In an item earlier today, I wondered what problems may develop from recent attempts by MasterCard and NameProtect to stop "phishing," phony solicitations for personal information using the stolen trade dress of banks and other institutions.

Brad Hutchings (pictured) responds:

I'm skeptical that they can preempt phishing.

The obvious attach on such preemption is spoofing the phishing, much like spammers spoof return addresses. I.e. in your phish spam, send people to a bogus URL on my website, directing the NameProtect people to my web site, which isn't engaged in anything. Disregard spoofing and think what this really amounts to... it's like finding a blog that isn't on anyone's blogroll. Not likely they can do anything except make sure they get phished with 100 thousand of their closest friends and get there first before it does a lot of damage.

But here is what we really need.

You know in the browser how the lock indicates a secure session? That says that encryption is being used to transmit all data between client and host and that the keys have been verified as issued by a certificate authority. We need another "lock" icon that indicates that the transaction is being watched and recorded by a privacy authority.

That may sound a little weird, and the architecture may not be entirely obvious, but the best protection against the scammers might just be to have a complete recording of what they are doing and perhaps haviing some third party that approves or denies their attempt to deal with you in real time.