Home / Blogs

The Anti-Phishing Consumer Protection Act of 2008

John Levine

Last week Sen. Snowe filed bill S.2661, the Anti-Phishing Consumer Protection Act of 2008, or APCPA. While its goals are laudable, I have my doubts about some of the details.

The first substantive section of the bill, Section 3, makes various phishy activities more illegal than they are now in its first two subsections. It makes it specifically illegal to solicit identifying information from a computer under false pretenses, and to use a domain name that is deceptively similar to someone else's brand or name on the web in e-mail or IM to mislead people. So far so good, although I would think that all that would be illegal anyway under general anti-fraud laws.

Subsection 3(c) starts to get interesting, by mandating that commercial web sites have real WHOIS:

(c) WHOIS Database Information Accuracy-

(1) DOMAIN NAME REGISTRANTS ENGAGED IN COMMERCIAL ACTIVITIES - It is unlawful for the registrant of a domain name used in any commercial activity to register such domain name in any WHOIS database or with any other domain name registration authority with false or misleading identifying information, including the registrant's name, physical address, telephone number, facsimile number, or electronic mail address.

(2) DOMAIN NAME REGISTRARS, REGISTRIES AND OTHER AUTHORITIES - It is unlawful for a domain name registrar, registry or other domain name authority, directly or indirectly, via proxy or any other method, to replace or materially alter the contents of, or to shield, mask, block, or otherwise restrict access to, any domain name registrant's name, physical address, telephone number, facsimile number, electronic mail address, or other identifying information in any WHOIS database or any other database of a domain name registration authority if such registrar, registry, or domain name authority has received written notice, including via facsimile or electronic mail at such entity's facsimile number or electronic mail address of record, that the use of such domain name is in violation of any provision of this Act.

Part (1) seems perfectly reasonable to me, although I expect it will freak out the anonymous WHOIS crowd. While the US has a tradition of protecting anonymous political speech, anonymous commercial speech is nearly an oxymoron, and just as any business needs a business license that has real contact info, it's hard to argue against similar rules for real WHOIS data on commercial domains.

Part (2), on the other hand, is overbroad. It basically says that if you provide WHOIS privacy, you have to lift the veil if anyone, anywhere, sends you a notice claiming that the domain has been misused. Since there is no provision for checking that the notice is real, and no penalty for making false claims, we can assume that should this act be enacted into law, within about five minutes robots will be scouring WHOIS databases and automatically mailing off robonotices. I personally have little sympathy for registrar privacy services, since their main legitimate use seems to be to hide from spammers, which you can do other ways, but if you're going to allow them at all, there should be at least some provision similar to the DMCA to deal with bogus notices.
The next section says who can go to court, and is similar to CAN SPAM, allowing state attorneys general, the FTC, and ISPs to sue. Unlike CAN SPAM, it also allows trademark owners to file suit. This runs the risk of becoming yet another way that trademark owners can harass people who run protest sites and the like. Like CAN SPAM, it prescribes statutory damages and permits courts to award costs to the prevailing party, but unlike CAN SPAM those only apply to state agencies. If ISPs or trademark owners sue, all they can get is injunctions, actual damages, and perhaps punitive damages if a court agrees.

Sec. 6 has some criminal provisions, making it a crime to phish via a web site, sent or attempted e-mail or IM.

Sec. 7 covers preemption, a sore point with CAN SPAM, but in this case the preemption is pretty mild, only preempting state laws that are inconsistent, and specifically not preempting laws that provide greater protection.

So, assuming the WHOIS notice parts get fixed, how useful would this law be? I can't see that it would make much difference. Everything that it outlaws seems illegal already, so the most it'd do would be to make it a little easier to prosecute cases, by making the mere act of phishing punishable without having to find someone who took the bait and lost money. That's a pretty small advance, since it's unlikely anyone would go to the effort of suing in federal court unless the phish were good enough to have fooled someone. Indeed, in the absence of a victim a plausible defense would be that the material wasn't misleading since nobody was fooled.

