Last week Sen. Snowe filed bill S.2661, the Anti-Phishing Consumer Protection Act of 2008, or APCPA. While its goals are laudable, I have my doubts about some of the details.
The first substantive section of the bill, Section 3, in its first two subsections makes various phishy activities more illegal than they already are. It makes it specifically illegal to solicit identifying information from a computer under false pretenses, and to use a domain name that is deceptively similar to someone else's brand or name on the web, in e-mail, or in IM to mislead people. So far so good, although I would think that all of that is illegal anyway under general anti-fraud laws.
Subsection 3(c) starts to get interesting, by mandating that commercial web sites have real WHOIS:
(c) WHOIS Database Information Accuracy-
(1) DOMAIN NAME REGISTRANTS ENGAGED IN COMMERCIAL ACTIVITIES - It is unlawful for the registrant of a domain name used in any commercial activity to register such domain name in any WHOIS database or with any other domain name registration authority with false or misleading identifying information, including the registrant's name, physical address, telephone number, facsimile number, or electronic mail address.
(2) DOMAIN NAME REGISTRARS, REGISTRIES AND OTHER AUTHORITIES - It is unlawful for a domain name registrar, registry or other domain name authority, directly or indirectly, via proxy or any other method, to replace or materially alter the contents of, or to shield, mask, block, or otherwise restrict access to, any domain name registrant's name, physical address, telephone number, facsimile number, electronic mail address, or other identifying information in any WHOIS database or any other database of a domain name registration authority if such registrar, registry, or domain name authority has received written notice, including via facsimile or electronic mail at such entity's facsimile number or electronic mail address of record, that the use of such domain name is in violation of any provision of this Act.
Part (1) seems perfectly reasonable to me, although I expect it will freak out the anonymous WHOIS crowd. While the US has a tradition of protecting anonymous political speech, anonymous commercial speech is nearly an oxymoron, and just as any business needs a business license that has real contact info, it's hard to argue against similar rules for real WHOIS data on commercial domains.
Part (2), on the other hand, is overbroad. It basically says that if you provide WHOIS privacy, you have to lift the veil if anyone, anywhere, sends you a notice claiming that the domain has been misused. Since there is no provision for checking that the notice is real, and no penalty for making false claims, we can assume that should this act be enacted into law, within about five minutes robots will be scouring WHOIS databases and automatically mailing off robonotices. I personally have little sympathy for registrar privacy services, since their main legitimate use seems to be to hide from spammers, which you can do other ways, but if you're going to allow them at all, there should be at least some provision similar to the DMCA to deal with bogus notices.
The next section says who can go to court, and is similar to CAN SPAM, allowing state attorneys general, the FTC, and ISPs to sue. Unlike CAN SPAM, it also allows trademark owners to file suit. This runs the risk of becoming yet another way that trademark owners can harass people who run protest sites and the like. Like CAN SPAM, it prescribes statutory damages and permits courts to award costs to the prevailing party, but unlike CAN SPAM those only apply to state agencies. If ISPs or trademark owners sue, all they can get is injunctions, actual damages, and perhaps punitive damages if a court agrees.
Sec. 6 has some criminal provisions, making it a crime to phish via a web site, or via e-mail or IM, whether the message is sent or merely attempted.
Sec. 7 covers preemption, a sore point with CAN SPAM, but in this case the preemption is pretty mild, only preempting state laws that are inconsistent, and specifically not preempting laws that provide greater protection.
So, assuming the WHOIS notice parts get fixed, how useful would this law be? I can't see that it would make much difference. Everything that it outlaws seems illegal already, so the most it'd do would be to make it a little easier to prosecute cases, by making the mere act of phishing punishable without having to find someone who took the bait and lost money. That's a pretty small advance, since it's unlikely anyone would go to the effort of suing in federal court unless the phish were good enough to have fooled someone. Indeed, in the absence of a victim a plausible defense would be that the material wasn't misleading since nobody was fooled.
I hope this bill is not enacted in anything like its current form, not because it would do anything bad, but because once it's passed, it's unlikely the Congress would consider a more effective law for a long time. (After four years of CAN SPAM, spam is worse than ever, but there's no hint of new legislation.) The only way we're going to make legal progress against phishing and spam is not by making bad guys' actions more illegal, but by changing the rules so that the providers and intermediaries who enable them can't escape responsibility by claiming (perhaps truthfully) that they didn't know what was going on. This will be a lot harder to do, but so long as the conduits don't care enough about spam or phishing to spend their own money to stop it, nothing's going to improve.
Comments
It is precisely those "providers and intermediaries" who are pushing this bill.
Citicorp and Bank of America will now sell you a credit card, and for an additional $50 per year, they will sell you ID theft protection.
This is like having your bank charge extra for putting your money in a vault with a lock, instead of leaving it on the counter in the lobby.
A careful read indicates that its primary effect is not to cover things that are already unlawful, but to broaden the scope of things that are unlawful. A "brand" or a "name" is not the same thing as a trade or service mark. I can form a company named "Dog Food Inc." and I can sell dog food, but I cannot get a trademark in "Dog Food". By throwing in company names, which you didn't notice and which most people won't notice on a casual read, the bill renders unlawful a pretty broad swath of new things, and it does not have the same defenses or safeguards that were built into the Anti-CyberPiracy Consumer Protection Act.
Suggesting that network operators take prudent steps to secure their networks and detect botnet activity is anathema to the backers of this bill, and the intent here seems to be exactly what you believe it to be - to protect lazy or unconcerned service providers from liability for phishing activity. Since the ISP interests are aligned with the intellectual property interests, this bill is a marriage made in heaven.
John Berryhill said:
Using your read of the bill makes it even more dangerous.
One can easily argue that generic domain names, even when they aren’t a company’s primary brand name, are brands in their own right. For example, it has been pointed out that Bank of America’s use of loans.com generates a branding association between loans and Bank of America.
Thus, under your read of the bill, all uses of loans in domain names would be violations.
Regards,
Alex
A petition has been created, I encourage you all to sign it!
Sign the Petition: www.SnoweBill.com
There are also some insightful comments and thoughts to read from the other ~200 people who have signed the petition so far.
Mark Fulton
DotSauce Magazine
This bill goes way too far and threatens legitimate business.
The bill would make it unlawful if the domain name was identical or confusingly similar to the name or brand name of a government office, nonprofit organization, business or other entity.
Under this bill local governments across the US could seize their city domain names that were registered legally and in good faith and are being used today for legitimate business purposes. This law suggests for example that the Sacramento Bee (the major Sacramento newspaper) is acting unlawfully because they own and use the domain name Sacramento.com. They are not pretending to be the government of either the city or county of Sacramento so what misrepresentation are they doing? Why should they be treated now as criminals? This is completely wrong and will kill off a large private industry of providing localized information for cities across the US. Visit SanFrancisco.com, Chicago.com, LosAngeles.com, NewYorkCity.com, Dallas.com, do people actually think these websites are unlawful? This bill is ridiculous.
paul g said:
Please read the paragraph after that one. It's only illegal if you use the name to mislead people.
There are plenty of things wrong with this bill, but this isn't one of them. I agree that a clarifying "and" at the end of subsection A would be a good idea.
Egad, John B and I agree. Alert the media!
John Levine says:
Please read the paragraph after that one. It’s only illegal if you use the name to mislead people.
So, I am wanting to buy a Fram air filter for my car. To research the size I need I wanted to visit CADNA.COM, the TM holder for Fram, Purolator and other auto parts.
Instead I ended up on CADNA.ORG, the site promoting some non-sense about anti-phishing.
Not only are the names confusingly similar, they are identical.
I am now traumatized that I cannot find the model number of the air filter for my 1959 Edsel Ranger.
Who will get whose name in a case like this?
.pH said:
Sigh. If you're not willing to read the bill, why are you complaining about it?
Unfortunately, subjective intent can wind up "proven" on circular grounds, as in "The domain name is Anytown.com. This is inherently and manifestly misleading to anyone looking for the official website of Anytown." I see arguments like that all of the time. Sometimes they win.
IF we want to target phishing, then it would seem to make sense to make it illegal if the domain name is used for phishing - i.e. it is advertised in email and/or is used to operate a website which obtains personal data (other than IP address) for the purpose of compromising the security of the visitor's identity. I'm sure that someone can come up with suitable alternative verbiage better than that off-the-cuff sentence, but I'm sure you get the idea.
If the point is just to deal with consumer confusion from cybersquatted domain names - we have that already.
I can see the intent limitation there, but I am all too familiar with the proclivities of them what drafted it, and what they believe constitutes proof of intent.
That's a sure-fire indication that this bill is in serious need of surgery.
John Levine said:
But who gets to decide what is misleading?
It is already unlawful and fraudulent to misrepresent yourself as a government office or official so what purpose does this language in the bill serve?
The real goal here is to make it easy to seize domains simply because to some the mere existence of it is confusing regardless of how it is being used. irs.com is a perfect example where it is considered to be a fake Internal Revenue Service website simply because the name is the same. These are not my words, but the opinion of Congressman Ed Markey: http://markey.house.gov/...
Where would this domain seizure stop? Better to not let it start in the first place.
John Levine said:
I have read the bill over and over and over.
I have been studying this for days.
Perhaps you failed to see the sarcasm in my comments.
CADNA is a TM by the group that holds the control over those car products. They can be located on CADNA.com
CADNA is also a TM by this group trying to pass this legislation. They are located on CADNA.org. If Senator Snowe's or Sen. Nelson's office does mass mailings, either by email or snail mail, on behalf of the Anti-Phishing bill using the CADNA TM or CADNA.org moniker, then this bill seems to allow CADNA.com to sue for the intent and the confusingly similar TM usage.
In essence, either of these two TM holders could go after the other and seize their domain name and claim "confusingly similar", or as JB stated, a "subjective intent" not proven.
We already have enough of that going on without making it seemingly easier.
Simply making that claim to "misleading people" would be enough and is simple enough to bring a screeching halt to some legitimate internet commerce.
We know TM's can be held by multiple companies representing multiple products or services at the same time. And most lawmakers know this.
Yet, allowing one to file claim against the other CAN BE enough to put the one out of commission on the internet while the domain name is tied up.
Nor does this bill address the issue of:
When? If I grab the TM for CircleID right now, too bad. This site is shut down while I file action to seize this domain name claiming it is mine.
Who? Who would decide the final outcome as for the claimant? We already have these measures in place.
What? What is purpose of this bill other than grandstanding for the election year when all these measures are already in place and on the books? Placing anything before your constituents that reads to protect the consumer is quite nice and sure to drum up votes.
And, again, who? Who pays for this oversight? The US taxpayer.
In essence, either of the two TM holders for CADNA could go after the other and seize their domain name and claim "confusingly similar", or as JB stated, a "subjective intent" not proven.
This has far reaching implications just not on the shores of the good old US of A. VeriSign controls the .com and .net registries. Many premiere and trusted registrars are based on U.S. soil.
But there are also an additional 260+ domain extensions. Why would one be of more importance than the other? And why would I want to be further burdened with paying my taxes to enforce seizure (or an attempt) to take CircleID.jp, .org, .net, .biz, .de and so on.
As domainers, we know why we would choose one domain extension over the other.
But take your knowledge of domaining, litigation, WIPO, UDRP, TM, and all you know and write about domains OUT OF THE EQUATION for the moment.
You are now a consumer.
Most consumers and businesses are not domainers. I would generalize that most of the population does not know the value of a domain or the necessity of a brandable URL, and does not really care in the first place.
And an even greater bet would be that most of our congress knows nothing about domaining other than telling their voters which website to go to to make their donation pledge.
Reading S.2661 is depressing. Here's the worst crud from the "Findings". I put a call into Olympia Snowe's Portland office this morning.
Keystroke logging software developed by the Federal Bureau of Investigation is pervasively deployed, and is "not detected" by commercial anti-virus software. As we mentioned in RFC 2048, building wiretap into the network, at the physical forwarding elements or application layer filtering, which is what anti-virus software is, creates an exploitable mechanism for uniformed, and non-uniformed criminals.
This is a baffling factoid. There are 150m second-level entries in the global namespace, 70m are in .com, 10m are in .net, so half the global namespace is published by VGRS and easily half of the A records published by VGRS resolve to ipv4 addresses in blocks allocated by ARIN, so one could just as well have written "Verisign" as "United States", and then relied upon existing contract, rather than ignoring existing contract, involving the DoC, the NTIA, ICANN and VGRS.
The final example of masquerading as a trustworthy entity, using socially engineered payloads against specific targets, to acquire valuable information, usually usernames, passwords and credit card details, but here "top secret military information" is reasonable, if you believe that DISNET is connected to MILNET and MILNET to "the Internet", and that each connection is a policy-free (non-filtering) gateway.
When I ran SRI's largest internal (and external) network, I had one of the seven MILNET to ARPANET mail gateways in my shop. Neither MILNET nor ARPANET (modernly "the Internet") were classified networks. In the basement was a SCIF, on DISNET. I once "broke" the ARPANET by adding subnets for a Usenix meeting. That got me a same-day call from the ARPANET NOC at BBN. If I'd connected my DISNET node to either my MILNET IMP (modernly, router) or my ARPANET IMPs (ditto), I'd probably still be inside Leavenworth.
Whoever wrote the final cherry on that slice of pie was either plain ignorant or interestingly dishonest.
I've probably tossed them by now, but back when I hosted Barry's Amptoons his URL earned several multi-hundred node DDOS attacks, and I was always amused to find military assets, pwned of course, in the logfile of each attack. Calling their owners was always good for a laugh.
This mixes two issues, to the loss of sense of both. The appearance of a domain name in the payload of some phish isn't the same thing as the actual domain name. This is why, when you look at a phish payload you often find that Sears or Bank of America appear to be operating out of Russia, the Ukraine, and China. The problem is "HTML-enabled" email. It makes pretty, and it makes hiding all kinds of neat toys, from web beacons that disclose every reading of a payload by an "HTML-enabled mail reader", to the bones of every phish.
The other issue is what is really at play in S2661. Trademark. This is more overtly discovered in the 12th Finding:
Remember, you got here because the Peoples Liberation Army or someone is spear fishing in the third deck of E-ring, the SCIF that houses the secure-side of the office of the SecDef, the senior staffers of the OSD, and all the happy campers awaiting the return of Donald Rumsfeld. Where you're about to go to prevent this critical disclosure of "top secret military information" is ... a bunch of Intellectual Property lawyers in Geneva (I'm actually going there next week, not just to Geneva, but to the World Intellectual Property Organization) and a more accurate WHOIS database.
That's sure to foil the PLA, the KGB, and reverse Global Warming too.
I'll cover other parts of this gem in the near future. I operate an ICANN Accredited Registrar, one with its operational facilities in Portland and Bangor. The pointy end of S.2661 is aimed at Registrars, apparently because we either control the PLA, the KGB, and the melting point of ice, or because Markmonitor is using Olympia Snowe's office for marketing.
Anything "phishy" about this?
http://thecaucus.blogs.nytimes.com/...
March 6, 2008, 3:50 pm
R.N.C. Snaps Up Domain Names
We have cases of politicians winning back their domain name from common folks:
http://www.arb-forum.com/...
But now find political parties involved in the same cybersquatting and potentially phishing schemes that Sen Snowe seeks to prevent with The Anti-Phishing Consumer Protection Act of 2008 (S. 2661).
Part of this proposal is to
"prohibit related abuses, such as the practice of using fraudulent or misleading domain names, by defining them as deceptive practices under the FTC Act."
(from first paragraph of http://blog.thehill.com/... Protect Internet Consumers from Fraud and Theft - Sen. Olympia Snowe)
Domains registered by the R.N.C. or on servers used by the committee:
2007
calculatingclinton.com
canttrustclinton.com
clintonbabbit.com
clintoncleland.com
clintoncohen.com
clintonisbad.com
clintoniscorrupt.com
clintoniswrong.com
clintonkerrey.com
clintonlibrarycard.com
clintonlibraryresolution.com
clintonomalley.com
clintonsalazar.com
clintonschweitzer.com
clintontruthwatch.com
hillaryiswrong.com
hillarymythfact.com
hillaryrecords.com
hillaryspendometer.com
hillarytaxplan.com
hillarytruthsquad.com
hopelesshillary.com
outwithhillary.com
thetwohillarys.com
2008
amateurobama.com
barackisliberal.com
barackiswrong.com
baracknotready.com
barackobamanotready.com
barackobamatheliberal.com
baracktheamateur.com
barackthebeginner.com
fauxbama.org
hesnotready.com
meetbarackobama.com
norealexperience.com
nowecannot.com
nowecannot.net
nowecannot.org
obamaisliberal.com
obamaiswrong.com
obamanotready.com
obamaspendometer.com
obamatheamateur.com
obamathebeginner.com
yeswecandowhat.com
yeswecanwhat.com
Seeing that this is a bi-partisan bill, I thought the Honorable Senator would want to keep up on such things so a copy of the New York Times article was sent to her office.
John,
Just to reiterate, each Section of this bill stands alone.
Section A covers phishing
Section B covers infringing names and then more troublesome "confusingly similar" language
Section C covers WHOIS
Just to reiterate
These Sections are not in any way linked together - so you can violate Section B by merely owning a domain name and displaying an Under Construction page. Your domain name is vulnerable even if you don't collect information (Section A) and you have complete and full id information in your WHOIS record (Section C). Also if you register a name and don't have any content on the page and use private registration you violate Section C.
All the Sections use the same Fines but again they are not conditional.
At the beginning of the bill they use language that attempts to create a link between Phishing and Domain Names and Private WHOIS in the reader's mind. A three legged stool.
But the bill ignores any links between Phishing and Domain Names and private WHOIS . Perhaps in the hope that people will read the title of the bill, glance over it and mistakenly ASSUME that you have to be suspected of Phishing to worry about Section B or Section C.
Read it again and you will see these sections are OR not AND. This is likely an attempt to sneak section B past everyone since they have carefully attempted to make you think Phishing is a required element.
Also in Section B who has rights among the various TLDs? does a .com name override a .net name or maybe .us is better than .org?
Very few domain registrants own all the top 5 or 6 TLDs for generic names and as you point out even trademarks rarely avoid bumping TLDs.
So under this bill it appears that UTube.com can now demand that YouTube.com cease and desist and pay them millions in fines.
This is simply a pandora's box that will put more stress on small business owners that use a generic domain name for their business address.
If you are really concerned about small business and their ability to use the internet for commerce then don't pass a bill that will make them afraid to invest in their website - you wouldn't build a five star hotel on land that could be taken away from you at a moment's notice.
By the way in Section 6 D they create exceptions for most govt related agencies so the domain names in the prior post would probably be exempt from this type of legislation.
I don't like Phishing but truthfully over 66% of attacks come from outside the US and most use infringing email text links and use trademark names only as subdomains early on in very long URLS.
The actual domain names used for phishing are either IP addresses or nonsense domain names (i.e asdjkl.info) that only have a lifetime of 24 to 48 hours before they are shutdown.
This bill is either naive or just another pro big business bill being sold under the false pretense of Consumer Protection.
Either way it should be killed.
Perhaps someone will propose a BETTER BILL that actually does address criminal penalties for Phishing attempts without denying domain owners their rights, their due process, and their ability to hide their home address, phone number and email from the entire world.
Mr Domain Owner: Please don't sit on your hands and expect others to take care of this.
Domain owners have been bullied since day 1 and it is time to unite and stop our government from passing legislation that will make reverse hijacking even easier than ever.
I would assume ICANN would have a position on this as their WHOIS policies and their domain dispute policies are seemingly tossed aside for US domain owners if this were to become law.
Using the internet should be safe and fun but you can't protect every user ALL the time. Roads and Highways are great but if I walk out onto a major interstate highway I will most likely be hit and killed.
Anti-phishing software, OpenDNS and other easy, affordable tools exist to protect the average user from being Phished. This bill would do next to nothing.
Snowe is likely just the entry/access point
The roots of this bill can be traced here
http://www.alston.com/...
http://www.alston.com/...
Martino works with
Coalition Against Domain Name Abuse who clearly supports this bill
http://www.cadna.org/...
In case you want to vote with your wallet.
CADNA Member List
American International Group, Inc. (AIG Insurance )
Bacardi & Company Limited
Compagnie Financière Richemont SA
Dell Inc.
Eli Lilly and Company
Hilton Hotels Corporation
HSBC Holdings plc
Marriott International, Inc.
Verizon Communications Inc.
Wyndham Worldwide Corporation
Seeing Dell here is a real bummer because I love their laptops.
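Two of the comments above make the same technical point: the brand a reader sees in an HTML mail is not the domain the link actually resolves to, and the real host is typically an IP address or a short-lived nonsense name with the brand buried as a subdomain of a long URL. As an added example (not code from the post or any commenter), here is a defender-side check for exactly that mismatch; the sample message, the 1x1-image beacon heuristic and the two-label registrable-domain shortcut are assumptions of this example.

```python
"""Added example, not from the post or its comments: flag links in an HTML
e-mail whose visible domain differs from the href's real host (IP address, or
a throwaway domain carrying the brand only as a subdomain), and list 1x1 images."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed sample, not a real phish; asdjkl.info is the comment's own nonsense name.
SAMPLE_HTML = """
<p>Dear customer, please <a href="http://bankofamerica.com.login.asdjkl.info/x/y/z/secure/verify.php?id=42">
bankofamerica.com</a> to confirm your details.</p>
<p><a href="http://192.0.2.10/sears/login.html">www.sears.com</a></p>
<p><a href="https://www.example.com/help">www.example.com</a></p>
<img src="http://tracker.asdjkl.info/beacon.gif?u=42" width="1" height="1">
"""

DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a>, and the src of 1x1 images."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.beacons = []
        self._current = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._current = [a["href"], ""]
        elif (tag == "img" and a.get("src")
              and a.get("width") == "1" and a.get("height") == "1"):
            self.beacons.append(a["src"])  # heuristic: tracking pixel

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            self.links.append((href, " ".join(text.split())))
            self._current = None


def registrable_domain(host):
    """Simplification: the last two labels. Production code should use the
    Public Suffix List so that names such as example.co.uk are handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip_host(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_link(href, text):
    """Return a finding dict when shown domain and real target disagree, else None."""
    host = urlparse(href).hostname or ""
    if not host:  # mailto:, relative links etc. have no host to compare
        return None
    m = DOMAIN_RE.search(text)
    shown = m.group(0).lower() if m else None
    if is_ip_host(host):
        return {"href": href, "shown": shown, "actual": host, "reason": "ip-address host"}
    actual = registrable_domain(host)
    if shown and registrable_domain(shown) != actual:
        brand = registrable_domain(shown).split(".")[0]
        reason = ("brand only as subdomain" if brand in host.split(".")
                  else "display/target mismatch")
        return {"href": href, "shown": shown, "actual": actual, "reason": reason}
    return None


def analyse_html(html):
    """Parse the message; return (list of link findings, list of beacon URLs)."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = [f for f in (analyse_link(h, t) for h, t in parser.links) if f]
    return findings, parser.beacons
```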
John Levine,
Thank you for a good article. You are correct that this is a bad bill. However, as has been pointed out by JB, Domain Rights and others, it isn't that easy to fix it. It is essentially a trademark bill posing as a consumer protection bill. Trademark owners do not need to prove that a domain is used for phishing, only that it is misleading (confusingly similar). If passed, it will create trademark rights far superior to current rights and without the requirement to actually register a trademark. Brand owners will only have to have a "brand" or company name to seek protection under the Snowe bill.
I can't agree that this bill does not do anything bad, but will agree with you that if passed "it’s unlikely the Congress would consider a more effective law for a long time". Internet Commerce Association strongly supports legislation that really addresses phishing. However, we are devoting a lot of our association's resources to stop this bill and welcome responsible businesses involved in internet commerce to join or donate at InternetCommerce.org.
First of all, I greatly appreciate you addressing this legislative document in such an insightful manner.
Upon reading the Anti-Phishing Consumer Protection Act of 2008 and researching its supporters and sponsors, it is obvious that there is a large movement within the corporate powers that be to take control of the domain name market from the public.
This market is currently accessible to investors with limited resources, allowing them to buy access to available domain names for less than $10, then put their creative entrepreneurial minds to work creating income from their efforts.
Phishing is definitely an unjust and currently illegal and fraudulent activity. I have personally been violated by similar activity, but this bill before the US Congress is a wolf in sheep's clothing. It alludes to addressing Phishing, but is written to take away our ability to monetize investment in domain names.
Over the last 10 years, limited-capital investors have been pushed out of many of the markets through the monopolizing of large corporate structures, government legislation, and manipulation by our financial institutions. The Domain Name market is one of the only havens left for this limited resource adventurer.
Normally I attempt to limit my public actions in political realms, but passing of this act would totally invade my ability to produce income in my industry of choice. Therefore I also have started creating articles addressing this injustice on my website www.domainprojections.com. Feel free to read and comment on my articles. Again, thank you for your open addressing of this issue.