Anti-Phishing Bill Likely To Be Reintroduced In Congress

By

Legislation to make Internet phishing a crime was lost in the shuffle and failed to win passage in Congress last year but will have another chance with lawmakers in 2005.

In July of last year, Sen. Patrick Leahy, D-Vt., the ranking member of the Senate Judiciary Committee, introduced Senate Bill 2636, also known as the Anti-Phishing Act of 2004.

“Phishing is a rapidly growing class of identity theft scams on the Internet that is causing both short-term loses and long-term economic damage,” he said while introducing his bill on the Senate floor. “In the short term, these scams defraud individuals and financial institutions. Some estimates place the cost of phishing at over $2 billion just over the last 12 months. Just imagine the concern we would all have about a series of bank robberies involving that much money.”

Leahys bill would have made the establishment of a Web site or domain name purporting to be a legitimate business with the intent of committing acts of fraud and without the consent of that business a crime. Use of that Web site to seek personal information from individuals also would be a crime. The decision to include the intent requirement was made with respect to First Amendment concerns, Leahy said while introducing the bill, to protect speech that may be deceptive for other reasons, such as a parody of a commercial site as political commentary.

The bill also would have made it illegal to send a message over the Internet purporting to be another, legitimate business, or to include in that message a link to a fraudulent Web site or request for personal information. Under the proposed legislation, these crimes would be punishable by a fine or up to 5 years in prison.

The measure was referred to the Judiciary Committee but went no further. Its failure to win passage was not a reflection of the bill, however, but of the circumstances of 2004, according to David Jevans, chairman of the Anti-Phishing Working Group, an advocacy group sponsored by a number of financial services and software firms that worked with Leahy on the phishing issue.

The 2004 bill “ran out of time, and then we had an election,” Jevans said. “It was really, purely a time issue.”

A spokesman for Leahy said the senator planned to introduce legislation either identical or very similar to the 2004 bill in the new Congress soon but was unable to provide a specific timetable.

In his comments on the Senate floor last year, Leahy expressed his belief that resolving the phishing issue is an important part of ensuring the viability of the Internet economy.

“In the long run, phishing undermines the Internet itself,” he said. “By making consumers uncertain about the integrity of the Internets complex addressing system, phishing threatens to make us all less likely to use the Internet for secure transactions. If you cant trust where you are on the Web, you are less likely to use it for commerce and communications.”

Jevans said there is still “plenty of interest in the topic” in government at the state and federal level.

One possible hurdle facing the bill, however, could be the fact that much of the activity related to phishing is already against the law.

“Phishing is largely illegal anyway,” Jevans said, adding that individuals engaged in acts involving phishing typically can be prosecuted for crimes including access device fraud, wire fraud and mail fraud. “Phishers in general can be arrested and prosecuted.”

However, he noted that Leahys proposed legislation would make an important change to how phishers are prosecuted and provide better protection for individuals. Under the anti-phishing bill, he said, law enforcement officials would be able to stop phishing schemes far earlier, rather than being required to wait until the phishers made fraudulent use of the data they collected.

“Its directly going after phishing, rather than using the phished data,” Jevans said.

The focus of the bill, he added, is more toward preventing more individuals from engaging in phishing rather than trying to deal with those already involved.

“The value there is more deterrent” than the actual prosecution of those already in phishing schemes, he noted, because those who have been found phishing have been caught because of their other crimes. “In general, if we can find you, we can prosecute you,” he noted.


Reproduced from National Underwriter Edition, April 29, 2003. Copyright 2003 by The National Underwriter Company in the serial publication. All rights reserved.Copyright in this article as an independent work may be held by the author.