FOIA Inquiry on FCC DDoS Attacks Comes up Empty

Trump Administration gadfly American Oversight is circulating a collection of 1,300 pages of email it obtained from the FCC through a FOIA request. The emails, related to FCC comment system meltdowns, fail to disclose any new information.

Mainstream media passed on reporting the probe, but some trollish tech blogs took the bait. Gizmodo claimed: “FCC Emails Show Agency Spread Lies to Bolster Dubious DDoS Attack Claims” and Techdirt echoed: “E-Mails Show FCC Made Up DDOS Attack To Downplay The ‘John Oliver Effect'”. But these claims are false.

The emails simply show the FCC doing the same kind of public relations around a big issue that it always does. There are no emails about any coverup or any fake news. The entire claim about about dubious (or “made up”) DDoS attacks comes from comments by former Tom Wheeler operative (and Public Knowledge founder) Gigi Sohn to a blogger.

She Said, He Said; But He’s Right

Sohn says she didn’t understand why FCC officials thought there was a DDoS issue behind the comment system’s meltdowns:

“We didn’t want to say [there was a DDoS attack in 2014] because [former FCC CIO David Bray] had no hard proof that it was a DDoS attack. Just like the second time.”

Bray had plenty of evidence that something was amiss with the meltdowns, as he has explained in a Medium post, “On People and Service in Turbulent Environments”. As is frequently the case when technicians are scrambling to prevent a catastrophic system failure, the people involved didn’t document everything they saw and did in real time; they were too busy fixing the problem.

The lack of documentation provided an opening for the various gadflies (none of them technical, of course) to exploit.

Failure of Due Diligence at Gizmodo

Gizmodo failed to discuss the issue with David Bray, the former FCC CIO hired by Tom Wheeler who was on the job during both Oliver events. Its writer, Dell Cameron, claims he reached out to Bray, but Bray denies it:

Apparently today (05 June) a Gizmodo reporter wrote an article that claimed claims of a denial of service at FCC back in May 2017 were untrue — I found out about this not because the reporter had contacted me, rather a friend let me know. At the time of writing this the reporter has not contacted me for a comment before he wrote the story, which is disappointing.

Techdirt doesn’t even claim to have reached out, presumably because that would look too much like journalism. Their claims are downright false; the email trove doesn’t provide any evidence at all that there was not a DDoS attack.

An Ambiguous Story

The hard evidence of an attack is provided by Bray in his Medium post:

When the events of 08 May happened, my quick analysis of the ratio of 35,000 API requests per minute we were receiving per minute, relative to the number of 90,000 comments being filed in the first half of the day, indicated that ratio to be extraordinarily high and lopsided (the Team also relayed that the API requests were continuing to increase, so we were seeing at least 2 million API requests per hour around the middle of the day — yet not a similar number of comments being received). Separate from actual people wanting to comment, I was concerned we were also being spammed by something automated. If this continued, it might deny system resources from actual people wanting to comment on the high-profile issue.

This isn’t normal, but there are a couple of possible explanations: the extraordinarily high number of API requests could have been caused by a deliberate attack, or they could have been caused by incompetent activists delivering comments they collected from legitimate people through some very, very bad code.

The motives of the attacker[s] are important to the overall narrative, but they’re not really discernible at the technical level. So people like Sohn can demand “hard proof” of intent in full confidence that it can never be delivered.

The Cynical FOIA Ploy

FOIA has been weaponized by activists working on a number of issues. It’s especially prevalent in the food and agriculture debate. US Right to Know – an advocacy group founded by former Naderite Gary Ruskin and funded by the organic food industry – has used it to silence academics who research and advocate for biotech.

USRTK collected a pile of emails from a professor at the University of Florida and fed them to New York Times reporter Eric Lipton who turned them into a front page story. The story was so bad the scientist sued the Times for libel.

The FOIA ploy plays on the desire of reporters for attention in an era when they don’t have time to do careful research. So an advocacy group delivering thousands of pages of documents with highlighted passages that can be spun to support a conspiracy narrative has a fast path to the front page.

This Story is a Flop

Sensational headlines with no real work behind them are often irresistible. But not this time: except for bottom-feeding blogs, there has been no coverage of this alleged revelation.

Bray did have good reason to believe mischief was afoot in the two incidents of comment system collapse at the FCC occasioned by John Oliver’s rants. Somebody misused features of the comment system’s API that were added at Sohn’s request.

This API abuse caused a lot of system activity – data base locks – that sapped servers of CPU cycles. This slowed the system to a crawl and caused some comments to be rejected.

But it’s doubtful that either incident influenced the voting at the FCC. The voters on this issue are the five commissioners, not the television viewers, the activists, and the bots who submitted mindless comments.

The commissioners were more persuaded by their own reasoning than by John Oliver’s theatrics. And that’s as it should be.