Maine Senator Olympia Snowe (R) introduced a bill (S. 2661) on February 25, 2008, known as the “Anti-Phishing Consumer Protection Act of 2008” (APCPA). The proposed legislation seeks to fight trademark infringement and phishing schemes. However, some believe the proposal goes too far.
- Creating unnecessary bureaucracy
- Presuming guilt and therefore denying the fundamental right to due process
- Not requiring the complainant to provide proof
- Outlawing anonymous domain registration
- Criminalizing what was once handled in civil proceedings
Ostensibly, this bill goes after phishing — the act of misleading people to websites that look like legitimate sites, then attempting to obtain information from the hapless user, such as a bank-account number and password (this new proposed federal law would make it illegal to register a domain name like ‘www.citibanks.com’ in order to misdirect people to a fake website). But, there are already laws against this activity, and this sounds like your typical Washington response to inadequate enforcement of existing laws by churning out new ones that will be equally ignored.
Co-sponsored by Bill Nelson (D-Florida) and Ted “Internet Tubes” Stevens (R-Alaska), this bill overreaches in a number of areas, also typical of federal action (never use a toothpick when you can use a sledge hammer). According to a description of the bill by the Internet Commerce Association:
Enforcement of the APCPA could be undertaken by –
- A state attorney general or any other official of a state
- The Federal Trade Commission (and any violation of the APCPA would be considered to be a violation of the Federal Trade Commission Act as an unfair and deceptive trade practice, and subject to its additional penalties and remedies)
- Federal banking and securities agencies, state insurance commissioners, and the Federal Communications Commission
- Interactive computer services (e.g., ISPs)
- Trademark owners
All of these parties could seek injunctions, enforcement, and recovery of actual monetary damages. In addition, interactive computer services and trademark owners could seek punitive damages for willful and knowing violations – the private right of action granted to these parties in a bill ostensibly aimed at criminal activity is highly questionable. In cases filed by the FTC, FCC, and state officials, cease and desist orders and injunctions could be obtained without any requirement to allege, much less prove, that the domain name registrant had actual or implied knowledge of likely misleading effect.
Putin and all the Czars of Russia would love legislation like this. The presumption of guilt denies due process. The bill does not require the complainant to provide proof, and there are no penalties for bad faith complainants that intentionally abuse the law to crater their competition. Plus, the domain registrant doesn’t even have to be informed that a complaint has been filed, nor are they given the opportunity to contest the complaint. Call it Star Chamber domain name justice. The only court that would entertain such a law should be one populated by kangaroos.
Part of the bill discusses a domain name infringement dispute mechanism, which is redundant to ICANN’s dispute resolution process. According to the Internet Commerce Association, trademark owners who use ICANN’s process win 85% of their cases, and almost all win using the U.S. Anti-Cybersquatting Protection Act (ACPA).
So why have a duplicate system when the existing one works so well? Not only is this demonstrably unnecessary, but in the case of internet domain names, it also creates a governmental system that prosecutes trademark infringement as criminal law, as opposed to adjudicating in a civil case. In essence, this makes trademark infringement with domain names illegal, and corporations would get a legal entitlement (welfare) from the government, who could prosecute the case on their behalf, saving them the legal expense. Nice handout at $500 an hour.
Fines could be from $250 to $2 million, with treble damages applicable, and prison for up to five years. Given current criminal sentences, the new bill practically equates trademark infringement with armed assault. This punishment is all out of proportion — yet another sign of bad legislation.
The potential for abuse of this potentially new law is considerable. One possible outcome is for large corporations or even relatively small domain trolls (people who register domain names on the belief they are valuable to someone else) to register as many domain names as they can at $14 a pop, perhaps in strategic naming patterns, and lock down as much of the internet as possible. The legal defense thereof would be taken care of by the American taxpayer.
In addition, pre-existing domain names would be under equal threat, no matter how old. Free speech issues aren’t even addressed. This goes way beyond a ‘www.microsoftsucks.com.’ It’s bad enough we have domain trolls who register potentially useful domain names; now Congress creates the incentive for them and corporations to become über-trolls, and then gives them additional protection in the form of a legal nuke.
Other consequences could include a flood of claims from every guy who feels the other guy is infringing because his domain name includes the word pizza as well. Hey, it wouldn’t cost them anything to use the long arm of the law to beat their competition senseless. Since the language of the proposed bill covers private and public entities, what about if the City of Boston pursued websites with the word Boston in them, like iBoston.org? Even with the best gatekeepers throwing out cases, the workload could be astronomical.
Privacy is another concern that this proposed legislation tramples all over. From Declan McCullagh of Cnet:
So let’s get this right. Those folks who, reasonably, prefer not to give their actual physical address and telephone number when registering a domain name for themselves or their family are now going to be violating federal law. (Here’s something I wrote on Whois privacy in 2004.)
And if someone is using a private domain name registration feature–which companies like GoDaddy and Dynadot offer–all it takes is a single unverified complaint to the domain registrar about phishing to make their name, physical address, and phone number public?
So much for privacy and due process. Even the Digital Millennium Copyright Act, for all its flaws, requires a sworn statement made “under penalty of perjury” before a hosting service needs to do anything about a copyright complaint.
In addition, ISPs outside U.S. may invoke their national privacy laws to shield themselves and their domain registrants from this insipid law. ICANN is on the verge of becoming functionally independent from the U.S. government, and occasionally adds new top-level domains — the maintaining of which can be awarded to non-U.S. companies. The effect will be a migration of domain registrants to non-U.S. registrars. And, at some tipping point, the U.S. will undoubtedly react by banning those sites from Americans that fall beyond their reach. Such clumsy tactics have used before.
Going after phishing schemes as criminal activity is a fantastic idea. Going after domain names vis-a-vis trademark infringement as criminal activity is a very bad idea, and so is presuming guilt, denying due process, no requirement of proof, trashing the privacy of domain holders, and criminalizing what was a part of civil law. This approach is ham-fisted, and its need is unjustified.