|
|
|
Anti-Phishing Bill Trojan Horse Seeks to Destroy Domain and Trademark Owner Rights |
|
By Rikki Kirzner
Contributing Writer
Domain and internet watchdog groups across the country have been holding intense discussions and heating up the keyboards to alert the domaining industry about the inherent threats hidden within the Anti-Phishing Consumer Protection Act of 2008 (APCPA).
Introduced on Feb. 25, 2008 by U.S. Senator Olympia Snowe and cosponsored by Senators Bill Nelson (D-FL) and Ted Stevens (R-AK) the bill is not quite what its title would have you believe. APCPA is a Trojan horse with all the earmarks of an attempt by special interest groups and/or certain corporations to wrest legal domain names away from domainers by imposing a new, tougher, and unfair type of infringement that goes beyond trademark law and eliminate domainers’ right to privacy under the guise of providing enforcement of anti-phishing laws.
APCPA defines phishing as “a method of online identity theft in the form of fraudulent e-mails or fake websites to deceive the recipient into giving personal or financial account information.” The bill cites the following data to illustrate the extent of the problem: “Approximately 59,000,000 phishing e-mails are sent a day; as many as 10,000,000 fake messages are opened per day by recipients; according to Gartner, Inc., between August 2006 and August 2007, roughly 3,500,000 United States computer users were victims of phishing scams, and suffered losses totaling $3,200,000,000.”
“Phishers will go after any valuable asset,” said Philip S. Corwin, Counsel to the Internet Commerce Association (ICA)—a non-profit trade association dedicated to promoting and protecting domain name owner rights. “Real consumer fraud is being perpetrated by criminal organizations. Even domainers are receiving phishing spam email attempting to get their registrar information so their domains can be stolen. The federal government certainly needs to do more to attack phishing but this bill isn’t the solution. APCPA is very weak and ineffective because all it does is make unlawful one more time a criminal practice that is already unlawful under at least seven different federal statutes as well as state laws. Declaring it unlawful once again isn’t really doing anything to effectively stop phishing attacks, especially those launched outside the U.S. It would be tragic if Congress passed this bill instead of doing something more effective to stop phishing.”
If APCPA passes in its current form it will not only put millions of legitimate and legally owned domain names at risk of being declared unlawful and their owners subject to substantial fines, but will also destroy people’s right to maintain their privacy and protection from spammers and phishers. If it passes, it will have little, if any, effect on curtailing or preventing criminal and technology attacks—but can cause irreparable harm to domainers, small businesses, and private citizens.
“I believe whoever put that bill together does not have a clear understanding of the problems that currently hinder the internet and those vulnerable to its misuse,” said Michael A. Castello, CEO and President of Castello Cities Internet Network. “An effort should be made to join together professionals in the field to better cope with where the real threats are coming from. Even though the majority of phishing schemes originate in foreign lands, there are remedies that can make a difference. Passing ‘feel good’ laws that can easily be abused is not the American way to address this.”
“This is a classic case of the road to hell is paved with good intentions,” said David J. Castello, COO and Secretary of Castello Cities Internet Network. “The best part of this bill is the title. When I read their press release, I thought, ‘Good, I'm tired of getting dopey phishing emails’. As I studied it further, I could see this bill opening the door to reverse domain name hijacking. Honestly, it's so poorly written that it probably needs to be scrapped.”
ACPCA is too focused on domain names used by phishers. It establishes a new law that is much broader than established trademark law allowing trademark owners to file infringement lawsuits without having to allege or prove that targeted domain names were actually involved in anti-phishing activities. People or companies who want to sue domainers for trademark violations can then bypass the existing ICANN Uniform Domain Name Dispute Resolution Policy (UDRP) as well as the existing Federal Anti-Cybersquatting Consumer Protection Act (ACPA).
"The APWG welcomes legislation that will make it easier for law enforcement to find and prosecute online fraudsters. Today's laws usually mean that we can go after phishers only after they have stolen and used the phished credit cards,” said David Jevans, Chairman of the AntiPhishing Workgroup (APWG. “This is mostly a back end process based on financial fraud and wire transfer type of legislation, but we have concerns that ACPCA is very specific around domain name abuse. In one sense the bill is too narrow and doesn’t address related types of crime such as malware and crimeware which are also used in phishing schemes. In other areas such as aspects of domain name trademarks, we think it is too broad and potentially oversteps the bounds of pure anti-phishing protection”
Senator Snowe’s spokesman, John Gentzel, insists that there is no real threat to legitimate domain name owners and said, “This is an enforcement bill—not a regulatory bill. This bill clearly defines phishing as a deceptive practice so the Federal Trade Commission (FTC) doesn’t have to expend resources in the judicial system trying to establish a definition. It also provides civil action authority to the FTC to go after phishers which they don’t have today.”
