The Government Accountability Office released a review of online government commenting systems, which shows rampant use of stolen identities by those posting comments on proposed government regulations that are on federal websites.
Public comments are used by regulators when making final decisions that have the force of law. Agencies such as the Environmental Protection Agency, Bureau of Land Management, and Fish and Wildlife Service are three such agencies that make rules that get many comments and that apply to Alaska.
The entire report, at this federal link, shows the difficulty in using online commenting systems for the basis of public policy.
The report reveals there has been no recourse for those who have had their identities stolen to post comments, and that more than 100,000 comments contained profanity and threats of violence. Other comments were designed to flood the systems, such as those containing entire movie scripts or the text of Leo Tolstoy’s War and Peace, according to Sen. Rob Portman, who called for the review.
The main way people submit comments is through online commenting systems—either Regulations.gov or websites hosted by specific agencies, like the Federal Communications Commission’s Electronic Comment Filing System.
Through an exhaustive survey of 10 agencies, the GAO discovered up to 30 percent of commenters who provided email addresses said they did not submit the comment associated with their identities. Commenters can enter any identity information when submitting a comment, whether it is theirs, someone else’s, or fabricated, the report said.
In recent years, some of the rule-making proposed by agencies have received an exceedingly large number of comments.
“For example, during the public comment period for an Environmental Protection Agency (EPA) 2014 rulemaking on greenhouse gas emissions, the agency reported that it received more than 4 million total comments,” the report said.
Up to 25 percent of those surveyed about their received comments on EPA regulations said they had either not commented or were unsure if they had commented. Those surveyed were people who had given email addresses, an indication that EPA was receiving a significant number of comments from stolen identities that came from data breaches.
“In May 2021, the New York State Attorney General reported that one entity submitted comments to FCC using data that had been stolen in a data breach and posted online, related to approximately 1.4 million people,” the report added.
“We surveyed people whose email addresses were attached to public comments on proposed rules from 10 federal agencies. From 5% to 30% of the people (depending on the agency) said they did not make the comment. At 8 agencies, most of the comments did not have email addresses,” according to the GAO.
“Agencies aren’t required to collect information on or verify commenters’ identities. While almost all of the agencies we reviewed share comment data online, they didn’t always make limitations like this clear when they described the public comment data,” the GAO said.
The findings illustrate the need for ongoing efforts to ensure the validity of comments and commenter identities, said Portman. According to the GAO, agencies who participated in the survey are at least trying to let users know the limitations of the ability to determine the veracity of the comments.