The Federal Communications Commission must stop withholding records that may shed light on fraudulent comments submitted in the FCC's net neutrality repeal proceeding, a US District Court judge ruled last week.

The ruling came in a lawsuit filed in September 2017 by freelance journalist Jason Prechtel, who sued the FCC after it failed to provide documents in response to his Freedom of Information Act (FoIA) request. Prechtel sought data that would identify people who made bulk comment uploads; many of the uploads contained fraudulent comments submitted in other people's names without their knowledge.

Prechtel called the ruling "a huge victory for transparency over an issue that has gone unanswered by the FCC and its current leadership for too long."

Making the documents public will allow scrutiny of the FCC's process for taking comments on the net neutrality repeal, said the ruling written by Judge Christopher Cooper of US District Court for the District of Columbia.

"In addition to enabling scrutiny of how the Commission handled dubious comments during the rulemaking, disclosure would illuminate the Commission's forward-looking efforts to prevent fraud in future processes," Cooper wrote.

Disclosure "would clarify the extent to which the Commission succeeded—as it assured the American people it had—in managing a public-commenting process seemingly corrupted by dubious comments," Cooper also wrote.

While Cooper didn't give Prechtel everything he asked for, the judge's ruling ordered the FCC to turn over the email addresses that were used to submit .CSV files, which contained the bulk comments. Cooper also ordered the FCC to work with Prechtel on potentially releasing the .CSV files themselves—if the FCC can locate those files.

Cooper wrote:

Disclosure of the email addresses and .CSV files will enable interested observers to scrutinize that action (or its absence) by defining the scope of the problem. It may be the case, for example, that hundreds of comments were submitted in bulk .CSV files by plainly fake email addresses, or that the comments submitted through .CSV files were all above board and most problematic comments were submitted through other means. In either instance, Prechtel seeks information that sheds light on the suitability of the Commission's efforts to prevent future public-commenting fraud and abuse. It is surely in the public interest to further the oversight of agency action to protect the very means by which Americans make their voices heard in regulatory processes.

The FCC argued that revealing bulk submitters' email addresses would be an invasion of privacy. But during the net neutrality proceeding, the FCC warned bulk comment submitters that their email addresses and other information would be made public, "mitigating any expectation of privacy," Cooper wrote.

FCC may or may not still have files

It's not clear whether the FCC still has the .CSV files. "The Court therefore directs the parties to meet and confer regarding the release of the .CSV files, applying the analysis set forth in this opinion to the relevant facts. If a dispute remains, the Commission may file a renewed motion for summary judgment on this issue," Cooper wrote.

Prechtel says he expects to get both the email addresses and .CSV files.

"I am confident that the FCC has access to the .CSV files I have requested and I won't have any trouble receiving them," Prechtel told Ars. "I believe the Court has effectively ruled that the FCC must produce the bulk .CSV comment files, should they be unable to prove they can't produce them."

However, Cooper ruled against Prechtel's request for FCC server logs.

"The judge ruled against my request for logs from the FCC's servers that would provide further details about which specific email addresses posted which bulk .CSV comments to their system," Prechtel wrote in a Medium post yesterday. "Similarly, the judge ruled in favor of maintaining the FCC's redactions in a suspicious email thread the FCC provided to me weeks after I filed my lawsuit."

Those redactions affected emails written by former FCC CIO David Bray to CQ Roll Call, which sought the FCC tech department's help with submitting millions of comments on behalf of clients that have not been identified publicly. Cooper accepted the FCC's argument that it could redact the emails because of the "deliberative process" exemption in public records law.

The emails contain "internal deliberations among IT staff regarding how to respond" to an inquiry about comment submissions. "This is precisely what the deliberative process privilege is designed to protect: the agency staff's ability to have candid discussions and weigh options before making a final decision," the judge wrote.

Bray is the same former FCC official who falsely claimed that the comment system was hit by multiple DDoS attacks.

The judge also ruled against Prechtel's request for server logs detailing the dates and times that .CSV files were submitted. The FCC argued that the logs contain both non-sensitive information and sensitive information related to how the FCC protects the system from attacks and that separating the two is too difficult. Cooper accepted the FCC's explanation.

What happens next

When contacted by Ars, the FCC declined comment on the ruling and on whether it will appeal the ruling.

Prechtel said he doesn't know when he'll get the records but speculated that it could take months. He also said it's premature to talk about whether he'll appeal the parts of the ruling he lost, because the case isn't over.

"For now, the judge has declined to rule on the other bulk tool that is likely the biggest culprit for the mass FCC comment fraud—the Data.gov API (Application Programming Interface), which is maintained by a different federal agency, the General Services Administration (GSA)," Prechtel wrote.

After he receives all the public records he's able to obtain, Prechtel said he will analyze them and post them online.

"As you know, the whole point of this FOIA request-turned-lawsuit is to find out who exactly posted bulk comments to the FCC's public comment system and to see if any of the already confirmed fake comments can be linked to a particular bulk submitter's email address or API key registration info," Prechtel told Ars. "Whatever I ultimately win determines what kind of analysis I can do, but after I present my findings in whatever manner seems most appropriate, I will put the records online for others to conduct their own analysis."