The New York Times, The FCC and Net Neutrality

Why is the FCC claiming that releasing information that is already publicly available would jeopardize its system security?

Things are a little bit different in the Snow household. Take, for example, dinnertime conversation. Last week that was definitely the case after we found an article detailing a recently filed lawsuit by the New York Times against the Federal Communications Commission. This topic alone generated nearly an hour of discussion and examination as dinner wound down and we started clearing up.

What was so fascinating? To us, it was the responses of the FCC to the lawsuit in question.

Going Back To The Beginning

As the battle over the preservation of Net Neutrality raged, the ability for Americans to comment on their preferences on the issue became a hot button topic. In one famous example often known colloquially as the John Oliver Effect, the British comedian dedicated a long segment of his show to the issue of Net Neutrality and it’s importance. He implored his viewers to flood the FCC comment page with comments on the issue during the open comment period, and he definitely got his wish. He succeeded in making the technical and arcane issue so understandable to so many people, that users attempting to heed his advice and leave comments in support of Net Neutrality overwhelmed the capacity of the infrastructure supporting the comment feature and the website crashed.

When the vote on whether or not to repeal Net Neutrality regulations was held in 2017, the battle over comments on the issue was raging once again. It was discovered that millions of the comments on the website were fake and appeared to have been generated by bots. The existence of the fake comments muddied the waters around the issue, but there is one important thing to note: The most popular fake comment was in support of Net Neutrality rules, but the next six most popular comments were against Net Neutrality protections, according to an analysis by the Pew Research Center.

The Origins of the Lawsuit

In March 2018, FCC Commissioner Jessica Rosenworcel penned an opinion piece for The Washington Post which claimed that not only were Russians attempting to influence US Elections, they were also attempting to influence the Net Neutrality debate. She noted that internal investigations had identified half a million comments had been sent from Russian e-mail addresses.

Fast forward to July of this year. US Special Counsel Robert Mueller, who has been tasked with investigating Russian interference in the 2016 US Election, announces an indictment against 12 Russian Intelligence Officers for, among other things, hacking the servers of the Democratic National Committee.

That same month, Cybersecurity Research company GroupSense published a report which connected the dots: The Russian e-mail addresses identified by Mueller in his investigation were also involved in the Net Neutrality Fake Comment controversy.

The New York Times was already investigating the issue, and had submitted a Freedom of Information Act (FOIA) Request to the FCC to obtain information and comments relevant to the Net Neutrality debate. In particular, the Times appeared to be requesting an archive of the full comments, along with publically available technical information including the date/time stamp of the comments and the originating IP Address for comments submitted to the system during a specified time frame. The FCC denied the request. So the Times narrowed their request for information, which the FCC again denied. At least four times the paper re-submitted narrowed requests, which the FCC rejected on every occasion, although often with shifting reasons and rationales.

Thus, last week, the New York Times filed their lawsuit.

What’s So Fascinating?

The topic of conversation within the Snow household related to this issue was around one of the reasons the FCC gave for not releasing the information: Doing so would result in the release of sensitive security information about the comment system, and would put the entire system at risk.

Normally that reasoning would be enough to stop the debate. But if you look at what the New York Times was requesting, especially in the narrowed-down versions of the requests (when this same reason for rejection was still being used), it doesn’t pass the smell test. The reason?

All of the information the New York Times was requesting was publically available and does not have any security implications. 

As an example, take the third round request made by the New York Times. In this request, the New York Times was seeking:

The Comment – This was the text that was left by the user on the comment board. Though this was initially identified as a potential risk by the FCC because it may contain Personally Identifying Information (PII), the Times correctly pointed out that because it was a comment left on a public forum there is no expectation of privacy. Numerous court decisions, including People vs. Harris, have determined that if you post a tweet or comment publicly on the internet, you have no expectation of privacy. In addition, under FOIA requests, the FCC would have the right to redact any information in a comment it considered to be PII.

From a technical perspective, there is nothing in the text of the comment itself that should disclose any sensitive security infrastructure or methods of protecting the data.  

The Originating IP Address – For the uninitiated in the tech world, this is basically the address of your computer or device on the internet. This could tell you if a computer that was leaving the comment was connected to the internet in a foreign country, which could give you a hint on whether the commenter was an American Citizen. However, from a tech perspective this is not only not a threat to the security infrastructure of the FCC, it also likely wouldn’t be of much use.

Your IP Address is logged every time you visit any website on the internet. That is how your ISP and website track your surfing habits. Sites like Google and most of the Social Media Giants collect and sell this information to advertisers, which is how you suddenly are surrounded by ads for running shoes after you visit a page with an article profiling the best type of running shoes. Again, this information is publically available and is readily sold on a daily basis.

More to the point this information would probably not be very useful in this case. It is easy to spoof IP Addresses by using a Virtual Private Network (VPN) service, which changes your device’s IP Address so you look like you are somewhere else. It’s a fairly safe assumption that Russian Intelligence Officers would have taken the precautions to use a VPN before setting loose their bots on the FCC comment page, and even if the IP Addresses were identified as originating from a server that provides VPN services, it would be extraordinarily difficult to trace the original IP Address before it went through the VPN services.

The Date/Time Stamp – This is also publicly available information which would likely be posted right along with the comment that was left on the website. From a use perspective, it is helpful to identify bot-related activity. For example, if a chunk of thousands of comments all hit the system with a date/time stamp within a few seconds of each other, it’s highly likely it was bot generated.

From the technical side, this is also something that is publically collected and sold every time you cruise the web, so it’s not anything that has any security implications…other than indicating that a service’s security is woefully inadequate if the comments are found to be bot produced.

The User/Agent Header (User Name) – Also publically available right on the comment page, and of course also easily spoofed. The Pew Study indicated that one of the most common User Names for comments on this issue was “The Internet”, which is not particularly helpful. Attackers are unlikely to use their real names, and often use common names or even the names of dead people in order to log comments in an attack like this. Pew noted that several of the comments appeared to come from dead celebrities and even the names of children.

None of this information could compromise the security infrastructure or security methods of a comment system. We spent almost an hour trying to find ways that it could, and couldn’t come up with anything that would fit that justification. If by some chance it truly could, then the security of the FCC’s system is in serious trouble 24×7 because all of these pieces of information are publically available and could be used at any time.

Our suspicion is not necessarily that someone is trying to hide interference by the same Russian sources indicted by Mueller…at this point that is a given. We both wonder whether the data was scrubbed after the vote, either by accident, negligence or out of conspiracy to hide something. In this case, the data wouldn’t exist and couldn’t be provided, which would go a long way to explain the FCC protestations.

In either case, it will be fascinating to watch this lawsuit works it way through the courts.  Stick a pin in this one…I’m sure we will be back here again.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: