Snowe Bill – Ineffective Anti-phishing Legislation

Philip Corwin | Blog

Internet Commerce Association (ICA) has been working diligently to stop the Snowe bill, S. 2661, since the day it was introduced. Even though it has an anti-phishing name, it is clearly a trademark bill. Philip Corwin, Counsel to ICA, has met with Senators’ staff and spoken with Capitol Hill reporters and with other companies and associations that have a lobbying presence in Washington. He has been informing them of the damage this bill will cause to our industry and soliciting opposition to the bill, and his work is starting to pay off.

One question that we hear from supporters of the bill and even from some people in the domain community is “how can we amend the bill to make it less offensive”. ICA strongly supports legislation that will stop phishing. Our association is made up primarily of individuals and businesses that earn 100% of their revenue on the internet. Phishing destroys public confidence in Internet Commerce. No group is more concerned about consumer confidence in Internet Commerce than ICA members. Further, domain registrants themselves are becoming the targets of phishing attacks by criminals seeking to steal their valuable assets, their domains.

However, it makes no sense to take this new trademark rights bill and try to amend it into an effective anti-phishing bill. Congress should start from scratch with an investigation into how phishing attacks are perpetrated and what technologies can effectively prevent them, as well as inquire whether there are gaps in existing law, and then start writing a proposal on a clean sheet of paper. It is my understanding that the criminal organizations that engage in these frauds operate from outside the U.S. to a great extent and are adept at using hijacked “zombie” computers to send their spam, and at hacking into others’ servers to establish their bogus websites. Even so, there may be something that US lawmakers can do to help thwart phishing attacks. There are technically skilled people in the domainer community who would be happy to contribute their time to a Congressional inquiry to help establish effective solutions to phishing, and ICA will gladly recruit them to the task.

The National Consumers League, founded in 1899 and America’s pioneer consumer organization, says “The most common form of phishing is by email.” Yet the Snowe bill hardly focuses on email, and certainly not to the extent that it does on domain names. The Internet Governance Project and the Electronic Frontier Foundation have already raised strong concerns about the bill, and other public interest and cyber-liberties groups should be weighing in soon. With such growing opposition, and with little new legislation likely to be enacted in this very political year, there is absolutely no reason for domain investors to regard the Snowe bill as inevitable and therefore something we need to negotiate from a position of weakness. The bill does demonstrate that we face a real long-term challenge from trademark interests, but it also gives us the opportunity to get better organized and explain what we do, and how it helps consumers, to Congress and other policymaking bodies.

I am not a technical expert on the Internet or phishing techniques, but it seems like anyone with a working email address understands enough to know that the Anti-Phishing Consumer Protection Act does not really touch on the problem. I get phishing emails every day. I have even been tricked into providing login information to one fraudster pretending to be eBay. Fortunately for me, I realized my mistake immediately and went to eBay and changed my password. I have noticed that most of the time, emails that I receive use html links to disguise the actual domain name of the counterfeit site. Furthermore, the domain names are rarely if ever similar to the site they mimic. Usually, misleading sub-domains are used in very long URLs to confuse the victim. These two examples are from email that I received in the last 24 hours.

This text was displayed as a link which you might presume linked to Wachovia.com.

https://wc.wachovia.com/

When in fact it linked to this URL.

http://wc.wachovia.ibsidcmopserver.cmserver.access18309788.default.servletdologin.verify.cfm.mlnk7.com/

This URL was completely hidden in the html email and is so long that the domain name was not visible in the address bar when my browser opened after clicking on the link. In order to see the domain name in my browser address bar, I had to enlarge the window or click in the address bar and scroll to the right. Notice that the domain m1nk7.com is not similar in any way to Wachovia. This is typical of the phishing emails that I get and is like the one that tricked me into giving up my eBay login information.


The next example shows less sophistication in my opinion. The email purported to be from PayPal. Of course it contained an urgent message requesting me to log in to my PayPal account using the following link. This link was displayed as the following much shorter URL, which was easier to identify as a fake. Notice again that the domain, iris-kay.com, is not similar to PayPal, but that PayPal-security.com is included in the URL, this time to the right of the domain name.

http://www.iris-kay.com/images/update.paypal-security.com.php
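The two emails above illustrate the same two tricks: the link text shows one host while the href points at another, and the brand name is placed in a subdomain or path so that the real registrable domain (the last labels of the hostname) is pushed out of view. The check below is an added example, not code from the post or from ICA; it runs over the two URLs quoted above and reports those conditions the way a mail filter or a user-facing link warning might. The brand list and the 60-character hostname threshold are assumptions chosen for illustration, and the "last two labels" rule for the registrable domain is a simplification (a real implementation should consult the Public Suffix List so that names like example.co.uk are handled correctly).

```python
from urllib.parse import urlparse

# Brands to watch for in the hostname or path. Constructed list for this
# example; a production filter would use a maintained brand/target list.
BRANDS = ("wachovia", "paypal", "ebay")

# Hostnames longer than this are flagged: the post notes that the real domain
# scrolled out of the address bar. Threshold is an assumption for this example.
LONG_HOSTNAME = 60


def registrable_domain(host):
    """Return the registrable domain of a hostname.

    Simplification: takes the last two labels. Real checks should use the
    Public Suffix List, since suffixes such as 'co.uk' need three labels.
    """
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    return ".".join(labels[-2:])


def analyze_link(display_text, href):
    """Compare the link text a reader sees with the href the browser follows.

    Returns the registrable domain actually visited and a list of findings:
      display_href_mismatch   - link text names a different domain than href
      brand_outside_domain:X  - brand X appears in the host/path but not in
                                the registrable domain (subdomain/path decoy)
      long_hostname           - hostname long enough to hide the real domain
    """
    shown = urlparse(display_text)
    actual = urlparse(href)
    shown_host = shown.hostname or ""
    actual_host = actual.hostname or ""
    actual_path = actual.path.lower()
    reg = registrable_domain(actual_host)
    findings = []

    # Trick 1: HTML link text shows a trusted host, href goes elsewhere.
    if shown_host and registrable_domain(shown_host) != reg:
        findings.append("display_href_mismatch")

    # Trick 2: brand name in a subdomain or path, not in the real domain.
    for brand in BRANDS:
        in_decoy_position = brand in actual_host or brand in actual_path
        if in_decoy_position and brand not in reg:
            findings.append(f"brand_outside_domain:{brand}")

    # Trick 3: hostname so long the registrable domain is pushed out of view.
    if len(actual_host) > LONG_HOSTNAME:
        findings.append("long_hostname")

    return {"registrable_domain": reg, "findings": findings}


# The two links quoted in the post. The Wachovia email displayed the first
# string as link text while the href was the long mlnk7.com URL; the PayPal
# email displayed the URL itself.
WACHOVIA_DISPLAY = "https://wc.wachovia.com/"
WACHOVIA_HREF = ("http://wc.wachovia.ibsidcmopserver.cmserver.access18309788."
                 "default.servletdologin.verify.cfm.mlnk7.com/")
PAYPAL_URL = "http://www.iris-kay.com/images/update.paypal-security.com.php"


def scan_samples():
    """Run both samples from the post and return the results keyed by name."""
    return {
        "wachovia": analyze_link(WACHOVIA_DISPLAY, WACHOVIA_HREF),
        "paypal": analyze_link(PAYPAL_URL, PAYPAL_URL),
    }


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name}: actually visits {result['registrable_domain']}; "
              f"findings = {result['findings']}")
```

Run stand-alone, the script reports that the Wachovia link actually visits mlnk7.com with all three findings raised, while the PayPal link visits iris-kay.com with only the brand-in-path finding, matching the author's observation that the shorter URL was easier to spot.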

Now if I, with limited email and internet technical knowledge, can provide this much information about real phishing attacks using only the emails that I received in the last 24 hours, imagine how little effort was put into research for this bill introduced into the US Senate. Of course, we all know that considerable work went into writing the bill. It is just that the bill was probably written with substantial input from the trademark interests behind CADNA and then the anti-phishing title and a little anti-phishing content was thrown in to sell it. That is pretty smart and it might even have worked if ICA wasn’t on the job to blow the whistle on what might be better labeled “The Reverse Domain Hijacking Authorization Act”. ICA needs more help from the domainer community to explain our industry to lawmakers and to stop harmful proposals like S. 2661.

In summary, this is an ineffective anti-phishing bill and an overreaching trademark bill. Let’s work together to stop this bad trademark bill and then help Congress to do some really effective work on phishing. I invite CADNA to come clean and join us in asking Congress for a real anti-phishing bill. Phishing is harmful to their members too and we should work together to stop phishing, not be fighting over new rights for trademark owners who already have UDRP and ACPA on their side.

Join ICA or donate to help finance our fight on this issue. Our website cart now accepts PayPal. We need more of you to join in on this one. For U.S. businesses and individuals, trade association membership dues and donations are tax-deductible except for the percentage devoted to defined lobbying activities; based on current ICA activities, 80% of dues are deductible.