November 4, 2009 11:30 AM PST

Congress may require ISPs to block fraud sites

by Declan McCullagh

For the last decade or so, Internet service providers have been dealing with requests to block access to pornographic or copyright-infringing Web sites, or in China, ones that dare to criticize the government.

Now a U.S. House of Representatives bill is taking the unusual step of requiring Internet providers to block access to online financial scams that fraudulently invoke the Securities Investor Protection Corporation--or face fines and federal court injunctions.

The House Financial Services Committee approved the legislation on Wednesday by a 41 to 28 vote.

If you've never heard of the SIPC, you're not alone. It's a government-linked entity that aids investors when funds are missing from their accounts, up to a limit of $500,000 for stocks, bonds, and mutual funds. Only investor accounts that investors have opened with members of the SIPC--here's a list--qualify for its protection.

It turns out that occasionally, Internet fraudsters, scamsters, and other assorted malcontents have posed as legitimate brokerage firms that are SIPC members, often with a similar name or domain name. The scam may be a too-good-to-be-true offer to buy securities that asks the unwitting customer to pay fees in advance, or schemes involving fraudulent checks that eventually bounce.

That seems to be in part what prompted Rep. Paul Kanjorski, a Pennsylvania Democrat and chairman of a key subcommittee, to introduce the Investor Protection Act a few weeks ago. Section 508 of that bill says:

Any Internet service provider that, on or through a system or network controlled or operated by the Internet service provider, transmits, routes, provides connections for, or stores any material containing any misrepresentation (of the SIPC) shall be liable for any damages caused thereby, including damages suffered by the SIPC, if the Internet service provider...is aware of facts or circumstances from which it is apparent that the material contains a misrepresentation.

That section isn't mentioned in Kanjorski's press release dated October 1, which is why Internet providers were a bit taken aback when they found out about it a few days ago. The Internet Commerce Coalition sent a letter to Kanjorski before Wednesday's vote raising concerns with the bill, but the industry isn't terribly optimistic.

One potential problem with Kanjorski's bill is that most Internet providers simply don't have a good way to block access to any electronic "material" containing fake SIPC data. That wording is broader than just Web pages: it includes blocking certain e-mail, IM conversations, VoIP chats, and so on. And even the more straightforward task of blocking Web sites can be overly broad and problematic, which is why a federal judge in Pennsylvania declared a child porn filtering law to be unconstitutional in a landmark 2004 ruling.

Internet providers are also worried that Kanjorski's requirement--and the accompanying civil penalties and injunctions--would apply even if the blocking is not technically feasible. Or if it's impossible. (Other questions: Would this blocking requirement apply to private-sector employers? Schools and universities? Locally owned coffee shops that provide Internet service through Wi-Fi?)

Fraudulent Web sites have bedeviled the SIPC, off and on, for at least six years. In 2003, the group distributed a public warning against "brokerage identity theft" and followed up by asking the FBI to investigate a fake site that resembled the SIPC's own.

The SIPC does have a searchable database of its members, listing street addresses, but it doesn't take the obvious step of listing members' official Web sites, which other certification programs like Truste do.

Searching on San Francisco shows, for instance, that SIPC-listed Whitehall-Parker Securities has an address on Pacific Avenue. But an investor can't easily tell whether whitehall-parker.com is the actual site; a scammer could easily set up a fake site at whitehallparker.com (which, as of this writing, is available to be registered).

The Treasury Department's version of the Investor Protection Act of 2009 released in July doesn't seem to include the Internet-filtering section, meaning that the Obama administration concluded that it was unnecessary. So what prompted Kanjorski to insert it?

Addendum at 11:30 a.m. PT: Abigail McDonough, Kanjorski's spokeswoman, told me that her boss is open to modifying the language of the bill to reflect industry concerns. It also turns out that the language from the Investor Protection Act was borrowed from H.R. 2798, which was introduced in June by Rep. Michael Arcuri, D-N.Y., as part of a post-Bernie Madoff scandal effort to increase the level of SIPC guarantees for investors.

One Capitol Hill source says the SIPC asked for that language to be included in the Investor Protection Act. And a representative of SIPC says the organization may not have a response until Thursday because its president, Stephen Harbeck, is traveling from China.