The first of the two most controversial sections of ACPCA is Section 3B DECEPTIVE OR MISLEADING DOMAIN NAMES. The bill makes it unlawful to use a domain name that “is or contains the identical name or brand name of, or is confusingly similar to the name or brand name of a government office, nonprofit organization, business, or other entity” in an email, instant message, or on a webpage. That section of the bill also makes it illegal to transfer, sell, or assign the domain name for financial gain without having used, or having an intent to use, the domain name in the bona fide offering of any goods or services.
“We own Traveler.com and there are several magazines that use the word Traveler,” said Michael Castello. “The language is so broad that any number of trademark holders could be jumping at the bit to take us to court to get that name. But wait! That is the name we registered over 10 years ago and built our business upon. What protects us? The statue of limitations? The global registry that offered our public information for twelve years? I believe we would prevail, but at what cost? Who is protecting the smaller businesses? Definitely not this bill.”
“The seemingly innocuous words in this section open the door to a plethora of reverse domain name hijacking. UDRP arbitration already covers this territory (extremely well) and in a clear way that discourages abuse on the part of the Complainant,” adds David Castello. “The wording would encourage a litigious free-for-all. The last thing we need to do is replace one abuse with another.”
“This is not just an enforcement bill because it is not narrowly targeted at criminals and does not restrict its new powers to law enforcement agencies,” said Corwin. “Section 3b is not targeted at phishing—but at domain names. Why would an enforcement bill allow for private rights of action by trademark owners and other private parties and not give a right of action to law enforcement agencies like the FBI, Department of Justice, and other agencies. Section 3b doesn’t even require an allegation that a particular domain name or the associated website is in any way involved with a phishing scheme. It doesn’t require any evidence of that type be produced in order to initiate legal action.
“It creates a free for all on trademark disputes placing small entrepreneurial businesses under the thumb of large corporate litigation in order to advance their positions,” said Michael Castello. “This bill would basically allow those who have the money to extort small companies into submission. It could change the landscape of the Internet as we know it and hand it over to all the large corporations. The power of the internet is in giving a voice and a means of advancement to everyone. This bill does the opposite.”
“ACPCA is far broader than it needs to be particularly with regards to existing trademark laws, and far less balanced in its approach than either the UDRP or the ACPA–both of which give trademark interests very effective mechanisms against true cybersquatting,” said Corwin. “The bill’s fines go beyond the $100K statutory damages per violation of the anti cybersquatting act that is now on the books. The bill’s potential punishment is so much greater that if it was used against a domain name registrant the likely effect would be that the accused domain holder would abandon the domain name regardless of the lawsuit’s merits because the potential monetary awards could be crushing especially since it lacks the UDRP and ACPA requirement that the complainant establish bad faith registration to prevail.”
“We believe this proposal would make for bad law and the ICA is conducting meetings with key individuals in the Senate to help them understand that domain names are very valuable assets,” continues Corwin. “Some domain investors will spend millions to tens to millions of dollars for the right names and are therefore very careful to make sure they are not violating UDRP or trademark law before they make these purchases. It is unfair to suddenly subject them to an entirely new law where things that are clearly legal under existing trademark law may suddenly become unlawful—making their investment worthless.”
“There are other provisions of the bill that we don’t fully understand but might make parked web pages unlawful,” adds Corwin. “That is obviously unacceptable since we don’t want the government to legislate what constitutes a legitimate business model on the internet—something they have always refrained from doing in the past.”
The second controversial section of ACPCA is Section 3C WHOIS DATABASE INFORMATION ACCURACY which makes it unlawful to register a domain with false or misleading information. It also makes it unlawful for a domain name registrar, registry or authority to shield, mask, block, or otherwise restrict access to this same type of information in any WHOIS database if anyone requests that information for whatever reason.
