversal.

In the meantime, the FCC’s CIO, David Bray, might be feeling a bit beleaguered. Bray – who previously earned praise and awards for his work leading the FCC’s digital transformation – retweeted Wired’s piece about “just how hard it is to turn the web into a platform for democratic participation”.

No doubt if mass impersonation on behalf of political causes becomes widespread, it will be much harder for governments to reflect public input even if they want to. Will political bots soon be linked to machine learning systems capable of generating individualized messages which look every bit as real as the barely original messages many “actual” citizens send? Once that happens, the old saying that “the cure for bad speech is more speech” will be officially obsolete.


 

2 Comments

FCC apparently hasn’t implemented any rate limiting or authentication to restrict mass commenting
It can’t get much more poetic that these are the dudes still in charge of Carlin’s Seven Words.

That MADCOM article at Medium is rather unsettling…though not so surprising I’m disappointed to say. As this article illustrates, we know at least 743 people** have fallen for false claims and will/would unknowingly vote against their own interest. With personalized, reactive, and targeted persuasion that paradigm will snowball…ouch.

** okay, there are likely a few comments made by Verizon/Comcrap brass who will genuinely profit from the rules being removed, but you know what i mean

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?