Critics Doubt Effectiveness of California Anti-Phishing Law

News Analysis: The new law signed by Gov. Arnold Schwarzenegger does not outlaw phishing-it makes it a civil violation, legal analysts say.

A law signed late last week by California Gov. Arnold Schwarzenegger will likely fail in its goal of deterring online "phishing" attacks that seek to dupe Internet users into disclosing personal identity information and financial account passwords, but may create a huge new liability for Internet service providers, according to legal and IT industry analysts.

"Contrary to the state of Californias press release, the new law does not outlaw phishing," said Dan Venglarik, an attorney at Dallas-based law firm Davis Munck.

"It makes it a civil violation, not a criminal wrongdoing. As you know, theres a big difference between the two."

The law, believed to be the first of its kind in the United States, enables victims of online identity theft to recover up to $500,000 for each proven violation.

Lawmakers are increasingly concerned about phishing attacks against financial institutions—banks and credit card issuers.

A report last month by computer security company Symantec Corp. indicated that phishing attacks were up 100 percent this year, compared to 2004, resulting in an increase in the loss of confidential financial information during that time.

This bill, some experts think, may even increase phishing against California residents, at least for the short-term.

"Phishers will soon send e-mails to California residents asking them to register for an Anti-Phishing Registry using the ruse to prevent California residents e-mail accounts from being obtained by phishers," said Robert Siciliano, an Internet safety and security analyst based in Boston.

It would probably be more effective for legislators to require banks to have several layers of authentication and password protection for customers using online services than to create penalties against the criminals themselves—who are often overseas and quite elusive, Siciliano said.

Other IT security analysts agreed.

"The best defense against phishing is a combination of effective messaging security technology to stop phishing attacks before they reach the intended victims, and end-user education so people can readily recognize phishing scams," said Sandra Vaughan, senior vice president of Proofpoint Inc., a messaging security technology company based in Cupertino, Calif.

"This combination grows more important with each passing day, as phishing scams become increasingly effective, most recently with the spear phishing phenomenon where phishers target victims with e-mails that appear to come from their own employers," Vaughan said.

Though Silicon Valley-based firms such as IT security consultancy IronPort, of San Bruno, Calif., support the legislation, ultimately "we believe legislation alone will not solve the problem," said Pat Peterson, IronPorts chief technology officer.

"Phishing and identity theft are already blatantly illegal," he noted.

/zimages/6/28571.gifClick here to read more from columnist Larry Seltzer about anti-phishing software.

But Venglarik observed that one reason the law was written as a civil measure, and not as a criminal measure, against phishers and hackers, is that civil cases require a lower burden of proof and can often be filed across a number of territories.

Nonetheless, there are still concerns as to its effect.

"Bottom line, while the law is likely to be ineffective, and while its doubtful that anyone will ever collect on a judgment against a phisher, there is real potential liability for ISPs and Web site hosting services if they dont start investigating and acting on complaints that their resources are being used for phishing," said Venglarik.

Research by Symantec demonstrates that one out of every 125 e-mails sent over the Internet is a phishing attack attempt, an increase of 100 percent from 2004, and the response by the government in California is seen by some as pure grandstanding by the pols.

"This bill is a perfect example of politicians beating their chests, saying elect me," said Siciliano. "Phishers operate all over the globe and dont care about Californias no teeth, no impact, fluffy laws."

/zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.