Introduction
Thank you for the opportunity to comment on this important proposal. I am the Head of AI Policy at the Abundance Institute, a mission-driven nonprofit dedicated to creating the policy and cultural environment where emerging technologies can develop and thrive in order to perpetually expand widespread human prosperity.
The FTC has an important role in protecting consumers from fraud. Impersonation fraud is a problematic source of significant financial loss. I support FTC enforcement to stop such fraudsters and make consumers whole again. Adopting rules can help the agency do this work – but they must be the right rules. Congress and the Constitution set limits on what the FTC may do, even in pursuit of noble purposes. I am concerned that the Supplemental Notice of Proposed Rulemaking (SNPRM) steps beyond those limits. In particular:
The proposed individual impersonation rule lacks the Congressionally required specificity, and indeed sweeps in a wide swath of the FTC’s fraud work.
Even were its breadth statutorily authorized, the proposed individual impersonation rule requires its own new section 18 rulemaking; it cannot be done through a “supplemental” rulemaking. This is particularly true because FTC leadership has characterized the SNPRM as a new tool to regulate AI - a goal never before mentioned in this proceeding.
The FTC has offered no evidence that violating Section 5 by providing the means and instrumentalities (M&I) for impersonation is a “prevalent” practice, as it must do to adopt a rule.
The proposed M&I rule leaves out one of the two key elements of Section 5 M&I liability, and thus the rule does not describe a Section 5 violation and cannot and should not be adopted.
This issue was raised in the record regarding the previously proposed M&I rule, and yet was not even discussed in the SNPRM. The agency must address it.
Both the Preliminary Legal Analysis and the Initial Regulatory Flexibility Analysis in the SNPRM evaluate the M&I rule’s effects under the mistaken presumption that it imposes the same liability as traditional Section 5 M&I liability. This presumption is false and thus their conclusions are suspect.
The Commission could mitigate these legal and process flaws by declining to adopt an individual impersonation rule, building a record supporting the need for a M&I of impersonation rule, and then fully incorporating the Shell Oil elements of Section 5 M&I liability into such a rule.
The Surprise Effect of the Proposed Rule on Artificial Intelligence Services and Products
The Commission Gave Little Notice that the SNPRM would Propose to Regulate AI Providers
This proceeding began on December 21, 2021, nearly a year before ChatGPT’s launch in November 2022. The FTC proceeded through an Advanced Notice of Proposed Rulemaking (ANPR), a Notice of Proposed Rulemaking (NPRM), an Initial Notice of Informal hearing, and the informal hearing.
“Artificial intelligence” or “AI” was not mentioned once in any of these documents or proceedings. To the best of my knowledge after searching the Federal Register record, neither of these terms was mentioned by any commenter in these proceedings.
It is surprising, then, that the press release for the SNPRM is titled FTC Proposed New Protections to Combat AI Impersonation of Individuals. In that release Chair Khan claims that “[f]raudsters are using AI tools to impersonate individuals with eerie precision and at a much wider scale” and that “voice cloning and other AI-driven scams [are] on the rise.” The press release further explains that “The Commission is also seeking comment on whether the revised rule should declare it unlawful for a firm, such as an AI platform that creates images, video, or text, to provide goods or services that they know or have reason to know is being used to harm consumers through impersonation.” The voting Commissioners also issued a joint statement which repeats the claim of generative AI technologies “turbocharging scammers’ ability to defraud the public.”
However, the press release and the FTC Commissioners’ focus on AI is not reflected in the SNPRM. The SNPRM’s only mention of AI is in footnote 98. The body of the document does not mention AI or ask any questions about artificial intelligence, voice cloning, deepfakes, or related tools.
The Proposed Amendments Would Make Generative AI Providers and Developers Liable When Users Abuse AI
Despite this lack of notice in the official SNPRM, a wide range of AI providers could face civil penalties of tens of millions of dollars under the proposed means and instrumentalities rule despite never having violated the FTC Act. The proposed rule would prohibit AI providers from providing services “with knowledge or reason to know” that those services will be used to deceptively pose as government or business entities or individuals. Interpreting “with knowledge or reason to know” would be left to the agency on a case-by-case basis. On one reading, mere awareness by a developer that people have used similar AI systems to deceptively impersonate others could subject the developer to a $51,544 fine per instance of actual user malfeasance.
Such fines could far outstrip the actual fraudulent impact even though the developer or AI platform did nothing themselves to deceive others. As discussed in detail below, this unjust outcome is a direct result of the proposed rule improperly capturing the legal standard for means and instrumentalities liability.
This malformed rule would potentially apply to integrated AI-services like OpenAI, cloud computing AI providers like AWS, or even to individual open source model developers like the thousands of individual AI programmers that share models on Github or Hugging Face. It would raise the risks of deploying new AI service and could motivate significant surveillance and vetting of users and chill investment.
