FTC Targets AI and Potentially More in Impersonation-Fraud Rulemaking
On February 15, 2024, the Federal Trade Commission (FTC) issued a Supplemental Notice of Proposed Rulemaking (SNPRM) that proposes to hold liable entities that provide “goods or services” used by fraudsters to illegally impersonate business or government entities or officers. If approved, liability would attach to entities have “knowledge or reason to know that those goods or services will be used to” commit impersonation fraud. Although the SNPRM does not explain the full scope of this proposal, Chair Lina Khan issued a statement, joined by the other two Commissioners, explaining that the SNPRM would apply to the developer of an “AI software tool” and other “upstream actors” that meet the “knowledge or reason to know” standard. Such statements suggest a potentially broad sweep of the newly proposed rule, going significantly beyond the agency’s newly adopted Impersonation Rule, which targets the imposters themselves.
Below we discuss the context for the FTC’s Impersonation Rule, the potential implications of the broader SNPRM, and opportunities for stakeholders to weigh in with the FTC.
FTC Issues Trade Regulation Rule on Impersonation Fraud
The FTC issued its SNPRM in tandem with a final Trade Regulation Rule on Impersonation of Government and Business (“Impersonation Rule”). The final Impersonation Rule follows a lengthy regulatory process and declares it unfair and deceptive to “materially and falsely pose as” a “government entity or officer thereof” or a “business or officer thereof” – a prohibition that attracted significant commenter support. By codifying this prohibition as a Trade Regulation Rule, the FTC may now obtain civil penalties against impersonation fraudsters under Section 19(b) of the FTC Act.
In promulgating the final Impersonation Rule, the FTC declined to impose a broader form of liability that would reach third parties other than the actual imposter. Specifically, the FTC originally proposed in its Notice of Proposed Rulemaking (NPRM) that the rule would make it “unlawful to provide the means and instrumentalities for” impersonation fraud. As the FTC explained, the quintessential violation under this “means and instrumentalities” approach would be “a person who fabricates official-looking Internal Revenue Service (IRS) Special Agent identification badges for sale.” But some commenters pushed back on the potential breadth of this approach, and in response, the FTC decided not to adopt it and instead issued an SNPRM to separately address this issue.
FTC Simultaneously Issues an SNPRM on Means-and-Instrumentalities Liability
The FTC’s SNPRM proposes, among other things,[1] a new provision under the heading of a “means-and-instrumentalities” prohibition – but with different language than what was originally proposed in the NPRM. Under the new proposal, the FTC would declare it unfair and deceptive “to provide goods or services with knowledge or reason to know that those goods or services will be used to" commit impersonation fraud. The SNPRM suggests that this new formulation is narrower because it includes a “knowledge component.”
However, this proposal could also be read broadly – and the FTC is signaling that it may do so. For one, the new formulation generally references “goods or services” that are used to commit fraud, not just “means and instrumentalities.” The Commissioners’ statement likewise says the provision would apply to “AI software tools” and “upstream actors” who the FTC considers “best positioned to halt unlawful use of their tools.” Read broadly, the proposal might not go after only makers of fake IRS badges but also makers of neutral tools that could be used to “generate deepfakes of IRS officials.”
To be sure, the SNPRM also suggests that its new formulation is subject to the “long line of case law” on means-and-instrumentalities liability. These cases have often focused on bad actors and parties that produce deceptive materials, like false retail-price lists. But the potentially broad scope of “goods and services” and the focus on AI services and “upstream actors” suggest that the FTC may be pursuing a broader reading.
There Is Still Time to Participate in the Rulemaking
Commenters will have 60 days to comment on the SNPRM after it is published in the Federal Register. The SNPRM asks, among other questions, whether the FTC should adopt its new “goods and services” provision. It also asks whether the standard is “ambiguous” and how it could be improved.
* * *
Wiley’s Telecom, Media & Technology and Artificial Intelligence attorneys are deep in the weeds of rulemaking at the FTC and elsewhere. Reach out to any of the authors on this alert for more information.
[1]The SNPRM also proposes to broaden the Final Rule to prohibit impersonating individuals (in addition to the newly codified prohibition on impersonating governments and businesses).