Cyber
The Next Frontier

The Democratic operative behind an AI-generated robocall impersonating President Joe Biden that reached thousands of New Hampshire voters earlier this year said he is cooperating with state and federal authorities and that a lawsuit filed against him is without merit — even as he claimed not to have seen it.

In a phone call with CyberScoop on Monday, Steve Kramer said he was currently in Europe “getting political work done” and he had not seen the lawsuit, filed March 14 by the League of Women Voters. That lawsuit accuses Kramer, Texas political marketing firm Life Corporation and telecommunications carrier Lingo Telecom of engaging in illegal voter suppression under the Voting Rights Act and the Telephone Consumer Protection Act. It seeks damages of $500 for each robocall sent to voters in New Hampshire and other states that urged Democrats not to vote in the presidential primaries. 

“I’ve gotten nothing from them, I’ve not been served, I’ve never seen the lawsuit,” he said. 

Kramer repeatedly told CyberScoop that he was unaware of the contents of the lawsuit. However, he also expressed skepticism that the effort would succeed.

“They can go ahead and sue but I’ve got to tell you, they’re not going to get anywhere,” he said. “I know why I did it, I know when I did it, I know how I did it.”

He then questioned the basis under which the lawsuit was brought.

“I don’t even know what they can sue for,” he said. “How can the League of Women Voters sue me when I told Democrats not to vote in the Republican primary? They’re not even allowed to vote in the Republican primary.”

The Biden robocall discouraged Democrats from voting in the New Hampshire primary on Jan. 23, where the incumbent president was competing against primary challenger Rep. Dean Phillips, D-Minn. Kramer was a paid consultant for the Phillips campaign, NBC News reported, and his firm, Get Out The Vote, was paid approximately $269,000 by the Phillips campaign in 2023 and 2024 for ballot access and voter contact services. The Phillips campaign has denied any involvement in the creation of the robocall and said it has since severed ties with Kramer.

While the fake Biden call did not specifically call out the Democratic or Republican primary, it included the lines “we know the value of voting Democratic when our votes count” and “your vote makes a difference in November, not this Tuesday.” It also spoofed the phone number of a former state Democratic party official running a write-in campaign for Biden in the New Hampshire Democratic primary, giving recipients the impression that the call was coming from the president’s supporters.

Kramer said he was cooperating with the New Hampshire Department of Justice, the New Hampshire Attorney General’s office and the Federal Communications Commission “to not only satisfy a subpoena but in the future help them to prevent the kind of artificial intelligence that I’ve tried to prevent.”

He also defended his actions, arguing that the creation of the robocall led to substantial national exposure about the dangers of AI-generated deepfakes, spurred regulatory reforms by the FCC and state governments and pushed lawmakers to take the threat of election-related deepfakes more seriously. He reiterated claims made in previous interviews that the robocall cost $500 to produce and generated “$5 million of media exposure.”

“I can’t name any other campaign or any other event that’s happened for $500 that got the [same] type of regulation change, exposure about the issue as well as the ability for legislators to finally be able to talk about it in their state legislatures,” Kramer told CyberScoop.

James Boffetti, New Hampshire’s deputy attorney general, declined to confirm or deny Kramer’s claims, telling CyberScoop that it is department policy not to comment on active investigations.

A Feb. 6 news release from the state Attorney General’s office did provide substantial details on the ongoing investigation, including the alleged involvement of Life Corporation and Lingo Telecom in the scheme.

No charges have been filed thus far in that case, and Kramer was not mentioned or identified in the Feb. 6 release. Asked for an update on the progress of that investigation, Boffetti again declined comment.

Calls to the FCC for comment were not returned.

Kramer’s claims of ignorance about the lawsuit and its contents came as lawyers for the League of Women Voters submitted filings in New Hampshire district court last week that detailed numerous attempts to serve Kramer or his representatives.

According to a sworn statement submitted to the court on April 18, attorneys for the plaintiffs said they have made “diligent and extensive efforts” to serve Kramer and his legal representation with the lawsuit, including seven unsuccessful in-person attempts at listed work and home offices in New York, Louisiana and Florida.

A sworn statement submitted by Kathy Sullivan, the former New Hampshire Democratic official whose phone number was spoofed in the robocall, claims that Kramer called her on March 14 and accused her of being behind the lawsuit. Sullivan is not listed among the plaintiffs.

In that phone conversation, Sullivan said that Kramer told her that he used her name and phone number in the New Hampshire robocall because he thought she would “do the right thing” and alert the press. Sullivan claims Kramer stated that other campaigns had reached out asking him to do “bad things,” something she “understood to mean running similar deepfake and/or spoofed political robocalls that will threaten or deceive voters.”

Before CyberScoop could ask about the alleged call with Sullivan, Kramer hung up, saying he had to go and to check back with him after he returned to the United States on April 30 or May 1. Follow-up questions about the call sent to Kramer by email were not returned.  

Sullivan previously told CyberScoop that she believes Kramer’s claim that he orchestrated the robocall to raise awareness about deepfakes was not genuine and was an attempt to “cover his tracks” after his involvement became public following the Feb. 23 NBC News article.

