• United States



Computerworld: Proposed Bill Takes on Phishing, Irks Internet Trade Group

Mar 05, 20087 mins
Build AutomationCSO and CISO

An antiphishing bill that was introduced in the U.S. Senate last week could end up being used by large holders of trademarks to unfairly wrest legitimate domain names away from small businesses and individuals, according to a trade group that represents domain name investors and so-called direct search companies.

But supporters of the new legislation proposed by Sen. Olympia Snowe (R-Maine) claim that the bill is timely and offers a more effective mechanism for dealing with phishing and the deceptive use of domain names than existing statutes do.

The bill is called the Anti-Phishing Consumer Protection Act of 2008 (APCPA) and was introduced in the Senate on Feb. 25, with Sens. Bill Nelson (D-Fla.) and Ted Stevens (R-Alaska) as co-sponsors (download PDF) . The proposal would basically outlaw phishing and “related abuses,” such as using for commercial gain domain names that are identical or confusingly similar to those legitimately held by trademark owners.

As part of the proposed law, such practices would be formally defined as deceptive practices under the Federal Trade Commission Act. The APCPA also would require U.S.-based domain name registrars that offer proxy services to reveal the full contact information of registrants to individuals or entities that file complaints or lawsuits. The contact info of proxy registrants typically is hidden from public view in the Internet’s WHOIS database.

The legislation calls for statutory damages of US$250 per violation, up to a maximum of $2 million. But in cases in which a defendant is deemed to have willfully violated the provisions of the bill, the total damages could go up to $6 million. Actions could be brought under the APCPA by trademark owners or by state attorneys general, federal banking and securities agencies, Internet service providers and the FTC itself.

“Phishing and other online fraud activities directly undermine the vital trust of online consumers,” Snowe wrote in a blog post on The Hill Blog.

“Now more than ever, Congress needs to take action to limit the growth of a practice that attacks the very essence of our commerce,” she added, noting that more than 3.5 million U.S. residents fell victim to phishing and online identity theft last year.

But as a measure that ostensibly is designed to fight phishing, the APCPA is far too broad in scope, claimed Philip Corwin, general counsel at the Internet Commerce Association in Washington. The ICA represents about 60 members, including individual domain investors and companies such as Tucows Inc., Sedo, and TrafficZ.

Corwin said the trade group isn’t opposed to legislation that is aimed at reining in phishing problem and other criminal misuses of domain names. The problem, he added, is that some provisions in the proposed bill appear to be unrelated to those issues. “This looks like trademark legislation on steroids,” Corwin said.

He contended that the APCPA appears to have been designed to enable the creation of a parallel domain-name infringement enforcement scheme that is broader and more onerous than the Uniform Dispute Resolution Process (URDP) offered by the Internet Corporation for Assigned Names and Numbers. The bill also would expand on the protections already offered under the federal Anticybersquatting Consumer Protection Act, he said.

Corwin claimed that trademark owners already prevail in 85% of all UDRP complaints and almost 100% of the cases brought under the anticybersquatting law, which was approved by Congress in 1999.

Under Snowe’s proposed bill, trademark owners would be able to encourage state and federal officials to bring what are essentially trademark infringement suits without any need to prove that their targets were engaged in illegal activity, Corwin said. He added that although the URDP requires a complainant to show that a domain was registered by someone in bad faith, the APCPA includes no such requirement for companies or individuals seeking to initiate a private right of action.

According to Corwin, the bill also appears to cover so-called geo-domains — for example, or — and generic domains such as or Those types of domains typically haven’t been subject to trademark restrictions, he said.

Another part of the proposed bill that is of concern to the ICA is a provision that Corwin claimed would allow just about anybody to get WHOIS information simply by asking for it, without any restrictions for reliably identifying who is asking for the information and why. He said that provision would violate the legitimate privacy expectations of domain name registrants, because it would require registrars offering proxy services to disclose who the owners of a domain are upon mere receipt of a notice.

However, an aide to Snowe said the concerns raised by the ICA are a bit “disconcerting” given the sharp growth of phishing and related domain name abuses. He also dismissed the notion that the bill was somehow redundant to the laws that are already in place for dealing with those abuses.

“This is not a regulatory bill but an enforcement bill,” the aide said. “It clearly defines phishing and domain abuses as deceptive practices.” As a result, he added, the FTC wouldn’t “have to waste time in court” proving that phishing qualifies as a deceptive practice from a legal standpoint.

The ICA’s privacy concerns are similarly unfounded, asserted the aide, who asked not to be identified. Requiring the owners of commercial domain names to provide accurate and prompt disclosure of their contact information is fully in line with established ICANN practices, he said.

Paul Martino, a partner at Washington-based law firm Alston & Bird LLP and legislative counsel for the Coalition Against Domain Name Abuse (CADNA), said he welcomes Snowe’s bill. Martino pointed to the rapid growth in phishing and the deceptive use of domain names as evidence that existing laws have failed to curb the problem. And he dismissed the ICA’s objections as an attempt by the trade group to give it cover for casting the legislation in an unfavorable light.

“I think it’s very difficult for any organization to try and oppose a consumer protection bill,” Martino said. “I’m not surprised if they’re trying to characterize it as a trademark bill.”

CADNA’s charter members include Dell Inc., pharmaceutical maker Eli Lilly & Co., banking company HSBC Holdings PLC and insurer American International Group Inc. According to the group, cybersquatting is costing legitimate brand owners more than $1 billion annually on a worldwide basis, in the form of diverted sales and enforcement expenses stemming from domain name disputes. Domain names derived from well-known brands also are contributing to a rapid growth in phishing and the sale of counterfeit products, CADNA claims.

Martino said that ICANN’s dispute resolution process doesn’t impose damages upon cybersquatters. Instead, he said, the UDRP simply requires them to relinquish domain names found not to belong to them, after a process that can cost the complainant about $5,000 per domain name. The federal anticybersquatting law does provide for damages of $1,000 to $100,000 per violation, but the actual amounts are discretionary and are set by individual judges.

“These existing mechanisms don’t effectively curtail nor deter bad practices, but are rather seen as a potential low cost of doing business for those that would violate the law,” Martino said.

By Jaikumar Vijayan, Computerworld (US online)