Ryan Blitstein asks this question in a great article at the Mercury News; here is the link.
To summarize, the difficulties include legislators who don’t understand the technology, as well as companies that fight good laws because the proposed law hurts their bottom line. Special interests, as usual, appear to have more sway than the goal of implementing good laws to fight spyware or phishing attacks.
To further understand why stronger laws are needed, he’s also written a three-part series on cybercrime. Here are links to Part I, Part II, and Part III. (Hat tip to Bruce Schneier for linking to Part III today.)
These laws are needed, and are needed soon.
A California man was recently convicted of a “phishing” scam. Specifically, Mr. Goodin’s conviction is based upon violations of the CAN-SPAM Act (15 U.S.C. §§ 7701 et seq.), as well as 10 additional counts, including wire fraud, misuse of the AOL trademark, and attempted witness harassment.
The article here at Mercury News makes a big deal of his conviction under the CAN-SPAM Act, as it is the first in the country. However, it really is notable as a phishing conviction; it’s just that the scheme was operated by sending out spam. The spam consisted of “phishing” emails that appeared to be coming from AOL’s billing department. He succeeded in convincing AOL members that they needed to resubmit their billing information at his site, to which the misleading messages directed users.
According to the article, sentencing will be in June. He faces up to 101 years on all counts.