Declan McCullagh is a contributor to CNET News and a correspondent for CBSNews.com who has covered the intersection of politics and technology for over a decade. Declan writes a regular feature called Taking Liberties, focused on individual and economic rights; you can bookmark his CBS News Taking Liberties site, or subscribe to the RSS feed. You can e-mail Declan at declan@cbsnews.com.
by freemarket--2008 November 4, 2009 11:59 AM PST
Leab it to da gubmint to come up wid anudder stoopid idear.
by Michichael November 4, 2009 12:01 PM PST
Yeah this is flat out impossible. There is no way to block data on the internet without invasive measures that will send your customers up in arms and out the doors. WTB non-idiots in congress. I swear, our country isn't going to move forward in any real way for another 10 years when the internet generation can get into politics and put a stop to this rampant stupidity.
by gnesterenko November 5, 2009 6:01 AM PST
I disagree. If the internet forums such as this, TomsHardware and ZDnet are any indication, the internet generation will never be able to come to any consensus about anything, with any discussion resorting to personal attacks and flame-wars... in other words pretty much the same thing we have in politics today. Politics are politics - they've been the same since the time of the Greeks and Romans and a simple generation change is not going to change politics. It would be nice, but in the perspective of history, I think we can expect to see much more of the same. It will take a paradigm shift in the moral values and thinking of the entire civilized world before any real change happens. And that shift will probably take some sort of cataclysmic event that forces us to evolve our thinking. Fortunately (or un-, depending how you look at it) we are slated for a whole menu of cataclysmic events. Over-population, shortage of drinkable water/food/other resources and the wars that will result, climate change, viral epidemics - these are all viable options with a pretty much 100% certainty of occurring within our lifetimes (those of us under 35 or so anyway). I've a suggestion to keep you all occupied... learn to swim.

"The views expressed here are mine and do not reflect the official opinion of my employer or the organization through which the Internet was accessed."
by billstewart November 6, 2009 10:14 AM PST
Blocking access to single IP addresses is easy and non-invasive, if you don't mind littering your routers with lots of /32 routes to null0. Unfortunately, one IP address may have multiple web sites from multiple users, not just the Evil site, so that censors lots of other people as collateral damage, and forces _every_ ISP in the US to block access to those IP addresses because the web site and domain name server may be outside the US. It's possible for an ISP to get fancier (and more invasive to the collateral-damage sites) - route the /32 to a web proxy box that allows the safe traffic to pass and only drops the Evil site's traffic - but every ISP that handles that traffic has to do that, so the collateral-damage victims may get filtered 10 times before maybe reaching the server it's intended for.

Has anybody registered the site Paul-Kanjorski-Official-Congressmeddler-Website.com yet? Just about any cheap web page server in the world will do it, and many of them will be happy to register the name for $10 or less.
by gavin_cutshall November 4, 2009 12:12 PM PST
Perhaps Congress should just pass a law that all common carriers block telephone calls where false information is relayed, then leave it up to the carriers to determine what is false.

Why not pass a law that says automakers cannot build a car that can get into a crash. Think of all the lives that would be saved!

This is another sign of the breathtaking ignorance of our legislative body. They do not want to enforce existing laws, so they try and burden the channels that law-breakers use at the expense of everyone involved.

Secondarily, I feel very little sympathy for anyone who would make an investment decision based on an e-mail or webpage without performing some form of due diligence.

Declan, thanks for bringing this issue to light.
by Pete Bardo November 4, 2009 12:25 PM PST
Two things wrong with this, well maybe more.
1. Republicans and Democrats all seem to think the solution to every problem is more laws.
2. How are they going to reconcile this with net neutrality laws?

If laws are the solution to every problem, how about a law against making stupid laws?
by SergeM256 November 4, 2009 12:31 PM PST
Law applies "if the Internet service provider...is aware of facts or circumstances from which it is apparent that the material contains a misrepresentation" which makes it kind of useless - ISP doesn't know and doesn't want to know who and how uses their network. ISP is not in a business of policing and monitoring their customers.
by CyR00k November 4, 2009 12:41 PM PST
The MPAA, RIAA and ASCAP think that that is exactly the job of ISPs.
by signal7svr November 4, 2009 12:32 PM PST
Well, I guess this proves that congress is full of abject morons....The FCC's pursuing net neutrality and threatening ISP's with increased regulation, while congress is threatening to fine them for not imposing the opposite of net neutrality. I say it's a telco plot to destroy the net neutrality push.
by BCF1968 November 4, 2009 5:15 PM PST
The problem is that most of Congress is over the age of 50 with many being over 65. It'll take another 20 years before we get a Congress full of people that have at least a rudimentary understanding of the "internets" and the "tubes" they run on.
by CyR00k November 4, 2009 12:48 PM PST
Telecoms should not now or ever have any authority over what is on the 'net and what their customers are viewing. There is and has been for years software available that already performs this function. Rep. Paul Kanjorski, have you ever even used a computer to access the internet? Don't write bills about things that you don't understand.
by ibeetle November 4, 2009 1:03 PM PST
Let me guess; any site that has anything with the word torrent will be considered fraudulent.
by gerrrg November 4, 2009 1:30 PM PST
We don't need ISPs to block, we just need more browsers and anti-malware software to use website blacklists.
by codynews November 4, 2009 2:41 PM PST
Perfect example of a "sounds good but isn't" law.

