The only way we’re going to make legal progress against phishing and spam is not by making bad guys’ actions more illegal, but by changing the rules so that the providers and intermediaries who enable them can’t escape responsibility

It is precisely those “providers and intermediaries” who are pushing this bill.

Citicorp and Bank of America will now sell you a credit card, and for an additional $50 per year, they will sell you ID theft protection.

This is like having your bank charge extra for putting your money in a vault with a lock, instead of leaving it on the counter in the lobby.

A careful read indicates that its primary effect is not to cover things that are already unlawful, but to broaden the scope of things that are unlawful.  A “brand” or a “name” is not the same thing as a trade or service mark.  I can form a company named “Dog Food Inc.” and I can sell dog food, but I cannot get a trademark in “Dog Food”.  By throwing in company names, which you didn’t notice and which most people won’t notice on a casual read, the bill renders unlawful a pretty broad swath of new things, and it does not have the same defenses or safeguards that were built into the Anti-CyberPiracy Consumer Protection Act.

Suggesting that network operators take prudent steps to secure their networks and detect botnet activity is anathema to the backers of this bill, and the intent here seems to be exactly what you believe it to be - to protect lazy or unconcerned service providers from liability for phishing activity.  Since the ISP interests are aligned with the intellectual property interests, this bill is a marriage made in heaven.

John Berryhill said:

A careful read indicates that its primary effect is not to cover things that are already unlawful, but to broaden the scope of things that are unlawful.

Using your read of the bill makes it even more dangerous.

One can easily argue that generic domain names, even when they aren’t a company’s primary brand name, are brands in their own right. For example, it has been pointed out that Bank of America’s use of loans.com generates a branding association between loans and Bank of America.

Thus, under your read of the bill, all uses of loans in domain names would be violations.

Regards,
Alex

A petition has been created, I encourage you all to sign it!

Sign the Petition: www.SnoweBill.com

There are also some insightful comments and thoughts to read from the other ~200 people who have signed the petition so far.

Mark Fulton
DotSauce Magazine

This bill goes way too far and threatens legitimate business.

The bill would make it unlawful if the domain name was identical or confusingly similar to the name or brand name of a government office, nonprofit organization, business or other entity.

Under this bill local governments across the US could seize their city domain names that were registered legally and in good faith and are being used today for legitimate business purposes. This law suggests for example that the Sacramento Bee (the major Sacramento newspaper) is acting unlawfully because they own and use the domain name Sacramento.com. They are not pretending to be the government of either the city or county of Sacramento so what misrepresentation are they doing? Why should they be treated now as criminals? This is completely wrong and will kill off a large private industry of providing localized information for cities across the US. Visit SanFrancisco.com, Chicago.com, LosAngeles.com, NewYorkCity.com, Dallas.com, do people actually think these websites are unlawful? This bill is ridiculous.

paul g said:

The bill would make it unlawful if the domain name was identical or confusingly similar to the name or brand name of a government office, nonprofit organization, business or other entity.

Please read the paragraph after that one.  It’s only illegal if you use the name to mislead people.

There’s plenty of things wrong with this bill, but this isn’t one of them. I agree that a clarifying “and” at the end of subsection A would be a good idead.

Egad, John B and I agree.  Alertthe media!

John Levine says:

Please read the paragraph after that one.  It’s only illegal if you use the name to mislead people.

So, I am wanting to by a Fram air filter for my car. To research the size I need I wanted to visit CADNA.COM, the TM holder for Fram, Purolator and other auto parts.

Instead I ended up on CADNA.ORG, the site promoting some non-sense about anti-phishing.

Not only are the names confusingly similar, they are identical.

I am now traumatized that I can not find the model number of the air filter for my 1959 Edsel ranger.

Who will get who’s name in a case like this?

.pH said:

John Levine says:

Please read the paragraph after that one.  It’s only illegal if you use the name to mislead people.

Sigh.  If you’re not willing to read the bill, why are you complaining about it?

It’s only illegal if you use the name to mislead people.

Unfortunately, subjective intent can wind up “proven” on circular grounds, as in “The domain name is Anytown.com.  This is inherently and manifestly misleading to anyone looking for the official website of Anytown.” I see arguments like that all of the time.  Sometimes they win.