Yet it is not clear that this is the intended effect of the rule. As noted below, the text of the SNPRM properly quotes the M&I standard from the case law. Furthermore, the Commissioner’s joint statement on the SNPRM offers an example of an AI company subject to the rule that does properly meet the M&I standard:
“Under this approach, liability would apply, for example, to a developer who knew or should have known that their AI software tool designed to generate deepfakes of IRS officials would be used by scammers to deceive people about whether they paid their taxes.” (emphasis added)
This hypothetical situation includes the “known or should have known” element but also includes a deceptive act on behalf of the AI developer: the creation of a tool designed to generate deepfakes of IRS officials. This fits the established M&I standard.
However, the rule as drafted would apply far beyond the above situation. It would also apply, for example, to a developer who did nothing deceptive but who knew or should have known that their AI software tool designed to generate generic artificial personas (or text or images) was being used by scammers to deceive people about whether they paid their taxes.
This M&I rule would be particularly problematic for developers of open source or open weights AI models. Such developers have very little practical control over how others use their models once they are released.
The SNPRM Fails to Follow Congress’s Established Procedures for FTC Rulemaking
The FTC has authority to establish “rules which define with specificity acts or practices which are unfair or deceptive acts or practices in or affecting commerce.” The FTC may issue a notice of proposed rulemaking to establish such rules “only where it has reason to believe that the unfair or deceptive acts or practices which are the subject of the proposed rulemaking are prevalent.” The FTC may determine that unfair or deceptive acts or practices are prevalent “only if it has issued cease and desist orders regarding such acts or practices,” or if it has information indicating “a widespread pattern of unfair or deceptive acts or practices.”
Proposed changes to the impersonation rule do not meet this standard. In particular, the definition of “individual” is so broad that the prohibition on impersonating individuals would sweep in a vague but wide variety of fraudulent activity.
In addition, the SNPRM offers no evidence that would provide a reason for the Commission to believe that there is a “widespread pattern” of businesses illegally providing “means and instrumentalities” for impersonation.
The Proposed Rule Amendments Do Not Define Unfair or Deceptive Acts or Practices “With Specificity”
The proposed rule would cover a wide, amorphous range of fraud. The language of the proposed rule prohibits, among other things, “materially and falsely pos[ing], directly or by implication” as an individual, “whether real or fictitious.” The SNPRM argues that this amended rule would allow the agency to pursue romance and relationship-based scams.
But the text of the rule covers conduct far broader than romance and family scams. The rule would cover a wide swath of the FTC’s fraud portfolio. In particular, the inclusion of “fictitious” persons in the definition of “individual,” paired with “by implication” in proposed rule 461.4, creates an impermissibly broad and non-specific rule.
What does it mean to “materially and falsely pose… by implication” as a fictitious person? It must mean something different than posing under an assumed name, which would be directly posing as a fictitious person. A straightforward reading is that it covers individuals who adopt a fake persona or role, such as an “plumber” or “tech support” or “recruiter” or “honest businessman.” Yet nearly all fraud under the FTC’s jurisdiction involves a perpetrator adopting a false persona of some kind. For example, scammers making unsubstantiated health or weight-loss claims for supplements pose – often directly, but always by implication – as health experts. Similarly, investment scam and business opportunity scam perpetrators pose as trusted and experienced investors or businesspersons.
In the broadest sense, all fraudsters pose as trustworthy persons of some kind. It is difficult to identify a fraud case brought by the FTC that could not be reframed as a form of impersonation under the proposed rule. As a result, the proposed rule would appear to, in one fell swoop, create a regulatory prohibition on a wide swath of fraudulent acts or practices.
Undoubtedly the FTC would like to mitigate its post-AMG monetary relief restrictions in a single rulemaking. But this sweeping corrective is not within the FTC’s authority. Congress limited the Commission’s rulemaking authority to rules that “define with specificity acts or practices.” A rule that applies to such a wide range of fraudulent behavior lacks such specificity.
The breadth of the proposed rule modification, even were it authorized, is certainly not appropriate for a supplemental notice of proposed rulemaking. This is not a continuation of the previous rulemaking, which covered a relatively narrow set of practices. This “supplement” would swallow the existing rule and would apply to a wide range of conduct.
The Record Offers No Evidence of a “Widespread Pattern” of Businesses Illegally Providing M&I for Impersonation
As noted above, the Commission may engage in rulemaking “only where it has reason to believe that the unfair or deceptive acts or practices which are the subject of the proposed rulemaking are prevalent,” with prevalence being demonstrated through past FTC cease and desist orders, or through other information demonstrating a widespread pattern of the behavior.
