The FCC’s public comment system is a bloody mess. Over the past two years, it’s become apparent that political lobbyists, usually acting on behalf of the telecom industry itself, are prepared to manipulate the agency’s rulemaking process and impersonate everyday Americans just to create the illusion of public support where, in reality, none exists.
Last week, the FCC was forced to admit in court that its Electronic Comment Filing System (ECFS) was never designed to keep track of where comments originate. Not only is the system not designed to prevent fraud or the use of bots, it said, when incidents of identity theft are widely reported, the system is not equipped to determine who’s responsible.
In response to allegations that millions of comments submitted to the FCC about net neutrality in 2017 were fabricated—using the names and home addresses of Americans without their consent—the New York Times is actively seeking access to the FCC’s internal logs under the Freedom of Information Act. Its reporters have specifically asked the FCC to turn over records that contain every comment and the IP addresses from which they originated. But the commission is fighting back.
For starters, the FCC is denying the Times access to these records on privacy grounds: releasing the IP addresses, it says, would “constitute a clearly unwarranted invasion of personal privacy.” It further alleges that releasing the logs would compromise the security of the ECFS, which is essentially a crime scene at this point thanks to concurrent state and federal investigations.
The notion that the system is in any way “secure” to begin with is comical, since one doesn’t need to actually commit a computer crime to flood it with bogus comments. If one were to email the agency and ask for instructions on how to submit comments in large batches, not only will it gladly provide that information, it will load them into the system regardless of whether they’re real or not.
Comments attributed to Americans who have been saying for over a year that their identities were stolen can still be found on the FCC’s website, right next to political (and in some cases veiled anti-Semitic) remarks that they did not write.
But there’s another reason the FCC is refusing to hand over the logs. In a more technical explanation offered in a motion filed on March 14, the commission argues that producing evidence of where comments originate is a “painstaking process” that would be “highly complicated and burdensome, even if it is possible to do the correlation in the first place.”
“The retracing process would allow the FCC to identify several requests made close in time to the second the comment appears in the database, and guess which one is the actual originating request,” it said. “However, the FCC cannot directly and conclusively correlate one ECFS request with one ECFS comment.”
The process of figuring out where particular comments originate, in the FCC’s own words, is complete guesswork. The system is not designed to prevent fraud, and if fraud does occur, it is not designed to detect it, nor produce evidence of who is culpable.
It is a system that is inadvertently designed to be gamed; though, granted, it was never designed to handle millions of comments at all. (Not until net neutrality was the public at large even aware it existed.)
To a certain extent, Gizmodo can confirm that what the FCC is saying is true. Last month, we reviewed some of the logs sought after by the Times, disclosed in a separate lawsuit by a different agency. Gizmodo reported on multiple sources of fraudulent comments in two articles this year. Each required a considerable amount of time and legwork.
The FCC’s argument that it can’t release the logs on the basis of privacy is undercut by the fact that the General Services Administration, which manages the API system used by the FCC, already released them—or at least part of them. The API system is only one of three ways comments are submitted; the Times is seeking access to logs related to the other methods as well.
The API logs, which Gizmodo has reviewed—and the New York Times and Wall Street Journal both have access to now—do include at least dozens of IP addresses belonging to groups that uploaded millions of comments combined.
Gizmodo was able to trace the origin of known fake comments using the same process that’s being used by law enforcement investigators in New York, and likely at the Department of Justice as well. It is essentially the same “painstaking process” that the FCC says would be too “burdensome” for it to execute in response to a FOIA request. (It is likely correct on this point since the law doesn’t require it to commit vast resources and time to fulfill a single request.)
On a technical level, the issue is that the logs of when comments are submitted do not actually contain the comments themselves; they merely track when comments were uploaded and by whom. To track an individual comment back to its source, investigators have had to compare the timestamps on the comments to the logs identifying the uploaders. But timestamps on the comments and the logs do not match perfectly, likely due to server latency. The timestamps are on average off by a few hundred milliseconds (two seconds at most), indeed making it difficult to confidently ID the source of a fake comment, based on our experience.
The process for tracking down instances of comment fraud at the FCC is, as its lawyers accurately portrayed in court, a fucking headache. But what this really means is, if the commission is going to continue to use the ECFS to solicit public comments—something it is legally obligated to do in a lot of its rulemaking—the system needs to be retrofitted or completely re-built to facilitate fraud detection. FCC Chairman and two-time Courage Award winner Ajit Pai stated himself three months ago that a “half-million comments” about his net neutrality proposal were “submitted from Russian e-mail addresses.”
Going forward, Americans should not have to worry about whether malicious political statements, which they did not write and do not stand by, are being published by their own government, in their name, without their consent. And at the very least, when and if this type of crime does occur, it should be the FCC’s responsibility to ensure that it’s technologically possible to figure out who the culprits are.
If not, its notice-and-comment rulemaking is finished and this is all just administrative theater.
Correction: The original version of this article stated that FCC’s API logs contained “thousands” of IP addresses. While there are thousands of records, the logs contain only dozens of unique IPs. We regret the error.