The Anti-Phishing Consumer Protection Act of 2008

Opinion: Call it CAN-PHISH. A Senate proposal would make phishing and such activities redundantly illegal. Is there more than brownie points at stake?

Back when the CAN-SPAM act was passed, there were those who complained about various provisions in it. There have been prosecutions under it, but for the most part it's been a great legal irrelevancy. This sort of situation is the best we can hope for from Senate bill 2661, "The Anti-Phishing Consumer Protection Act of 2008."

The bill is sponsored by Sen. Olympia Snowe, R-Maine, and co-sponsored by Sen. Bill Nelson, D-Fla., and that Internet expert Sen. Ted Stevens, R-Alaska. Unfortunately, I can't link to the text of the bill. The Library of Congress' idiotic Web site only lets you view bill contents as a response to search queries, with transient URLs that die with the user's session. On the LOC's home page select the "Bill Number" search option and search for "s.2661".

Engineers everywhere are pronouncing on the legal implications. In CircleID, John Levine says mostly what I'm thinking, that the thrust of the bill is to ban practices that are illegal already, in federal and other jurisdictions. In this way, it shares a lot with CAN-SPAM, although it does not go as far as that law in pre-empting state laws.

The APCPA would make certain new rules about the use of domain names and whois records. It would be specifically illegal to register a domain name used in a commercial endeavor with false or misleading identification information. As Levine points out, some of the screwier privacy nuts will be bothered by this, but it's hard to make a good argument against it. And while it's overtly in violation of whois terms of service and other ICANN rules and can lose you your domain if InterNIC finds out, it may not be illegal, at least under federal law.

The other whois rule is another matter: Put briefly, the law would require a registrar that provided private whois registration services to turn over the actual registrant identification data upon receipt of a letter or fax indicating ... that the use of such domain name is in violation of any provision of this Act." A fax? This is a rather low bar to step over to impair a privacy arrangement. Nothing else in the bill requires the claim to be substantiated or mentions penalties for false or abusive notices. This is definitely unreasonable, and I certainly hope that it doesn't make it very far in the legislative process.

In a comment to Levine's piece, John Berryhill, an actual lawyer, claims the new rules are not as redundant as John and I suppose, but rather that it broadens the scope of that which is illegal. Current law, and current ICANN rules, restrict domain name protections to trademarks. Berryhill says that this bill would extend rules against registering confusingly similar names to "brands" that are not necessarily trademarks. OK, maybe this is not strictly redundant, but it's of no practical consequence except as a source of additional counts against big offenders who have already gotten in trouble, probably for violating trademarks. It doesn't make it really any easier for the little guy to protect himself.

Domainer blogs, talking to those who buy and sell domains for profit, are concerned about just these provisions. The ICA (Internet Commerce Association), a trade association (a.k.a. lobbying group) for domainers takes the same "we're opposed to phishing but this will cause trouble" position. The Domains calls on domainers to join the ICA to help fight it together. I could point to several other domainer blogs with a similar level of alarm.

Domainers call this an attack by trademark interests, and it's not really a Democratic or Republican issue. So it could just come down to who spreads the most money and the right money around. My money's on gridlock - what comes out of this process will be watered down and won't make much of a difference. That's good in a way, since very little in this business that the government touches gets better as a result.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack.