Lawfare Daily: DOJ’s Arun Rao on Consumer Protection, Elder Fraud, and Privacy

Justin Sherman, Arun G. Rao, Jen Patja
Wednesday, August 7, 2024, 8:00 AM
How is the Justice Department thinking about generative AI?

Published by The Lawfare Institute in Cooperation With Brookings

On today's episode, Lawfare Contributing Editor Justin Sherman speaks with Arun G. Rao, the Deputy Assistant Attorney General for the Civil Division's Consumer Protection Branch at the Department of Justice. 

They discuss DOJ’s consumer protection work, cyber crime and elder fraud, data privacy, and generative AI. You can find out more about Rao’s work at DOJ below: 

Please note that the transcript was auto-generated and may contain errors.

Transcript

[Introduction]

Arun Rao: As the scale of this fraud has grown, understanding and addressing the various and evolving types of fraud schemes in this area has become increasingly critical.

Justin Sherman: It's the Lawfare Podcast. I'm Justin Sherman, contributing editor at Lawfare, with Arun Rao, Deputy Assistant Attorney General for the Civil Division’s Consumer Protection Branch at the Department of Justice.

Arun Rao: Technological advances, whether in the form of robocalls, texts and emails, social media, all of these have allowed fraudsters to refine their schemes to target victims with a greater degree of precision and to increase their levels of sophistication.

Justin Sherman: Today we're talking about DOJ's consumer protection work, cybercrime and elder fraud, data privacy, and Gen AI.

[Main Podcast]

Why don't you start by telling us more about yourself? How did your career as an attorney begin?

Arun Rao: First of all, Justin, thank you so much for having me and for the opportunity to speak about the work of the Consumer Protection Branch, particularly with respect to fraud and some of the rapid technological changes we've seen.

In terms of my background, I graduated from NYU Law School in 2001, and NYU is actually where I got bitten by the prosecutorial bug in my third year of law school. I was a student in the prosecution clinic, which allowed me to handle a small caseload as a student ADA in the Manhattan DA's office. And that's really where I got the interest in prosecution. And so after a stint at a law firm and a federal clerkship, I joined the Manhattan DA's office, and from there went to the Department of Justice and have worked both as an assistant U.S. attorney, as well as now a deputy assistant attorney general for the Consumer Protection Branch.

Justin Sherman: You've been in your current position at the Consumer Protection Branch since 2021. Tell us more about what the Consumer Protection Branch does at DOJ and what case areas you focus on.

Arun Rao: It's a wonderful part of the Department of Justice. It brings together both criminal and civil cases impacting United States consumers.

We're based here in Washington, D.C., but we handle cases in federal courts across the United States. We have nearly 250 staff, and this includes federal agents, investigators, paralegals, and contractors, all of whom work alongside more than a hundred trial attorneys. We frequently partner with local counterparts at U.S. Attorney's offices around the country, and we also work closely with a number of different federal agencies, including the FDA, the FTC, the CPSC, the Department of Transportation, and multiple law enforcement partners.

Given the breadth of expertise that we have at our disposal, as a result of our work with these talented partners, we handle a broad and diverse enforcement portfolio, but with a focus on protecting consumers' health, safety, economic security, and privacy. Our work benefits all Americans. For example, we work with the DEA on combating the opioid epidemic. We work with the FDA on food, drug, and medical device safety, and the enforcement of laws related to tobacco products. We work with the FDA and the Postal Inspection Service on fighting scams and telemarketing fraud and deceptive business practices. And we work with the Consumer Product Safety Commission to prevent dangerous products from harming consumers.

Our criminal and civil efforts fall broadly into two categories. First, we take affirmative measures to protect consumers' health and safety. Those often target unlawful conduct relating to drugs, medical devices, food, tobacco, motor vehicles, airplanes, and consumer products. We also take affirmative measures to prevent and punish consumer fraud. This includes our work with respect to deceptive practices, data privacy violations, as well as our efforts to target schemes impacting seniors, immigrants, veterans, and other vulnerable populations.

We recognize that all of the things I've mentioned are very big problems and that these are not bad acts that are happening in isolation, and so what we try to do is target what we describe as an ecosystem of bad actors in the work that we do. And we recognize that there's not a one-size-fits-all approach here, and so we try to take advantage of the fact that we have dual criminal and civil authority to apply a multiple-tools approach against bad actors. This includes criminal prosecutions where appropriate, civil lawsuits, injunctions, other efforts that may not necessarily result in the filing of a federal case --- those are things like warning letters, or working with foreign law enforcement on disruption, or sometimes a combination of these tools.

