The Federal Communications Commission’s call for comments on its repeal of net neutrality rules received over 22 million comments, but millions of these comments were fake.

Before implementing policy and regulatory changes, federal agencies are legally required to permit the public to comment directly to the agency. At the end of the comment period, it is customary for the agency to review the comments received and, occasionally, include comments received concerning the policy change or regulation.

Prior to the Federal Communications Commission’s decision to repeal the 2015 net neutrality rules, the FCC received over 22 million comments. If that sounds like a lot, it is. So many, in fact, that it prompted a closer look by the agency. As a result of its investigation, it determined that millions of these comments were fake. According to multiple researchers, more than one million of the 22 million cumulative comments were submitted by bots that used natural language generation to artificially amplify the call to repeal net neutrality protections. On June 19, 2017, nearly 500,000 comments were submitted in a mere second, and nearly all of them were identical. In fact, about 7,000 comments were submitted under the name “The Internet,” and over 400,000 of them came from Russian email addresses.

The FCC is not alone. Other agencies, including the SEC, the Consumer Financial Protection Bureau, the Federal Energy Regulatory Commission and the Department of Labor (DOL), have received fake comments from living as well as dead Americans.

The DOL has received thousands of comments relating to the planned rollback of the “fiduciary rule” requiring investment advisers who handle retirement accounts to act in the best interest of their clients. The Wall Street Journal reported that as many as 3,100 comments, posted under the identities of real Americans, were fake.
The names, addresses and email addresses linked back to an individual identity, but in some cases, the person had been dead for many years. Mercury Analytics, Inc. was commissioned to survey these results and found that 40 percent of respondents reported that the comments were fraudulently submitted. Someone else had used their identity to submit a comment.

Identity theft is not new, and it is alarming that stolen identities are being used to drive regulations affecting 340 million Americans. In the polarized political world we live in, public comments on proposed regulations require a high level of confidence that the person submitting the comments is who they claim to be.

The GSA launched Login.gov in April 2017. Login.gov offers the public secure and private online access to participating government programs while providing capabilities for authentication, including multi-factor authentication, as well as identity proofing and agency integration. Unfortunately, agencies have yet to utilize Login.gov for public comment submissions. Doing so would help a great deal.

Adding a CAPTCHA to the submission form significantly increases the likelihood that a human, not a bot, completed the form and submitted the comment. To weed out identity thieves, a combination of identity proofing and the issuance and usage of a two-factor authenticator, e.g. a one-time password, security key or biometric that has been bound to an individual, should be used when accessing the website and applying an electronic signature incorporating digital signature technology.

The electronic signature creates a digital fingerprint of the document (also called a hash) that can be used at a later point to verify the integrity of the electronic record. If the form is tampered with, the e-signature will be visibly invalidated. Based on public-key cryptography, digital signatures secure signed forms and verify the authenticity of a signed record.
A digital signature alone, however, is not an e-signature and, therefore, cannot capture a person’s intent to sign a document. When used with an e-signing application, digital signature technology secures the e-signed data.

Based on the preposterous numbers of bogus comments received by the FCC and stolen identities submitted to the DOL, it is clear that tighter controls are necessary, especially when regulations like repealing net neutrality and repealing the “fiduciary rule” are at stake.
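
The fingerprint-and-signature check described above, as an added Go example that is not part of the original article: a comment form is hashed, the hash is signed with the submitter's key, and verification fails if the form is altered or if the signature was made with a different key. The type and function names are hypothetical, the sample values are constructed, and Ed25519 over a SHA-256 digest is an assumed choice of algorithms.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

type Comment struct{ Docket, Submitter, Text string } // constructed stand-in for a comment form

// SignedComment stores the form, its SHA-256 fingerprint and the signature.
type SignedComment struct {
	Comment   Comment
	Digest    [32]byte
	Signature []byte
}

// NewSubmitterKey (hypothetical) models the key bound at identity proofing.
func NewSubmitterKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(nil) // nil selects crypto/rand
}

// Fingerprint hashes NUL-separated fields so moving text between fields shows.
func Fingerprint(c Comment) [32]byte {
	return sha256.Sum256([]byte(c.Docket + "\x00" + c.Submitter + "\x00" + c.Text))
}

// Sign fingerprints the form and signs the fingerprint.
func Sign(c Comment, priv ed25519.PrivateKey) SignedComment {
	fp := Fingerprint(c)
	return SignedComment{c, fp, ed25519.Sign(priv, fp[:])}
}

// Verify checks form against fingerprint, then signature against enrolled key.
func Verify(s SignedComment, pub ed25519.PublicKey) error {
	if Fingerprint(s.Comment) != s.Digest {
		return fmt.Errorf("fingerprint mismatch: form changed after signing")
	}
	if !ed25519.Verify(pub, s.Digest[:], s.Signature) {
		return fmt.Errorf("signature does not match enrolled key")
	}
	return nil
}

func main() {
	pub, priv, _ := NewSubmitterKey()
	s := Sign(Comment{"EXAMPLE-DOCKET", "user-1001", "I oppose the change."}, priv)
	s.Comment.Text = "I support the change." // altered after signing
	fmt.Println(Verify(s, pub))
}
```

Recomputing the stored fingerprint after altering the text does not help a tamperer: the first check then passes, but the signature no longer matches the enrolled public key.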