Senate Looks To Outlaw Phishing, Even Though It's Already Illegal

from the gotta-do-something dept

Wed, Feb 27th 2008 7:21am — Mike Masnick

As the saying goes, when your only tool is a hammer, everything starts to look like a nail. The folks in Congress sure do an awful lot of whacking at various nails these days. The latest is a new bill in the Senate that seeks to outlaw phishing. One tiny point is important here: phishing is already illegal. So, really all this bill does is allow these politicians to claim that they took a stand to stop phishing. Except, it's actually worse than that. Not only will this bill not do anything to stop phishing, it will actually make life worse for plenty of non-criminals. That's because a part of the bill would outlaw hiding domain name registration information. Now, there are plenty of legitimate reasons for not wanting to reveal your info in the whois database -- but according to this bill, it won't be allowed any more. If you want to own a domain, you'll need to cough up your name, address and phone number to whoever wants it -- and they better be legit. If you provide false info, you'll also be breaking the law. So, it won't do anything new to stop phishing, but will make it much more difficult to own a domain anonymously. That's quite a nail.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: anonymity, grandstanding, phishing, senators

27 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Jay Fude (profile), 27 Feb 2008 @ 7:58am

Happy
I'll be happy to 'own' a site for anyone else, for a small fee, then they can 'rent' the site from me anonymously, as long as the check clears the bank, and all I do is answer the phone and say, "yep, I own that site" and collect $10 a month, I'll do it.

quick, I'd better patent this idea..... damn trolls read this site too, and patent all of techdirt and techdirt communitity ideas
[ link to this | view in chronology ]
- Anonymous Coward, 27 Feb 2008 @ 1:45pm
  
  Re: Happy
  I'll be happy to 'own' a site for anyone else, for a small fee, then they can 'rent' the site from me anonymously, as long as the check clears the bank, and all I do is answer the phone and say, "yep, I own that site" and collect $10 a month, I'll do it
  
  That's one of the ways it's done now. This bill would make that illegal.
  [ link to this | view in chronology ]
Thom, 27 Feb 2008 @ 8:09am

Whew!
I'm really glad to hear this. I'm so sick and tired of all those foreigners phishing for our passwords and account information, it's about time we passed a law to stop them. This one doesn't go far enough though. It also needs to make it illegal to hack, or otherwise gain entry to, another's legitimate web server to set up phishing pages. If the senate would tackle that one too then we'd be free from phishing in the good ole USofA. There's nothing like a few good US laws to frighten foreign scamers into submission!
[ link to this | view in chronology ]
- Nick, 27 Feb 2008 @ 10:55am
  
  Re: Whew!
  I guess some folks just totally seem to miss the point. Hacking and accessing remote servers is illegal too. What is needed instead of better laws is better protection software. Create a law to advance us further in our technology.
  
  Look at those damn drug laws. How many drug addicts take into consideration to not use drugs just because there illegal? Not many. Although, people that are scared of drug laws wouldn't use drugs anyway because they are also scarred of so many other things like health.
  
  So thinking that laws eliminate crimes is naive. Criminals don't follow the law. Only good people do.
  [ link to this | view in chronology ]
Anonymous Coward, 27 Feb 2008 @ 8:10am

Jay, and what do you do when US Marshalls walk up to you and hand you a warrant for your arrest?
[ link to this | view in chronology ]
- Anonymous Coward, 27 Feb 2008 @ 8:48am
  
  Re:
  He laughs all the way to the court where the judge chuckles because theres no actual evidence of him phishing. Meantime they confiscate his PCs and ruin his life because thats the way it works in the USA
  [ link to this | view in chronology ]
- Anonymous Coward, 27 Feb 2008 @ 9:31am
  
  Re:
  Also.. I dont think thats how it would play it. As the legal owner of a domain name I doubt youre responsible for what happens on it. But they might subpoena from you details of the person that is paying you to anonymously operate the domain name.
  [ link to this | view in chronology ]
  - John Duncan Yoyo, 27 Feb 2008 @ 9:49am
    
    Re: Re:
    And If I ran Jay's business I would make it clear that I would immediately hand over any and all information when and only when asked by a legal authority brandishing a legal subpoena.
    
    This is a firewall to stop people from bothering a small website owner.
    [ link to this | view in chronology ]
Scott, 27 Feb 2008 @ 8:30am

Um, is anyone paying attention?
Famous last words:

"We're with the government, and we're here to help."

