michaelmagrath
Contributor

Stolen identities and a lack of verification render public comment procedures meaningless

Opinion
Jan 09, 2018 | 4 mins
Internet | Privacy | Regulation

The Federal Communications Commission’s call for comments on its repeal of net neutrality rules received over 22 million comments, but millions of these comments were fake.


Before implementing policy and regulatory changes, federal agencies are legally required to permit the public to comment directly to the agency. At the end of the comment period, it is customary for the agency to review the comments received and, occasionally, include comments received concerning the policy change or regulation.

Prior to the Federal Communications Commission’s decision to repeal the 2015 net neutrality rules, the FCC received over 22 million comments. If that sounds like a lot, it is. So many, in fact, that it prompted a closer look by the agency. As a result of its investigation, it determined that millions of these comments were fake. According to multiple researchers, more than one million of the 22 million cumulative comments came from bots that used natural language generation to artificially amplify the call to repeal net neutrality protections. On June 19, 2017, nearly 500,000 comments were submitted in a mere second and nearly all of them were identical. In fact, about 7,000 comments were submitted under the name “The Internet” and over 400,000 of them came from Russian email addresses.

The FCC is not alone. Other agencies, including the SEC, the Consumer Financial Protection Bureau, the Federal Energy Regulatory Commission and the Department of Labor (DOL), have received fake comments submitted in the names of living as well as dead Americans.

The DOL has received thousands of comments relating to the planned rollback of the “fiduciary rule” requiring investment advisers who handle retirement accounts to act in the best interest of their clients. The Wall Street Journal reported that as many as 3,100 comments, posted under the identities of real Americans, were fake. The names, addresses and email addresses linked back to an individual identity, but in some cases, the person had been dead for many years. Mercury Analytics, Inc. was commissioned to survey these results and found that 40 percent of respondents reported that the comments were fraudulently submitted. Someone else had used their identity to submit a comment.  

Identity theft is not new, and it is alarming that stolen identities are being used to drive regulations affecting 340 million Americans. In the polarized political world we live in, public comments on proposed regulations require a high level of confidence that the person submitting the comments is who they claim to be.

The GSA launched Login.gov in April 2017. Login.gov offers the public secure and private online access to participating government programs while providing capabilities for authentication, including multi-factor authentication, as well as identity proofing and agency integration. Unfortunately, agencies have yet to utilize Login.gov for public comment submissions. Doing so would help a great deal.

Adding a CAPTCHA to the form submission significantly increases the likelihood that a human, and not a bot, completed the form and submitted the comment. To weed out identity thieves, a combination of identity proofing and the issuance and usage of a two-factor authenticator, e.g. a one-time password, security key or biometric that has been bound to an individual, should be used when accessing the website and applying an electronic signature incorporating digital signature technology. The electronic signature creates a digital fingerprint of the document (also called a hash) that can be used at a later point to verify the integrity of the electronic record. If the form is tampered with, the e-signature will be visibly invalidated. Based on public-key cryptography, digital signatures secure signed forms and verify the authenticity of a signed record. A digital signature alone, however, is not an e-signature and, therefore, cannot capture a person’s intent to sign a document. When used with an e-signing application, digital signature technology secures the e-signed data.
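The integrity check described above, as an added example that is not part of the original article or of any agency's system: a comment record is fingerprinted with SHA-256, signed with a key standing in for one bound to the identity-proofed commenter, and later verified. The field names, docket and subject values, the choice of Ed25519 and the in-process key pair are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Fields covered by the signature, in a fixed order so signer and verifier
// hash exactly the same bytes. Field names are assumptions for this sketch.
const FIELDS = ['docket', 'subject', 'submittedAt', 'comment'];

function canonicalize(record) {
  const pairs = FIELDS.map((f) => {
    if (typeof record[f] !== 'string') throw new Error(`missing field: ${f}`);
    return [f, record[f]];
  });
  return Buffer.from(JSON.stringify(pairs), 'utf8');
}

// The "digital fingerprint": SHA-256 over the canonical record.
function fingerprint(record) {
  return crypto.createHash('sha256').update(canonicalize(record)).digest('hex');
}

// Ed25519 hashes internally, so the algorithm argument is null.
function signRecord(record, privateKey) {
  const signature = crypto.sign(null, canonicalize(record), privateKey);
  return { record, digest: fingerprint(record), signature: signature.toString('base64') };
}

// Valid only if the stored digest still matches AND the signature verifies
// under the public key bound to the proofed identity.
function verifyRecord(envelope, publicKey) {
  const sig = Buffer.from(envelope.signature, 'base64');
  const digestOk = fingerprint(envelope.record) === envelope.digest;
  return digestOk && crypto.verify(null, canonicalize(envelope.record), publicKey, sig);
}

// Constructed sample data; the key pair stands in for one bound to the commenter.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const signed = signRecord({
  docket: 'EXAMPLE-DOCKET-1',
  subject: 'proofed-user-0001',
  submittedAt: '2018-01-09T12:00:00Z',
  comment: 'I oppose the proposed change.',
}, privateKey);

// Edit the text, then recompute the digest as someone altering the record would.
const altered = { ...signed.record, comment: 'I support the proposed change.' };
const tampered = { ...signed, record: altered, digest: fingerprint(altered) };

console.log(verifyRecord(signed, publicKey), verifyRecord(tampered, publicKey)); // true false
```

The tampered record fails even though its digest was recomputed, which is why the hash alone is not enough and the signature over it carries the integrity guarantee.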

Based on the preposterous numbers of bogus comments received by the FCC and stolen identities submitted to the DOL, it is clear that tighter controls are necessary, especially when regulations like repealing net neutrality and repealing the “fiduciary rule” are at stake.


Michael Magrath is responsible for aligning OneSpan’s solution roadmap with standards and regulatory requirements globally.

He is Co-Chair of the FIDO Alliance’s Government Deployment Working Group and is on the Board of Directors of the Electronic Signature and Records Association (ESRA). He also served as a member of the Board of Directors for the Identity Ecosystem Steering Group (IDESG) and was Chair of the Health Information Management Systems Society (HIMSS) Identity Management Task Force.

Prior to OneSpan, he served as Director for Identity Solutions for DrFirst, a leading U.S. health IT solution provider, and focused on streamlining and securing the identity management process for healthcare providers nationwide and increasing the adoption of electronically prescribing controlled substances (EPCS).

Before DrFirst, Mike led Gemalto’s market and business development activities in the U.S. government and healthcare markets and was a contributing member of the Health Record Banking Alliance, WEDI, HIMSS, the Medical Identity Fraud Alliance and the Secure ID Coalition.

He served as Chairman of the Secure Technology Alliance’s (formerly the Smart Card Alliance) Health & Human Services Council from 2010-2014 where he led initiatives to stimulate the understanding, adoption, use and widespread application of smart card technology in healthcare. He served as an advisor to the American Medical Association supporting a Center for Disease Control grant to develop and test the viability of a "Health Security Card" to identify and expeditiously treat victims in the event of a disaster.

Mike holds a Bachelor’s Degree in Psychology from the University of Massachusetts at Amherst. He is married with three children and resides in Northern Virginia.
