Anti-Phishing Bill Introduced In U.S. Senate

A federal bill to impose penalties on people who like to phish was introduced into the U.S. Senate this week by the ranking Democrat on the Senate Judiciary Committee.

Called the Anti-Phishing Act of 2005 and written primarily by Sen. Patrick J. Leahy (D-Vermont), the bill would let prosecutors fine phishers up to $250,000 and put them in jail for up to five years if convicted.

Phishing involves tricking computer users into sharing sensitive personal and financial information through deceptive e-mails and/or fake Websites that are made to resemble messages and sites from legitimate businesses.

"Traditional wire fraud and identity theft statutes are not sufficient to respond to phishing," said Leahy in a formal statement. "We need to act aggressively to keep them from eroding the public's trust in online commerce and communication."

The Leahy bill, however, made a specific point of saying Internet parody sites and other kinds of sociopolitical speech presented similarly would not be prosecuted as phishing attacks. But it would apply the proposed penalties to a kind of phishing known as pharming—using programming tricks to re-route Netizens from legitimate sites to counterfeits.

The Anti-Phishing Working Group, a coalition of financial and technological businesses, supports the bill, saying it wold let investigators prosecute scammers even before they might send out their phishing e-mails.

"Right now, you can use copyright, trademark and other civil laws to sue people who are creating phishing sites, but that can take months," said APWG chairman David Jevans to reporters. "What (Leahy’s legislation) means is that if you're building a site called 'eBay-security.net' with the intent to defraud people, (law enforcement) can go after you just for that."

Some, such as former Bush White House cybersecurity advisor Marcus Sachs, fear that a new criminal law might not be the best solution, even if Leahy’s bill shows a Capitol Hill feeling the heat to solve such a high-profile problem as phishing.

"As soon as you start enacting new Internet-specific laws you open up the door for continued regulation and control over the Internet,” Sachs told reporters. "So far, the Internet has been violently successful following a largely unregulated road, so if the current laws are applicable here, we ought to be using those first."

The APWG’s latest report shows over 12,800 unique new phishing e-mails in January, up 42 percent from December, as well as 2,560 phishing Websites in January—up 47 percent from the previous month and twice as many as were spotted in October.