The post Democratic operative behind Biden AI robocall says lawsuit won’t ‘get anywhere’ appeared first on CyberScoop.

The Biden administration should adopt less-strict standards about what triggers a proposed prohibition on data brokers selling bulk sensitive information to adversarial foreign entities, industry groups argued in public comments due last week.

Among their biggest suggestions is that any potential rules should make exceptions for anonymized data. Another is that they should raise the volume threshold for what counts as bulk information.

The groups’ comments, which were submitted by Friday under a Department of Justice deadline, broadly reflect their desire to scale back those potential rules directed by a February executive order.

“We recommend that the regulations do not treat data that is protected via anonymization, pseudonymization, de-identification, or encryption as sensitive personal data,” wrote the Interactive Advertising Bureau, which represents digital ad marketers. “Such data does not present the same level of threats to U.S. national security and foreign policy given that countries of concern would not be able to use this data to track and build profiles on specific U.S. individuals for the nefarious purposes described in the” DOJ rulemaking notice.

But a prominent expert on data brokerage said that treating anonymized or de-identified data differently could leave Americans dangerously exposed. “There is an ever-evolving body of computer science and statistics literature demonstrating the ways in which companies, governments, and other organizations can combine large datasets together or analyze datasets to link data points back to specific individuals,” wrote Justin Sherman, a senior fellow at Duke’s Sanford School of Public Policy, where he runs its data brokerage research project, and a nonresident fellow at the Atlantic Council’s Cyber Statecraft Initiative.

The executive order is part of a recent U.S. government trend toward taking action to prevent abuses by data brokers, which collect and sell massive amounts of sensitive information like geolocation data or health data. The efforts include two House–passed bills, a bipartisan House-Senate privacy measure that includes data broker provisions and proposed regulations from the Consumer Financial Protection Bureau.

At least eight of the industry organizations that supplied public comments during an advanced notice of proposed rulemaking — ranging from organizations representing CEOs to major tech companies to clinical researchers — said the Justice Department should make exceptions to the definition of sensitive personal data under the proposed rules.

“Likening such data with other sensitive personal data that is unprotected or unmasked fails to distinguish the significant harm reduction afforded to U.S. persons when their data is encrypted or rendered unintelligible through anonymization,” representatives of the Bank Policy Institute wrote.

While Sherman said that there are some ways to protect sensitive datasets, in some cases it simply isn’t feasible. “It is incredibly difficult if not sometimes virtually impossible to effectively ‘anonymize’ device-level geolocation data while still leaving the data in a form that companies find usable for their desired business purpose,” he wrote.

According to its public notice, the Justice Department is looking at establishing ranges of bulk dataset thresholds to which regulations apply based on the kind of data. For example, the low total for personal financial data would be 1,000 U.S. persons, with a high of 1 million.

Most industry groups favored the higher ranges, or a wholesale rethinking of those thresholds.

“Biopharmaceutical firms, from small- and medium-sized biotech companies to multinational biopharmaceutical companies, are likely to exceed the minimum bulk volume thresholds that are proposed in the rules in the normal course of their research and business operations and, thus, potentially risk engaging in prohibited bulk volume transfers of sensitive personal data of U.S. individuals,” the Biotechnology Innovation Organization wrote.

Said the U.S.-China Business Council: “At a minimum, we suggest that the DOJ substantially raise its thresholds until it has provided further guidance to industry.”

The Center for Democracy and Technology, however, argued for adopting the lower thresholds.

“The goal of this proceeding is to prevent as much information about US individuals from being sold to countries of concern,” it said. “To best achieve that goal, and to best protect people’s privacy generally, the bulk definition should be as low as reasonably possible.”

The issues of sensitive personal information anonymization and bulk threshold definitions attracted the most attention from commenters, but they weren’t the only kinds of feedback directed to the DOJ.

The Future of Privacy Forum, for instance, said that the definition of the kind of “persons” covered under the rules should exclude organizations like businesses or nonprofits, while adding in data related to “households,” like residential utility usage.

Sherman further contended that DOJ should use a wider definition of “personal health data” since, as proposed, it would exclude “numerous wearable device vendors, mobile apps, telehealth companies, social media platforms, advertising technology firms, and data brokers.”

Others suggested that the department develop a different method of identifying “countries of concern” to whom the prohibition applies, which as of now foresees that list as China, Russia, North Korea, Iran, Cuba and Venezuela. A group of industry organizations representing communications providers suggested tying the list to the Commerce Department’s list of foreign adversaries.

The Information Technology Industry Council, meanwhile, questioned the overall approach of the DOJ’s proposed rulemaking. It “sets out a multilayered regulatory regime that establishes and regulates multiple classes of prohibited transactions, restricted transactions, exemptions, categories of sensitive data with different bulk data thresholds, and licensing requirements,” the organization wrote. “There are important upfront questions about whether this proposed regulatory approach will be successful in addressing the articulated national security threat.”

The post Proposed data broker regulations draw industry pushback on anonymized data exceptions, bulk thresholds appeared first on CyberScoop.