by gruez 437 days ago
>They are written like that precisely so you won't try to weasel your way around a requirement. If they had said "verified badges may not be sold" then you would try to say "this isn't a verified badge but a they-paid-us badge." By wording it vaguely, it cannot be weaseled.

It also means enterprising prosecutors and regulators can use it as a cudgel against their opponents. As others have mentioned, the checkmark already meant very little when it came to whether the poster was trustworthy or not. It's like fining Chrome and Firefox for accepting Let's Encrypt certificates, because previously there was a $10 cost to having a lock appear on your site, and Let's Encrypt making it free misleads users.

2 comments

It's the age-old argument of "letter of the law" vs "spirit of the law".

Neither approach is perfect. Personally I prefer the spirit approach as companies will generally do more harm than regulators given some rope.

It does. I don't think this example is as good as you think, though. You used to have to give out your full legal name and address and have them verified to get an SSL certificate and the lock icon. When any random website could get the lock icon, this did indeed lead to more people typing their passwords into phishing sites, thinking they were real because they had the lock icon, and this was indeed a real problem.

They could have chosen to only show the lock for EV certificates, and show something else, or no icon, for DV certificates, but instead they made a choice that was misleading. Google probably should have been fined for that, but not very much, because it wasn't foreseen. I think Mozilla was still a non-profit at the time.