Anyone looking to government regulation to solve ANY technical problem should not be involved in ANY technology infrastructure whatsoever.

Go work in off-off-broadway theater as a stage hand. Please.
[ link to this | view in chronology ]
- Kenneth M, 27 Feb 2008 @ 8:41am
  
  Re: Um, is anyone paying attention?
  Your right... and I bet it's going to cost taxpayers $250M to manage and enforce it.
  
  Good Job. So whatever happened to Ron Paul? Oh yeah, the media outlets would have been at risk if he had a chance. So they didn't give him airtime.
  [ link to this | view in chronology ]
Liam, 27 Feb 2008 @ 9:12am

I can still get domains anonymously
Untill america owns the internet, I can still anonymously own a domain :)
[ link to this | view in chronology ]
- B, 27 Feb 2008 @ 10:08am
  
  Re: I can still get domains anonymously
  I wonder if the Congress is going to try to force foreign domain sellers to provide whois information.
  Although the ICANN is located in America....
  [ link to this | view in chronology ]
Derek Kerton (profile), 27 Feb 2008 @ 9:19am

Validated Target Spam Mail List
Thanks DC. Now every spammer will have access to a free, government-certified mail list. Spammers can cull the Whois database, and be well on their way to having a great list of real people to whom they can send spam, compliments of the US Senate. The senate is validating contact info for spammers.

Basically, in a bid to stop phishing, the government is guaranteeing that I will get more SPAM by forcing me to publish my full contact info to a place where bots can grab it cheaply.

Hey comment #1, you've got mail. Sign me up.
[ link to this | view in chronology ]
- RIch Ku.lawiec, 27 Feb 2008 @ 11:33am
  
  Re: Validated Target Spam Mail List
  Invalid.
  Every spammer already has this. You don't seriously think that your super-secret address in your registrar's database is going to stay that way indefinitely, do you?
  Registrars have data leaks too. Registrars have underpaid employees who might be willing to burn a CD in return for an envelope stuffed with non-taxable income. Registrars can make deals with data brokers. Registrars can be bought and sold.
  But there's a larger picture than this: any email address that's actually used shows up in multiple places: on the sender's system, on the sender's outbound mail server, on the recipient's inbound mail server, on the recipient's system. If any of those are compromised, or susceptible to dictionary attacks (in the case of the mail servers), or otherwise leak the address -- then it's out, and once it's out, it's on its way into the databases. Given that there are enormous numbers of already-compromised systems (at least 100 million) and that the number is steadily increasing, the odds of avoiding one of those systems are getting worse all the time.
  Yes, there are isolated examples of addresses that have managed to elude spammers. I have a few myself. But these few examples are not indicative of the overall trend. It's best to assume that spammers have, or will soon have, any valid email address and plan defenses accordingly. Given that any minimally-competent email system administrator should be able to set up a system with no more than 5% FN rate and a tiny FP rate, this really isn't asking much.
  Let me also toss in that constructs like rskNOSPAM@gsp.org are trivially undone with a snippet of Perl or equivalent; spammers figured that out a decade ago, and so there is no point at all in obfuscating addresses.
  [ link to this | view in chronology ]
Danny, 27 Feb 2008 @ 10:26am

data points
Clinton and Obama have their campaign site domain names registered publicly to their campaign headquarters'.

McCain's campaign site domain name appears to be registered thruogh "DomainsByProxy.com"

It will be interesting to see how these Senators vote.
[ link to this | view in chronology ]
- Anonymous Coward, 27 Feb 2008 @ 1:48pm
  
  Re: data points
  It will be interesting to see how these Senators vote.
  
  They'll probably exempt themselves like they did with the do-not-call list and many other laws.
  [ link to this | view in chronology ]
Adam, 27 Feb 2008 @ 10:54am

Anonymity is overrated
I for one believe in public records for use of public resources. There is a huge difference between privacy and anonymity, and I would suggest that anonymity erodes the social fabric.

There are many good reasons why tax roles, broadcast licenses, motor vehicle registration, and much more should be a matter of public record.

