Remember the millions of fake net neutrality comments? They weren't as kosher as the FCC made out

Data was pulled from 2016 credentials hack

Comment: One of the key arguments behind the Federal Communications Commission's decision to repeal net neutrality was the number of supportive emails it had received for its proposals. But an investigation has shown that a huge number of these were faked by lobbyists.

What's more, the company responsible – LCX Digital – used a dataset stolen by hackers to flood the public comment period, and has continued to use the same dataset for a number of other public comment periods in both local and federal legislation processes.

That's the upshot of an investigation by BuzzFeed, published today, which analyzed and tracked the phoney comments back to industry lobbying group Broadband for America.

According to the report, Broadband for America hired two companies – Media Bridge, based in Virginia, and LCX Digital, based in California – to file comments from American citizens into the FCC's controversial public comment period, held in 2017.

Millions of those comments were identical or subtly changed in order to appear different, but they were all sent seemingly from different people, using real citizens' details. Far from it being a campaign in which people were encouraged to send the same message, however, people's identities were simply stolen and used to send messages of support they had never seen.

Countless individuals – including members of Congress – have since said they never sent the response. Some of the people listed were actually dead at the time they supposedly weighed in on the matter.

Blocked call

Despite the New York Attorney General's office announcing an investigation into the misuse of his state's citizens' identities, the federal regulator that solicited and received the fake comments, the FCC, has persistently refused to look into the issue, and has even blocked others' efforts.

Regardless, BuzzFeed was able to track the identities that were used to an October 2016 hack of cloud data storage and database hosting company Modern Business Solutions (MBS), based in Austin, Texas. Its MongoDB database, holding the details of 58 million users, was hacked and subsequently posted online.

LCX Digital used a bulk upload feature on the FCC website – which has been criticized as unnecessary and an open invitation to post fake comments – to throw in 1.9 million comments, and 94 per cent of the identities they used matched the hacked identities in the MBS data breach.

LCX denied the connection between its filed comments and the hacked database, claiming that every one of the comments had been made by real people. It failed, however, to say how it gathered those responses, or explain how dead people were able to access a system that doesn't appear to exist to send their comments, or explain why people listed as supporting the abolition of net neutrality rules have since said publicly that they did not send the comment and actually believe the opposite.

LCX's denials ring even hollower when you consider another fact that BuzzFeed was able to dig out: the same people commented all over again a year later on a completely different topic.

What a coincidence!

That topic was an effort by the FCC to force cable companies to open up their set-top boxes to third parties – something that results in an annual $20bn consumer rip-off – and was vehemently opposed by the industry. The comment period was flooded by seemingly real people. And LCX again mass-posted comments. An amazing 99.9 per cent of those comments, however, purported to come from the same people that had posted in the net neutrality comment period.

A review of LCX Digital reveals that its CEO, John Hilinski, is a persistent liar. He claims to have co-founded AltaVista but BuzzFeed tracked down the early search engine's real co-founder who said he had never heard of him. Likewise Hilinski's claim to have toured with the band Jane's Addiction: the band's manager had also never heard of him. And Hilinski's claim to have an MBA from the University of Southern California? Also bullshit.

BuzzFeed also dug out a deposition from a lawsuit that one of Hilinski's co-founders of LCX lodged against the company in which he said, under oath, that the company was "completely fraudulent" and stated that the company was misusing personal information that it had purchased, pretending that those people had provided their information to the company when inquiring about its services.

This use of real people's identities to post fake comments stretches beyond just the FCC, however: the same issues have popped up in Texas on school issues and in South Carolina over an energy deal.

In each case, the names and addresses of real people living in that state have been used to express the same view as the industries that hired LCX and MediaBridge to run campaigns. Except they were all fake: those people never posted the comments.

Instead, it seems a mini-industry has grown up that uses stolen data to flood public comment periods – and industry lobbyists, which appear to have close ties with right-wing pressure groups, are paying for that service.

Blind eye

Aside from the fact that this activity is illegal and the companies behind it have, so far, managed to escape scrutiny or prosecution, there is the flipside of this coin in which state and federal bodies are allowing comments to be uploaded in bulk with no restrictions or checks.

While it is not possible to be 100 per cent sure that a comment is real if it is sent through the internet – you can always fake email addresses and names – it is very easy to make the posting of thousands, or millions, of comments much, much harder and more time-consuming.

The age-old method of requiring someone to verify their email address before accepting a comment is the most obvious one. Ending bulk uploading of comments is another. IP address detection and running periodic checks against verified addresses is another. These are not new or novel solutions – they are in place in hundreds of thousands of businesses and can be introduced using off-the-shelf software.
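
As an added illustration (not code from the FCC, BuzzFeed or this article), here is a minimal Python sketch of two of the controls named above: a comment is held as pending until an expiring, HMAC-signed token sent to the stated email address comes back, and submissions are throttled per source IP. The class name, secret, limits and sample addresses are all assumptions constructed for the example.

```python
import hashlib, hmac, itertools, time
from collections import defaultdict, deque

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
TOKEN_TTL = 3600                  # assumed lifetime of a confirmation link, in seconds
MAX_PER_IP, WINDOW = 3, 600       # assumed limit: 3 submissions per IP per 10 minutes

class CommentIntake:
    def __init__(self):
        self.pending = {}                # comment_id -> (email, text), not yet counted
        self.accepted = {}               # comment_id -> (email, text), counted
        self.by_ip = defaultdict(deque)  # ip -> timestamps of recent submissions
        self._ids = itertools.count(1)

    def _sign(self, comment_id, email, expires):
        # Bind the token to one comment, one address and one expiry time.
        msg = f"{comment_id}|{email.lower()}|{expires}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

    def submit(self, ip, email, text, now=None):
        """Hold a comment as pending; return (id, token) to e-mail out, or None if throttled."""
        now = time.time() if now is None else now
        recent = self.by_ip[ip]
        while recent and now - recent[0] > WINDOW:
            recent.popleft()             # forget submissions outside the window
        if len(recent) >= MAX_PER_IP:
            return None
        recent.append(now)
        comment_id = next(self._ids)
        self.pending[comment_id] = (email, text)
        expires = int(now) + TOKEN_TTL
        return comment_id, f"{expires}.{self._sign(comment_id, email, expires)}"

    def confirm(self, comment_id, token, now=None):
        """Accept a pending comment only if the e-mailed token is authentic and unexpired."""
        now = time.time() if now is None else now
        entry = self.pending.get(comment_id)
        expires, _, sig = token.partition(".")
        if entry is None or not expires.isdecimal() or now > int(expires):
            return False
        expected = self._sign(comment_id, entry[0], int(expires))
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return False
        self.accepted[comment_id] = self.pending.pop(comment_id)  # token is single use
        return True
```

Only entries in `accepted` would be counted; a filer who controls none of the mailboxes it names never gets a comment past `pending`.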

Why doesn't an organization like the FCC already have such systems in place? The answer is as depressing as the question. It's because the millions of fake comments gave the current FCC majority sufficient leeway to pretend that feelings on its proposal were heavily split and so enable it to move forward.

In reality, an extensive review of comments sent to the 2017 net neutrality comment period that were not fake or sent through an automated service showed that 98.5 per cent were opposed to the change.

Everybody knows that lobbyists are paying third parties to fudge and break systems that are supposed to give the public a chance to weigh in on important matters. But it has just become a little bit harder for them – and the bodies seeking comment – to pretend otherwise. ®
