Last week Sen. Snowe filed bill S.2661, the Anti-Phishing Consumer Protection Act of 2008, or APCPA. While its goals are laudable, I have my doubts about some of the details.
The first substantive section of the bill, Section 3, makes various phishy activities more illegal than they are now in its first two subsections. It makes it specifically illegal to solicit identifying information from a computer under false pretenses, and to use a domain name that is deceptively similar to someone else's brand or name on the web in e-mail or IM to mislead people. So far so good, although I would think that all that would be illegal anyway under general anti-fraud laws.
Subsection 3(c) starts to get interesting, by mandating that commercial web sites have real WHOIS:
(c) WHOIS Database Information Accuracy-
(1) DOMAIN NAME REGISTRANTS ENGAGED IN COMMERCIAL ACTIVITIES - It is unlawful for the registrant of a domain name used in any commercial activity to register such domain name in any WHOIS database or with any other domain name registration authority with false or misleading identifying information, including the registrant's name, physical address, telephone number, facsimile number, or electronic mail address.
(2) DOMAIN NAME REGISTRARS, REGISTRIES AND OTHER AUTHORITIES - It is unlawful for a domain name registrar, registry or other domain name authority, directly or indirectly, via proxy or any other method, to replace or materially alter the contents of, or to shield, mask, block, or otherwise restrict access to, any domain name registrant's name, physical address, telephone number, facsimile number, electronic mail address, or other identifying information in any WHOIS database or any other database of a domain name registration authority if such registrar, registry, or domain name authority has received written notice, including via facsimile or electronic mail at such entity's facsimile number or electronic mail address of record, that the use of such domain name is in violation of any provision of this Act.
Part (1) seems perfectly reasonable to me, although I expect it will freak out the anonymous WHOIS crowd. While the US has a tradition of protecting anonymous political speech, anonymous commercial speech is nearly an oxymoron, and just as any business needs a business license that has real contact info, it's hard to argue against similar rules for real WHOIS data on commercial domains.
Part (2), on the other hand, is overbroad. It basically says that if you provide WHOIS privacy, you have to lift the veil if anyone, anywhere, sends you a notice claiming that the domain has been misused. Since there is no provision for checking that the notice is real, and no penalty for making false claims, we can assume that should this act be enacted into law, within about five minutes robots will be scouring WHOIS databases and automatically mailing off robonotices. I personally have little sympathy for registrar privacy services, since their main legitimate use seems to be to hide from spammers, which you can do other ways, but if you're going to allow them at all, there should be at least some provision similar to the DMCA to deal with bogus notices.
The next section says who can go to court, and is similar to CAN SPAM, allowing state attorneys general, the FTC, and ISPs to sue. Unlike CAN SPAM, it also allows trademark owners to file suit. This runs the risk of becoming yet another way that trademark owners can harass people who run protest sites and the like. Like CAN SPAM, it prescribes statutory damages and permits courts to award costs to the prevailing party, but unlike CAN SPAM those only apply to state agencies. If ISPs or trademark owners sue, all they can get is injunctions, actual damages, and perhaps punitive damages if a court agrees.
Sec. 6 has some criminal provisions, making it a crime to phish via a web site, sent or attempted e-mail or IM.
Sec. 7 covers preemption, a sore point with CAN SPAM, but in this case the preemption is pretty mild, only preempting state laws that are inconsistent, and specifically not preempting laws that provide greater protection.
So, assuming the WHOIS notice parts get fixed, how useful would this law be? I can't see that it would make much difference. Everything that it outlaws seems illegal already, so the most it'd do would be to make it a little easier to prosecute cases, by making the mere act of phishing punishable without having to find someone who took the bait and lost money. That's a pretty small advance, since it's unlikely anyone would go to the effort of suing in federal court unless the phish were good enough to have fooled someone. Indeed, in the absence of a victim a plausible defense would be that the material wasn't misleading since nobody was fooled.
I hope this bill is not enacted in anything like its current form, not because it would do anything bad, but because once it's passed, it's unlikely the Congress would consider a more effective law for a long time. (After four years of CAN SPAM, spam is worse than ever, but there's no hint of new legislation.) The only way we're going to make legal progress against phishing and spam is not by making bad guys' actions more illegal, but by changing the rules so that the providers and intermediaries who enable them can't escape responsibility by claiming (perhaps truthfully) that they didn't know what was going on. This will be a lot harder to do, but so long as the conduits don't care enough about spam or phishing to spend their own money to stop it, nothing's going to improve.