Justin Sherman: We'll clearly have to drag either you or your colleagues back on quite a wide remit on a lot of important issues. Two of the focus areas --- practice areas, I guess is the exact term --- for the branch that I want to talk about today; one is complex consumer fraud, and the second is deceptive practices, telemarketing, and data privacy. So let's take those one at a time. What kind of work does DOJ pursue on complex consumer fraud, and can you talk to us more about what that term means?

Arun Rao: Yeah, I think I'll start by talking a little bit about what consumer, complex consumer fraud, the impact that it has on our society, and its tremendously significant and negative impact, first in terms of the financial consequences, those are often severe. We see cases where victims have been defrauded of their life savings, their retirement funds, assets that they had hoped to pass on to their families. These types of significant financial losses can unfortunately cause a drastic change in lifestyle. Sometimes it can affect people's ability to afford healthcare. It can cause increased dependency on other family members or on social services. And these also carry significant psychological and emotional effects. Victims of these types of consumer fraud often experience feelings of shame, embarrassment, guilt for having been deceived. And this emotional distress can lead to a decline in mental health, it can exacerbate conditions like depression and anxiety, and it also has significant societal implications in terms of eroding trust in legitimate businesses and services, particularly in the realm of technology and communication.

These types of scams also end up straining the legal system and the financial system as increasing resources are required to combat these types of fraudulent activities and support affected individuals. And as the scale of this fraud has grown, understanding and addressing the various and evolving types of fraud schemes in this area has become increasingly critical. Some of these include things like romance fraud, tech support scams, lottery fraud schemes, government imposter schemes, and so-called grandparent scams.

Justin Sherman: So that's a perfect segue because I want to talk also about the Elder Fraud Initiative at the Department of Justice that focuses specifically on prosecuting elder fraud crimes, and I'm imagining many of the things you just mentioned. So what is the Elder Fraud Initiative and are there specific categories or types of cases you typically pursue at DOJ as part of that effort?

Arun Rao: Yeah, so the Department's Elder Fraud Initiative takes what I would describe as a whole-of-government, multifaceted approach to the threat that's presented. We are trying to hold fraudsters to account for their targeting of this vulnerable population, but we're also committed to collaborating with and enhancing the efforts of state and local law enforcement to combat elder fraud and abuse. We look to return victims’ funds where possible, and we are also devoted to raising public awareness to empower older adults to avoid scams and frauds in the first place, which is why podcasts such as this, Justin, are so, so important.

All of the work that we do in this area is conducted in partnership with our law enforcement partners including, as I mentioned before, FBI, the Postal Inspection Service and others. And our work includes data review --- we try to identify the most harmful types of schemes and the most active perpetrators so that our efforts can be focused and impactful. We look to bring prosecutions of individual schemes and participants where possible. We work with the private sector to try to disrupt schemes and the infrastructure that enables them. And then we also work with foreign law enforcement partners around the world to investigate and halt frauds in progress.

In terms of the specific types of fraud schemes that we look at, we are focused on some of the schemes I described a moment ago: romance fraud, tech support scams, lottery fraud schemes, government imposter schemes, and so-called grandparent scams. I want to urge all of your listeners, particularly older Americans, to be on the lookout for potential scams, to pause before turning over personal information, and to report fraud and abuse whenever it occurs. The Department has a number of resources for individuals who may have been impacted by these types of crimes. I want to direct your listeners to the National Elder Fraud Hotline. That's 1-833-FRAUD11, or 1-833-372-8311. That's a tremendous resource, and it's a Department of Justice hotline. It provides personalized support to callers by assessing the needs of the victim and identifying the relevant next steps. There are case managers there who identify appropriate reporting agencies, provide information to callers to assist them in reporting, connect callers with the appropriate agencies and then provide other resources and referrals. And it's available both in English and Spanish, as well as a number of other languages.

Justin Sherman: Thank you for highlighting that. That's, as you said, something that is good to know and is not necessarily something everyone has heard about before. Continuing on the elder fraud point for a moment, DOJ's most recent elder fraud report, issued in 2023, highlighted a number of cases where the perpetrator was arrested --- the perpetrators were arrested --- and sentenced in the U.S. There was one case, for example, brought in the District of Maryland, where an individual had worked with others to target older adults on social media, had pretended to be government agents soliciting taxes and fees from those victims, and received eight years in federal prison.