IF we want to target phishing, then it would seem to make sense to make it illegal if the domain name is used for phishing - i.e. it is advertised in email and/or is used to operate a website which obtains personal data (other than IP address) for the purpose of compromising the security of the visitor’s identity.  I’m sure that someone can come up with suitable alternative verbiage better than that off-the-cuff sentence, but I’m sure you get the idea.

If the point is just to deal with consumer confusion from cybersquatted domain names - we have that already. 

I can see the intent limitation there, but I am all too familiar with the proclivities of them what drafted it, and what they believe constitutes proof of intent. 

Egad, John B and I agree.

That’s a sure-fire indication that this bill is in serious need of surgery.

John Levine said:

paul g said:

The bill would make it unlawful if the domain name was identical or confusingly similar to the name or brand name of a government office, nonprofit organization, business or other entity.

Please read the paragraph after that one.  It’s only illegal if you use the name to mislead people.

There’s plenty of things wrong with this bill, but this isn’t one of them. I agree that a clarifying “and” at the end of subsection A would be a good idead.

But who gets to decide what is misleading?

It is already unlawful and fraudulent to misrepresent yourself as a government office or official so what purpose does this language in the bill serve?

The real goal here is to make it easy to seize domains simply because to some the mere existence of it is confusing regardless of how it is being used. irs.com is a perfect example where it is considered to be a fake Internal Revenue Service website simply because the name is the same. These are not my words, but the opinion of Congressman Ed Markey http://markey.house.gov/index.php?option=content&task=view&id=2632&Itemid=125

Where would this domain seizure stop? Better to not let it start in the first place.

John Levine said:

.pH said:

John Levine says:

Please read the paragraph after that one.  It’s only illegal if you use the name to mislead people.

Sigh.  If you’re not willing to read the bill, why are you complaining about it?

I have read the bill over and over and over.

I have been studying this for days.

Perhaps you failed to see the sarcasm in my comments.

CADNA is a TM by the group that holds the control over those car products. They can be located on CADNA.com

CADNA is also a TM by this group trying to pass this legislation. They are located on CADNA.org. If Senator Snowe’s or Sen. Nelson’s office does mass mailings, either by email or snail mail, on behalf of the Anti-Phishing bill using the CADNA TM or CADNA.org moniker, then this bill seems to allow CADNA.com to sue for the intent and the confusingly similar TM usage.

In essence, either of these two TM holders could go after the other and seize their domain name and claim “confusingly similar”, or as JB stated, a “subjective intent” not proven.

We already have enough of that going on without making it seemingly easier.

Simply making that claim to “misleading people” would be enough and is simple enough to bring a screeching halt to some legitimate internet commerce.

We know TM’s can be held by multiple companies representing multiple products or services at the same time. And most lawmakers know this.

Yet, allowing one to file claim against the other CAN BE enough to put the one out of commission on the internet while the domain name is tied up.

Nor does this bill address the issue of:

When? If I grab the TM for circlID right now, too bad. This site is shut down while I file action to seize this domain name claiming it is mine.

Who? Who would decide the final outcome as for the claimant? We already have these measures in place.

What? What is purpose of this bill other than grandstanding for the election year when all these measures are already in place and on the books? Placing anything before your constituents that reads to protect the consumer is quite nice and sure to drum up votes.

And, again, who? Who pays for this oversight? The US taxpayer.

In essence, either of the two TM holders for CADNA could go after the other and seize their domain name and claim “confusingly similar”, or as JB stated, a “subjective intent” not proven.

This has far reaching implications just not on the shores of the good old US of A. VeriSign controls the .com and .net registries. Many premiere and trusted registrars are based on U.S. soil.

But there are also an additional 260+ domain extensions. Why would one be of more importance than the other? And why would I want to be further burdened with paying my taxes to enforce seizure (or an attempt) to take cirleID.jp, .org, .net, .biz, .de and so on.

As domainers, we know why we would choose one domain extension over the other.

But take your knowledge of domaining, litigation, WIPO, URDP, TM, and all you know and writeabout domains OUT OF THE EQUATION for the moment.

You are now a consumer.

Most consumers and businesses are not domainers. I would generalize most of the population does not knowthe value of a domain, the necessity of a brandable URL and not really caring in the first place.

