In the wake of fraudulent comments, Regulations.gov revises API policy
On March 1, we received a disturbing tip from a reader: Regulations.gov, which is operated by the Environmental Protection Agency, quietly suspended all application programming interface (API) keys without any explanation nor timeline for their restoration.
If you’re not familiar with Regulations.gov, the site is meant to be the front door for public participation in the rulemaking process for federal agencies. It has been improved in recent years, with a redesign in 2012 and further improvement in 2013 that added an API, enabling watchdogs, journalists and other third parties make queries about those rulemakings, including Sunlight’s (now deprecated) DocketWrench project.
When we checked the developers page on March 1, we confirmed the API was offline.
Our tipster also noted an issue on the Regulations.gov Github repository by Edgar Shvaykovsky that strongly suggested that that the API had been disabled back on January 20, 2018.
Hello,
From Jan 20 I have started to receive HTTP 403 unauthorized responses to all my requests to regulations.gov API.
The response looks like:
{ "error": { "code": "API_KEY_UNAUTHORIZED", "message": "The api_key supplied is not authorized to access the given service. Contact us at https://www.regulations.gov/contactUs for assistance" } }
Today I’ve registered a new API key and got the same 403 responses. Is something broken?
I will appreciate your help with this situation.
On March 8, one week after we asked the EPA what was going on, the agency confirmed, with a request from the press officer at the Office of Media Relations to attribute the following statement to an “EPA spokesman.”
The eRulemaking program had temporarily instituted some restrictions on API access to prevent service degradation to all users of the eRulemaking system while it evaluated options for balancing data download requests with other uses of the system.
In the next few days, the program will institute a new process for managing API keys. The program will continue evaluating how to best support multiple uses of the system.
On March 9, we found that the developer page had been updated with new restrictions — one account per organization — and a new restriction on approval for keys.
The Regulations.gov API is taking action to conserve system resources. Beginning immediately, we will limit access to one account per organization, and require approval for enabling accounts. Please contact the Regulations.gov Help Desk, if you would like to request an API key. Please provide your name, email address, organization, and intended use of the API.
The good news is that the API is back, but the agency has not only unilaterally restricted how and when public information can be accessed through this public interface but decided that it now has discretion regarding who will receive a key based upon use.
What activity led the agency to take the system offline? The EPA’s response to us suggested that misuse was degrading the system. That’s credible: overloading the API with requests could overload it for everyone.
Another possibility, however, is that the unknown entities that have been filing fraudulent comments in federal rulemakings in the name of real people led to the new restrictions. This API doesn’t enable users to write to the site — to post comments – but the timing is curious.
Without the EPA being more forthright about what happened, we can’t know for sure, but the lack of communication and new policy is cause for concern.
More broadly, if fake and fraudulent comments become the norm for federal rulemakings online, it will poison the potential for the Internet and to give the distributed public a voice in government, wherever we are connected. Regulators, independent agencies and Congress can and should do better.