Senator Introduces Anti-Phishing Bill

Vermont Senator Patrick Leahy has introduced a bill to the U.S. Senate that would criminalize phishing and pharming. Should it be signed into law, Leahy's draft bill, the Anti-phishing Act of 2005, will impose a maximum of five years of prison time and fines of up to $250,000 on fraudsters who are successfully prosecuted.

The bill is similar to the CAN-SPAM Act of 2003, which imposes limitations and penalties on the transmission of unsolicited commercial mail over the Internet.

Phishing is the designation for a class of socially engineered attacks that fraudulently obtain consumers' passwords, credit card numbers and other personally identifiable information. Pharming refers to exploits that redirect Web browsers to malicious Web sites, even if the user inputs a legitimate URL.

"Some phishers and pharmers can be prosecuted under wire fraud or identity theft statutes, but often these prosecutions take place only after someone has been defrauded. For most of these criminals that leaves plenty of time to cover their tracks." said Leahy while he introduced the bill on the floor of the Senate.

Leahy, one of the Senate's Democrat leaders, took care to limit the scope of the bill and protect First Amendment rights. The bill protects free speech as it relates to parody and political speech online.

Some analysts question the effectiveness of such legislation. "So far legislative efforts for fighting cybercrime haven't proved to be all that effective. One reason is the speed with which criminals can change domain, IP address or venue," said Jupiter Research senior analyst Joe Wilcox. "Consumer education and industry action probably could do move than legislation, particularly, in the case of phishing sites, where many may operate outside U.S. jurisdiction."

In the absence of Federal legislation that restricts the techniques commonly used to fraudulently obtain personal information online, the industry has turned to public-private cooperation to protect Internet users. In December, technology companies and law enforcement teamed up to crack down on phishing by launching the Digital PhishNet program. Digital PhishNet opens a direct line of communication so that cyber criminals can be quickly identified and detained.

In its January 2005 Phishing Activity Trends Report, the Anti-Phishing Working Group revealed that the number of active phishing sites reported in January was 2560, and that the average monthly growth rate in phishing sites in the period of July 2004 through January 2004 was 28 percent.

Representatives from Senator Leahy's office did not return calls for comment by press time.