First Anti-Phishing Law Enacted in California
Steve writes "Arnold Schwarzenegger, governor of California, signed a bill yesterday that makes phishing a civil liability. According to MSNBC, the new law is the first of its kind in the country:
"The bill, advanced by state Sen. Kevin Murray, is the first of its kind in the United States and makes 'phishing'... a civil violation.
Victims may seek to recover actual damages or $500,000 for each violation, depending upon which is greater."
This is an expensive penalty for phishers who are litigated against, but do the lack of criminal accountability and the burden of action on the victim hinder the effectiveness of this bill?"
Bah. Environmentalists (Score:2, Funny)
Bah. Republicans (Score:2, Troll)
Re:Bah. Republicans (Score:2)
100% Troll
TrollMods: "Troll" means a post designed to elicit only a predictable response, usually based on a fallacy. Not "scary poster said the ugly truth about Republicans out loud". You sissies.
Awesome! (Score:3, Funny)
Phishing is serious crime - Spam is just annoying (Score:4, Insightful)
Phishing is a serious attempt to defraud individuals of large amounts of money by sending false e-mail communications that appear to be from official financial institutions. Phishing must be stopped because it will destroy the ability of people to use the web for commercial transactions (and defraud individuals of large amounts of money).
These criminals can be quite clever. For example, I received an e-mail that appeared to be a question from an eBay bidder about an item that I wasn't selling. The e-mail graphics looked exactly like eBay's question-from-bidders form. I clicked on reply to inform the writer that I was not offering this item at auction. The screen appeared for me to enter my eBay user name and password. It looked exactly like the standard eBay screen. I was about to when I realized that it was unlikely that eBay would misdirect a question like this. I went to eBay's site and did a search for the auction number from the phish email. It didn't exist. I forwarded the phish message to eBay's fraud department. I was pissed, because they almost got my account password.
People who do this should be thrown into an American rape torture prison for years. This shit is serious. Same with those Nigerian assholes. This shit isn't funny anymore and no one in the government will do anything about it. I believe that this Nigerian bank fraud transfer scam is something that the international web community should handle by themselves because the authorities won't touch it. The Americans get a large percentage of their oil from Nigeria so they just look the other way at all this endless fraud and theft inflicted on the American people by these clowns.
We, the web designers and internet system administrators, should shut off all internet communication to and from Nigeria until the bank transfer scam criminals are imprisoned and the defrauded funds returned. Remember, in the new information age, it is not the governments or violence technicians that control the power, it's the people who control the information. It's time to let the world understand this new reality. And shutting down the Nigerian bank fraud scammers by an ad-hoc group action is just the way to get that point across.
Web != Net. Stop it (Score:2)
Not really, since email usually doesn't go over 80/tcp. Oh, you meant net access? I can understand PHBs' failure to understand the Intarwebs, but on a Geek site, there's no excuse for such sloppy language.
Domain Names with International Characters (Score:2, Informative)
Actually, some phishing sites can do just that using international characters in the domain name. For example, a lower-case Cyrillic 'a' looks almost the same as the lowercase Latin 'a'. The only difference is the Unicode.
This problem only exists with Firefox, and can be turned off easily, but it does exist.
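The look-alike described in the comment above can be checked mechanically. The following is an added example, not part of the original thread: it flags domain labels that mix scripts and shows the ASCII (Punycode) form that exposes the substitution. The function names and the sample domains are constructed for illustration, and the script of a character is approximated from its Unicode name.

```python
import unicodedata


def label_scripts(label):
    """Return the set of scripts used by the letters in one DNS label.

    The script is approximated by the first word of the Unicode character
    name ('LATIN', 'CYRILLIC', 'GREEK', ...). Digits and hyphens are ignored.
    """
    scripts = set()
    for ch in label:
        if ch.isalpha():
            name = unicodedata.name(ch, "")
            scripts.add(name.split(" ")[0] if name else "UNKNOWN")
    return scripts


def analyze(domain):
    """Summarise the homograph-relevant properties of a domain name."""
    labels = domain.lower().split(".")
    # A label that mixes scripts (e.g. Latin plus Cyrillic) is the classic
    # look-alike pattern; a label written wholly in one script is not flagged.
    mixed = sorted(lab for lab in labels if len(label_scripts(lab)) > 1)
    try:
        # The ASCII-compatible form is what is actually sent in DNS queries.
        ascii_form = domain.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_form = None  # not encodable as an internationalized name
    return {
        "domain": domain,
        "non_ascii": any(ord(ch) > 127 for ch in domain),
        "mixed_labels": mixed,
        "ascii_form": ascii_form,
    }


# Constructed sample input: a plain ASCII name, the same name with the first
# letter replaced by Cyrillic U+0430, and a label written wholly in Cyrillic.
SAMPLES = [
    "apple.com",
    "\u0430pple.com",
    "\u043f\u0440\u0438\u043c\u0435\u0440.example",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = analyze(sample)
        verdict = "SUSPICIOUS" if result["mixed_labels"] else "ok"
        print(f"{verdict:10} {result['ascii_form']}  mixed={result['mixed_labels']}")
```

A mail filter or proxy can apply the same check to every link host and display the ASCII form instead of the Unicode one when a label is flagged.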
Re:Phishing is serious crime - Spam is just annoyi (Score:2)
I guess the hope here is that the civil violation part will encourage some cowboy lawyers to do civil take downs on these folks. Apparently the cops can't make the time...
I'm just waiting for a bunch of pissed off black hats to start offering $500 cash rewards for the heads of Nigerian scammers, though. You'd be surprised at how en
Re:Phishing is serious crime - Spam is just annoyi (Score:2)
A person reaches a certain age where they realize that when people do seriously evil to them then those people should be seriously punished. These assholes tried to steal my money and destroy my credit rating. Fuck them. There are too many people in the world who are not doing these things for me to get upset about what kind of horrible shit happens to people who are seriously trying to do bad things to me.
$500,000 (Score:4, Funny)
Aw man: I just deleted about $6,000,000 worth of opportunities, er, scams last week.
Re:$500,000 (Score:4, Funny)
Dear sir,
I am write to you with very important business proposition. I understanding you recently to have lost much valuable data. I very please to offer you my services to recover this data.
I am expert computer consultant from Nigeria, able to help you in many ways to recover your valuable data. Please just to click here [r.us] to send me details your bank accounts, so that $10,000 seed money can be taken (temporary only!) to secure our services. Honourable guarantee of funds to be returned is provided.
Looking forward to working with you,
Mr A Cowboy
Customers Service Us Department
Best Antiphishing Company In The World, Inc.
Nigeria
where is the text of the law? (Score:2, Interesting)
Re:where is the text of the law? (Score:2)
Page with information on votes [ca.gov]
THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:
SECTION 1. Chapter 33 (commencing with Section 22948) is added to
Division 8 of the Business and Professions Code, to read:
CHAPTER 33. ANTI-PHISHING ACT OF 2005
22948. This chapter shall be known and may be cited as the
Anti-Phishing Act of 2005.
22948.1. For the purposes of this chapter, the following terms
have t
Useless (Score:3, Insightful)
I guess it makes the legislators in California feel good, but it isn't going to do anything to stop it. It might stop someone who lives in California, uses their home ISP account to collect information and deposits the money in their parent's bank account.
Re:Useless (Score:5, Insightful)
Ok you're saying: a) it's too expensive to go after the criminals, and b) it's the victim's own fault.
What kind of defeatist BS is that?
But what's more, this law addresses precisely those points... for a) it creates an economic incentive for someone to at least
Seems like you should agree with those goals.
Re:Useless (Score:4, Insightful)
Equating this to a person selling you a bridge on street corner is not a fair comparison. A person selling a bridge is something highly unusual and operating as an independent group, whereas a phisher is attempting to break in on a very common transaction, by impersonating a trusted agent with a prior relationship. For your street corner comparison, a more accurate comparison would be a group coming in and setting up a fake Bank of America location and executing transactions.
As the other respondent says, your attitude is defeatist--too many people say things cannot be done. Just because something is difficult to defeat, or apparently impossible to stop, that is absolutely no reason to tolerate it. Murder is going to happen no matter what. Should we remove our laws against that?
Instead of being so negative, try seeing the positive side of this: the ground-breaking it sets for other states and countries that, through continued improvement, will hopefully greatly reduce the amount of phishing by giving courts a strong set of tools with which to punish violators.
Re:Useless (Score:1)
Re:Useless (Score:2)
The age of reason is limited at both ends of the human life span. Below perhaps 7 years old, and above some indefinite age that could be as low as retirement age or could be past a century, human beings don't always have sufficient judgment to distinguish scams and high risk situations.
The argument that "it's their own damn fault" is a license to prey on those who aren't as clever as the predator.
Is "social Darwinism" still a morally credible app
Anti-Phishing Act, 2005 ? (Score:4, Informative)
Re:Anti-Phishing Act, 2005 ? (Score:1)
They decided that when a DUI that results in the death of the non-influenced party scores you on average less than 5 years the 5 year sentence for putting up a website might have been a little extreme. Especially when you consider there are existing laws that cover this behavior (fraud, theft via misrepresentation, id t
Here we go again... (Score:5, Insightful)
The real difficulty is that phishers tend to operate from outside jurisdiction and for very brief periods of time. I fail to see how a new "anti-phishing" law will do much to solve the problem - but elections are soon... I doubt that is coincidence.
Re:Here we go again... (Score:3, Interesting)
Yes it is fraud, but I doubt a court will see a case for quite a while, what with many of the phishers being overseas, and the police resources to deal with online fraud stretched quite thin as it is. It's all they can do to take down child porn rings.
I'm glad California is taking steps to allow citizens to su
Indeed (Score:2, Insightful)
Police resources are stretched too thin - tell the politicians to get off the soapbox and support them.
Murray knows what he is doing, police can't do it (Score:2)
Murray passed the California anti-spam law which provided $1,000 for each spam (until the scum passed the CAN-SPAM law). Now, the law provides for $1,000 per spam that uses a deceptive header. I, w
Re:Murray knows what he is doing, police can't do (Score:2)
That's the problem, even if the case is won, very likely the perp will either be broke, or have hidden away his assets and cheerfully go into bankruptcy, leaving the lawyer and/or the "victim" with nothing to cover their expenses. Lawyers aren't going to be eager to go after unrecoverable awards. Perhaps a few cases will get publicity and scare some of the local phishers, but
Re:Murray knows what he is doing, police can't do (Score:3, Interesting)
Even if they are overseas, you can still go after them. I went after Global Web Promotions [spamhaus.org] in a California court. They spent at least $25K trying to fight. I cannot discuss what happened after. They are subject to the jurisdiction that they i
Re:Here we go again... (Score:2)
How many people can do this?
Re:Here we go again... (Score:2)
It's really this simple:
You get an email from PayPal or your bank? It's fake. Delete it.
Open your web browser. Log into your account, read the news there. If everyone did it that way, there'd be no problems [but for the silly few].
Re:Here we go again... (Score:2)
You get an email from PayPal or your bank? It's fake. Delete it.
Uhh, yeah, except for the legitimate e-mails that I get from PayPal or my bank which aren't fake.
PayPal's legit e-mails will always start with your name, so if they don't, that's an easy sign it's fake.
Re:Here we go again... (Score:1)
Re:Here we go again... (Score:2)
Preponderance of the Evidence... (Score:2)
So, under the new scheme, you could lose the greater of actual damages (which might be $150) or $500,000 because, you know, it sorta looks like you're guilty.
What if it sorta looks like your kid's Windows box was used in a phishing venture?
Civil law can be scary.
Re:Here we go again... (Score:2)
So a $500,000 judgement against them is probably worthless, since bankruptcy law generally allows you to keep what you have that's worth less than a few thousand dollars.
D
Is CAN-PHISH next? (Score:3, Insightful)
Now, if the other states will just take notice...
It's a shame Congress won't act, but we do not need a CAN-PHISH act.
Re:Is CAN-PHISH next? (Score:1)
burden of action? (Score:2)
There's a problem there (Score:2)
Only if the Phisher gets caught, and in a useful jurisdiction. Furthermore, Phishers don't usually start rich. (If you start with some money, Spamming is a more effective way to make a dishonest buck.) However, they do usually work in bulk. So, the victims get to divide up: his original assets, what he stole from everyone, and the proceeds of any (legitimate) winning lottery tickets he's bought... LESS what he's sp
Re:There's a problem there (Score:2)
No, bankruptcy can't clear court judgements, so after the bankruptcy, the phisher still owes just as much as before.
Is it not already covered (Score:3, Insightful)
IANAL but why would there need to be a new law for phishing? It is after all just fraud.
The police are not doing the job (Score:2)
Re:The police are not doing the job (Score:2)
Re:The police are not doing the job (Score:3, Funny)
A real representative (Score:3, Insightful)
This is why we need to elect normal people to government. Normal people as defined as not a professional politician. Arnold isn't corrupted with long ties to special interests and can pass laws for the people. Established politicians wouldn't be too concerned about a law like this because of special interests.
So we get laws with teeth to protect people. Good deal.
So vote for non-politicians to administer government, it always seems to work better over time.
Re:A real representative (Score:2, Insightful)
A Surreal Executive (Score:1)
MPAA [afterdawn.com]?
(Of course, that's not a long tie, that's a very short leash indeed. That may be the only one... which could well be an improvement. He's also probably harder to bribe than most....)
Re:A real representative (Score:2)
Good. (Score:1)
not a good thing for people who don't know a lot.
Re:Good. (Score:1)
On the other hand, if you restrict yourself or others from those particular regions then it makes it hard to "poke around" on whatever server they may be using... Not that I would condone such behavior!
I get them as well on my old hotmail account as well, you'd think more of the major ESPs would do something about it.
Why does the world need anti phishing laws? (Score:3, Insightful)
Think of the saving to sanity and finances?
We should have only one law: "Don't do anything to harm someone else intentionally". God had the right idea when he gave Moses ten laws, provide us the bible as a sort of guideline to achieving those laws. Not kidding.
We should have the one law of "don't hurt others intentionally" and then have a transparent system that enables qualified judges to make justified decisions on what appropriate punishments are based on circumstances and deservement (is that a word).
Laws get bought and even in democracies are based on people's current emotions at the time, and they are too non specific in the way they are written anyway. My point is that by having so many laws, they are over specific and miss too many situations.
It just seems like there are an infinite number of situations and deserved punishments that trying to codify them can lead to problems and more injustice than what the intent of laws is. Each crime is slightly different.
Re:Why does the world need anti phishing laws? (Score:1)
Because each is different, 10 will not cover them. (Score:2)
Which is why we have different crimes such as manslaughter and 1st degree murder.
With ONE law, how do you set the punishment/rehabilitation for the offender? Does stealing a loaf of bread merit the same punishment as killing an entire family?
If not, then you get into ranking the punishments based upon the crime which requires you to define the crime w
Re:Why does the world need anti phishing laws? (Score:3, Insightful)
This was tried... (Score:3, Insightful)
We didn't, at least, we used to not. At one time, our whole legal system was just a few pages long [house.gov]. But our government decided that it wasn't enough, and so we've ended up with the billions of pages of legal code we have today.
In a utopian world, I would agree with you. Unfortunately, there are just too many people who look for too many loopholes trying to screw other people over. And even that doesn't take into account the many gray areas. For example, I
US legal system was never "a few pages long" (Score:3, Informative)
Re:This was tried... (Score:2)
Unfortunately, there are just too many people who look for too many loopholes trying to screw other people over.
I really have to ask: why is this so? Is it an innate compulsion to fuck people over or is it a self-serving, invisible (and non-understood) sociological need to get more stuff, attention and babes, thus demonstrating dominance.
Re:Why does the world need anti phishing laws? (Score:2)
The Golden Rule, of sorts!
Unfortunately for this idea, there is a subjective moral base to most of our laws. Your idea would repeal all kinds of laws in various states that are covered, such as gays getting married, couples buying sex toys, adults gambling, people eating kittens, and so on.
I'm not saying repealing those laws is good or bad, but I am saying it would make you unpopular. :-)
Re:Why does the world need anti phishing laws? (Score:1)
Re:Why does the world need anti phishing laws? (Score:2)
But I don't like it. Why? Because the Golden Rule implies that action is a far more honorable stance than inaction.
Instead, the Golden Rule should have been this: "Don't do unto others as you would not have them do unto you."
Humanity has paid dearly because of this mistake.
Also, JFK got it wrong too: "Ask not what your country can do for you, but what you can do for your country."
He should have said: "A
Mozart had too many notes (Score:2)
Okay, too many laws, dummy. But tell me, when you want to smuggle goods, launder money, exploit worker's rights, cheat your boss - exactly HOW will "don't intentionally hurt anyone" allow someone to reach a prosecute you for your complicated and subtle crimes?
The same way a person gets prosecuted today you moron! Even TODAY under current laws unintentional effects of actions are NOT prosecuted. Just because you break a law and get caught, it doesn't mean you will get prosecu
Phishing (Score:3, Funny)
Re:Phishing (Score:2)
OB SouthPark Quote (Score:2)
Chef: Aw no! Don't say flippity-floppity-floo!
Actually it was an anti-fishing bill, but you know (Score:2)
Re:Phishing (Score:1)
now imagine Arnold trying to say "Phishing" bwahahaha
How is fishing legal now? (Score:3, Insightful)
The Phishers will be Terminated... (Score:1, Funny)
Criminal Negligence (Score:2)
It is tough to find accountable criminals these days....
and they just renew, and renew (Score:2, Interesting)
Re:and they just renew, and renew (Score:3, Informative)
Domain squatting is against the rules, and yours seems like a pretty clear cut case.
Re:and they just renew, and renew (Score:1)
Re:and they just renew, and renew (Score:1)
Just a thought.
Isn't this already fraud? (Score:2)
Why do they have to go through the effort of creating a whole new law when there are other laws covering this basic activity?
Shit like this pisses me off. Rather than tweaking the existing laws a bit, politicians need to create whole new laws when a lot of time and effort can be saved, and probably end up with a more effective law, by tweaking a close fit we already have. But new laws get more press
New age of bounty hunters? (Score:4, Interesting)
Tracing a phisher back can be pretty hard and you pretty much have to do illegal things yourself in the process since their webservers usually run on some hacked machine and the only way to trace them fast enough will be to hack into that machine yourself. But a half million bucks is enough money to make it worth it and some of the phishers may decide that it's more profitable to go after their own kind.
Of course collecting may be the most difficult part... you can sue someone who is located in Russia in a California court, but if you win how are you going to collect?
Btw., as I understand US law only it's probably enough if any one of the recipient, the email account that got the phishing email, the fake web server, or the company that was being spoofed are located in California for you to sue in a Cal court.
Anyway, it'll be really interesting to see what happens with this. I've long thought that the best way to combat all sorts of scum on the internet is to create a sufficient economic incentive for bounty hunters since LE is never going to put their resources in the right places. This is the first anti-internet-scum law that makes the (potential) reward high enough, so if it works expect to see more.
And good hunting!
Save the Noodlers (Score:2)
Isn't it already Fraud? (Score:2, Insightful)
Of course the burden is on the victim... (Score:4, Insightful)
Of course the burden is on the victim, fraud is already a criminal offense. This bill classifies phishing specifically as a CIVIL offense so the victim can collect damages. In order to collect, the victim has to sue. Don't you remember the OJ civil trial?
Oh, and IANAL. Just knows what I sees on the teevee.
Huh? (Score:3, Insightful)
Ok you're saying: a) it's too expensive to go after the criminals, and b) it's the victim's own fault.
What kind of defeatist BS is that?
But what's more, this law addresses precisely those points... for a) it creates an economic incentive for someone to at least
Seems like you should agree with those goals.
Why? (Score:2)
Phishing is already illegal... (Score:2, Insightful)
Phishing is already illegal across the US, if not the world. It's called "fraud". This bill merely adds more ammunition to the public's arsenal.
Civil vs. Criminal (Score:3, Insightful)
You know, this may be worse for those who have a suit brought against them as the burden of proof for the other side is smaller. At least this is what I have been made to understand for years. (I may be using the incorrect language however.) Also, can someone who knows tell us if you can have a jury in civil suits?
Now, as much as I dislike the activity, I also dislike laws that have such large statutory damages. (And the whichever is greater provisions.) You may have only suffered a ten dollar loss as a result of someone's foolishness, but you can collect $500,000.00 from them? We really need to go back to the thought of the punishment fitting the crime instead of trying to scare people into compliance. (I am talking in general here and not about phishing.)
all the best,
drew
--
http://www.ourmedia.org/node/57503 [ourmedia.org]
Paper Plane Design 001 Video
Creative Commons Attribution-ShareAlike License
Re:Civil vs. Criminal (Score:2)
Of course you can, and when a civil suit goes to trial, it's almost always in front of a jury. I know for sure, because I've served on the jury for a civil suit.
Re:Civil vs. Criminal (Score:2)
Let's make breathing illegal and punishable by death. Then, whenever there is a bad guy we want to put out of action, just send the cops around to observe him. Bingo, they see him breathing and arrest him on the spot. He cannot plead innocent as everyone in the court will be able to see the evidence of his guilt.
You can get rid of all the bad guys you want very easily with such a simple law.
all the best,
drew
I'd take the cash (Score:2)
Civil Issue (Score:3, Insightful)
However, since this often involves stealing of personal information and actual theft, perhaps it should have remained a criminal issue..
We'll have solar energy... (Score:2)
Unleash the hounds! (Score:2)
Expect to see some fraction of ambulance-chaser commercials in California turn into phisher-chaser commercials.
Does it count if I knowingly reply to a Phis? (Score:2)
1. Create new PayPal account
2. Put $10 into it
3. Wait for a PayPal phishing email (I get a couple a week)
4. Fill in the new PayPal details
5. Wait for the $10 to disappear
6. Report the phishers
7. Profit!
Sorry, a few more steps than the usual profit posts, but at least this one has a better chance of making it!
PC Manufacturers can educate users. (Score:3, Funny)
The PC manufacturers can configure a start up sequence. When a user starts their computer, a series of screens appear which demonstrate the various Internet evils and countermeasures. One can show information on spam, another on phishing, etc.
As each screen is displayed, the user must click on a "I understand" button before going to the next screen. Only after each screen is viewed will their PC fully boot.
How simple can it be for the PC manufacturers to do this? At least the user cannot say "I didn't know".
How many languages - and usability? (Score:2)
(I'm assuming here you don't want to restrict this idea to only the English speaking part, and you have to target the 'not-so-computer-literate' to get any positive effect).
As for having to plough through many "I understand" buttons, two observations:
(1) how do you think Microsoft gets away with an almost insane amount o
The real problem is that companies don't care (Score:2, Insightful)
Submitter moran (Score:1)
Legislation? (Score:3, Informative)
Really, if you want to solve the problem of phishing, what better/easier way than to remove the stupid social security number (SS#) from existence? People are worried about identity theft of credit card numbers (CC#) and we have a NATIONAL ID CARD proposal? Sounds kind of ridiculous to me.
I know a lot of you really probably don't know the technicalities of phishing, but the only reason why identity theft is an issue is because of the holy grail of all numbers, the SS#. If I get someone's SS#, it's better than a CC#, because now I can register a CC# under their name and SS#. If you think that phishers do what they do to get a CC#, you're wrong. The SS# is what many of them are *really* after.
Governor? (Score:2)
"Arnold Schwarzenegger, governor of California..."
It's governator, baby!
Minnesota did this before California (Score:3, Informative)
Subd. 5a. [CRIME OF ELECTRONIC USE OF FALSE PRETENSE TO OBTAIN IDENTITY.] (a) A person who, with intent to obtain the identity of another, uses a false pretense in an e-mail to another person or in a Web page, electronic communication, advertisement, or any other communication on the Internet, is guilty of a crime.
(b) Whoever commits such offense may be sentenced to imprisonment for not more than five years or to payment of a fine of not more than $10,000, or both.
(c) In a prosecution under this subdivision, it is not a defense that:
(1) the person committing the offense did not obtain the identity of another;
(2) the person committing the offense did not use the identity; or
(3) the offense did not result in financial loss or any other loss to any person.
[EFFECTIVE DATE.] This section is effective August 1, 2005, and applies to crimes committed on or after that date.
Re:Minnesota did this before California (Score:2)
Obviously the 'normal' laws apply if they are caught stealing or committing fraud, in addition.
Bounty Huntin' (Score:2)
"Private Attorney General" Laws (Score:3, Interesting)
That said, this would work better as a national law that permits state courts to be used for action.
Re:So what? (Score:3, Interesting)
Sheesh, what a waste of fucking paper.
Not really a waste of paper for two reasons.
First, it sets a pace for the federal and perhaps later for the world to follow. Although your point about enforcing this to another country may be more difficult is a fact.
But a second point is if a phisher became successful enough, it would warrant setting the fool up. Just wait until they travel and get them in a friendly jurisdiction. It wouldn't be the first time a criminal was caught by the bait of a good job or p
Re:So what? (Score:2, Offtopic)
There doesn't need to be a new law against every method of committing a crime. For instance, do we need a new law specifically forbidding the use of explosives to break into a bank vault? Of course not! Breaking into a bank vault is already illegal; it doesn't matter how you do it.
-Z
((YR)O) != (Y(RO)) (Score:2)
It's ((Your Rights) Online), not (Your (Rights Online)). That is, a discussion of your rights, which happens to take place online, not a discussion of online rights, which happen to be yours.
</rant>
-Ster