When phishing for solutions to online crime, lawmakers are bound to reel in two favorites: expanding statutory definitions of criminality, and broadening prosecutorial powers. Senator Leahy proposes the former (S. 2636), but amendments in committee would likely incorporate the latter, as well as a few Federal Trade Commission rulemakings, and maybe even a GAO study.
Those of us who are unenthused about the prospect of such government encroachment tend to offer promises of technological solutions without reflecting adequately on whether or not a market exists to support their development. Not only do fewer than 5 percent of targeted consumers fall victim to phishing, but the primary consumers of these would-be innovations (online businesses) can opt instead to acquire collective (state) resources from pliable lawmakers at a fraction of the cost.
This dynamic is even more pronounced in this situation because the costs of phishing are predictably concentrated among a small subset of businesses and their consumers. According to data from the Anti-Phishing Working Group, 77 percent of phishing attacks are targeted against the financial services industry, with over 44 percent of those attacks against customers of Citibank, the largest bank (in market cap) in the world. Although the phishing infrastructure (mass emails and temporary web sites) is low cost, there are economies of scale involved. And to the extent that those targeted are not only the largest, but also the most reputable online businesses, phishing is a greater threat to brand equity than the more mundane trademark infringements these businesses already spend tens of millions each year to suppress.
Public concerns that consumers will shun all internet transactions after falling victim to fraud are unlikely to be as consequential as management’s concern that consumers will avoid future internet transactions with the business whose trademark was expropriated to commit the fraud. Publicly traded corporations with shareholder equity in excess of $90 billion do not need public subsidies in the form of prosecutorial resources to assist them in maintaining brand equity. And given estimates that suggest only 27 percent of phishing web sites are hosted in the U.S., supranationals may already be better positioned to police against phishing anyway.