First Anti-Phishing Law Enacted in California

Steve writes "Arnold Schwarzenegger, governor of California, signed a bill yesterday that makes phishing a civil liability. According to MSNBC, the new law is the first of its kind in the country: "The bill, advanced by state Sen. Kevin Murray, is the first of its kind in the United States and makes 'phishing'... a civil violation. Victims may seek to recover actual damages or $500,000 for each violation, depending upon which is greater." This is an expensive penalty for phishers who are litigated against, but do the lack of criminal accountability and the burden of action on the victim hinder the effectiveness of this bill?"

Useless

[cdrguru]

1. There is no accountability on the Internet. Domain registration is (or can be) anonymous, so even if you have a domain, it is meaningless. ISPs aren't going to cooperate, especially those outside of the US. It would cost $500,000 to find out who hooked you with thier phishing, so you might as well forget about it.
2. It's their own damn fault. If you are silly enough to click links that people IM you or email you, then you are silly enough to buy a bridge from a guy on a street corner. This has been happening sinces, well, the beginning of time. The Internet just makes it a lot easiler, anonymous and risk-free. You can't stop it. It's like trying to stop daylight.

I guess it makes the legislators in California feel good, but it isn't going to do anything to stop it. It might stop someone who lives in California, uses their home ISP account to collect information and deposits the money in their parent's bank account.

Re:Useless

[jurgen]

Huh?

Ok you're saying: a) it's too expensive to go after the criminals, and b) it's the victims own fault.

What kind of defeatist BS is that?

But what's more, this law addresses precisely those points... for a) it creates an economic incentive for someone to at least /try/ to go after the perps, and for b) it lets the intended victims (even if they were never actually stupid enough to fall for it) fight back.

Seems like you should agree with those goals.

:j

Re:Useless

[ash]

Regarding your second point that "It's their own damn fault":

Equating this to a person selling you a bridge on street corner is not a fair comparison. A person selling a bridge is something highly unusual and operating as an independent group, whereas a phisher is attempting to break in on a very common transaction, by impersonating a trusted agent with a prior relationship. For your street corner comparison, a more accurate comparison would be a group coming in and setting up a fake Bank of America location and executing transactions.

As the other respondent says, your attitude is defeatist--too many people say things cannot be done. Just because something is difficult to defeat, or apparently impossible to stop, that is absolutely no reason to tolerate it. Murder is going to happen no matter what. Should we remove our laws against that?

Instead of being so negative, try seeing the positive side of this: the ground-breaking it sets for other states and countries that, through continued improvement, will hopefully greatly reduce the amount of phishing by giving courts a strong set of tools with which to punish violators.

Here we go again...

[QuaintRealist]

New laws (all laws) have unintended consequences, and fraud is already illegal. TFA provides no details, but I am always skeptical of new regulations which seem to "protect us" from something which is already covered by existing statute.

The real difficulty is that phishers tend to operate from outside jurisdiction and for very brief periods of time. I fail to see how a new "anti-phishing" law will do much to solve the problem - but elections are soon...I doubt that is coincedence.

Is CAN-PHISH next?

[dragon_imp]

Now, if the other states will just take notice...

It's a shame Congress won't act, but we do not need a CAN-PHISH act.

Why does the world need anti phishing laws?

[backslashdot]

Actually why do we have so many damn laws? We can get rid of legislators by getting rid of laws.

Think of the saving to sanity and finances?

We should have only one law: "Don't do anything to harm someone else intentionally". God had the right idea when he gave Moses ten laws, provide us the bible as a sort of guideline to acheiving those laws. Not kidding.

We should have the one law of "don't hurt others intentionally" and then have a transparent system that enables qualified judges to make justified decisions on what appropriate punishments are based on circumstances and deservement (is that a word).

Laws get bought and even in democracies are based on people's current emotions at the time, and they are too non specific in the way they are written anyway. My point is that by have so many laws, they are over specific and miss too many situations.

It just seems like there are an infinite number of situations and deserved punishments that trying to codify them can lead to problems and more injustice than what the intent of laws is. Each crime is slightly different.

Of course the burden is on the victim...

[Asprin]

Of course the burden is on the victim, fraud is already a criminal offense. This bill classifies phishing specifically as a CIVIL offense so the victim can collect damages. In order to collect, the victim has to sue. Don't you remember the OJ civil trial?

Oh, and IANAL. Just knows what I sees on the teevee.

Phishing is serious crime - Spam is just annoying

[Simonetta]

Spam is an annoying side effect of allowing open access to the web to the masses. You're going to get a lot of scumbags, er... people who don't share the same ethical standards as the original web designers. Spam is the pollution (unlimited access for commercial messages) of a general community resource (the web) for individual private gain (selling ad space in a medium that you don't own).

    Phishing is a serious attempt to defraud individuals of large amounts of money by sending false e-mail communications that appear to be from official financial institutions. Phishing must be stopped because it will destroy the ability of people to use the web for commercial transactions (and defraud individuals of large amounts of money).

    These criminals can be quite clever. For example, I received an e-mail that appeared to be a question from an eBay bidder about an item that I wasn't selling. The e-mail graphics looked exactly like eBay's question-from-bidders form. I clicked on reply to inform the writer that I was not offering this item at auction. The screen appeared for me to enter my eBay user name and password. It looked exactly like the standard eBay screen. I was about to when I realized that it was unlikely that eBay would misdirect a question like this. I went to eBay's site and did a search for the auction number from the phish email. It didn't exist. I forwarded the phish message to eBay's fraud department. I was pissed, because they almost got my account password.

        People who do this should be thrown into an American rape torture prison for years. This shit is serious. Same with those Nigerian assholes. This shit isn't funny anymore and no one in the government will do anything about it. I believe that this Nigerian bank fraud transfer scam is something that the international web community should handle by themselves because the authorities won't touch it. The Americans get a large percentage of their oil from Nigeria so they just look the other way at all this endless fraud and theft inflicted on the American people by these clowns.

        We, the web designers and internet system administrators, should shut off all internet communication to and from Nigeria until the bank transfer scam criminals are imprisoned and the defrauded funds returned. Remember, in the new information age, it is not the governments or violence technicians that control the power, it's the people who control the information. It's time to let the world understand this new reality. And shutting down the Nigerian bank fraud scammers by an ad-hoc group action is just the way to get that point across.