Stolen email accounts used to target the Net neutrality repeal, study finds

Could public comments submitted to the Federal Communications Commission from stolen email addresses represent the latest hacking-assisted attempt to tip the scales in U.S. politics? A new study by San Francisco-based think tank Startup Policy Lab indicates as much.

According to SPL’s Truth in Public Comments project, unprecedented levels of fraud marred the FCC’s public-comments process during the debate leading to the FCC’s decision to rescind Net neutrality protections Thursday. The Open Internet Order, the repeal of which is expected to be challenged in court, mandates Internet service providers to treat all Internet traffic equally, in terms of connection quality and throughput.

Proponents of the order—and more broadly of Net neutrality—argue that the structure of the Internet hangs in its balance; with a repeal, they say, ISPs stand to gain tremendous wealth and influence over our daily lives, including our digital privacy and security. Others argue that the order will make Internet service a more competitive marketplace, hardly affecting our privacy or security at all.



READ MORE ON NET NEUTRALITY:
Why losing Net neutrality wouldn’t hurt your privacy or security
Forget Pai. Net neutrality’s privacy benefits are already neutralized
Broadband privacy regulations fall into a gray area


The TiPC study, which took six random samples of approximately 86,000 comments each, and found fairly consistent results in all six samples, augments similar findings from the Pew Research Center and the New York Office of the Attorney General.

Co-author Jeff Kao, whose statistical analysis at data science boot camp Metis inspired the study, says he and his SPL colleagues found massive statistical discrepancies when they attempted to verify the public comments through an email survey sent to the associated addresses.

The study found that many of the 23 million comments posted to the FCC site were likely submitted by bots or other nonhuman sources. Kao says 16 percent of the responses his team received from the commenter email addresses suggested that the Net neutrality comments were submitted without permission. His team further found that 88 percent of public comments in favor of repealing Net neutrality were likely made using stolen identities, compared with 4 percent of comments against the repeal.

“When you see 88 percent of the respondents saying, ‘No, I didn’t submit this statement,’ I think that’s a pretty good indication that [the anti-Net neutrality] campaign is not legitimate,” Kao says.

“It seemed obvious that someone had cheated,” says Vivek Bhaskaran, founder of survey company QuestionPro, which helped design and conduct the TiPC study. “We were expecting the people who said, ‘No, that’s not my comment’ would be evenly distributed between pro-Net neutrality commenters and anti-Net neutrality commenters. When we looked at the data, it seemed obvious that one camp had clearly orchestrated a campaign” opposing Net neutrality.

“The weird part is, the [anti-Net neutrality] responses had a low rate of bounce-back,” Kao says, referring to nonexistent emails that bounced survey queries. “That indicates to me that someone is really putting in the effort to procure and use real people’s emails,” rather than computer-generated fake addresses, to influence the FCC’s stance on Net neutrality.

“Great care is taken to ensure that the results of voting machines are legitimate. The same care and effort needs to be extended into this area.”—Rand Waltzman, senior information scientist, Rand Corp.

Public comment, says Catherine Sandoval, a former senior FCC manager who is now an associate professor of law at Santa Clara University, “is the bedrock of democratic decision making for government institutions like the FCC.” And the FCC’s public-comments “procedure appears to be infected by identity theft and potential criminal behavior on a massive scale that is unprecedented in FCC jurisprudence,” she says.

“I’ve been practicing in this field for 25 years. This is the worst FCC comment process I have ever witnessed. It is well below the standards of the Administrative Procedures Act,” she says, referring to the 1946 statute that requires federal agencies to seek public input during rulemaking. “This is an attack on a basic mechanism of democratic decision making that affects everything we do.”

The FCC did not respond to requests for comment.

Sandoval says people should be alarmed by the fact that the FCC, citing insufficient resources, has declined to investigate the apparent hijacking of its public-comment process. Its response thus far, inconsistent with its legal duties, is “mystifying,” she says.

Each fraudulent public comment made with a stolen email address amounts to false filing on the part of the perpetrator, a potential felony, she says. Whether it also technically amounts to identity theft might depend on whether a state has included a financial motive in its definition.

Sandoval also notes that because some ISPs offer service through federal or state-issued licenses granted to them as telephone corporations, the comment fraud could point to manipulation of the debate by a stakeholder that stands to gain from Net neutrality’s repeal.

“It is important to figure out who did this,” she says. “If this was done by people who hold FCC or state licenses, or their agents, who stand to gain from repeal of Net neutrality rules, or by someone paid to submit the allegedly false comments, that fits within the test of whether a benefit, value, or financial gain was sought.”

Kao and Bhaskaran declined to speculate which entity or entities might be behind the fake comments. And ISPs that might benefit from the Net neutrality repeal, including Comcast, Verizon, and AT&T, did not return multiple requests for comment.

Sandoval says there is more than enough evidence of false filing and identity theft to justify state and federal investigations. And considering widespread concerns over foreign interference in U.S. elections, she recommends that authorities investigate whether foreign actors were involved.

“You need to take the problem seriously,” says Rand Waltzman, a senior information scientist at Rand Corp., referring to the integrity of the public-comment process. “Great care is taken to ensure that the results of voting machines are legitimate. The same care and effort needs to be extended into this area.”

Waltzman compares the attacks on the FCC’s site to old-fashioned forms of voter fraud, through which ballots are cast using names of dead people still on the books.

“New-media technology offers opportunities for this type of fraud, as well as many new types,” Waltzman says, “on a scale previously unimagined.” And the methods used today aren’t necessarily advanced, expensive, or hard to detect.

“If you look at the types of techniques bad actors are using, they’re pretty brazen,” Waltzman says. So far, he says, the perpetrators of fraudulent public comments “haven’t gotten a lot of pushback. If there’s no resistance, why would you invest the resources to make it more sophisticated?”

SPL Chief Executive Charles Belle, who co-authored the TiPC study, worries that interference in the Net neutrality debate is only one of many such attempts to influence public policy.

“The FCC is the canary in the coal mine,” Belle says, adding that the study results point to an opportunity to use data science to improve the integrity and legitimacy of structures that facilitate democracy.

“We can can start to look at different agencies, and look at how we protect ourselves,” Belle says. “Some people look at this and say it’s about Net neutrality. For Startup Policy Lab, this is about democracy.”