I hope this bill is not enacted in anything like its current form, not because it would do anything bad, but because once it's passed, it's unlikely the Congress would consider a more effective law for a long time. (After four years of CAN SPAM, spam is worse than ever, but there's no hint of new legislation.) The only way we're going to make legal progress against phishing and spam is not by making bad guys' actions more illegal, but by changing the rules so that the providers and intermediaries who enable them can't escape responsibility by claiming (perhaps truthfully) that they didn't know what was going on. This will be a lot harder to do, but so long as the conduits don't care enough about spam or phishing to spend their own money to stop it, nothing's going to improve.

By John Levine, Author, Consultant & Speaker. More blog posts from John Levine can also be read here.

Related topics: DNS, Domain Names, Privacy, Security, Spam, Whois

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

Re: The Anti-Phishing Consumer Protection Act of 2008 John Berryhill  –  Mar 04, 2008 12:09 PM PDT

The only way we’re going to make legal progress against phishing and spam is not by making bad guys’ actions more illegal, but by changing the rules so that the providers and intermediaries who enable them can’t escape responsibility

It is precisely those "providers and intermediaries" who are pushing this bill.

Citicorp and Bank of America will now sell you a credit card, and for an additional $50 per year, they will sell you ID theft protection.

This is like having your bank charge extra for putting your money in a vault with a lock, instead of leaving it on the counter in the lobby.

A careful read indicates that its primary effect is not to cover things that are already unlawful, but to broaden the scope of things that are unlawful.  A "brand" or a "name" is not the same thing as a trade or service mark.  I can form a company named "Dog Food Inc." and I can sell dog food, but I cannot get a trademark in "Dog Food".  By throwing in company names, which you didn't notice and which most people won't notice on a casual read, the bill renders unlawful a pretty broad swath of new things, and it does not have the same defenses or safeguards that were built into the Anti-CyberPiracy Consumer Protection Act.

Suggesting that network operators take prudent steps to secure their networks and detect botnet activity is anathema to the backers of this bill, and the intent here seems to be exactly what you believe it to be - to protect lazy or unconcerned service providers from liability for phishing activity.  Since the ISP interests are aligned with the intellectual property interests, this bill is a marriage made in heaven.

Re: The Anti-Phishing Consumer Protection Act of 2008 Alex Tajirian  –  Mar 05, 2008 2:38 PM PDT

John Berryhill said:

A careful read indicates that its primary effect is not to cover things that are already unlawful, but to broaden the scope of things that are unlawful.

Using your read of the bill makes it even more dangerous.

One can easily argue that generic domain names, even when they aren’t a company’s primary brand name, are brands in their own right. For example, it has been pointed out that Bank of America’s use of loans.com generates a branding association between loans and Bank of America.

Thus, under your read of the bill, all uses of loans in domain names would be violations.

Regards,
Alex

Re: The Anti-Phishing Consumer Protection Act of 2008 Mark Fulton  –  Mar 05, 2008 5:56 PM PDT

A petition has been created, I encourage you all to sign it!

Sign the Petition: www.SnoweBill.com

There are also some insightful comments and thoughts to read from the other ~200 people who have signed the petition so far.

Mark Fulton
DotSauce Magazine

Re: The Anti-Phishing Consumer Protection Act of 2008 paul g  –  Mar 06, 2008 1:41 PM PDT

This bill goes way too far and threatens legitimate business.

The bill would make it unlawful if the domain name was identical or confusingly similar to the name or brand name of a government office, nonprofit organization, business or other entity.

Under this bill local governments across the US could seize their city domain names that were registered legally and in good faith and are being used today for legitimate business purposes. This law suggests for example that the Sacramento Bee (the major Sacramento newspaper) is acting unlawfully because they own and use the domain name Sacramento.com. They are not pretending to be the government of either the city or county of Sacramento so what misrepresentation are they doing? Why should they be treated now as criminals? This is completely wrong and will kill off a large private industry of providing localized information for cities across the US. Visit SanFrancisco.com, Chicago.com, LosAngeles.com, NewYorkCity.com, Dallas.com, do people actually think these websites are unlawful? This bill is ridiculous.

