The Anti-Phishing Consumer Protection Act of 2008

By Larry Seltzer  |  Posted 2008-03-05

Opinion: Call it CAN-PHISH. A Senate proposal would make phishing and such activities redundantly illegal. Is there more than brownie points at stake?

Back when the CAN-SPAM act was passed, there were those who complained about various provisions in it. There have been prosecutions under it, but for the most part it's been a great legal irrelevancy. This sort of situation is the best we can hope for from Senate bill 2661, "The Anti-Phishing Consumer Protection Act of 2008."

The bill is sponsored by Sen. Olympia Snowe, R-Maine, and co-sponsored by Sen. Bill Nelson, D-Fla., and that Internet expert Sen. Ted Stevens, R-Alaska. Unfortunately, I can't link to the text of the bill. The Library of Congress' idiotic Web site only lets you view bill contents as a response to search queries, with transient URLs that die with the user's session. On the LOC's home page select the "Bill Number" search option and search for "s.2661".

Engineers everywhere are pronouncing on the legal implications. In CircleID, John Levine says mostly what I'm thinking, that the thrust of the bill is to ban practices that are illegal already, in federal and other jurisdictions. In this way, it shares a lot with CAN-SPAM, although it does not go as far as that law in pre-empting state laws.

The APCPA would make certain new rules about the use of domain names and whois records. It would be specifically illegal to register a domain name used in a commercial endeavor with false or misleading identification information. As Levine points out, some of the screwier privacy nuts will be bothered by this, but it's hard to make a good argument against it. And while it's overtly in violation of whois terms of service and other ICANN rules and can lose you your domain if InterNIC finds out, it may not be illegal, at least under federal law.

The other whois rule is another matter: Put briefly, the law would require a registrar that provided private whois registration services to turn over the actual registrant identification data upon receipt of a letter or fax indicating ... that the use of such domain name is in violation of any provision of this Act." A fax? This is a rather low bar to step over to impair a privacy arrangement. Nothing else in the bill requires the claim to be substantiated or mentions penalties for false or abusive notices. This is definitely unreasonable, and I certainly hope that it doesn't make it very far in the legislative process.

In a comment to Levine's piece, John Berryhill, an actual lawyer, claims the new rules are not as redundant as John and I suppose, but rather that they broaden the scope of that which is illegal. Current law, and current ICANN rules, restrict domain name protections to trademarks. Berryhill says that this bill would extend rules against registering confusingly similar names to "brands" that are not necessarily trademarks. OK, maybe this is not strictly redundant, but it's of no practical consequence except as a source of additional counts against big offenders who have already gotten in trouble, probably for violating trademarks. It doesn't make it really any easier for the little guy to protect himself.

Domainer blogs, talking to those who buy and sell domains for profit, are concerned about just these provisions. The ICA (Internet Commerce Association), a trade association (a.k.a. lobbying group) for domainers, takes the same "we're opposed to phishing but this will cause trouble" position. The Domains calls on domainers to join the ICA to help fight it together. I could point to several other domainer blogs with a similar level of alarm.

Domainers call this an attack by trademark interests, and it's not really a Democratic or Republican issue. So it could just come down to who spreads the most money and the right money around. My money's on gridlock - what comes out of this process will be watered down and won't make much of a difference. That's good in a way, since very little in this business that the government touches gets better as a result.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack.

Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
