Commentary
Hudson Institute

Ending the Hacker’s Paradise in Administrative Proceedings

Harold Furchtgott-Roth
Senior Fellow and Director, Center for the Economics of the Internet
Kirk Arner
Legal Fellow, Center for the Economics of the Internet

Imagine if 500,000 Russians, Richard Nixon, and Elvis Presley were able to successfully cast votes in an American election today.

While the King of Rock won’t be casting a ballot any time soon, those individuals appeared to have made their voices heard in the 2017 Restoring Internet Freedom proceeding at the Federal Communications Commission. 

This happened because of the lack of limits on who can comment on an agency’s proposed rules. To comment, you don’t need to be an American citizen. You can comment as often as you’d like, using your own name or even a computer-generated comment with a fictitious name. It’s a hacker’s paradise. 

Though none of this would be allowed in a U.S. election, it is all too often the norm in the creation of federal rules affecting American businesses and individuals.

These rules are written not by the traditional legislative process, but instead by an army of independent and executive agencies tasked with enacting broad, and often intentionally vague, legislative mandates via federal rulemakings.

The Administrative Procedure Act establishes the rules of the road for these rulemakings. An agency must give notice to the public that it proposes to write new rules; then, the public can comment on those proposals. The agency must then review the record before publishing an order detailing its final rules, along with the legal and policy rationales for enacting them.

No doubt, these “notice and comment” rulemakings are a far cry from the preferred style of lawmaking conducted by publicly-elected legislators held accountable by the voting public. 

This reality makes a recent Senate report detailing myriad abuses of various agencies’ online commenting systems all the more concerning. According to the report, “[m]ost federal agencies lack appropriate processes to address allegations that people have submitted comments under fraudulent identities.” Consequently, countless comments have been submitted under stolen identities, with no potential recourse for victims. Even more contain profane and threatening language, including threats against government officials.

Perhaps most amazingly, the FCC’s Electronic Comment Filing System allows individuals to post fully executable installation files as attachments to their comments—including malware. This means that your computer can become infected simply because you visit a federal government website.

The full range of these problems was illustrated by the FCC’s Restoring Internet Freedom proceeding. Leading up to the proceeding, pundits and politicians alike criticized the Commission for moving to repeal Obama-era Internet rules and urged the public to comment on the proceeding. Consequently, the record contains nearly 24 million comments—the most for any proceeding in the agency’s history.

Of these 24 million comments, 500,000 were linked to Russian email addresses. Nearly 8 million more came from email domains associated with FakeMailGenerator.com. According to the former New York Attorney General, two million were filed using a stolen identity. Hundreds of thousands contained various forms of profanity, as well as hundreds more with suicidal threats. More than one hundred comments were submitted by “Adolf Hitler,” “Richard Nixon,” “Ronald Reagan,” and “Elvis Presley.” Multiple commenters submitted the entire texts of War and Peace and Les Misérables.

According to the Pew Research Center, only 6% of all comments in the proceeding were unique. The other 94% were submitted multiple times—sometimes, hundreds of thousands of times. The seven most-prevalent comments were submitted more than 500,000 times each, comprising 38% of all submissions. On nine separate occasions, more than 75,000 comments were submitted at the same exact second. According to the Wall Street Journal, in a random sample of 2,757 comments, 72% of respondents surveyed claimed that they had not submitted comments that were in fact listed under their names.

Clearly, the way in which agencies collect and maintain comments is fundamentally broken. But there is a potential solution. And to discover it, we need merely look to the past.

Before the advent of electronic commenting, interested parties to federal rulemakings submitted comments via the postal system. The element of that system most relevant to our current predicament was friction. This friction served as a barrier to the types of fraudsters and other bad actors harming today’s rulemakings. By introducing a small fee for electronic public comments, perhaps the price of a postage stamp, we can reintroduce this friction.

A foundational element of American democracy is the ability of everyday Americans to have their voices heard. But because of today’s broken federal commenting system, the average American’s voice is silenced by malicious, fraudulent, and duplicative noise. It’s past time to end this hacker’s paradise. By charging a nominal fee to post comments, lawmakers can restore these voices while simultaneously avoiding the privacy and security concerns that would prove inevitable with alternative proposals.