At a high level, how much of the complex consumer fraud involves malicious actors in the U.S. versus operating overseas? And if you have matters that involve, say people based in a foreign country and they're using a social media platform or email to reach people in the U.S., how does DOJ approach those cases?

Arun Rao: Great question, Justin. Many of the fraud cases we pursue involve perpetrators located in foreign countries. If you look at some of the Consumer Protection Branch's press releases for the past week, for example, you will see a pretty broad cross section of our efforts. For example, in the last week alone, two Dominican defendants were extradited to the United States from the Dominican Republic for defrauding Americans in a massive grandparent scheme. We had a case in which a Peruvian national was extradited to the United States and then pleaded guilty to defrauding Spanish-speaking Americans. Another case involved a Canadian national who was arrested while visiting the United States and then pleaded guilty to stealing money from thousands of Americans’ bank accounts. As well as a Nigerian national who was just sentenced in connection with his involvement in an inheritance scam targeting Americans but perpetrated from Spain. So as you can see, there are a number of different global connections in the work that we do.

And in addition to extraditing perpetrators to the United States, we also work with foreign law enforcement to disrupt and prosecute abroad where we can. For example, again, just last week, the government of India, law enforcement authorities who have been coordinating with the Consumer Protection Branch and the Federal Bureau of Investigation, raided several Indian call centers involved in tech support fraud. In that case, victims were led to believe that their computers had been infected with viruses. The fraudsters told the victims that they needed to make payments to remove the virus or that they needed to move their money to what was purportedly going to be a safe location to avoid losing it. But the victims didn't realize that they would completely lose access to their savings after the money was moved to these purportedly safe accounts.

And so as this example, again, just from last week, illustrates, we're constantly working with law enforcement around the globe to stop these schemes from victimizing Americans. We're also working with technology companies to identify ways that they can prevent schemes from reaching American victims. I want to be clear though, none of these efforts on their own are going to be able to stop completely transnational scammers from victimizing Americans. But the goal of this multifaceted approach that we're taking is to try to achieve as much disruption as possible and to increase the cost of doing business for these scammers.

Justin Sherman: Related to both the overseas targeting piece and the technology element of this --- there's been a lot of research looking at how the internet is both a vector of choice, more and more, for criminals to scam and defraud elderly people. And it's also, in some of these studies, a more effective way of doing it. I'm recalling in 2020 and 2021, for instance, that the DOJ led cases into three different data brokers, Epsilon, Macromark, and KBM Group, for each knowingly selling data on vulnerable people, including in some cases people with Alzheimer's, to criminal scammers to facilitate a higher degree of targeting. What kinds of trends is DOJ seeing in the elder fraud space with respect to technology? And from your perspective, are there particular technological developments or criminal developments in the elder fraud space that really concerned you the most?

Arun Rao: So technological advances are enabling fraudsters to target victims in a much more sophisticated manner. As you pointed out, we've had a number of recent cases against data companies that provide useful examples here. These include matters in which fraudsters were able to get their hands on the contact information for hundreds of thousands of American seniors. These datasets are extremely valuable for fraudsters. And in some of the transnational investigations, including quite a few that I mentioned a moment ago, we have seen that perpetrators of these foreign fraud schemes frequently discuss the importance of data about potential victims as well as the lengths that they will go to obtain that data.

Another trend that we've noticed is generative AI and other emerging technologies. These potentially allow fraudsters to reach large numbers of victims with ever more convincing schemes. Technological advances, whether in the form of robocalls, text and emails, social media, all of these have allowed fraudsters to refine their schemes to target victims with a greater degree of precision and to increase their levels of sophistication.

I want to make clear, though, the Department appreciates that these technological advances can also serve as an asset in the fight against these fraud schemes. We are actively working to identify ways to use emerging technologies to help protect consumers, including sometimes using that technology to try to identify the most harmful schemes to investigate or, again, to disrupt these schemes once they're identified. As Deputy Attorney General Monaco explained in some recent remarks at the University of Oxford, the Justice Department is using AI to support its crime fighting efforts. For example, the DEA uses AI to classify and trace the geographic origins of opioids and other drugs that are being analyzed through DEA's heroin and cocaine signature programs.

The FBI has been using AI to triage and understand the more than one million tips the public submits to the FBI each year through the Threats Intake Processing System, or TIPS, and the Department has been using AI to synthesize huge volumes of evidence collected in some of our most significant cases. And so, we expect that as the field of data analytics increasingly relies on the use of AI technologies, that AI is going to become an increasingly important component of our work to combat a range of crimes, including fraud. The Department also is building out its own technologists and expertise in AI, led by a chief AI officer.

