Using the Internet to steal someone's account information by masquerading as a bank, brokerage, or credit card company has been illegal for many, many years.
At least seven states have enacted antiphishing legislation, and companies including Microsoft and Amazon.com have used those laws to target Internet scammers. Plus, fraud has been prohibited for hundreds of years at common law. In short, there's no obvious lack of laws prohibiting fraud in the form of phishing attacks.
But that's not stopping Congress, which, in the spirit of creating a department of redundancy department, is considering new antiphishing legislation that appears to serve no useful purpose.
Democratic Sen. Bill Nelson (Fla.) and Republicans Olympia Snowe (Wash.) and Ted Stevens (Alaska) introduced a bill this week called the Anti-Phishing Consumer Protection Act. It contains 31 pages of new regulations that could raise the cost of doing business for legitimate companies--but will do little to stop the malcontents behind phishing attacks.
Remember, phishing is already a crime.
"Phishers are targeting Alaskans, particularly seniors, and trying to acquire bank account information," Stevens said in a statement. "This legislation empowers states and the federal government to pursue these criminals with significant fines and imprisonment."
It's easy enough to guess why Nelson, Snowe, and Stevens are doing this: they can now claim to have taken aggressive steps to stamp out the dread menace of phishing, or something to that effect. I'm sure it'll help them seem tech-savvy; Stevens, especially, needs all the help he can get.
If their bill merely duplicated existing criminal laws, it would be more redundant than worrisome. Except that one section is actively harmful to the privacy of Americans who own domain names and want to protect their privacy. The bill says:
It is unlawful for the registrant of a domain name used in any commercial activity to register such domain name in any Whois database with false or misleading identifying information, including the registrant's name, physical address, telephone number, facsimile number, or electronic mail address...
It is unlawful for a domain name registrar...to shield, mask, block or otherwise restrict access to, any domain name registrant's name, physical address, telephone number, facsimile number, or electronic mail address, or other identifying information in any Whois database...if such registrar...has received written notice, including via facsimile or electronic mail at such entity's facsimile number or electronic mail address of record, that the use of such domain name is in any violation of any provision of this Act.
So let's get this right. Those folks who, reasonably, prefer not to give their actual physical address and telephone number when registering a domain name for themselves or their family are now going to be violating federal law. (Here's something I wrote on Whois privacy in 2004.)
And if someone is using a private domain name registration feature--which companies like GoDaddy and Dynadot offer--all it takes is a single unverified complaint to the domain registrar about phishing to make their name, physical address, and phone number public?
So much for privacy and due process. Even the Digital Millennium Copyright Act, for all its flaws, requires a sworn statement made "under penalty of perjury" before a hosting service needs to do anything about a copyright complaint.
Other sections of the Nelson-Snowe-Stevens bill prohibit using misleading domain names (like baankofamerica.com) for fraudulent purposes, and soliciting account information "by means of false or fraudulent pretenses or misleading representations."
One winning section involves doling out authority to police online misbehavior to agencies including the Director of the Office of Thrift Supervision, the National Credit Union Administration, the Securities and Exchange Commission, state insurance commissioners, the Secretary of Transportation, the Agriculture Department--all of who are, of course, deeply learned experts on Internet malfeasance.
To be sure, phishing is a real and serious problem. OpenDNS' report says that one unique phishing scam is launched every two minutes. Even intelligent people can be bamboozled by e-mail claiming to be from a bank or PayPal, and criminals have proven to be innovative and relentless.
But when something like phishing is already illegal and already the subject of prosecutions and civil lawsuits from the feds, another law saying it's illegal won't do much good. It's a little like passing a law proposing that murderers face new fines--when a death penalty is already on the books. (More precisely, a new U.S. law won't affect phishing sites in China and Russia--education and technological countermeasures are what's needed.)
Remember when the FTC warned legislation-happy politicians that antispyware laws could do more harm than good? The same is true with this new antiphishing legislation, which will probably do as much to stop e-mail and Web scams as Congress' Can-Spam Act did to end junk e-mail.