
2 million stolen identities used to make fake net neutrality comments

You may recall all those reports of fake and bot-generated comments left in what former New York Attorney General Eric Schneiderman called the “deeply corrupted” public comment period for net neutrality.

Now, it looks like two million stolen identities were used to make those fake net neutrality comments. Most crucially, two of those identities were stolen from senators.

On Monday, the two senators – Jeff Merkley (D-OR) and Pat Toomey (R-PA) – called on the Federal Communications Commission (FCC) to investigate identity theft and fraud in the public comments left for the agency during the time leading up to the decision to kill net neutrality in December.

From their letter, sent to FCC Chairman Ajit Pai:

Late last year, the identities of as many as two million Americans were stolen and used to file fake comments during the Federal Communications Commission’s (FCC’s) comment period for the net neutrality rule.

We were among those whose identities were misused to express viewpoints we do not hold. We are writing to express our concerns about these fake comments and the need to identify and address fraudulent behavior in the rulemaking process.

A public comment system that isn’t secured in some way can’t protect government agencies such as the FCC from fraudsters who pollute the process, the senators said; nor can it protect participants from having fraudsters assume their identities:

The first three words in our Constitution are, ‘We the People.’ The federal rulemaking process is an essential part of our democracy and allows Americans the opportunity to express their opinions on how government agencies decide important regulatory issues. As such, we are concerned about the aforementioned fraudulent activity. We need to prevent the deliberate misuse of Americans’ personal information and ensure that the FCC is working to protect against current and future vulnerabilities in its system.

Toomey and Merkley called on the FCC to employ simple security measures, such as CAPTCHA, or Completely Automated Procedures for Telling Computers and Humans Apart, to weed out bot-generated comments.

This technology would ensure that a human, not a machine, is using a computer to submit comments.

“Ensure?” Well, that’s giving CAPTCHA a bit more credit than it deserves, given all the ways that human researchers have found to automatically trick the tests.

The point of CAPTCHA or reCAPTCHA challenges is to act as a gateway that lets humans through but stops or slows down bots (software robots). A bot that can solve a CAPTCHA or reCAPTCHA automatically defeats the whole point of the test, but that’s what keeps happening.

But we get the point the senators are trying to make: just do something to stop these bots.

And while you’re at it, the senators want the FCC to figure out who’s behind the fake comments. They also want public disclosure on the total number of fake comments that were filed during the net neutrality public comment period.

The senators also have this list of specific questions for the FCC:

  • How is the FCC working with the Department of Justice to identify those who submitted fake comments?
  • Is the FCC working with state attorneys general to determine whether state crimes were broken when these identities were stolen?
  • What measures is the FCC taking to ensure this does not happen in the future?
  • How can the FCC track down who misused the identities of 2 million Americans?
  • Can the FCC determine how many of the fake comments on record were submitted by bots, a software application that runs automated tasks (scripts) over the internet?
  • Has the FCC considered using a CAPTCHA, or other security technology, to prevent fraudulent machine input?
  • Is the FCC aware of any foreign government submitting fake comments and for what purpose?

I don’t know how the FCC will go about finding out which of the 23 million comments it received last year were fake. But for what it’s worth, Gizmodo’s Dell Cameron found one that seemed a pretty cut-and-dried version of BS: it’s doubtful that Barack Obama would speak about his own net neutrality protections in this way:

According to Pew Research, only 6% of the comments were unique. Potentially millions could have been submitted by bots. What’s more, 57% of comments used temporary or duplicate email addresses, and seven popular comments accounted for 38% of all submissions.

The FCC refused to postpone its 14 December vote on net neutrality in order to investigate a public comment period that had obviously been clotted with bots, memes, and input from people who don’t actually exist. At any rate, it wasn’t even interested in hearing the outpouring of support from Joe Schmoes. Rather, it was zeroing in on legal comments in the submitted content, as Brian Hart, the FCC’s head of media relations, told Wired:

The purpose of a rulemaking proceeding is not to see who can dump the most form letters into a docket. Rather, it is to gather facts and legal arguments so that the Commission can reach a well-supported decision.

Senators, respectfully, forget CAPTCHA. What the FCC really needs to do is to read the how-many-bots analysis carried out by Wired after the FCC declined to look for itself at how gunky the comments were. The magazine relied on the help of FiscalNote, a company that processes public comments on behalf of corporations to help them make sense of the policy landscape.

One of the techniques FiscalNote employed (its researchers had previously identified nearly one million bot submissions in the FCC’s comments, all of them opposing net neutrality) was to detect paragraph patterns, such as stringing together 35 synonymous words and phrases in a particular order to form similar, but not identical, comments.
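To make the paragraph-pattern idea concrete, here is an added example (not FiscalNote's or Wired's code, and not part of the original article) that groups comments sharing a fixed sentence skeleton and lists the positions where synonyms were swapped in. The sample comments, the 0.6 similarity threshold and the minimum cluster size are all constructed assumptions.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher

def tokens(text):
    return re.findall(r"[a-z']+", text.lower())

def matcher(a, b):
    return SequenceMatcher(None, a, b, autojunk=False)

def find_templates(comments, threshold=0.6, min_size=3):
    """Return clusters of similar-but-not-identical comments with their synonym slots."""
    toks = [tokens(c) for c in comments]
    clusters = []  # each cluster is a list of comment indices; element 0 is the seed
    for i, t in enumerate(toks):
        for members in clusters:
            if matcher(toks[members[0]], t).ratio() >= threshold:
                members.append(i)
                break
        else:
            clusters.append([i])

    findings = []
    for members in clusters:
        if len(members) < min_size:
            continue
        seed = toks[members[0]]
        slots = defaultdict(set)  # seed phrase -> phrases seen in its place
        for m in members[1:]:
            for tag, i1, i2, j1, j2 in matcher(seed, toks[m]).get_opcodes():
                if tag == "replace":
                    slots[" ".join(seed[i1:i2])].add(" ".join(toks[m][j1:j2]))
        if slots:  # exact duplicates have no slots; a plain hash catches those
            findings.append({"members": members,
                             "slots": {k: sorted(v) for k, v in slots.items()}})
    return findings

# Constructed sample: three outputs of one synonym template mixed with two organic comments.
SAMPLE = [
    "Dear commissioners, I urge you to reverse the current internet rules because they hurt investment.",
    "My rural provider is the only option here and I worry about higher prices.",
    "Dear FCC, I ask you to undo the existing internet rules because they harm investment.",
    "Please keep the rules as they are. I run a small web shop.",
    "Dear commissioners, I encourage you to overturn the current internet regulations because they damage investment.",
]

if __name__ == "__main__":
    for finding in find_templates(SAMPLE):
        print(finding)
```

Comparing every comment against every cluster seed is fine for a demonstration; a docket of millions of comments would need the candidates bucketed first (for example by length or by shared rare phrases) before any pairwise alignment.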

Sources told Gizmodo last year that Pai quietly issued a directive telling the FCC’s staff to back away from filtering out fake comments during the proceeding. Doing so would likely backfire, the thinking went: it could lead to accusations that the agency was censoring pro-net neutrality comments.

Well, that’s fair, actually. Pro- and anti-net-neutrality bots turned that comment process into a bot romper room. From Gizmodo:

Over 7 million comments included the phrase: ‘I am in favor of strong net neutrality under Title II of the Telecommunications Act.’

We may side with one or the other bot groups, but given that WANAL (We, as in most all of us except lawyers, Are Not A Lawyer) the FCC couldn’t give a hoot about what our chattering, identity-thieving, non-legal-argument robots sputter on about.


Source: Naked Security

Founder and Editor-in-Chief of 'Professional Hackers India'. Technology Evangelist, Security Analyst, Cyber Security Expert, PHP Developer and Part time hacker.