Justin Sherman: That's interesting. And I want to return towards the end to Gen AI from the risk standpoint, but appreciate the description of the ways it's being leveraged for investigations. As you said, that's another important part of the picture and an interesting set of policy questions as well. So we covered just now a lot of important work around complex consumer fraud and the legal and tech issues there. Let's turn now to that second practice area I mentioned, which is deceptive practices, telemarketing, and data privacy. So talk to us about your team's work in this area and does this overlap with the complex fraud? Is this a different kind of focus area? What does that Venn diagram look like?

Arun Rao: There's certainly overlap, Justin. The branch brings a wide range of cases against both companies and individuals who engage in unfair and deceptive practices, whether through use of the telephone or through online platforms and services. I'll start with the telephone, for example. The branch has handled several, what we call, spoofing cases in which unscrupulous individuals and companies use fake caller IDs to induce consumers to pick up the telephone. Only then, upon answering, they're subjected to unwanted robocalls or telemarketing pitches, some of which are quite malicious.

One I want to highlight is a matter earlier this year in which the branch secured a nearly $10 million civil penalty in a case against a defendant by the name of Scott Rhodes. Mr. Rhodes was a white nationalist. He was using spoofed caller IDs to call thousands of consumers all over the country. Those who were tricked into answering the phone and listening to these messages were subjected to offensive, inflammatory, racist speech that many of them found deeply upsetting. In that case, the court imposed an injunction as well as the civil penalty. The injunction is designed to prohibit any future violations of the Truth in Caller ID Act and the Telephone Consumer Protection Act.

In addition to the Rhodes matter, last month we settled a case with a company called Cerebral. Cerebral is an online provider of mental health services. And they paid $5 million in consumer redress and $2 million in civil penalties in connection with misleading consumers about the costs of enrolling in its online services and its prescription drug prices, and then making it difficult or impossible for consumers to cancel the service. I do want to spend a minute to talk a little more detail about the Cerebral matter, because I think it's an indication of how pervasive these types of issues are, particularly given the current prevalence of online services, including with respect to health.

Cerebral is a company that provides online mental health and related services on what's called a negative option basis. That means that consumers are automatically charged unless they cancel the services. And in this case, consumers who sign up and use the company's services provide detailed personal data. This includes not just home and email addresses and birthdays, but also medical and prescription history, payment account information as well as information about their treatment plan, their pharmacy and health insurance plan, and other personal data, sometimes including sexual orientation. And as the complaint in this case lays out, Cerebral violated its customers' privacy by revealing some of the most sensitive mental health conditions across the internet and in the mail. And to address this violation, we were able to obtain a first-of-its-kind prohibition that bans the company from using any health information for most advertising purposes.

This matter and others like it demonstrate that the Department is firmly committed to stopping companies and their executives from mishandling and misusing individuals' sensitive personal health information and from implementing predatory billing practices. Consumers who are going to these telehealth companies for treatment certainly expect that their sensitive health information is going to be handled with great care, that companies are going to abide by the representations they have made, rather than simply flouting those policies for the sake of profit, for the sake of growth. And this case again demonstrates the Department's commitment to making sure that these companies are following the law and that they aren't taking shortcuts on privacy or security or otherwise hindering patients from canceling services once they no longer need them.

Justin Sherman: The Federal Trade Commission is something else I want to bring into the picture here because the FTC also has its own authorities and powers related to deceptive business practices as well as protecting consumer privacy. The Cerebral case you mentioned is very interesting. I also saw in looking at that settlement announcement that was a case led along with the FTC.

Talk to us about how does DOJ work with the FTC on these issues? How do those authorities sit next to each other? What does that look like to a consumer who's worried about, say, their privacy?

Arun Rao: Yes, as you pointed out, the Cerebral matter was a matter that was worked with the FTC and the Department. The FTC Act authorizes the FTC to investigate and develop cases against entities and individuals, including Cerebral, for example, who engage in unfair and deceptive practices and then seek both injunctive relief and civil penalties in certain cases. Under the laws, the FTC must refer civil penalties cases to the Department of Justice, and the Department has discretion whether to accept the referral and bring the case. The FTC and the Department have a very strong relationship and work very closely together on these cases, which involve a wide range of unfair and deceptive practices.

