Millions of records that the FCC’s top lawyer once fought to hold back from state law enforcement officials now serve as key evidence in a year-long probe into cases of Americans being impersonated during the agency’s latest net neutrality proceeding. Analysis of the data would lead investigators last fall to consider, as one of many potential sources of fraud, the owner of an influential Washington, D.C., newspaper, whose advocacy business may have served as a pipeline for one of the most notorious of all fake comments.
In May 2017, dozens of Americans came forward with claims that their identities had been used, without their consent, in a campaign to inundate the Federal Communications Commission with public comments critical of the Obama-era policy. Some told reporters that they’d never heard of net neutrality. Twenty seven signed an open letter to FCC Chairman Ajit Pai demanding a response. A year on, each of their names and addresses are still displayed on the federal agency’s website, right above, as the letter puts it, “a political statement that we did not sign onto.”
What was most curious, however, is that each of these people had supposedly submitted the very same comment; a veritable word salad of telecom industry talking points. In particular, the comment was a rebuke of the Obama administration’s exercise of “unprecedented regulatory power” in pursuit of net neutrality, a policy which it accused of “smothering innovation, damaging the American economy, and obstructing job creation.”
Internal FCC logs reviewed by Gizmodo for the first time offer clues as to why the matching comments led investigators in October to the doorstep of CQ Roll Call, a company that, while running an august newsroom in the nation’s capital, is also in the business of helping lobbyists construct digital “grassroots” campaigns aimed at influencing policymakers, and specifically, those controlling the FCC’s rulemaking process.
The logs, obtained in response to a Freedom of Information Act (FOIA) lawsuit, document in exhaustive detail each time an organization such as CQ—the advocacy side of the company—submitted a comment using the FCC’s API system. What’s more, they include the IP addresses of the uploaders themselves, as well as timestamps that record, down to the millisecond, precisely when floods of comments came pouring in from any given source.
While it’s FCC policy to accept and help manually upload spreadsheets containing batches of comments collected by virtually anyone, it also offers access to an API system that give groups like CQ, Fight for the Future, and the Electronic Frontier Foundation the ability to create their own submission pages that feed directly into the agency’s Electronic Comment Filing System (ECFS). The API, which helped funnel millions of comments to the agency in 2017, is maintained by the General Services Administration (GSA).
Last week, the GSA turned over the API logs in response to a records request from a reporter who had sued it and the FCC to pry them loose.
On review, they are the same records that the FCC refused to provide the New York attorney general’s office in December 2017, while claiming the state’s chief legal officer had no authority “to investigate a federal agency’s rulemaking process,” or otherwise compel the production of any materials. According to a December 2017 letter, the FCC’s general counsel had further argued that releasing the records (and in particular, any IP addresses) would “invade the personal privacy of legitimate commenters, and be overly burdensome to the agency.”
Yet the agency’s efforts at stonewalling proved inevitably futile. New York’s Bureau of Internet and Technology would ultimately obtain the API logs—likely, according to the statements of former New York attorney general Eric Schneiderman, from the FCC’s own inspector general, whose work is intentionally segregated from other offices at the agency.
Armed with both legal and technical expertise, the bureau’s investigators would comb the data and eventually produce multiple leads in its investigation of potential state violations, including criminal impersonation under New York law.
“Unprecedented regulatory power”
The millions of public comments amassed by the FCC about net neutrality over the summer of 2017 are only one facet of process known as “notice and comment” rulemaking. Under federal law, whenever the FCC intends to set forth new, legally binding rules, it is required to give notice. It must then, for no fewer than 30 days, allow the public to comment in response.
In contrast to the 3.9 million comments received during the debate over the Open Internet Order, which led to the adoption of federal net neutrality rules four years ago, the Trump administration’s effort to repeal those rules, known as the Restoring Internet Freedom Order, brought in over 22 million.
As of October 2018, investigators in New York had isolated a batch of roughly 9.35 million comments, which they had deemed suspicious and potentially attributed to Americans whose names had been used without their permission.
The investigations into the fake comments largely stem from reports published almost simultaneously on May 10, 2017, by Gizmodo, Verge, and ZDNet, all of which focused on identical comments that were submitted to the FCC several hundred thousand times. The language used in the comments—which are now suspected of having been uploaded using CQ’s software—was eventually traced back to a conservative nonprofit called the Center for Individual Freedom (CFIF).
The comment reads in full:
“The unprecedented regulatory power the Obama Administration imposed on the internet is smothering innovation, damaging the American economy and obstructing job creation. I urge the Federal Communications Commission to end the bureaucratic regulatory overreach of the internet known as Title II and restore the bipartisan light-touch regulatory consensus that enabled the internet to flourish for more than 20 years.”