Re: The Anti-Phishing Consumer Protection Act of 2008 John Levine  –  Mar 06, 2008 1:51 PM PDT

paul g said:

The bill would make it unlawful if the domain name was identical or confusingly similar to the name or brand name of a government office, nonprofit organization, business or other entity.

Please read the paragraph after that one.  It's only illegal if you use the name to mislead people.

There's plenty of things wrong with this bill, but this isn't one of them. I agree that a clarifying "and" at the end of subsection A would be a good idead.

Re: The Anti-Phishing Consumer Protection Act of 2008 John Levine  –  Mar 06, 2008 2:02 PM PDT

Egad, John B and I agree.  Alertthe media!

Re: The Anti-Phishing Consumer Protection Act of 2008 John Levine  –  Mar 06, 2008 2:26 PM PDT

.pH said:

John Levine says:

Please read the paragraph after that one.  It’s only illegal if you use the name to mislead people.

Sigh.  If you're not willing to read the bill, why are you complaining about it?

Re: The Anti-Phishing Consumer Protection Act of 2008 John Berryhill  –  Mar 06, 2008 2:31 PM PDT

It’s only illegal if you use the name to mislead people.

Unfortunately, subjective intent can wind up "proven" on circular grounds, as in "The domain name is Anytown.com.  This is inherently and manifestly misleading to anyone looking for the official website of Anytown." I see arguments like that all of the time.  Sometimes they win.

IF we want to target phishing, then it would seem to make sense to make it illegal if the domain name is used for phishing - i.e. it is advertised in email and/or is used to operate a website which obtains personal data (other than IP address) for the purpose of compromising the security of the visitor's identity.  I'm sure that someone can come up with suitable alternative verbiage better than that off-the-cuff sentence, but I'm sure you get the idea.

If the point is just to deal with consumer confusion from cybersquatted domain names - we have that already. 

I can see the intent limitation there, but I am all too familiar with the proclivities of them what drafted it, and what they believe constitutes proof of intent. 

Egad, John B and I agree.

That's a sure-fire indication that this bill is in serious need of surgery.

Re: The Anti-Phishing Consumer Protection Act of 2008 paul g  –  Mar 06, 2008 2:54 PM PDT

John Levine said:

paul g said:

The bill would make it unlawful if the domain name was identical or confusingly similar to the name or brand name of a government office, nonprofit organization, business or other entity.

Please read the paragraph after that one.  It's only illegal if you use the name to mislead people.

There's plenty of things wrong with this bill, but this isn't one of them. I agree that a clarifying "and" at the end of subsection A would be a good idead.

But who gets to decide what is misleading?

It is already unlawful and fraudulent to misrepresent yourself as a government office or official so what purpose does this language in the bill serve?

The real goal here is to make it easy to seize domains simply because to some the mere existence of it is confusing regardless of how it is being used. irs.com is a perfect example where it is considered to be a fake Internal Revenue Service website simply because the name is the same. These are not my words, but the opinion of Congressman Ed Markey http://markey.house.gov/index.php?option=content&task=view&id=2632&Itemid=125

Where would this domain seizure stop? Better to not let it start in the first place.

Re: The Anti-Phishing Consumer Protection Act of 2008 Eric Brunner-Williams  –  Mar 06, 2008 10:33 PM PDT

Reading S.2661 is depressing. Here's the worst crud from the "Findings". I put a call into Olympia Snowe's Portland office this morning.

(2) Phishing e-mails are becoming more sophisticated by having malicious spyware attachments that once opened covertly record the keystrokes and passwords of computer users, or install malware software.

