Independent researchers have discovered that not only were most of the comments submitted to the Federal Communications Commission public consultation on net neutrality generated by bulk-uploading bots, but one million were submitted using fake Pornhub email addresses.
Leah Figueroa, the lead engineer at data analytics firm Gravwell, presented the findings and methodology of her detailed investigation at the Shmoocon information security conference on Saturday in Washington, D.C.
Pulling the 22 million comments submitted to the FCC, the researchers aimed to separate organically submitted comments from those by automated bulk-uploading bots which showed signs of fraudulent data. The team did this by applying several filters to the comment batch.
“The first of the exploratory data analyses showed some anomalies in how comments were submitted,” Figueroa said, explaining that time stamp, text replication and “steady rate” of submission indicated bot activity.
In one case, the team noticed that batch submissions occurred across four days in July and happened at exactly midnight each time. The mass comment text replication also drew the attention of the researchers. One particular comment template was submitted one million times. In the end, it was discovered that only 17.4% of comments were unique.
“The all-caps addresses, indicating the emails were likely either generated by a program or pulled from a database, matched up with other hallmarks of bot-submitted comments about 99% of the time,” she continued.
Further analysis of the email addresses used also flagged bulk submissions. Figueroa’s team found that over one million of the comments submitted came from email addresses associated with the pornhub.com domain.
“As of July 2017, Pornhub had only 55 employees, which means either they sent all out over 18,000 submissions per person or there was something unusual going on,” she joked.
There were bulk submissions from other email addresses too. Over 1,000 comments came from the address [email protected], triggered after Last Week Tonight host John Oliver allowed public comment submissions on his website. Another 1,000 used the gmail address of an Indian software developer, found on GitHub, while 7,000 were submitted using example@example.com.
The problem as a whole was partly caused by the FCC’s flawed submission system, which does not require the verification of email address and thus opened the form to spam. The comments did not need to be taken into account at all by commissioners in making their decision on net neutrality, and the absence of this most basic security measure seemingly underlines the agency’s passive and dismissive approach to public consultation and opinion.
