Lawfare Daily: DOJ’s Arun Rao on Consumer Protection, Elder Fraud, and Privacy

Published by The Lawfare Institute
in Cooperation With
On today's episode, Lawfare Contributing Editor Justin Sherman speaks with Arun G. Rao, the Deputy Assistant Attorney General for the Civil Division's Consumer Protection Branch at the Department of Justice.
They discuss DOJ’s consumer protection work, cyber crime and elder fraud, data privacy, and generative AI. You can find out more about Rao’s work at DOJ below:
To receive ad-free podcasts, become a Lawfare Material Supporter at www.patreon.com/lawfare. You can also support Lawfare by making a one-time donation at https://
Click the button below to view a transcript of this podcast. Please note that the transcript was auto-generated and may contain errors.
Transcript
[Introduction]
Arun Rao: As this
scale of this fraud has grown, understanding and addressing the various and
evolving types of fraud schemes in this area has become increasingly critical.
Justin Sherman: It's
the Lawfare Podcast. I'm Justin Sherman, contributing editor at Lawfare,
with Arun Rao, Deputy Assistant Attorney General for the Civil Division’s
Consumer Protection Branch at the Department of Justice.
Arun Rao:
Technological advances, whether in the form of robocalls, texts and emails,
social media, all of these have allowed fraudsters to refine their schemes to
target victims with a greater degree of precision and to increase their levels
of sophistication.
Justin Sherman: Today
we're talking about DOJ's consumer protection work, cybercrime and elder fraud,
data privacy, and Gen AI.
[Main Podcast]
Why don't you start by telling us more about yourself? How did
your career as an attorney begin?
Arun Rao: First of
all, Justin, thank you so much for having me and for the opportunity to speak
about the work of the Consumer Protection Branch, particularly with respect to
fraud and some of the rapid technological changes we've seen.
In terms of my background, I graduated from NYU Law School in
2001, and NYU is actually where I got bitten by the prosecutorial bug in my
third year of law school. I was a student in the prosecution clinic, which
allowed me to handle a small caseload as a student ADA in the Manhattan DA's
office. And that's really where I got the interest in prosecution. And so after
a stint at a law firm and a federal clerkship, I joined the Manhattan DA's
office, and from there went to the Department of Justice and have worked both
as an assistant U.S. attorney, as well as now a deputy assistant attorney
general for the Consumer Protection Branch.
Justin Sherman:
You've been in your current position at the Consumer Protection Branch since
2021. Tell us more about what the Consumer Protection Branch does at DOJ and
what case areas you focus on.
Arun Rao: It's a
wonderful part of the Department of Justice. It brings together both criminal
and civil cases impacting United States consumers.
We're based here in Washington, D.C., but we handle cases in
federal courts across the United States. We have nearly 250 staff, and this
includes federal agents, investigators, paralegals, and contractors, all of
whom work alongside more than a hundred trial attorneys. We frequently partner
with local counterparts at U.S. Attorney's offices around the country, and we
also work closely with a number of different federal agencies, including the
FDA, the FTC, the CPSC, the Department of Transportation, and multiple law
enforcement partners.
Given the breadth of expertise that we have at our disposal, as
a result of our work with these talented partners, we handle a broad and
diverse enforcement portfolio, but with a focus on protecting consumers health,
safety, economic security, and privacy. Our work benefits all Americans. For
example, we work with the DEA on combating the opioid epidemic. We work with
the FDA on food, drug, and medical device safety, and the enforcement of laws
related to tobacco products. We work with the FDA and the Postal Inspection
Service on fighting scams and telemarketing fraud and deceptive business
practices. And we work with the Consumer Product Safety Commission to prevent
dangerous products from harming consumers.
Our criminal and civil efforts fall broadly into two
categories. First, we take affirmative measures to protect consumers health and
safety. Those often target unlawful conduct relating to drugs, medical devices,
food, tobacco, motor vehicles, airplanes, and consumer products. We also take
affirmative measures to prevent and punish consumer fraud. This includes our
work with respect to deceptive practices, data privacy violations, as well as
our efforts to target schemes impacting seniors, immigrants, veterans, and
other vulnerable populations.
We recognize that all of the things I've mentioned are very big
problems and that these are not bad acts that are happening in isolation, and
so what we try to do is target what we describe as an ecosystem of bad actors
in the work that we do. And we recognize that there's not a one size fits all
approach here, and so we try to take advantage of the fact that we have dual criminal
and civil authority to apply a multiple tools approach against bad actors. This
includes criminal prosecutions where appropriate, civil lawsuits, injunctions,
other efforts that may not necessarily result in the filing of a federal case
--- those are things like warning letters, or working with foreign law
enforcement on disruption, or sometimes a combination of these tools.