And an even greater bet would be that most of our congress knows nothing about domaining other than telling their voters which website to go to to make their donation pledge.

Reading S.2661 is depressing. Here’s the worst crud from the “Findings”. I put a call into Olympia Snowe’s Portland office this morning.

(2) Phishing e-mails are becoming more sophisticated by having malicious spyware attachments that once opened covertly record the keystrokes and passwords of computer users, or install malware software.

Keystroke logging software developed by the Federal Bureau of Investigation is pervasively deployed, and is “not detected” by commercial anti-virus software. As we mentioned in RFC 2048, building wiretap into the network, at the physical forwarding elements or application layer filtering, which is what anti-virus software is, creates an exploitable mechanism for uniformed, and non-uniformed criminals.

(6) The United States is consistently 1 of the top 3 countries that host the most phishing websites. In November 2007, the United States hosted approximately 24 percent of phishing websites.

This is a baffling factoid. There are 150m second-level entries in the global namespace, 70m are in .com, 10m are in .net, so half the global namespace is published by VGRS and easily half of the A records published by VGRS’ resolve to ipv4 addresses in blocks allocated by ARIN, so one could just as well have written “Verisign” as “United States”, and then relied upon existing contract, rather than ignoring existing contract, involving the DoC, the NTIA, ICANN and VGRS.

(7) A form of phishing known as `Spear Phishing’ targets companies and government agencies to gain unauthorized access to their computer systems in order to steal financial information, trade secrets, or even top secret military information.

The final example of masquerading as a trustworthy entity, using socially engineered payloads against specific targets, to acquire valuable information, usually usernames, passwords and credit card details, but here “top secret military information” is reasonable, if you believe that DISNET is connected to MILNET and MILNET to “the Internet”, and that each connection is a policy-free (non-filtering) gateway.

When I ran SRI’s largest internal (and external) network, I’d one of the seven MILNET to ARPANET mail gateways in my shop. Neither MILNET nor ARPANET (modernly “the Internet") were classified networks. In the basement was a SCIF, on DISNET. I once “broke” the ARPANET by adding subnets for a Usenix meeting. That got me a same-day call from the ARPANET NOC at BBN. If I’d connected my DISNET node to either my MILNET IMP (modernly, router) or my ARPANET IMPs (ditto), I’d probably still be inside Leavenworth.

Whoever wrote the final cherry on that slice of pie was either plain ignorant or interestingly dishonest.

I’ve probably tossed them by now, but back when I hosted Barry’s Amptoons his URL earned several multi-hundred node DDOS attacks, and I was always amused to find military assets, pwned of course, in the logfile of each attack. Calling their owners was always good for a laugh.

(9) Phishing operators utilize deceptive domain names for their schemes. They routinely register domain names that mimic the addresses of well-known online merchants, and then set up websites that can fool consumers into releasing personal and financial information.

This mixes two issues, to the loss of sense of both. The appearance of a domain name in the payload of some phish isn’t the same thing as the actual domain name. This is why, when you look at a phish payload you often find that Sears or Bank of America appear to be operating out of Russia, the Ukraine, and China. The problem is “HTML-enabled” email. It makes pretty, and it makes hiding all kinds of neat toys, from web beacons that disclose every reading of a payload by an “HTML-enabled mail reader”, to the bones of every phish.

The other issue is what is really at play in S2661. Trademark. This is more overtly discovered in the 12th Finding:

(12) Deceptive domain names, and the abuses for which they are used, threaten the integrity of domain name system. Businesses, small and large, rely upon the integrity of the domain name registration to ensure that their brands aren’t misrepresented. The World Intellectual Property Organization reported in April 2007, that the number of Internet domain name cybersquatting disputes increased 25 percent in 2006.

Remember, you got here because the Peoples Liberation Army or someone is spear fishing in the third deck of E-ring, the SCIF that houses the secure-side of the office of the SecDef, the senior staffers of the OSD, and all the happy campers awaiting the return of Donald Rumsfeld. Where you’re about to go to prevent this critical disclosure of “top secret military information” is ... a bunch of Intellectual Property lawyers in Geneva (I’m actually going there next week, not just to Geneva, but to the World Intellectual Property Organization) and a more accurate WHOIS database.

That’s sure to foil the PLA, the KGB, and reverse Global Warming too.

