Naked Security

2 million stolen identities used to make fake net neutrality comments

Most crucially, two of those identities were senators who are now demanding the FCC find out who's behind the bots and the identity theft.

You may recall all those reports of fake and bot-generated comments left in what former New York Attorney General Eric Schneiderman called the “deeply corrupted” public comment period for net neutrality.
Now, it looks like two million stolen identities were used to make those fake net neutrality comments. Most crucially, two of those identities were stolen from senators.
On Monday, the two senators – Jeff Merkley (D-OR) and Pat Toomey (R-PA) – called on the Federal Communications Commission (FCC) to investigate identity theft and fraud in the public comments left for the agency during the time leading up to the decision to kill net neutrality in December.
From their letter, sent to FCC Chairman Ajit Pai:

Late last year, the identities of as many as two million Americans were stolen and used to file fake comments during the Federal Communications Commission’s (FCC’s) comment period for the net neutrality rule.
We were among those whose identities were misused to express viewpoints we do not hold. We are writing to express our concerns about these fake comments and the need to identify and address fraudulent behavior in the rulemaking process.

A public comment system that isn’t secured in some way can’t protect government agencies such as the FCC from fraudsters who pollute the process, the senators said; nor can it protect participants from having fraudsters assume their identities:

The first three words in our Constitution are, ‘We the People.’ The federal rulemaking process is an essential part of our democracy and allows Americans the opportunity to express their opinions on how government agencies decide important regulatory issues. As such, we are concerned about the aforementioned fraudulent activity. We need to prevent the deliberate misuse of Americans’ personal information and ensure that the FCC is working to protect against current and future vulnerabilities in its system.

Toomey and Merkley called on the FCC to employ simple security measures, such as CAPTCHA, or Completely Automated Procedures for Telling Computers and Humans Apart, to weed out bot-generated comments.

This technology would ensure that a human, not a machine, is using a computer to submit comments.

“Ensure?” Well, that’s giving CAPTCHA a bit more credit than it deserves, given all the ways that human researchers have found to automatically trick the tests.
The point of CAPTCHA or reCAPTCHA challenges is to act as a gateway that lets humans through but stops or slows down bots (software robots). A bot that can solve a CAPTCHA or reCAPTCHA automatically defeats the whole point of the test, but that’s what keeps happening.
But we get the point the senators are trying to make: just do something to stop these bots.
And while you’re at it, the senators want the FCC to figure out who’s behind the fake comments. They also want public disclosure on the total number of fake comments that were filed during the net neutrality public comment period.
The senators also have this list of specific questions for the FCC:

  • How is the FCC working with the Department of Justice to identify those who submitted fake comments?
  • Is the FCC working with state attorneys general to determine whether state crimes were broken when these identities were stolen?
  • What measures is the FCC taking to ensure this does not happen in the future?
  • How can the FCC track down who misused the identities of 2 million Americans?
  • Can the FCC determine how many of the fake comments on record were submitted by bots, a software application that runs automated tasks (scripts) over the internet?
  • Has the FCC considered using a CAPTCHA, or other security technology, to prevent fraudulent machine input?
  • Is the FCC aware of any foreign government submitting fake comments and for what purpose?

I don’t know how the FCC will go about finding out which of the 23 million comments it received last year were fake. But for what it’s worth, Gizmodo’s Dell Cameron found one that seemed a pretty cut-and-dried version of BS: it’s doubtful that Barack Obama would speak about his own net neutrality protections in this way:
https://twitter.com/dellcam/status/942974322838294528
According to Pew Research, only 6% of the comments were unique. Potentially millions could have been submitted by bots. What’s more, 57% of comments used temporary or duplicate email addresses, and seven popular comments accounted for 38% of all submissions.
The FCC refused to postpone its 14 December vote on net neutrality in order to investigate a public comment period that had obviously been clotted with bots, memes, and input from people who don’t actually exist. At any rate, it wasn’t even interested in hearing the outpouring of support from Joe Schmoes. Rather, it was zeroing in on legal comments in the submitted content, as Brian Hart, the FCC’s head of media relations, told Wired:

The purpose of a rulemaking proceeding is not to see who can dump the most form letters into a docket. Rather, it is to gather facts and legal arguments so that the Commission can reach a well-supported decision.

Senators, respectfully, forget CAPTCHA. What the FCC really needs to do is to read the how-many-bots analysis carried out by Wired after the FCC itself declined to look at how gunky the comments were. The magazine relied on the help of FiscalNote, a company that processes public comments on behalf of corporations to help them make sense of the policy landscape.
One of the techniques FiscalNote employed (its researchers had previously identified nearly one million bot submissions in the FCC’s comments, all of them opposing net neutrality) was to detect paragraph patterns, such as stringing together 35 synonymous words and phrases in a particular order to form similar, but not identical, comments.
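The pattern detection described above can be illustrated with word-shingle reuse: comments spun from a fixed sequence of interchangeable phrases are each unique as a whole, yet nearly all of their three-word sequences recur across the corpus. This is an added example, not code from the article or from FiscalNote; the slot phrases, thresholds and function names are constructed for illustration.

```python
import itertools
import re
from collections import Counter

def words(text):
    """Lowercase word tokens; punctuation and spacing are ignored."""
    return re.findall(r"[a-z0-9']+", text.lower())

def shingles(text, n=3):
    """Set of overlapping n-word sequences in a comment."""
    w = words(text)
    return {tuple(w[i:i + n]) for i in range(len(w) - n + 1)}

def classify(comments, n=3, min_docs=3, threshold=0.8):
    """Label each comment 'duplicate', 'templated' or 'organic'."""
    norm = [" ".join(words(c)) for c in comments]
    copies = Counter(norm)
    # Document frequency of each shingle over distinct texts only, so exact
    # copies of one letter do not inflate the counts.
    df = Counter(s for text in copies for s in shingles(text, n))
    labels = []
    for text in norm:
        sh = shingles(text, n)
        # Share of this comment's shingles seen in at least min_docs texts.
        score = sum(df[s] >= min_docs for s in sh) / len(sh) if sh else 0.0
        if copies[text] > 1:
            labels.append("duplicate")
        else:
            labels.append("templated" if score >= threshold else "organic")
    return labels

# Constructed sample data (not from the FCC docket): three slots with
# interchangeable phrasings, expanded into 27 unique-looking comments.
SLOTS = [
    ["Dear Commissioners,", "To whom it may concern,", "Dear FCC,"],
    ["I urge you to reject the proposed rule", "please do not adopt the proposed rule",
     "I ask that you withdraw the proposed rule"],
    ["because it hurts consumers.", "since it harms small businesses.", "as it limits competition."],
]
SPUN = [" ".join(parts) for parts in itertools.product(*SLOTS)]
FORM_LETTER = ["I support the existing rules."] * 4
ORGANIC = [
    "My rural provider is the only option here and prices keep climbing.",
    "As a librarian I watch patrons rely on affordable access every day.",
]
SAMPLE = SPUN + FORM_LETTER + ORGANIC

def summary(comments=SAMPLE):
    return Counter(classify(comments))

print(summary())
```

The labels describe text reuse only: exact-match deduplication would pass all 27 spun comments as distinct, and neither label shows who submitted a comment or whether the named person consented.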
Sources told Gizmodo last year that Pai quietly issued a directive telling the FCC’s staff to back away from filtering out fake comments during the proceeding. Doing so would likely backfire, the thinking went: it could lead to accusations that the agency was censoring pro-net neutrality comments.
Well, that’s fair, actually. Pro- and anti-net-neutrality bots turned that comment process into a bot romper room. From Gizmodo:

Over 7 million comments included the phrase: ‘I am in favor of strong net neutrality under Title II of the Telecommunications Act.’

We may side with one or the other bot groups, but given that WANAL (We, as in most all of us except lawyers, Are Not A Lawyer) the FCC couldn’t give a hoot about what our chattering, identity-thieving, non-legal-argument robots sputter on about.


12 Comments

It would be interesting to see if the FCC did implement CAPTCHA technology and reopened the net neutrality docket for comments. I’m sure the results would be quite different.

Well the *comments* would have been different – as to the *results*, I think the fix was already in.

I was going to mention that according to the W3C the CAPTCHA or reCAPTCHA are classed as “Experimental” technologies… But you were astute enough to mention their possible flaws.
Well Done.

Unfortunately all of these systems are flawed in the end. This is why public comments on websites don’t count as official votes in any election. It’s far too easy to influence it, CAPTCHA or not. The only way you could hope to make something like this somewhat “fair” would be to verify someone’s identity before letting them post. Imagine some sort of “government account” that everyone would dislike for privacy reasons and worry about being hacked (rightfully so).
The sad truth I see in this is that it’s likely getting this degree of attention because the senators themselves were impacted. It may not have risen to this degree of scrutiny without that.
Sincerely,
FCC Chairman Ajit Pai

On the last bit about the phrase repeated 7 million times: I recall emails urging us to file comments and at least some of those included instructions to use that specific language. Hence that might not be as telling a sign as it at first appears.

I was thinking the exact same thing. The content isn’t the only factor they should be looking into and duplicate comments shouldn’t automatically disqualify an entry.

I agree that probably explains a large amount of the duplicates (and/or similar language uses), but according to the quote of Brian Hart (in the article), the FCC doesn’t even care about these comments. My reading of that is that they really don’t care what the public support, but are rather looking for any facts or legal arguments they may have not taken into consideration.
If that’s the case, why not just remove all duplicates, then the bots have no more weight than any other single person.

On the last point, many people used that specific language in their comments to be as specific in what they were supporting as possible. I used this language in my comment because the FCC has demonstrated its inability to understand the meaning of common parlance. Just look at the title of the act that has caused this debate.

The only way that I can think of is if people left video comments with their face. If you don’t have the guts to defend your opinion publicly then your vote doesn’t get counted.
Hell I believe this is how anyone in office should be voted in to begin with too. This whole anonymity thing is just chaos in places where opinions hold weight.

Imagine the time taken to count the votes. They received 23 million comments on this topic. If each video is say 10 seconds long, and we assume that even half of them are bot comments, that still means 10 * 11.5M seconds, or roughly 133 days worth of video.
Of course, each video would have to be reviewed by multiple people, to ensure that no fraud has occurred. Of course, we could reduce the time taken by using multiple people, but now imagine the cost of hiring those people to count the votes.

I find it disingenuous of the Senators to express their concern over “…the need to address fraudulent behavior…”
What they have demonstrated is their utter and complete incompetence at taking actionable steps to protect U.S. citizens’ personal data.
As for the comment process itself, I believe the FCC is performing their duty under existing regulations. However, as usual, automation of what used to be a legitimate business process has made a sham of it.
P.S. I love your political cyber coverage Lisa! Forever your devoted fan.
