Senate antiphishing bill outlaws...what's already illegal
Using the Internet to steal someone's account information by masquerading as a bank, brokerage, or credit card company has been illegal for many, many years.
Back in 2004, the Justice Department won a criminal conviction against a phishing scammer who pretended to be AOL's billing center. The Federal Trade Commission has been busy filing civil lawsuits.
At least seven states have enacted antiphishing legislation, and companies including Microsoft and Amazon.com have used those laws to target Internet scammers. Plus, fraud has been prohibited for hundreds of years at common law. In short, there's no obvious lack of laws prohibiting fraud in the form of phishing attacks.
But that's not stopping Congress, which, in the spirit of creating a department of redundancy department, is considering new antiphishing legislation that appears to serve no useful purpose.
Democratic Sen. Bill Nelson (Fla.) and Republicans Olympia Snowe (Wash.) and Ted Stevens (Alaska) introduced a bill this week called the Anti-Phishing Consumer Protection Act. It contains 31 pages of new regulations that could raise the cost of doing business for legitimate companies--but will do little to stop the malcontents behind phishing attacks.
Remember, phishing is already a crime.
"Phishers are targeting Alaskans, particularly seniors, and trying to acquire bank account information," Stevens said in a statement. "This legislation empowers states and the federal government to pursue these criminals with significant fines and imprisonment."
It's easy enough to guess why Nelson, Snowe, and Stevens are doing this: they can now claim to have taken aggressive steps to stamp out the dread menace of phishing, or something to that effect. I'm sure it'll help them seem tech-savvy; Stevens, especially, needs all the help he can get.
If their bill merely duplicated existing criminal laws, it would be more redundant than worrisome. Except that one section is actively harmful to the privacy of Americans who own domain names and want to protect their privacy. The bill says:
It is unlawful for the registrant of a domain name used in any commercial activity to register such domain name in any Whois database with false or misleading identifying information, including the registrant's name, physical address, telephone number, facsimile number, or electronic mail address...
It is unlawful for a domain name registrar...to shield, mask, block or otherwise restrict access to, any domain name registrant's name, physical address, telephone number, facsimile number, or electronic mail address, or other identifying information in any Whois database...if such registrar...has received written notice, including via facsimile or electronic mail at such entity's facsimile number or electronic mail address of record, that the use of such domain name is in any violation of any provision of this Act.
So let's get this right. Those folks who, reasonably, prefer not to give their actual physical address and telephone number when registering a domain name for themselves or their family are now going to be violating federal law. (Here's something I wrote on Whois privacy in 2004.)
And if someone is using a private domain name registration feature--which companies like GoDaddy and Dynadot offer--all it takes is a single unverified complaint to the domain registrar about phishing to make their name, physical address, and phone number public?
So much for privacy and due process. Even the Digital Millennium Copyright Act, for all its flaws, requires a sworn statement made "under penalty of perjury" before a hosting service needs to do anything about a copyright complaint.
Other sections of the Nelson-Snowe-Stevens bill prohibit using misleading domain names (like baankofamerica.com) for fraudulent purposes, and soliciting account information "by means of false or fraudulent pretenses or misleading representations."
One winning section involves doling out authority to police online misbehavior to agencies including the Director of the Office of Thrift Supervision, the National Credit Union Administration, the Securities and Exchange Commission, state insurance commissioners, the Secretary of Transportation, the Agriculture Department--all of whom are, of course, deeply learned experts on Internet malfeasance.
To be sure, phishing is a real and serious problem. OpenDNS' report says that one unique phishing scam is launched every two minutes. Even intelligent people can be bamboozled by e-mail claiming to be from a bank or PayPal, and criminals have proven to be innovative and relentless.
But when something like phishing is already illegal and already the subject of prosecutions and civil lawsuits from the feds, another law saying it's illegal won't do much good. It's a little like passing a law proposing that murderers face new fines--when a death penalty is already on the books. (More precisely, a new U.S. law won't affect phishing sites in China and Russia--education and technological countermeasures are what's needed.)
Remember when the FTC warned legislation-happy politicians that antispyware laws could do more harm than good? The same is true with this new antiphishing legislation, which will probably do as much to stop e-mail and Web scams as Congress' Can-Spam Act did to end junk e-mail.
Declan McCullagh, CNET News' chief political correspondent, chronicles the intersection of politics and technology. He has covered politics, technology, and Washington, D.C., for more than a decade, which has turned him into an iconoclast and a skeptic of anyone who says, "We oughta have a new federal law against this."




Cavemen would understand more about the Internet than this man, and we are letting him write laws. Absolutely terrifying.
</vent>
What this really does is put a crimp on the registries that do not provide the owner of the domain's contact information. Primarily scammers and spammers use them.
But why do you say "your personal information should be both correct and public?"
In the case of someone with a real need for privacy, should their home address be "public?" How about a whistleblower? To use your physical world analogy, if I can print a newspaper anonymously, why should I be legally unable to print its virtual equivalent anonymously? Does such a U.S. law agree with the protections in anonymous speech in the U.S. Constitution? Why is it necessary to make contact information "public" when any litigant can find it quickly enough with a subpoena?
It's easy to say "correct and public." But sloganeering doesn't get you very far.
All a domain needs to be is similar to the name of any business or entity anywhere in the United States.
So if someone owns the domain name carloans.com and someone in Montana has a business called car loans, the owner of carloans.com could be in violation of the Bill and subject to having the domain taken from them and fined 6 million dollars.
It is way overbroad, will lead to litigation and abuse by the government and private sector, and must be rejected.
In this case, when I want to own a domain and remain anonymous - I will simply buy my domain name from a company overseas, or transfer it there if I already own it.... so what just happened? Another US business losing customers to countries without such draconian regulatory governments
- Dumb Politics
- by asen_sotirov March 6, 2008 12:14 AM PST
- I can't imagine a person so stupid that he claims that to use a domain in email or IM is unlawful. I really hope these guys will be thrown out of Congress, because they can make a big mess.
Anyway... the hunger of the United States to control what people write (or maybe think) will end very badly