Founded in 1998, CFIF is a reportedly a dark-money group whose early roots lie in defending Big Tobacco, but which supported the repeal of net neutrality more recently and has campaigned aggressively against state laws requiring political groups like itself to disclose the sources of its funding. Along with CQ, the group is among the 14 entities subpoenaed by the New York attorney general last fall, as first reported by former BuzzFeed reporter Kevin Collier in October.
As late as last February, CFIF President Jeffrey Mazzella praised the FCC’s rollback of the Title II classification of broadband service underlying net neutrality in the Daily Caller, labeling the policy an “unprecedented power grab by the Obama administration,” which, he claimed, upended “two decades of bipartisan consensus for light-touch regulation of the internet sector.”
Notably, Mazzella’s article was coauthored with David Williams, president of the Taxpayers Protection Alliance (TPA), another group subpoenaed in New York. Comments linked to TPA appear to have been submitted by the same individual who aided another group known as Free Our Internet, whose comments were ascribed to Americans who told Gizmodo their identities had been stolen.
Attempting to confirm or disprove the alleged link between CQ and CFIF, Gizmodo initiated its own review of the API data logs last week, focusing on comments from dozens of people who claim they were impersonated online. Emails previously obtained under FOIA, which show conversations between FCC officials and CQ’s chief technology officer, Dan Germain, who now serves as a FiscalNote senior VP overseeing research and development, provided additional context regarding the company’s operations.
The Center for Individual Freedom and FiscalNote, which purchased CQ Roll Call in August 2018, did not respond to multiple requests for comment.
Germain, however, was interviewed by Gizmodo twice in 2017, and served up various insights into how the company had amassed and delivered “millions of comments” to the FCC.
Analysis of API logs
While Germain declined to identify any of CQ’s clients “without explicit permission,” timestamps contained in the API logs reveal an unmistakable correlation between the use of CQ’s API key and numerous identical comments containing CFIF’s text about former President Obama’s “unprecedented regulatory power.”
APIs are a ubiquitous part of the internet and power user interactions with everything from Google to Grindr. To control access to them, APIs are usually given a “key” system, which produces long, unique strings of characters, not dissimilar to a password. This enables system administrators to give explicit access to an individual or company and track how the keys are being used.
The FCC is the only agency whose public commenting system uses API keys issued by Data.gov, a branch of the General Services Administration.
The purpose of GSA’s system is to “make it easier for agencies to release and manage” data while offering a variety of ways to track and analyze its use, according to its website. As many as 19 federal agencies rely on the Data.gov API for a variety of purposes, including the FCC, which specifically promotes it as a way to deliver public comments in bulk.
While some identifying information in the logs is fully or partially redacted, they contain the following data: timestamps of every instance an API submission was made; the IP addresses of every individual who requested API keys; the IP addresses of the servers used by them to submit comments; and standard number codes that indicate whether a comment submission was successful.
But while the logs detail precisely when comments were submitted and by whom, they do not contain the actual comments themselves, nor the names of the individuals to whom they’re attributed. Nor do the logs, which span roughly 7-months, indicate to which specific FCC docket a comment was submitted. Because of this, the timestamps are pivotal to pairing specific comments with the API keys used to submit them.
By comparing the API logs to comment data that the FCC had already made publicly available, Gizmodo found more than a dozen comments containing CFIF’s boilerplate language that were registered within milliseconds of CQ’s key being used.
A comment by Cynthia Duby of Desert Hot Springs, California, regarding Obama’s “unprecedented regulatory power,” for example, was registered by the comment system fractions of a second after CQ used its key on May 11, 2017. (The timestamp on Duby’s comment reads, “16:33:09.794,” while the Data.gov API logs show CQ submitting a comment at “16:33:09:0.16.”)
The timestamps on the comment data and API data rarely if ever sync perfectly. The disparity—at most two seconds, but more often much shorter—could be explained by server latency, or the fraction of time that passes after a message is sent but before it’s received by a server.
Duby is one of the 24 people who signed the open letter in May 2017 demanding that her comment be removed by the FCC. Of 14 others who said their names were “used to file comments we did not make,” Gizmodo was able to duplicate the experiment 12 times. In each successful case, the comments were received by the FCC while CQ’s API key was in use, with the logs reflecting deviations in the timestamps roughly equivalent to the blink of an eye. (For reasons unclear, two of the signatories’ comments could not be located.)
Ariehl Kimbrough, another apparent condemnor of “unprecedented regulatory power,” told Gimzodo in May 2017, that not only had she not submitted the comment bearing her name and address, but that she had never even heard the phrase “net neutrality.”
The FCC data shows the comment attributed to Kimbrough was received on May 9, 2017, at 7:31pm. As with the signatories of the open letter, the API data shows that a key assigned to CQ Roll Call was, at that very moment, in the process of uploading a batch of comments. The timestamps are within one-tenth of a second apart.
In response to an investigation by the Wall Street Journal, whose researchers spoke to some 7,800 people who had claimed their names had been used without consent in various agency dockets, an FCC spokesperson said comments from the general public are “generally not substantive, so thus have no impact on a rulemaking.” They added: “We err on the side of keeping the public record open and do not have the resources to investigate every comment that is filed.”
Only when it was politically advantageous did FCC Chairman Ajit Pai speak to the impact of the fake comments on the process.
In December, while attacking what he called “overheated rhetoric about net neutrality,” the chairman claimed in an FCC memo that as many as “half-million comments” supporting net neutrality had been “submitted from Russian e-mail addresses” and that “nearly eight million comments” had been filed using email accounts “associated with FakeMailGenerator.com.”
The FCC did not respond to a request for comment.
“Millions of comments”
Prior to CQ becoming a subject of interest in an ongoing criminal investigation, Germain explained at length that his company had created a platform specifically to direct comments to the FCC and that it had been operational since at least 2016.
“Before we submit these comments (via the API) we remove any bad or questionable submissions,” he told Gizmodo. “On a technical level, a few of the things we do include running the email address through an email validator, eliminate duplicate records with the same email address, and remove multiple submissions from the same IP address.”
If CQ found comments that appeared particularly questionable, he said, the company would call the individual and inquire whether they submitted it. “Sometimes they don’t remember until we read the actual message,” he said, “and then they light up in full support of it!”
In emails to FCC from April 2017, Germain explains that CQ is seeking to deliver “about 250,000 comments per day,” and that it would need to “set up multiple servers to the API simultaneously to meet the needs” of its clients. Whereas many of the groups responsible for uploading millions of comments requested only one or two API keys, logs show that CQ, over a period of several months, requested no fewer than 114.
Registered between April 28 and August 14 that year, the keys linked to the company—by email account or IP address or both—contributed nearly 2.1 million API submissions. This includes a nearly month-long gap between mid-May and mid-June. A query for the CFIF comment about “unprecedented regulatory power” reveals an overlapping gap that aligns with the periods in which CQ Roll Call is shown to have made API post requests.
Above all, Germain stressed that its advocacy business was entirely separate from its news products. “The newsrooms of both CQ and Roll Call have editorial independence and have no involvement in the creation or management of our advocacy tools,” he said, adding: “They certainly would not know what our advocacy customers were doing with our tools.”
Incidentally, one of Roll Call’s reporters was physically accosted by security officials while trying to ask questions of Republican FCC Commissioner Michael O’Rielly following a May 2017, hearing about the net neutrality rules.
Beyond CQ, 12 additional entities were likewise subpoenaed by the New York attorney general, including Free Our Internet, an organization founded by a former Trump campaign statewide director; and Ethan Eilon, a GOP consultant, whose firm, Conservative Connector, received more than $31 million from the Trump campaign and Republican National Committee during 2016 election.
With patterns of repetitive text and timestamps consistently formatted across the data, it’s possible that API submissions and FCC comments can be easily matched with a reasonably high degree of confidence. If a culprit is eventually found, it will likely be as a result of intense analysis of the API data, aided by the sloppiness of uploaders who left their digital fingerprints all over it.
At an agency with a recent history of covering up minor technical flaws with disproportionately large lies, the attempt by top FCC officials to prevent law enforcement from examining its logs only serves to cast further doubt and suspicion on the agency’s motives, and its future ability to conduct rule-making processes within the spirit of the law.
Saying the agency’s failure to investigate this “corrupted record” would ultimately undermine its ability to “seek public input in the digital age,” FCC Commissioner Jessica Rosenworcel reached the conclusion more than a year ago that the data so closely guarded by her Republican colleagues would ultimately prove central to solving this mystery.
“To put it simply, there is evidence in the FCC’s files that fraud has occurred,” she said, “and the FCC is telling law enforcement and victims of identity theft that it is not going to help.”
The New York attorney general’s office declined to comment for this story citing an ongoing investigation.
If you have a tip you’d like to share, email the author at firstname.lastname@example.org, or contact us securely with SecureDrop.