Keystroke logging software developed by the Federal Bureau of Investigation is pervasively deployed, and is "not detected" by commercial anti-virus software. As we mentioned in RFC 2048, building wiretap into the network, at the physical forwarding elements or application layer filtering, which is what anti-virus software is, creates an exploitable mechanism for uniformed, and non-uniformed criminals.

(6) The United States is consistently 1 of the top 3 countries that host the most phishing websites. In November 2007, the United States hosted approximately 24 percent of phishing websites.

This is a baffling factoid. There are 150m second-level entries in the global namespace, 70m are in .com, 10m are in .net, so half the global namespace is published by VGRS and easily half of the A records published by VGRS' resolve to ipv4 addresses in blocks allocated by ARIN, so one could just as well have written "Verisign" as "United States", and then relied upon existing contract, rather than ignoring existing contract, involving the DoC, the NTIA, ICANN and VGRS.

(7) A form of phishing known as `Spear Phishing' targets companies and government agencies to gain unauthorized access to their computer systems in order to steal financial information, trade secrets, or even top secret military information.

The final example of masquerading as a trustworthy entity, using socially engineered payloads against specific targets, to acquire valuable information, usually usernames, passwords and credit card details, but here "top secret military information" is reasonable, if you believe that DISNET is connected to MILNET and MILNET to "the Internet", and that each connection is a policy-free (non-filtering) gateway.

When I ran SRI's largest internal (and external) network, I'd one of the seven MILNET to ARPANET mail gateways in my shop. Neither MILNET nor ARPANET (modernly "the Internet") were classified networks. In the basement was a SCIF, on DISNET. I once "broke" the ARPANET by adding subnets for a Usenix meeting. That got me a same-day call from the ARPANET NOC at BBN. If I'd connected my DISNET node to either my MILNET IMP (modernly, router) or my ARPANET IMPs (ditto), I'd probably still be inside Leavenworth.

Whoever wrote the final cherry on that slice of pie was either plain ignorant or interestingly dishonest.

I've probably tossed them by now, but back when I hosted Barry's Amptoons his URL earned several multi-hundred node DDOS attacks, and I was always amused to find military assets, pwned of course, in the logfile of each attack. Calling their owners was always good for a laugh.

(9) Phishing operators utilize deceptive domain names for their schemes. They routinely register domain names that mimic the addresses of well-known online merchants, and then set up websites that can fool consumers into releasing personal and financial information.

This mixes two issues, to the loss of sense of both. The appearance of a domain name in the payload of some phish isn't the same thing as the actual domain name. This is why, when you look at a phish payload you often find that Sears or Bank of America appear to be operating out of Russia, the Ukraine, and China. The problem is "HTML-enabled" email. It makes pretty, and it makes hiding all kinds of neat toys, from web beacons that disclose every reading of a payload by an "HTML-enabled mail reader", to the bones of every phish.

The other issue is what is really at play in S2661. Trademark. This is more overtly discovered in the 12th Finding:

(12) Deceptive domain names, and the abuses for which they are used, threaten the integrity of domain name system. Businesses, small and large, rely upon the integrity of the domain name registration to ensure that their brands aren't misrepresented. The World Intellectual Property Organization reported in April 2007, that the number of Internet domain name cybersquatting disputes increased 25 percent in 2006.

Remember, you got here because the Peoples Liberation Army or someone is spear fishing in the third deck of E-ring, the SCIF that houses the secure-side of the office of the SecDef, the senior staffers of the OSD, and all the happy campers awaiting the return of Donald Rumsfeld. Where you're about to go to prevent this critical disclosure of "top secret military information" is ... a bunch of Intellectual Property lawyers in Geneva (I'm actually going there next week, not just to Geneva, but to the World Intellectual Property Organization) and a more accurate WHOIS database.

That's sure to foil the PLA, the KGB, and reverse Global Warming too.

I'll cover other parts of this gem in the near future. I operate an ICANN Accredited Registrar, one with its operational facilities in Portland and Bangor. The pointy end of S.2661 is aimed at Registrars, apparently because we either control the PLA, the KGB, and the melting point of ice, or because Markmonitor is using Olympia Snowe's office for marketing.