Justin Sherman: We'll
clearly have to drag either you or your colleagues back on quite a wide remit
on a lot of important issues. Two of the focus areas --- practice areas, I
guess is the exact term --- for the branch that I want to talk about today; one
is complex consumer fraud, and the second is deceptive practices,
telemarketing, and data privacy. So let's take those one at a time. What kind
of work does DOJ pursue on complex consumer fraud, and can you talk to us more
about what that term means?
Arun Rao: Yeah, I
think I'll start by talking a little bit about what consumer, complex consumer
fraud, the impact that it has on our society, and its tremendously significant
and negative impact, first in terms of the financial consequences, those are
often severe. We see cases where victims have been defrauded of their life
savings, their retirement funds, assets that they had hoped to pass on to their
families. These types of significant financial losses can unfortunately cause a
drastic change in lifestyle. Sometimes it can affect people's ability to afford
healthcare. It can cause increased dependency on other family members or on
social services. And these also carry significant psychological and emotional
effects. Victims of these types of consumer fraud often experience feelings of
shame, embarrassment, guilt for having been deceived. And this emotional
distress can lead to a decline in mental health, it can exacerbate conditions
like depression and anxiety, and it also has significant societal implications
in terms of eroding trust in legitimate businesses and services, particularly
in the realm of technology and communication.
These types of scams also end up straining the legal system and
the financial system as increasing resources are required to combat these types
of fraudulent activities and support affected individuals. And as this scale of
this fraud has grown, understanding and addressing the various and evolving
types of fraud schemes in this area has become increasingly critical. Some of
these include things like romance fraud, tech support scams, lottery fraud
schemes, government imposter schemes, and so-called grandparent scams.
Justin Sherman: So
that's a perfect segue because I want to talk also about the Elder Fraud
Initiative at the Department of Justice that focuses specifically on
prosecuting elder fraud crimes, and I'm imagining many of the things you just
mentioned. So what is the Elder Fraud Initiative and are there specific
categories or types of cases you typically pursue at DOJ as part of that
effort?
Arun Rao: Yeah, so
the Department's Elder Fraud Initiative takes what I would describe as a whole
of government multifaceted approach to the threat that's presented. We are
trying to hold fraudsters account for their targeting of this vulnerable
population, but we're also committed to collaborating with and enhancing the
efforts of state and local law enforcement to combat elder fraud and abuse. We
look to return victims’ funds where possible, and we are also devoted to
raising public awareness to empower older adults to avoid scams and frauds in
the first place, which is why podcasts such as this, Justin, are so, so
important.
All of the work that we do in this area is conducted in
partnership with our law enforcement partners including, as I mentioned before,
FBI, the Postal Inspection Service and others. And our work includes data
review --- we try to identify the most harmful types of schemes and the most
active perpetrators so that our efforts can be focused and impactful. We look
to bring prosecutions of individual schemes and participants where possible. We
work with the private sector to try to disrupt schemes and the infrastructure
that enables them. And then we also work with foreign law enforcement partners
around the world to investigate and halt frauds in progress.
In terms of the specific types of fraud schemes that we look
at, we are focused on some of the schemes I described a moment ago. Romance
fraud, tech support scams, lottery fraud schemes, government imposter schemes,
and so-called grandparent scams. I want to urge all of your listeners
particularly older Americans, to be on the lookout for potential scams, to
pause before turning over personal information, and to report fraud and abuse
whenever it occurs. The Department has a number of resources for individuals
who may have been impacted by these types of crimes. I want to direct your
listeners to the National Elder Fraud Hotline. That's 1-833-FRAUD11, or 1-833-372
8311. That's a tremendous resource, and it's a Department of Justice hotline.
It provides personalized support to callers by assessing the needs of the
victim and identifying the relevant next steps. There are case managers there
who identify appropriate reporting agencies, provide information to callers to
assist them in reporting, connect callers with the appropriate agencies and
then provide other resources and referrals. And it's available both in English
and Spanish, as well as a number of other languages.
Justin Sherman: Thank
you for highlighting that. That's, as you said, something that is good to know
and is not necessarily something everyone has heard about before. Continuing on
the elder fraud point for a moment, DOJ's most recent elder fraud report, issued
in 2023, highlighted a number of cases where the perpetrator was arrested ---
the perpetrators were arrested --- and sentenced in the U.S. There was one
case, for example, brought in the District of Maryland, where an individual had
worked with others to target older adults on social media, had pretended to be
government agents soliciting taxes and fees from those victims, and received
eight years in federal prison.
At a high level, how much of the complex consumer fraud
involves malicious actors in the U.S. versus operating overseas? And if you
have matters that involve, say people based in a foreign country and they're
using a social media platform or email to reach people in the U.S., how does
DOJ approach those cases?
Arun Rao: Great
question, Justin. Many of the fraud cases we pursue involve perpetrators
located in foreign countries. If you look at some of the Consumer Protection
Branch's press releases for the past week, for example, you will see a pretty
broad cross section of our efforts. For example, in the last week alone, two
Dominican defendants were extradited to the United States from the Dominican
Republic for defrauding Americans in a massive grandparent scheme. We had a
case in which a Peruvian national was extradited to the United States and then
pleaded guilty to defrauding Spanish-speaking Americans. Another case involved
a Canadian national who was arrested while visiting the United States and then
pleaded guilty to stealing money from thousands of Americans’ bank accounts. As
well as a Nigerian national who was just sentenced in connection with his
involvement in an inheritance scam targeting Americans but perpetrated from
Spain. So as you can see, there are a number of different global connections in
the work that we do.
And in addition to extraditing perpetrators to the United
States, we also work with foreign law enforcement to disrupt and prosecute
abroad where we can. For example, again, just last week, the government of
India, law enforcement authorities who have been coordinating with the Consumer
Protection Branch and the Federal Bureau of Investigation, raided several
Indian call centers involved in tech support fraud. In that case, victims were
led to believe that their computers had been infected with viruses. The
fraudsters told the victims that they needed to make payments to remove the
virus or that they needed to move their money to what was purportedly going to
be a safe location to avoid losing it. But the victims didn't realize that they
would completely lose access to their savings after the money was moved to
these purportedly safe accounts.
And so as this example, again, just from last week,
illustrates, we're constantly working with law enforcement around the globe to
stop these schemes from victimizing Americans. We're also working with
technology companies to identify ways that they can prevent schemes from
reaching American victims. I want to be clear though, none of these efforts on
their own are going to be able to stop completely transnational scammers from
victimizing Americans. But the goal of this multifaceted approach that we're
taking is to try to achieve as much disruption as possible and to increase the
cost of doing business for these scammers.
Justin Sherman:
Related to both the overseas targeting piece and the technology element of this
--- there's been a lot of research looking at how the internet is both a vector
of choice, more and more, for criminals to scan and defraud elderly people. And
it's also, in some of these studies, a more effective way of doing it. I'm
recalling in 2020 and 2021, for instance, that the DOJ led cases into three
different data brokers, Epsilon, Macromark, and KBM Group, for each knowingly
selling data on vulnerable people, including in some cases people with
Alzheimer's to criminal scammers to facilitate a higher degree of targeting.
What kinds of trends is DOJ seeing in the elder fraud space with respect to
technology? And from your perspective, are there particular technological
developments or criminal developments in the elder fraud space that really
concerned you the most?
Arun Rao: So
technological advances are enabling fraudsters to target victims in a much more
sophisticated manner. As you pointed out we've had a number of recent cases
against data companies that provide useful examples here. These include matters
in which fraudsters were able to get their hands on the contact information for
hundreds of thousands of American seniors. These datasets are extremely
valuable for fraudsters. And in some of the transnational investigations,
including quite a few that I mentioned a moment ago, we have seen that
perpetrators of these foreign fraud schemes frequently discuss the importance
of data about potential victims as well as the length that they will go to
obtain that data.
Another trend that we've noticed is generative AI and other
emerging technologies. These potentially allow fraudsters to reach large number
of victims with ever more convincing schemes. Technological advances, whether
in the form of robocalls, text and emails, social media, all of these have
allowed fraudsters to refine their schemes to target victims with a greater
degree of precision and to increase their levels of sophistication.
I want to make clear, though, the Department appreciates that
these technological advances can also serve as an asset in the fight against
these fraud schemes. We are actively working to identify ways to use emerging
technologies to help protect consumers, including sometimes using that technology
to try to identify the most harmful schemes to investigate or, again, to
disrupt these schemes once they're identified. As Deputy Attorney General
Monaco explained in some recent remarks at the University of Oxford, the
Justice Department is using AI to support its crime fighting efforts. For
example, the DEA uses AI to classify and trace the geographic origins of
opioids and other drugs that are being analyzed through DEA's heroin and
cocaine signature programs.