“There is nothing wrong with WHOIS being public,” said Michael A. Castello. “It was like that when I started. I would rather have a global listing to my names that is public. After seven years, I would then have cause to say my information was public and the statute of limitations now protects me. Parts of the bill basically have good intentions, but the way it is currently written is very destructive. I don't think any of these Senators want to be remembered as the ones who destroyed the individual powers the internet now allows us. This bill needs people who can see the big picture. I understand their impulse for correction, but it is far too heavy handed.”
“We believe that section 3C—the WHOIS database information accuracy—is extremely difficult to enforce and that it will raise many privacy and anti-spam concerns if the government attempts to pass this,” said Jevans. “Many people believe that there should be private domain name registration including small business owners who don’t want to have their private information available to everyone out there who might want to contact them or use that information for illegal practices. Maintaining privacy lets you reduce the amount of spam you get and helps you avoid becoming the target of spear phishers. By stepping on privacy issues, this bill can hurt more than it can help.”
"Many people in the APWG working group believe that this bill is unenforceable,” adds Jevans. “You aren’t supposed to enter inaccurate information now into the WHOIS database. If it passes, who is going to go through 50 million domain names and turn them off because the information in the WHOIS database is incomplete or inaccurate? How exactly is this information going to be audited? Is someone going to visit each domain owner at their stated address? How do you enforce this globally? You can now register domain names in more than 100 countries. If this law passes, domainers will just register names with another registrar in some other country that doesn’t subscribe to this type of public disclosure of information.”
“Ironically, ACPCA also assists spammers and criminals by giving them access to that data on demand,” adds Corwin. “Automated bots could be created to generate those demands by the millions.”
“We do believe private registrations are fine, but the registrar should still have accurate information about the user,” said Jevans. “If there is a provable act of fraud on a website, law enforcement or other parties involved in an investigation can request that information from the registrar and get it in a timely fashion But, that is not really addressed in this bill the way it is currently written.”
Phishing is a global problem and U.S. law doesn’t have any effect on criminal actions throughout the rest of the world. ACPCA doesn’t take into account the changing dynamics and expanding global criminal presence. When this fact was discussed with Senator Snowe’s aid, Gentzel said, “Yes there is a foreign/international component but the antiphishing working group has shown that the U.S. is consistently the top country hosting phishing websites with 32% of the phishing sites hosted in the U.S.”
This data also means that two-thirds of the perpetrators are operating outside US jurisdiction. Jevans agrees and said “The data also means many other things. It is true that the majority of phishing emails are sent to U.S. recipients and the majority of brand names being spoofed are U.S. based companies or companies that have a U.S. presence. The financial services sector—particularly banks and credit unions—has the most number of companies being spoofed because the U.S. has thousands of independent banks and credit unions which is not the case in most other countries. However, when you consider where these websites are hosted, the U.S. has been continually declining as the primary country for hosting phishing over the last 2-3 years. Two years ago the U.S. hosted more than 50% of phishing sites but that is no longer true China has gone from 8% a year ago to 23% today. Russia also has a growing phishing hosting presence. If phhishers are not physically located in the U.S. then it is very difficult to make them subject to U.S. laws.”
“Any effective response to phishing must clearly be coordinated between law enforcement and financial regulatory agencies globally,” said Corwin. “We urge the Commerce Committee to hold oversight hearings on this bill or start drafting new legislation without using Sen. Snowe’s proposal as its starting point.”
EDITORIAL NOTE: The bill has been referred to the Subcommittee on Interstate Commerce. If it receives a hearing and subsequent vote there it will be considered by the full Committee and then perhaps reported for full Senate consideration. It is very important to communicate your views to your Senators to be sure that ACPCA never gets a hearing or markup in Subcommittee so the bill cannot advance any further this year. Don’t be complacent. If the bill fails, it can (and most likely will) be reintroduced in 2009, when the 111th Congress convenes. Let’s be sure that when it does resurface, it actually addresses the anti-phishing issues and nothing else.
For a copy of the Senate bill, visit http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=110_cong_bills&docid=f:s2661is.txt.pdf
To read more on the ICA's opposition, visit http://www.internetcommerce.org/Snowe_Bill_Threatens_Domain_Name_RegistrantsTo read CADNA's statement in support of the bill, visit http://www.cadna.org/en/press-release-february-26-2008.html |
|
|