Re: The Anti-Phishing Consumer Protection Act of 2008 Domain Rights  –  Mar 08, 2008 10:04 AM PDT

John,
Just to reiterate each Section of this bill is stands alone.

Section A covers phishing
Section B covers infringing names and then more troublesome "confusingly similar" language
Section C covers WHOIS

Just to reiterate
These Sections are not in anyway linked together - so you can violate Section B by merely owning a domain name and displaying an Under Contruction page. Your domain name is vulnerable even if you don't collect information (Section A) and you have complete and full id information in your WHOIS record (Section C). Also if you register a name and don't have any content on the page and use private registration you violate Scetion C. 

All the Sections use the same Fines but again they are not conditional.

At the beginning of the bill they are use language that attempts to create a link between Phishing and Domain Names and Private WHOIS in the reader's mind. A three legged stool.

But the bill ignores any links between Phishing and Domain Names and private WHOIS . Perhaps in the hope that people will read the title of the bill, glance over it and mistakenly ASSUME that you have to be suspected of Phishing to worry about Section B or Section C.

Read it again and you will see these sections are OR not AND.  They is likely an attempt to sneak section B past everyone since they have carefully attempted to make you think Phishing is a required element.

Also in Section B who has rights among the various TLDs?  does a .com name override a .net name or maybe .us is better than .org?

Very few domain registrants own all the top 5 or 6 TLDs for generic names and as you point out even trademarks rarely avoid bumping TLDs.

So under this bill it appears that UTube.com now demand that YouTube.com cease and desist and pay them millions in fines.

This is simply a pandora's box that will put more stress on small business owners that use a generic domain name for their business address. 

If you are really concerned about small business and their ability to use the internet for commerce then don't pass a bill that will make them afraid to invest in their website - you wouldn't build a five star hotel on land that could be taken away from you at a moment's notice. 

By the way in Section 6 D they create exceptions for most govt related agencies so the domain names in the prior post would probably be exempt from this type of legislation. 

I don't like Phishing but truthfully over 66% of attacks come from outside the US and most use infringing email text links and use trademark names only as subdomains early on in very long URLS.
The actual domain names used for phishing are either IP addresses or nonsense domain names (i.e asdjkl.info) that only have a lifetime of 24 to 48 hours before they are shutdown. 

This bill is either naive or just another pro big business bill being sold under the false pretense of Consumer Protection. 
Either way it should be killed. 

Perhaps someone will propose a BETTER BILL that actually does address criminal penalties for Phishing attempts without denying domain owners their rights, their due process, and their ability to hide their home address, phone number and email from the entire world.

Mr Domain Owner: Please don't sit on your hands and expect others to take care of this.

Domain owners have been bullied since day 1 and it is time to unite and stop our government from passing legislation that will make reverse hijacking even easier than ever.

I would assume ICANN would have a position on this as their WHOIS policies and there domain dispute policies are seemgingly tossed aside for US domain owners if this were to become law.

Using the internet should be safe and fun but you can't protect every user ALL the time.  Roads and Highways are great but if I walk out onto a major interstate highway I will most likely be hit and killed.

Anti-phishing software, OPenDNS and other easy, affordable tools exist to protect the average user from being Phished. This bill would do next to nothing.

Re: The Anti-Phishing Consumer Protection Act of 2008 Domain Rights  –  Mar 08, 2008 10:20 AM PDT

Snowe is likely just the entry/access point

The roots of this bill can be traced here

http://www.alston.com/paul_martino/
http://www.alston.com/firm/News/Detail.aspx?news=2311

Martino works with
Coalition Against Domain Name Abuse who clearly supports this bill
http://www.cadna.org/en/press-release-february-26-2008.html

In case you want to vote with your wallet.
CADNA Member List

American International Group, Inc. (AIG Insurance )
Bacardi & Company Limited
Compagnie Financière Richemont SA
Dell Inc.
Eli Lilly and Company
Hilton Hotels Corporation
HSBC Holdings plc
Marriott International, Inc.
Verizon Communications Inc.
Wyndham Worldwide Corporation

Seeing Dell here is a real bummer because I love their laptops.

