Congress may require ISPs to block fraud sites

The Internet industry is alarmed by a proposal to block access to scam sites or face fines, regardless of whether that's technically possible.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
4 min read

For the last decade or so, Internet service providers have been dealing with requests to block access to pornographic or copyright-infringing Web sites, or in China, ones that dare to criticize the government.

Now a U.S. House of Representatives bill is taking the unusual step of requiring Internet providers to block access to online financial scams that fraudulently invoke the Securities Investor Protection Corporation--or face fines and federal court injunctions.

The House Financial Services Committee approved the legislation on Wednesday by a 41 to 28 vote.

If you've never heard of the SIPC, you're not alone. It's a government-linked entity that aids investors when funds are missing from their accounts, up to a limit of $500,000 for stocks, bonds, and mutual funds. Only investor accounts that investors have opened with members of the SIPC--here's a list--qualify for its protection.

It turns out that occasionally, Internet fraudsters, scamsters, and other assorted malcontents have posed as legitimate brokerage firms that are SIPC members, often with a similar name or domain name. The scam may be a too-good-to-be-true offer to buy securities that asks the unwitting customer to pay fees in advance, or schemes involving fraudulent checks that eventually bounce.

That seems to be in part what prompted Rep. Paul Kanjorski, a Pennsylvania Democrat and chairman of a key subcommittee, to introduce the Investor Protection Act a few weeks ago. Section 508 of that bill says:

Any Internet service provider that, on or through a system or network controlled or operated by the Internet service provider, transmits, routes, provides connections for, or stores any material containing any misrepresentation (of the SIPC) shall be liable for any damages caused thereby, including damages suffered by the SIPC, if the Internet service provider...is aware of facts or circumstances from which it is apparent that the material contains a misrepresentation.

That section isn't mentioned in Kanjorski's press release dated October 1, which is why Internet providers were a bit taken aback when they found out about it a few days ago. The Internet Commerce Coalition sent a letter to Kanjorski before Wednesday's vote raising concerns with the bill, but the industry isn't terribly optimistic.

One potential problem with Kanjorski's bill is that most Internet providers simply don't have a good way to block access to any electronic "material" containing fake SIPC data. That wording is broader than just Web pages: it includes blocking certain e-mail, IM conversations, VoIP chats, and so on. And even the more straightforward task of blocking Web sites can be overly broad and problematic, which is why a federal judge in Pennsylvania declared a child porn filtering law to be unconstitutional in a landmark 2004 ruling.

Internet providers are also worried that Kanjorski's requirement--and the accompanying civil penalties and injunctions--would apply even if the blocking is not technically feasible. Or if it's impossible. (Other questions: Would this blocking requirement apply to private-sector employers? Schools and universities? Locally owned coffee shops that provide Internet service through Wi-Fi?)

Fraudulent Web sites have bedeviled the SIPC, off and on, for at least six years. In 2003, the group distributed a public warning against "brokerage identity theft" and followed up by asking the FBI to investigate a fake site that resembled the SIPC's own.

The SIPC does have a searchable database of its members, listing street addresses, but it doesn't take the obvious step of listing members' official Web sites, which other certification programs like Truste do.

Searching on San Francisco shows, for instance, that SIPC-listed Whitehall-Parker Securities has an address on Pacific Avenue. But an investor can't easily tell whether whitehall-parker.com is the actual site; a scammer could easily set up a fake site at whitehallparker.com (which, as of this writing, is available to be registered).

The Treasury Department's version of the Investor Protection Act of 2009 released in July doesn't seem to include the Internet-filtering section, meaning that the Obama administration concluded that it was unnecessary. So what prompted Kanjorski to insert it?

Addendum at 11:30 a.m. PT: Abigail McDonough, Kanjorski's spokeswoman, told me that her boss is open to modifying the language of the bill to reflect industry concerns. It also turns out that the language from the Investor Protection Act was borrowed from H.R. 2798, which was introduced in June by Rep. Michael Arcuri, D-N.Y., as part of a post-Bernie Madoff scandal effort to increase the level of SIPC guarantees for investors.

One Capitol Hill source says the SIPC asked for that language to be included in the Investor Protection Act. And a representative of SIPC says the organization may not have a response until Thursday because its president, Stephen Harbeck, is traveling from China.