I’ll cover other parts of this gem in the near future. I operate an ICANN Accredited Registrar, one with its operational facilities in Portland and Bangor. The pointy end of S.2661 is aimed at Registrars, apparently because we either control the PLA, the KGB, and the melting point of ice, or because Markmonitor is using Olympia Snowe’s office for marketing.

Anything “phishy” about this?

http://thecaucus.blogs.nytimes.com/2008/03/06/rnc-snaps-up-domain-names/
March 6, 2008, 3:50 pm
R.N.C. Snaps Up Domain Names

We have cases of politicians winning back their domain name from common folks:

http://www.arb-forum.com/domains/decisions/414641.htm

But now find political parties involved in the same cybersquatting and potentially phishing schemes that Sen Snowe seeks to prevent with The Anti-Phishing Consumer Protection Act of 2008 (S. 2661).

Part of this proposal is to
”prohibit related abuses, such as the practice of using fraudulent or misleading domain names, by defining them as deceptive practices under the FTC Act.”

(from first paragraph of http://blog.thehill.com/2008/02/29/protect-internet-consumers-from-fraud-and-theft-sen-olympia-snowe/, Protect Internet Consumers from Fraud and Theft - Sen. Olympia Snowe)

Domains registered by the R.N.C . or on servers used by the committee:

2007
calculatingclinton.com
canttrustclinton.com
clintonbabbit.com
clintoncleland.com
clintoncohen.com
clintonisbad.com
clintoniscorrupt.com
clintoniswrong.com
clintonkerrey.com
clintonlibrarycard.com
clintonlibraryresolution.com
clintonomalley.com
clintonsalazar.com
clintonschweitzer.com
clintontruthwatch.com
hillaryiswrong.com
hillarymythfact.com
hillaryrecords.com
hillaryspendometer.com
hillarytaxplan.com
hillarytruthsquad.com
hopelesshillary.com
outwithhillary.com
thetwohillarys.com

2008
amateurobama.com
barackisliberal.com
barackiswrong.com
baracknotready.com
barackobamanotready.com
barackobamatheliberal.com
baracktheamateur.com
barackthebeginner.com
fauxbama.org
hesnotready.com
meetbarackobama.com
norealexperience.com
nowecannot.com
nowecannot.net
nowecannot.org
obamaisliberal.com
obamaiswrong.com
obamanotready.com
obamaspendometer.com
obamatheamateur.com
obamathebeginner.com
yeswecandowhat.com
yeswecanwhat.com

Seeing that this is a bi-partisan bill, I thought the Honorable Senator would want to keep up on such things so a copy of the New York Times article was sent to her office.

John,
Just to reiterate each Section of this bill is stands alone.

Section A covers phishing
Section B covers infringing names and then more troublesome “confusingly similar” language
Section C covers WHOIS

Just to reiterate
These Sections are not in anyway linked together - so you can violate Section B by merely owning a domain name and displaying an Under Contruction page. Your domain name is vulnerable even if you don’t collect information (Section A) and you have complete and full id information in your WHOIS record (Section C). Also if you register a name and don’t have any content on the page and use private registration you violate Scetion C. 

All the Sections use the same Fines but again they are not conditional.

At the beginning of the bill they are use language that attempts to create a link between Phishing and Domain Names and Private WHOIS in the reader’s mind. A three legged stool.

But the bill ignores any links between Phishing and Domain Names and private WHOIS . Perhaps in the hope that people will read the title of the bill, glance over it and mistakenly ASSUME that you have to be suspected of Phishing to worry about Section B or Section C.

Read it again and you will see these sections are OR not AND.  They is likely an attempt to sneak section B past everyone since they have carefully attempted to make you think Phishing is a required element.

Also in Section B who has rights among the various TLDs?  does a .com name override a .net name or maybe .us is better than .org?

Very few domain registrants own all the top 5 or 6 TLDs for generic names and as you point out even trademarks rarely avoid bumping TLDs.

So under this bill it appears that UTube.com now demand that YouTube.com cease and desist and pay them millions in fines.

This is simply a pandora’s box that will put more stress on small business owners that use a generic domain name for their business address. 

If you are really concerned about small business and their ability to use the internet for commerce then don’t pass a bill that will make them afraid to invest in their website - you wouldn’t build a five star hotel on land that could be taken away from you at a moment’s notice. 