Re: The Anti-Phishing Consumer Protection Act of 2008 Michael Collins  –  Mar 09, 2008 6:15 PM PDT

John Levine,

Thank you for a good article. You are correct that this is a bad bill. However, as has been pointed out by JB, Domain Rights and others, it isn't that easy to fix it. It is essentially a trademark bill posing as a consumer protection bill. Trademark owners do not need to prove that a domain is used for phishing, only that it is misleading (confusingly similar). If passed, it will create trademark rights far superior to current rights and without the requirement to actually register a trademark. Brand owners will only have to have a "brand" or company name to seek protection under the Snowe bill.

I can't agree that this bill does not do anything bad, but will agree with you that if passed "it’s unlikely the Congress would consider a more effective law for a long time". Internet Commerce Association strongly supports legislation that really addresses phishing. However, we are devoting a lot of our association's resources to stop this bill and welcome responsible businesses involved in internet commerce to join or donate at InternetCommerce.org.

Re: The Anti-Phishing Consumer Protection Act of 2008 DomainProjections  –  Mar 17, 2008 6:22 PM PDT

First of all, I greatly appreciate you addressing this legislative documentis such a insightful manner.

Upon reading the Anti-Phishing Consumer Protection Act of 2008 and researching its supporters and sponsors, it is obvious that there is a large movement within the corporate powers that be to take control of the domain name market from the public.

This market is currently accessible to investors with limited resources, allowing them to buy access to available domain names for less than $10, than put their creative entrepreneurial minds to work creating income from their efforts. 

Phishing is definitely an unjust and currently illegal and fraudulent activity.  I have personally been violated by similar activity, but this bill before the US Congress is a wolf in sheep's clothing.  It alludes to addressing Phishing, but is written to take away our ability to monetize investment in domain names.

Over the last 10 years, limited-capital investors have been pushed out of many of the markets through the monopolizing of large corporate structures, government legislation, and manipulation by our financial institutions.  The Domain Name market is one of the only havens left for this limited resource adventurer.

Normally I attempt to limit my public actions in political realms, but passing of this act would totally invade my ability to produce income in my industry of choice.  Therefore I also have started creating articles addressing this injustice on my website www.domainprojections.com).  Feel free to read and comment on my articles.  Again, thank you for your open addressing of this issue.

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

New gTLD .WANG Launched - Here Is Why "Wang" Is Both "King" and "Net" to the Chinese

Public Interest Registry Announces Sunrise Period for New Internationalized Domain Names

General Availability Period for New .RED Top-Level Domain Opens

General Availability Period for New .BLUE Top-Level Domain Opens

General Availability Period for New .PINK Top-Level Domain Opens

New Chinese "Mobile" Top-Level Domain Now Available

New .KIM Domain Goes Live

Welcome .SHIKSHA! General Availability Now Open

Adrian Kinderis Appointed as Chair of Domain Name Association

Internet Reaches 271 Million Domain Names in the Fourth Quarter of 2013

Why We Decided to Stop Offering Free Accounts

The Future of Chinese Domain Names (a Panel Discussion)

dotStrategy Selects Neustar's Registry Threat Mitigation Services for .BUZZ Registry

Tony Kirsch Announced As Head of Global Consulting of ARI Registry Services

24 Million Home Routers Expose ISPs to Massive DNS-Based DDoS Attacks

Afilias Chairman Appointed to Domain Name Association Board

.BUILD Enters Landrush with Support of ARI Registry Services

Dyn Acquires Managed DNS Provider Nettica

Radix Awards Contracts for .website, .host, .space, and .press to CentralNic plc

Afilias Welcomes "Dot Chinese Online" and "Dot Chinese Website" Top-Level Domains to the Internet

Sponsored Topics