Neither the NPRM nor the SNPRM point to any FTC cease and desist orders regarding companies that have violated Section 5 by providing the means and instrumentalities for impersonation. The ANPRM cites exactly one case of a business providing the means and instrumentalities for impersonation while providing dozens of cases for impersonation of companies and government. The SNPRM does not cite record or other evidence that illegally providing the means and instrumentalities for impersonation is a prevalent business practice.
The NPRM and SNPRM does cite several commenters who use the term “means and instrumentalities” when referring to services and products used by impersonators. For example, the NPRM describes how the National Association of Attorneys General’s comment refers to “marketing companies, call centers, attorneys, third-party mailing services, payment processors, lead list providers, remote offices . . . [d]ating websites, and social media ....” as providers of means and instrumentalities. Apple’s comment claims that gray markets where products bought using stolen gift cards are resold are “means and instrumentalities.” Microsoft refers to payment processors and affiliate marketing services.
None of these fact patterns demonstrate means and instrumentalities violations of Section 5, properly understood. As noted elsewhere in this comment, direct Section 5 liability under means and instrumentalities requires that the service or product provider themselves create and pass on a deceptive product or service. Payment processors, for example, that accurately transfer funds, or dating websites that enable users to post or send messages, or product markets where people sell goods to each other – without more specifically alleged behaviors, these businesses are not directly liable for deceptive behavior of their users. Even if such providers knew or should have known of deceptive behavior by their users (and the record does not demonstrate that acting with this level of knowledge is a prevalent business practice), these practices cannot support a claim that means and instrumentalities violations are prevalent and thus deserving of a rule.
Several NPRM commenters reference the Telemarketing Sales Rule as a template for liability for such services. However, as the NPRM and SNPRM note, the TSR authorizes assisting-and-facilitating, a form of indirect liability, which the Commission cannot impose here. All fact patterns in the record that fall under an assisting-and-facilitating theory do not support a means and instrumentalities rule.
Given the lack of evidence that there is a prevalent business practice of providing, in violation of Section 5, the means and instrumentalities for impersonation, the FTC cannot adopt the M&I rule.
The Proposed M&I Rule Fails to Describe a Section 5 Violation
The initial NPRM proposed a rule intended to impose liability for means and instrumentalities. After significant feedback in comments and at the informal hearing, the Commission declined to finalize that proposed rule, but proposed a modified means and instrumentalities rule in the SNPRM.
The proposed means and instrumentalities rule should again be rejected. The proposed rule does not describe a Section 5 violation and in fact would impose a form of indirect liability that the FTC is not authorized to impose.
The Proposed Rule Deviates Substantially from Settled Section 5 Law
The proposed M&I rule reads in part as follows:
§ 461.5 Means and Instrumentalities: Provision of Goods or Services for Unlawful Impersonation Prohibited. It is a violation of this part, and an unfair or deceptive act or practice to provide goods or services with knowledge or reason to know that those goods or services will be used to: (a) materially and falsely pose as, directly or by implication, a government entity or officer thereof, a business or officer thereof, or an individual, in or affecting commerce as commerce is defined in the Federal Trade Commission Act …
The SNPRM claims that this proposed rule merely codifies the existing standard for M&I. It argues that “the standard ‘know or have reason to know,’ … reflects current law.” Likewise, the Initial Regulatory Flexibility Analysis argues that “[b]ecause … section 5 similarly makes unlawful providing the means and instrumentalities for a violation of section 5 of the Act, the SNPRM would not change the state of the law in terms of what is legal and what is illegal.” But the final rule leaves out a key element of the Section 5 standard for means and instrumentalities liability.
This is surprising, given that the text of the SNPRM states the correct legal standard, quoting the foundational Shell Oil Company case:
[A] long line of case law describes a form of direct liability for a party who, despite not having direct contact with the injured consumers, “passes on a false or misleading representation with knowledge or reason to expect that consumers may possibly be deceived as a result.” (emphasis added)
Shell Oil thus sets out two prongs of means and instrumentalities liability. First, the party passes on a false or misleading representation. Second, the party has knowledge or reason to expect that consumers may possibly be deceived as a result. Indeed, in the above-quoted passage from Shell Oil, the FTC calls this two-prong standard “well settled law.”
M&I liability is direct liability because the party itself conveys a deception, even though they do not convey it to the final customer. Shell Oil further reinforces the importance of the “passing on” element, where the FTC concludes that “the means and instrumentalities doctrine is intended to apply in cases … where the originator of the unlawful material is not in privity with consumers.”
Again, knowledge of misuse is not by itself sufficient: the materials supplied must also themselves be false or misleading. For example, consider a case where the FTC sued a company for distributing prints with forged signatures:
“[I]n FTC v. Magui Publishers, Inc., the court found the defendant directly liable for providing the means and instrumentalities to violate Section 5 when it sold Salvador Dali prints with forged signatures to retail customers, who then sold the prints to consumers.”