The FBI has been using AI to triage and understand the more
than one million tips the public submits to the FBI each year through the
Threats Intake Processing System, or TIPS, and the Department has been using AI
to synthesize huge volumes of evidence collected in some of our most
significant cases. And so, we expect that as the field of data analytics
increasingly relies on the use of AI technologies, that AI is going to become
an increasingly important component of our work to combat a range of crimes,
including fraud. The Department also is building out its own technologists and
expertise in AI, led by a chief AI officer.
Justin Sherman:
That's interesting. And I want to return towards the end to Gen AI from the
risk standpoint, but appreciate the description of the ways it's being
leveraged for investigations. As you said, that's another important part of the
picture and an interesting set of policy questions as well. So we covered just
now a lot of important work around complex consumer fraud and the legal and
tech issues there. Let's turn now to that second practice area I mentioned,
which is deceptive practices, telemarketing, and data privacy. So talk to us
about your team's work in this area and does this overlap with the complex
fraud? Is this a different kind of focus area? What does that Venn diagram look
like?
Arun Rao: There's
certainly overlap, Justin. The branch brings a wide range of cases against both
companies and individuals who engage in unfair and deceptive practices, whether
through use of the telephone or through online platforms and services. I'll
start with the telephone, for example. The branch has handled several, what we
call, spoofing cases in which unscrupulous individuals and companies use fake
caller IDs to induce consumers to pick up the telephone. Only then upon
answering, they're subjected to unwanted robocalls or telemarketing pitches
some of which are quite malicious.
One I want to highlight is a matter earlier this year in which
the branch secured a nearly $10 million civil penalty in a case against a
defendant by the name of Scott Rhodes. Mr. Rhodes was a white nationalist. He
was using spoofed caller IDs to call thousands of consumers all over the
country. Those who were tricked into answering the phone and listening to these
messages were subjected to offensive, inflammatory, racist speech that many of
them found deeply upsetting. In that case, the court imposed an injunction as
well as the civil penalty. The injunction is designed to prohibit any future
violations of the Truth in Caller ID Act and the Telephone Consumer Protection
Act.
In addition to the Rhodes matter, last month we settled a case
with a company called Cerebral. Cerebral is an online provider of mental health
services. And they paid $5 million in consumer redress and $2 million in civil
penalties in connection with misleading consumers about the costs of enrolling
in its online services and its prescription drug prices, and then making it
difficult or impossible for consumers to cancel the service. I do want to spend
a minute to talk a little more detail about the Cerebral matter, because I
think it's an indication of how pervasive these types of issues are,
particularly given the current prevalence of online services, including with
respect to health.
Cerebral is a company that provides online mental health and
related services on what's called a negative option basis. That means that
consumers are automatically charged unless they cancel the services. And in
this case, consumers who sign up and use the company services provide detailed
personal data. This includes not just home and email addresses and birthdays,
but also medical and prescription history, payment account information as well
as information about their treatment plan, their pharmacy and health insurance
plan, and other personal data, sometimes including sexual orientation. And as
the complaint in this case lays out, Cerebral violated its customers privacy by
revealing some of the most sensitive mental health conditions across the
internet and in the mail. And to address this violation, we were able to obtain
a first of its kind prohibition that bans the company from using any health
information for most advertising purposes.
This matter and others like it demonstrate that the Department
is firmly committed to stopping companies and their executives from mishandling
and misusing individual sensitive personal health information and from
implementing predatory billing practices. Consumers who are going to these
telehealth companies for treatment, certainly expect that their sensitive
health information is going to be handled with great care, that companies are
going to abide by the representations they have made, rather than simply
flouting those policies for the sake of profit, for the sake of growth. And
this case again demonstrates the Department's commitment to making sure that
these companies are following the law and that they aren't taking shortcuts on
privacy or security or otherwise hindering patients from canceling services
once they no longer need them.
Justin Sherman: The
Federal Trade Commission is something else I want to bring into the picture
here because the FTC also has its own authorities and powers related to
deceptive business practices as well as protecting consumer privacy. The Cerebral
case you mentioned is very interesting. I also saw in looking at that
settlement announcement that was a case led along with the FTC.
Talk to us about how does DOJ work with the FTC on these
issues? How do those authorities sit next to each other? What does that look
like to a consumer who's worried about, say, their privacy?
