Senate Looks To Outlaw Phishing, Even Though It's Already Illegal

from the gotta-do-something dept

As the saying goes, when your only tool is a hammer, everything starts to look like a nail. The folks in Congress sure do an awful lot of whacking at various nails these days. The latest is a new bill in the Senate that seeks to outlaw phishing. One tiny point is important here: phishing is already illegal. So, really all this bill does is allow these politicians to claim that they took a stand to stop phishing. Except, it’s actually worse than that. Not only will this bill not do anything to stop phishing, it will actually make life worse for plenty of non-criminals. That’s because a part of the bill would outlaw hiding domain name registration information. Now, there are plenty of legitimate reasons for not wanting to reveal your info in the whois database — but according to this bill, it won’t be allowed any more. If you want to own a domain, you’ll need to cough up your name, address and phone number to whoever wants it — and they better be legit. If you provide false info, you’ll also be breaking the law. So, it won’t do anything new to stop phishing, but will make it much more difficult to own a domain anonymously. That’s quite a nail.

Filed Under: , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Senate Looks To Outlaw Phishing, Even Though It's Already Illegal”

Subscribe: RSS Leave a comment
Jay Fude (profile) says:


I’ll be happy to ‘own’ a site for anyone else, for a small fee, then they can ‘rent’ the site from me anonymously, as long as the check clears the bank, and all I do is answer the phone and say, “yep, I own that site” and collect $10 a month, I’ll do it.

quick, I’d better patent this idea….. damn trolls read this site too, and patent all of techdirt and techdirt communitity ideas

Anonymous Coward says:

Re: Happy

I’ll be happy to ‘own’ a site for anyone else, for a small fee, then they can ‘rent’ the site from me anonymously, as long as the check clears the bank, and all I do is answer the phone and say, “yep, I own that site” and collect $10 a month, I’ll do it

That’s one of the ways it’s done now. This bill would make that illegal.

Thom says:


I’m really glad to hear this. I’m so sick and tired of all those foreigners phishing for our passwords and account information, it’s about time we passed a law to stop them. This one doesn’t go far enough though. It also needs to make it illegal to hack, or otherwise gain entry to, another’s legitimate web server to set up phishing pages. If the senate would tackle that one too then we’d be free from phishing in the good ole USofA. There’s nothing like a few good US laws to frighten foreign scamers into submission!

Nick says:

Re: Whew!

I guess some folks just totally seem to miss the point. Hacking and accessing remote servers is illegal too. What is needed instead of better laws is better protection software. Create a law to advance us further in our technology.

Look at those damn drug laws. How many drug addicts take into consideration to not use drugs just because there illegal? Not many. Although, people that are scared of drug laws wouldn’t use drugs anyway because they are also scarred of so many other things like health.

So thinking that laws eliminate crimes is naive. Criminals don’t follow the law. Only good people do.

Derek Kerton (profile) says:

Validated Target Spam Mail List

Thanks DC. Now every spammer will have access to a free, government-certified mail list. Spammers can cull the Whois database, and be well on their way to having a great list of real people to whom they can send spam, compliments of the US Senate. The senate is validating contact info for spammers.

Basically, in a bid to stop phishing, the government is guaranteeing that I will get more SPAM by forcing me to publish my full contact info to a place where bots can grab it cheaply.

Hey comment #1, you’ve got mail. Sign me up.

RIch Ku.lawiec says:

Re: Validated Target Spam Mail List


Every spammer already has this. You don’t seriously think that your super-secret address in your registrar’s database is going to stay that way indefinitely, do you?

Registrars have data leaks too. Registrars have underpaid employees who might be willing to burn a CD in return for an envelope stuffed with non-taxable income. Registrars can make deals with data brokers. Registrars can be bought and sold.

But there’s a larger picture than this: any email address that’s actually used shows up in multiple places: on the sender’s system, on the sender’s outbound mail server, on the recipient’s inbound mail server, on the recipient’s system. If any of those are compromised, or susceptible to dictionary attacks (in the case of the mail servers), or otherwise leak the address — then it’s out, and once it’s out, it’s on its way into the databases.
Given that there are enormous numbers of already-compromised systems (at least 100 million) and that the number is steadily increasing, the odds of avoiding one of those systems are getting worse all the time.

Yes, there are isolated examples of addresses that have managed to elude spammers. I have a few myself. But these few examples are not indicative of the overall trend.
It’s best to assume that spammers have, or will soon have, any valid email address and plan defenses accordingly.
Given that any minimally-competent email system administrator should be able to set up a system with no more than 5% FN rate and a tiny FP rate, this really isn’t asking much.

Let me also toss in that constructs like are trivially undone with a snippet of Perl or equivalent; spammers figured that out a decade ago, and so there is no point at all in obfuscating addresses.

Adam says:

Anonymity is overrated

I for one believe in public records for use of public resources. There is a huge difference between privacy and anonymity, and I would suggest that anonymity erodes the social fabric.

There are many good reasons why tax roles, broadcast licenses, motor vehicle registration, and much more should be a matter of public record.

And a shout out to spammer-haters above: at least half of the anti-spam professionals believe that public DNS records are a good idea.

Rich Kulawiec says:

Re: Anonymity is overrated

I concur. And as the guy who released the first anti-spam program, I think I have some experience in this area.

The way I’ve put it is this: anonymous speech on the Internet is invaluable and should be defended; anonymous operation of the Internet is completely unacceptable.

And anyone who owns a domain, or a network, is an operator: they control part of the network’s public infrastructure, therefore they need to be publicly identifiable, accountable, and reachable.

That may too much of a burden for some: that’s fine. They may choose not to operate part of the Internet. It also may be dangerous for some — for example, those engaging in politically controversial speech while living under authoritarian regimes. I agree — which is why one of the LAST things such people should do is register a domain…because it creates a link between them and the domain. It de-anonymizes them the moment someone hacks their registrar — or serves them with a subpoena — or hands them a National Security Letter. Those seeking anonymity should avoid domain registration completely, not pretend that the farce of “anonymous domain registration” will somehow protect them.

MaddMannMatt says:

Law Happens

Yep. This is basically the same poop that happens on the State level. When the fed passes a law, often state and local gov’ts mirror it. Most of this has been flagged for a crappy revenue generation scheme, but in reality it is supposed to (yeah) speed the process of prosecution by taking the already horrible delayed federal court/justice out of the mix and localizing it.

But the real and all too unfortunate problem of making Phishing illegal even at the fed-level is that a majority of it is non-domestic! It’s sort of like attempting to prosecute a Chinese company for US patent infringement. (oops…I’m sorry…was that out loud?) Symbolic at best.

John (profile) says:

How about education

Instead of spending money to make something that’s illegal even more illegal, how about spending that money on education?

How about creating commercials or programs that teach people not to fall for phishing and spam e-mails?

The most effective way to stop spam is to stop the spammer’s income. They don’t care if their business is illegal in Country A or Country B, but they do care if no one’s buying their products of falling for their scams.
If no one replies to the phishing e-mails, the spammers will have to move onto some other scam… and the phishing e-mails stop.

KD says:

This isn't about phishing ...

I have a strong feeling that this bill isn’t about phishing at all — that’s just the cover. The real reason is to make it easier for the content mafia to locate the owner of a site doing something they don’t like.

If they just were trying to ensure that criminal investigations or civil lawsuits could track down a website owner, the most they would have to do is make the registrars responsible for verifying the identity of people registering a domain. If the identity were needed for a criminal investigation or civil lawsuit, a warrant or subpoena would be all that’s needed to get the information.

My conclusion: Phishing isn’t the target.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...