The forged paintings were themselves deceptive, and were passed on with the knowledge that they would be used to deceive customers, triggering direct liability under M&I.
The NPRM offers another example that fits the proper M&I standard:
“An example of a violation of proposed § 461.4’s prohibition on providing the means and instrumentalities for impersonation is a person who fabricates official-looking Internal Revenue Service (IRS) Special Agent identification badges for sale.”
By contrast, an art supply company that sells paint and canvas to a forger is not directly liable for deceptively providing M&I even if the art supplier has “knowledge or reason to know” that the painter forges artwork. Same for a manufacturer of generic badge-making machines, even if the manufacturer knows or should know that a purchaser intends to forge official badges. And likewise for “an AI platform that creates images, video, or text, to provide goods or services that they know or have reason to know is being used to harm consumers through impersonation.” Absent passing along of a deceptive claim or counterfeit item, these practices do not trigger means and instrumentality liability.
As a result, despite the SNPRM’s claims, the proposed rule does not “reflect[] current law.” The SNPRM’s proposed rule includes the knowledge element but lacks any requirement that the product or service itself be deceptive. By not including this element, the proposed rule would impose indirect liability for knowingly assisting another’s deceptive act. “[T]he Commission cannot do so” for reasons stated clearly in the SNPRM:
“Some commenters suggested that the Commission impose liability on a broader set of actors, namely those who assist and facilitate violations. The Telemarketing Sales Rule (‘TSR’) does so, but the Commission cannot do so here. The TSR provides express statutory authorization for assisting-and-facilitating liability, a form of indirect liability. Sections 5 and 18 of the FTC Act contain no such express authorization.”
Continuing to Ignore the Gap Between the Proposed Rule and the “Well Settled Law” would be Arbitrary and Capricious
This comment is not the first to raise this concern over incorrectly capturing the legal standard in the rule. In both its initial comments to the NPRM and its statement during the hearing, NCTA—the internet and Television Association raises this exact issue, urging that any means and instrumentalities “liability requires both providing deceptive means and instrumentalities, e.g., providing false or misleading claims or counterfeit items, and actual knowledge that the deceptive representations or goods will be used to commit impersonation violations.” The American Bar Association Section of Intellectual Property Law suggested that the Commission could “explicitly include the language … from Shell Oil Co.” Furthermore, in my own oral statement at the informal hearing, I argued that the “FTC must clearly articulate the proper scope of the rule, potentially by putting the standard for means and instrumentalities in the rule itself.”
The SNPRM acknowledges but simply does not respond to these arguments. The SNPRM correctly summarizes NCTA’s position and oversimplifies my position as requesting “a knowledge requirement for liability.” And while it properly states the “well settled” standard for M&I liability, the SNPRM fails to offer any explanation for why the proposed rule deviates from that standard. Adopting the proposed M&I rule without addressing this key substantive issue would be arbitrary and capricious, and the Commission should not do it.
Request to Present at an Informal Hearing
I request the opportunity to make an oral submission at an informal hearing. My interest in the proceeding is as the Head of AI Policy at a non-profit policy organization focused on creating a policy environment where new technologies can develop, thrive, and deliver widespread benefits. This rulemaking could affect the development and deployment of generative artificial intelligence in particular.
An informal hearing is warranted for three reasons. First, there was a lack of effective notice to the artificial intelligence sector that this “supplemental” rulemaking could potentially create tens of millions of dollars in liability. Second, the SNPRM glossed over a significant and repeatedly raised legal issue that a hearing could help resolve. Finally, the disputed factual issue below must be resolved. At the hearing I expect to present an oral statement consistent with this comment.
I also propose to add the following disputed issues of material fact for resolution during the hearing:
The record contains reports of business practices described as “means and instrumentalities” violations. But none of the reports identify even a single incident (let alone a “prevalent” practice) of a party “pass[ing] on a false or misleading representation” as is necessary to meet the first prong of the two-prong test for M&I violations of Section 5.
Conclusion
For the reasons above, the FTC should not adopt the proposed rules in their current state. Instead, the FTC should mitigate the legal and process flaws detailed above by 1) declining to adopt an individual impersonation rule; 2) building a record supporting the need for a M&I of impersonation rule; and, 3) if such a record supports the adoption of a M&I rule adopting a rule that fully incorporates both Shell Oil elements of Section 5 M&I liability.
_______________________________________
Impersonation SNPRM, R207000
Regulations.gov Docket No. FTC-2023-0030
Submitted: April 30, 2024
The Abundance Institute is a mission-driven non-profit dedicated to creating the policy and cultural environment where emerging technologies can develop and thrive in order to perpetually expand widespread human prosperity. This comment is designed to assist the agency as it explores these issues. The views expressed in this comment are those of the author(s) and do not necessarily reflect the views of the Abundance Institute.