Arun Rao: Yes, as you
pointed out, the Cerebral matter was a matter that was worked with the FTC and
the Department. The FTC Act authorizes the FTC to investigate and develop cases
against entities and individuals, including Cerebral, for example, who engage
in unfair and deceptive practices and then seek both injunctive relief and
civil penalties in certain cases. Under the laws FTC must refer civil penalties
cases to the Department of Justice and the Department has discretion whether to
accept the referral and bring the case. The FTC and the Department have a very
strong relationship and work very closely together on these cases which involve
a wide range of unfair and deceptive practices.
Some of these cases recently have included lawsuits against
companies and individuals that used social media to unlawfully collect and
retain children's information, companies that deceived consumers about how their
data is used and protected online, companies that may have engaged in unfair
subscription and pricing practices that force consumers to continue paying for
online services they no longer want, and companies that may have, as I as
mentioned before, engaged in telemarketing violations that subject consumers to
unwanted telemarketing solicitations. So there is a great synergy between the
FTC and the DOJ, and we very much appreciate our partners.
Justin Sherman: We've
talked a fair amount already, and you've made some interesting points about
technology quickly evolving, both how this has been happening for years and
years with, as you said, telemarketing, robocalls, and now with Gen AI, but
there are also interesting developments like with online targeting and
telemarketing matters and whatnot.
I want to return to the Gen AI point you made earlier, which is
that in addition to ways that regulatory agencies and others are potentially
using tools for investigative purposes. There's also the potential and in some
cases reality of criminals and other actors exploiting Gen AI to perpetuate
scams and fraud. I'm wondering if you can talk to us about how do you see those
risks evolving? And is that something already seeing happen a lot? Or is that
more so we're concerned about it coming up, but it's a bit over the horizon at
this point.
Arun Rao: It's a
great question, Justin. The Department and in particular, the Consumer
Protection Branch has spent a lot of time thinking about the potential risks
posed by large language models or generative AI as a species of AI in
particular, given that it's these tools are becoming widely available via the
internet to consumers. And what we're seeing is broad experimentation with
these tools, which can be a great thing. But unfortunately, some of those who
are experimenting with this technology are also bad actors.
There has been public reporting on the use of deepfakes in
grandparent scams, in romance scams, and other types of fraud targeting
consumers. And there's also been a fair bit of reporting on how criminals can
use AI or large language models to very rapidly conduct transactions and move
criminal proceeds, which is a particularly acute concern where cryptocurrency,
for example, is involved. There has been public reporting about the creation of
malicious versions of generative AI to help create phishing messages and
malware or to develop very sophisticated fake content to further fraud schemes.
We've also heard reports of this type of technology being used to convincingly
impersonate trusted sources in correspondence or to generate simulated work
product to advance a criminal scheme. Again, I want to emphasize as I did
earlier, AI is an extremely useful product for businesses and government, but
it does have risks, and these include algorithmic bias, loss of control of
decision making, and I think the important thing to remember at this stage is
that the use of AI does not excuse anybody from existing legal obligations.
As it's become a consumer product, we are seeing AI companies,
large and small, release their product to be used sometimes for a small fee or
no fee online. And any technology that lowers the bar to entry for criminal
activity presents a potential concern. But we're not just focused on the bad
actors who are using these tools. We're also looking to ensure that the
entities that are making these tools and that are releasing them broadly are
doing so with the appropriate controls.
Justin Sherman: Is
there anything else you'd like to add for our listeners?
Arun Rao: The Department
has many capable investigators and prosecutors with significant experience
prosecuting the perpetrators of fraud schemes. And as these threats are
increasingly global in nature, we have strengthened our partner relationships
with foreign law enforcement partners. We have regularly engaged with the
private sector to try to identify and disrupt these schemes, but it very much
takes people like you and the Lawfare Podcast to help us inform the
public and to warn those listening that there are financial predators both here
in the United States and abroad using every tool, including new emerging
technologies, to try to steal money from hardworking Americans. And so constant
vigilance by law enforcement, by private industry, and by individuals
themselves is critical. So, thanks again for the opportunity. I'm very
grateful.
Justin Sherman: The Lawfare
Podcast is produced in cooperation with the Brookings Institution. You can
get ad free versions of this and other Lawfare podcasts by becoming a Lawfare
material supporter through our website, lawfaremedia.org/support. You'll also
get access to special events and other content available only to our
supporters.
Please rate and review us wherever you get your podcasts. Look
out for our other podcasts, including Rational Security, Chatter,
Allies, and the Aftermath, our latest Lawfare Presents
podcast series on the government's response to January 6th. Check out our
written work at lawfaremedia.org. The podcast is edited by Jen Patja, and your
audio engineer this episode was Cara Shillenn of Goat Rodeo. Our theme song is
from Alibi Music. As always, thank you for listening.