By the way in Section 6 D they create exceptions for most govt related agencies so the domain names in the prior post would probably be exempt from this type of legislation. 

I don’t like Phishing but truthfully over 66% of attacks come from outside the US and most use infringing email text links and use trademark names only as subdomains early on in very long URLS.
The actual domain names used for phishing are either IP addresses or nonsense domain names (i.e asdjkl.info) that only have a lifetime of 24 to 48 hours before they are shutdown. 

This bill is either naive or just another pro big business bill being sold under the false pretense of Consumer Protection. 
Either way it should be killed. 

Perhaps someone will propose a BETTER BILL that actually does address criminal penalties for Phishing attempts without denying domain owners their rights, their due process, and their ability to hide their home address, phone number and email from the entire world.

Mr Domain Owner: Please don’t sit on your hands and expect others to take care of this.

Domain owners have been bullied since day 1 and it is time to unite and stop our government from passing legislation that will make reverse hijacking even easier than ever.

I would assume ICANN would have a position on this as their WHOIS policies and there domain dispute policies are seemgingly tossed aside for US domain owners if this were to become law.

Using the internet should be safe and fun but you can’t protect every user ALL the time.  Roads and Highways are great but if I walk out onto a major interstate highway I will most likely be hit and killed.

Anti-phishing software, OPenDNS and other easy, affordable tools exist to protect the average user from being Phished. This bill would do next to nothing.

Snowe is likely just the entry/access point

The roots of this bill can be traced here

http://www.alston.com/paul_martino/
http://www.alston.com/firm/News/Detail.aspx?news=2311

Martino works with
Coalition Against Domain Name Abuse who clearly supports this bill
http://www.cadna.org/en/press-release-february-26-2008.html

In case you want to vote with your wallet.
CADNA Member List

American International Group, Inc. (AIG Insurance )
Bacardi & Company Limited
Compagnie Financière Richemont SA
Dell Inc.
Eli Lilly and Company
Hilton Hotels Corporation
HSBC Holdings plc
Marriott International, Inc.
Verizon Communications Inc.
Wyndham Worldwide Corporation

Seeing Dell here is a real bummer because I love their laptops.

John Levine,

Thank you for a good article. You are correct that this is a bad bill. However, as has been pointed out by JB, Domain Rights and others, it isn’t that easy to fix it. It is essentially a trademark bill posing as a consumer protection bill. Trademark owners do not need to prove that a domain is used for phishing, only that it is misleading (confusingly similar). If passed, it will create trademark rights far superior to current rights and without the requirement to actually register a trademark. Brand owners will only have to have a “brand” or company name to seek protection under the Snowe bill.

I can’t agree that this bill does not do anything bad, but will agree with you that if passed “it’s unlikely the Congress would consider a more effective law for a long time”. Internet Commerce Association strongly supports legislation that really addresses phishing. However, we are devoting a lot of our association’s resources to stop this bill and welcome responsible businesses involved in internet commerce to join or donate at InternetCommerce.org.

First of all, I greatly appreciate you addressing this legislative documentis such a insightful manner.

Upon reading the Anti-Phishing Consumer Protection Act of 2008 and researching its supporters and sponsors, it is obvious that there is a large movement within the corporate powers that be to take control of the domain name market from the public.

This market is currently accessible to investors with limited resources, allowing them to buy access to available domain names for less than $10, than put their creative entrepreneurial minds to work creating income from their efforts. 

Phishing is definitely an unjust and currently illegal and fraudulent activity.  I have personally been violated by similar activity, but this bill before the US Congress is a wolf in sheep’s clothing.  It alludes to addressing Phishing, but is written to take away our ability to monetize investment in domain names.

Over the last 10 years, limited-capital investors have been pushed out of many of the markets through the monopolizing of large corporate structures, government legislation, and manipulation by our financial institutions.  The Domain Name market is one of the only havens left for this limited resource adventurer.

Normally I attempt to limit my public actions in political realms, but passing of this act would totally invade my ability to produce income in my industry of choice.  Therefore I also have started creating articles addressing this injustice on my website www.domainprojections.com).  Feel free to read and comment on my articles.  Again, thank you for your open addressing of this issue.