And a shout out to spammer-haters above: at least half of the anti-spam professionals believe that public DNS records are a good idea.
[ link to this | view in chronology ]
- Rich Kulawiec, 27 Feb 2008 @ 11:41am
  
  Re: Anonymity is overrated
  I concur. And as the guy who released the first anti-spam program, I think I have some experience in this area.
  The way I've put it is this: anonymous speech on the Internet is invaluable and should be defended; anonymous operation of the Internet is completely unacceptable.
  And anyone who owns a domain, or a network, is an operator: they control part of the network's public infrastructure, therefore they need to be publicly identifiable, accountable, and reachable.
  That may too much of a burden for some: that's fine. They may choose not to operate part of the Internet. It also may be dangerous for some -- for example, those engaging in politically controversial speech while living under authoritarian regimes. I agree -- which is why one of the LAST things such people should do is register a domain...because it creates a link between them and the domain. It de-anonymizes them the moment someone hacks their registrar -- or serves them with a subpoena -- or hands them a National Security Letter. Those seeking anonymity should avoid domain registration completely, not pretend that the farce of "anonymous domain registration" will somehow protect them.
  [ link to this | view in chronology ]
another mike, 27 Feb 2008 @ 10:56am

this is really surprising?
when hollywood owns congress, and even they haven't had an original idea in decades, you expect a senator to come up with something new?
[ link to this | view in chronology ]
MaddMannMatt, 27 Feb 2008 @ 11:44am

Law Happens
Yep. This is basically the same poop that happens on the State level. When the fed passes a law, often state and local gov'ts mirror it. Most of this has been flagged for a crappy revenue generation scheme, but in reality it is supposed to (yeah) speed the process of prosecution by taking the already horrible delayed federal court/justice out of the mix and localizing it.

But the real and all too unfortunate problem of making Phishing illegal even at the fed-level is that a majority of it is non-domestic! It's sort of like attempting to prosecute a Chinese company for US patent infringement. (oops...I'm sorry...was that out loud?) Symbolic at best.
[ link to this | view in chronology ]
John (profile), 27 Feb 2008 @ 11:59am

How about education
Instead of spending money to make something that's illegal even more illegal, how about spending that money on education?

How about creating commercials or programs that teach people not to fall for phishing and spam e-mails?

The most effective way to stop spam is to stop the spammer's income. They don't care if their business is illegal in Country A or Country B, but they do care if no one's buying their products of falling for their scams.
If no one replies to the phishing e-mails, the spammers will have to move onto some other scam... and the phishing e-mails stop.
[ link to this | view in chronology ]
Griper, 27 Feb 2008 @ 1:03pm

Get your tin-foils caps on
And consider this, they passed this law so the government can find out who owns the websites they don't like.
[ link to this | view in chronology ]
- Rich Kulawiec, 27 Feb 2008 @ 1:24pm
  
  Re: Get your tin-foils caps on
  Why would they bother? This administration has shown itself ready, willing and able to acquire information like that via any means necessary, without going through legal formalities. If this was their goal...then they've already done it.
  [ link to this | view in chronology ]
  - Anonymous Coward, 27 Feb 2008 @ 1:50pm
    
    Re: Re: Get your tin-foils caps on
    Why would they bother? This administration has shown itself ready, willing and able to acquire information like that via any means necessary, without going through legal formalities. If this was their goal...then they've already done it.
    But this makes it easier.
    [ link to this | view in chronology ]
    - mann, 27 Feb 2008 @ 2:12pm
      
      Re: Re: Re: Get your tin-foils caps on
      remember carnivore was introduced in the previous administration...
      [ link to this | view in chronology ]
KD, 28 Feb 2008 @ 3:25am

This isn't about phishing ...
I have a strong feeling that this bill isn't about phishing at all -- that's just the cover. The real reason is to make it easier for the content mafia to locate the owner of a site doing something they don't like.

If they just were trying to ensure that criminal investigations or civil lawsuits could track down a website owner, the most they would have to do is make the registrars responsible for verifying the identity of people registering a domain. If the identity were needed for a criminal investigation or civil lawsuit, a warrant or subpoena would be all that's needed to get the information.

My conclusion: Phishing isn't the target.
[ link to this | view in chronology ]
Emme, 3 Apr 2008 @ 2:12pm

Public records/info
I am so mad about having my public information, along with family members!!, listed online in search engines for anyone to see.

I had a stalker, and guess how he found out where I live? This should be illegal.
[ link to this | view in chronology ]