Cody
by kaibelf November 4, 2009 2:45 PM PST
From what I read, this rule is limited only to websites fraudulently claiming to be connected to a federal entity. What does it have to do with torrenting, net neutrality, or really anything else you're complaining about?
by kaiman75 November 4, 2009 3:09 PM PST
I don't understand why they are trying to go after ISPs with these laws, it seems terribly misguided...

Privacy aside, it's not like every ISP is going to be able to monitor every website that every customer visits and block the ones that the government wants, even if they wanted to.

If they want to go after anybody, how about the web hosting companies that host these websites? It seems like they should go after them, just as they go after email providers whose servers become the source of spam and get blacklisted.

I don't disagree with Congress that something needs to be done, but is this really the answer? No.
by networksniff November 4, 2009 3:48 PM PST
ISP's really need to face much burden on this specific phishing sites apart from legal interception and details of it clients and source .
there need to develop less gap between domains and clients.

sekhar,
http://www.networksniff.com/blog
by troppp November 4, 2009 4:57 PM PST
I'm not in favor of the gov's nose in the Internet at all, but in this case, they are aiming at government impersonators.

Ok, I'll let this one slide...
by troppp November 4, 2009 4:58 PM PST
well, maybe they should just go and prosecute these people instead of putting the burden on the ISP's...
by baisa November 4, 2009 5:24 PM PST
Thin edge of a trial balloon (to mix metaphors.)

Step 1. Establish precedent of forcing ISPs to block some isolated specific "bad" content.
Step 2. Expand the measure to force blocking of a much broader list of "bad" (but still objectively bad.)
Step 3. Add all manner of liberal nonsense, such as "hate speech" etc. -- all manners of legitimate speech -- watch Conservatives jump on the bandwagon when liberals let them ban all their favorite taboos as well.
by 247mark November 4, 2009 7:42 PM PST
Yet another ignorant, old-as-dirt legislator writing laws to regulate the internet. Are you friends with Ted Stevens? Stick to regulating what you know and here's a hint - it's not technology.
by mechengineer1400 November 4, 2009 8:38 PM PST
If we could get some REAL net neutrality legislation passed - ISP's forbidden to regulate, control, examine, censor, throttle, prioritize, OR HAVE ANY KNOWLEDGE of the content of packets flowing thru their equipment, then the point would be moot.
by Endbringer November 5, 2009 7:33 AM PST
What would be the companies' incentive to create the infrastructure needed to make the Internet work? Why spend billions of dollars building fiber lines only to have some startup have free use of your investment? Do you see why a net neutrality law isn't set in reality? I'm not saying I want a company to censor to restrict their network, but if a company does just that, don't use them. Using the power of your money will force companies to change.
by KimTaylor aka Finiky November 4, 2009 11:27 PM PST
I would think Congress has better things to do than to dream up stupid laws that can't be enforced.
by Endbringer November 5, 2009 6:57 AM PST
This Paul Kanjorski guy also wants to give the imperial federal government the power to destroy any company that the federal government thinks is "too big to fail", whatever that means. http://www.politico.com/news/stories/1109/29153.html. This guy completely ignores the powers the federal government has been granted. Of course, most of the liberals in Congress do the same as well as most of the republicans.

Pennsylvania should be ashamed that this guy represents them.
by inachu1 November 5, 2009 7:00 AM PST
Would be nice to have a program similar to Kaspersky antivirus but to go one further such as not just scanning the link ahead but if the whois information is the same as other infected sites then no need to load the website at all which bypasses the infection and then put a block/deny access notice to a database it controls as KAV phone home to fill up the database then as it grows then just block out the entire country...If that country gets upset/angry about being on the list then they should do something about their malware in their country and the list will not be dropped until they make noticeable efforts in their country webservers/domain names and punish those evil doers.