Some of these cases recently have included lawsuits against companies and individuals that used social media to unlawfully collect and retain children's information, companies that deceived consumers about how their data is used and protected online, companies that may have engaged in unfair subscription and pricing practices that force consumers to continue paying for online services they no longer want, and companies that may have, as I mentioned before, engaged in telemarketing violations that subject consumers to unwanted telemarketing solicitations. So there is a great synergy between the FTC and the DOJ, and we very much appreciate our partners.

Justin Sherman: We've talked a fair amount already, and you've made some interesting points about technology quickly evolving, both how this has been happening for years and years with, as you said, telemarketing, robocalls, and now with Gen AI, but there are also interesting developments like with online targeting and telemarketing matters and whatnot.

I want to return to the Gen AI point you made earlier, which is that in addition to ways that regulatory agencies and others are potentially using tools for investigative purposes, there's also the potential and in some cases reality of criminals and other actors exploiting Gen AI to perpetuate scams and fraud. I'm wondering if you can talk to us about how do you see those risks evolving? And is that something you're already seeing happen a lot? Or is that more so we're concerned about it coming up, but it's a bit over the horizon at this point?

Arun Rao: It's a great question, Justin. The Department, and in particular the Consumer Protection Branch, has spent a lot of time thinking about the potential risks posed by large language models or generative AI as a species of AI in particular, given that these tools are becoming widely available via the internet to consumers. And what we're seeing is broad experimentation with these tools, which can be a great thing. But unfortunately, some of those who are experimenting with this technology are also bad actors.

There has been public reporting on the use of deepfakes in grandparent scams, in romance scams, and other types of fraud targeting consumers. And there's also been a fair bit of reporting on how criminals can use AI or large language models to very rapidly conduct transactions and move criminal proceeds, which is a particularly acute concern where cryptocurrency, for example, is involved. There has been public reporting about the creation of malicious versions of generative AI to help create phishing messages and malware or to develop very sophisticated fake content to further fraud schemes. We've also heard reports of this type of technology being used to convincingly impersonate trusted sources in correspondence or to generate simulated work product to advance a criminal scheme. Again, I want to emphasize as I did earlier, AI is an extremely useful product for businesses and government, but it does have risks, and these include algorithmic bias, loss of control of decision making, and I think the important thing to remember at this stage is that the use of AI does not excuse anybody from existing legal obligations.

As it's become a consumer product, we are seeing AI companies, large and small, release their product to be used sometimes for a small fee or no fee online. And any technology that lowers the bar to entry for criminal activity presents a potential concern. But we're not just focused on the bad actors who are using these tools. We're also looking to ensure that the entities that are making these tools and that are releasing them broadly are doing so with the appropriate controls.

Justin Sherman: Is there anything else you'd like to add for our listeners?

Arun Rao: The Department has many capable investigators and prosecutors with significant experience prosecuting the perpetrators of fraud schemes. And as these threats are increasingly global in nature, we have strengthened our partner relationships with foreign law enforcement partners. We have regularly engaged with the private sector to try to identify and disrupt these schemes, but it very much takes people like you and the Lawfare Podcast to help us inform the public and to warn those listening that there are financial predators both here in the United States and abroad using every tool, including new emerging technologies, to try to steal money from hardworking Americans. And so constant vigilance by law enforcement, by private industry, and by individuals themselves is critical. So, thanks again for the opportunity. I'm very grateful.

Justin Sherman: The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter through our website, lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters.

Please rate and review us wherever you get your podcasts. Look out for our other podcasts, including Rational Security, Chatter, Allies, and the Aftermath, our latest Lawfare Presents podcast series on the government's response to January 6th. Check out our written work at lawfaremedia.org. The podcast is edited by Jen Patja, and your audio engineer this episode was Cara Shillenn of Goat Rodeo. Our theme song is from Alibi Music. As always, thank you for listening.


Justin Sherman is a contributing editor at Lawfare. He is also the founder and CEO of Global Cyber Strategies, a Washington, DC-based research and advisory firm; a senior fellow at Duke University’s Sanford School of Public Policy, where he runs its research project on data brokerage; and a nonresident fellow at the Atlantic Council.
Arun G. Rao is the Deputy Assistant Attorney General for the Consumer Protection Branch in the Department of Justice.
Jen Patja is the editor and producer of the Lawfare Podcast and Rational Security. She currently serves as the Co-Executive Director of Virginia Civics, a nonprofit organization that empowers the next generation of leaders in Virginia by promoting constitutional literacy, critical thinking, and civic engagement. She is the former Deputy Director of the Robert H. Smith Center for the Constitution at James Madison's Montpelier and has been a freelance editor for over 20 years.
