Friday, December 10, 2004 - The Progress & Freedom Foundation Blog

Phishing update

In the last 3 days, I have "account information requests" from 'Bank of America,' 'Suntrust,' and 'Citizens' Bank.' These are prototypical phishing solicitations that look legitimate and official, but are really a means for thieves to get people to voluntarily hand over account information. I, and millions of others, ignore them, and with the better junk e-mail filters don't even need to see them at all.

That said, this is the type of stuff that gives folks like my 70-year-old in-laws the willies. My mother-in-law gets these things and thinks she does have to respond or her account will be closed (fortunately, the phishers haven't gotten lucky and made the request from her bank). Further, she then becomes more suspicious about making any online purchases for fear her information will be stolen. Amazon should pay me a commission for talking her through the fact that it's all right to order something from them.

The political response to this scourge: "there oughta' be a law....!" is empty posturing. There is a law. It prohibits fraud. All states have them. The problem here is enforceability, which is near-impossible. I tend to think the ultimate solution is structural -- better authentication, active policing by the broadband providers limiting the bad guys' access. This second solution, you will note, violates the vaunted end-to-end principle. And the answer to that should be: so what? It is a valuable principle so long as it is useful, not a foundational article of faith. When "'Net Freedom" becomes the bad guys' invitation to harassment at best and fraud at worst, then the principle needs to be rethought.

Our sometimes Red Lodge, Montana office, headed and staffed solely by Jim DeLong, is fond of making analogies between the property and contract rights foment and change in the American West and the current "wild west" phase of the Internet. There is explanatory force to this analogy, and insight to be gained from how settlers to the west worked out the rules of property (western "prior appropriation" water law and its complete difference from eastern riparian property regimes is one glaring example).

The Internet still has a ways to go toward working out these laws. In the case of phishing, perhaps we need to revive the Greek and Roman practice of banishment.

posted by Ray Gifford @ 3:11 PM | E-commerce, Privacy