Federal law regulates the process for agencies conducting public comment periods on proposed policy changes, but agencies have less definite guidance on how to deal with the identity of those submitting comments, according to a Government Accountability Office report released July 26.

“The [Administrative Procedure Act] requires agencies to allow any interested party to comment on [Notices of Proposed Rulemaking]. The APA does not require the disclosure of identifying information from an interested party that submits a comment. Agencies therefore have no obligation under the APA to verify the identity of such parties during the rulemaking process,” the report said.

“With the discretion afforded by the APA, selected agencies’ treatment of commenters’ identity information varies, particularly when posting duplicate comments (identical or near-identical comment text but varied identity information). Generally, officials told GAO that their agencies (1) post all comments within the comment system; or (2) maintain some comments outside of the system, such as in email file archives. However, within these broad categories, posting practices vary considerably — even within the same agency — and identity information is inconsistently presented on public websites.”

(Government Accountability Office)
(Government Accountability Office)

By law, agencies must either make use of the governmentwide comment system, regulations.gov, or maintain their own system for receiving and processing public comments electronically.

GAO investigated the public comment policies and practices of eight agencies using the governmentwide system and two relying on their own systems: the Bureau of Land Management; the Centers for Medicare and Medicaid Services; the Consumer Financial Protection Bureau; the Employee Benefits Security Administration; the Environmental Protection Agency; the Fish and Wildlife Service; the Securities and Exchange Commission; the Wage and Hour Division; the Federal Communications Commission; and the Food and Drug Administration.

Public comment policy came under particular scrutiny after the Federal Communications Commission received millions of comments on their proposed policy on net neutrality, when reports alleged that some people were submitting the same comment multiple times under different aliases.

The EPA has also come under fire for opting to change policy without offering a public comment period.

Commenters are, in general, only required to include the content of their comment, but some agencies require more identifying information for a person to submit their thoughts. The Wage and Hour Division and the FCC, for example, require both a person’s name and address, while others only require one or neither.

But required information does not guarantee that the commenter is not submitting multiples of the same comment or using another person’s information on the form without their permission.

“Regardless of the fields required by the comment form, the selected agencies all accept anonymous comments in practice. Specifically, in the comment forms on regulations.gov, [the FCC’s Electronic Comment Filing System] and SEC’s website, a commenter can submit a comment under the name ‘Anonymous Anonymous,’ enter a single letter in each required field, or provide a fabricated address,” the report said.

“In each of these scenarios, as long as a character or characters are entered into the required fields, the comment will be accepted. Further, because the APA does not require agencies to authenticate submitted identity information, neither regulations.gov nor the agency-specific comment websites contain mechanisms to check the validity of identity information that commenters submit through comment forms.”

The Department of Justice and Office of Management and Budget recently proposed including a disclosure statement in public comment forms, requiring the person submitting to verify that they are not using someone else’s identity, but that proposal would still allow for anonymous comments and has not yet been approved.

And while the comment sites collect information such as country of origin, browser type and the timestamp of a commenter’s visit, that information is not tied to individual comments to validate identity or determine whether one person is submitting multiple forms from one location.

GAO made recommendations to eight agencies, calling for the creation, update or finalization of public comment identity policies. The agencies generally agreed with these recommendations.