The US state of Georgia is considering anti-hacking legislation that critics fear could criminalize security researchers. The bill, SB 315, was drawn up by state senator Bruce Thompson in January, has been approved by the state’s senate, and is now being considered by its house of representatives.
The bill would expand the state’s current computer law to create what it calls the “new” crime of unauthorized computer access. It would include penalties for accessing a system without permission even if no information was taken or damaged.
One of the bill’s backers, state Attorney General Chris Carr, said the bill is necessary to close a loophole: namely, the state now can’t prosecute somebody who harmlessly accesses computers without authorization.
From a statement his office put out when the bill was first introduced:
As it stands, we are one of only three states in the nation where it is not illegal to access a computer so long as nothing is disrupted or stolen.
This doesn’t make any sense. Unlawfully accessing any computer in Georgia should be a crime, and we must fix this loophole.
But critics of the legislation believe it a) will ice Georgia’s cybersecurity industry, penalizing security researchers reporting on bugs; b) would criminalize innocent internet users engaged in innocuous and commonplace behavior, given that the law’s definition of “without authority” could be broadly extended to cover behavior that exceeds rights or permissions granted by the owner of a computer or site (in other words, terms and conditions); and c) is unnecessary, given that current law criminalizes computer theft; computer trespass (including using a computer in order to cause damage, delete data, or interfere with a computer, data or privacy); privacy invasion; altering or deleting data in order to commit forgery; and disclosure of passwords without authorization.
That’s all coming from a letter sent by the Electronic Frontier Foundation (EFF) to Congress in opposition to the current draft of SB 315.
The EFF calls the legislation “misguided.”
The EFF, along with other groups, are worried that beyond criminalizing innocent online behavior, the bill would criminalize security researchers for the sort of non-malicious poking around that they do.
According to Scott M. Jones from Electronic Frontiers Georgia – a group that participates in the Electronic Frontier Alliance – overly broad use of the Computer Fraud and Abuse act (CFAA) has already chilled security research.
He brought up an incident from last year that he believes embarrassed the attorney general’s office into cooking up SB 315. It involved a data breach at Kennesaw State University, whose Election Center was handling some functions for elections in the state. The breach was big news, and it was messy: it spawned a lawsuit over destruction of election data, for one.
The thing about that breach was that it had been responsibly disclosed by a security researcher who wasn’t even targeting the university’s elections systems; rather, Jones said, he simply stumbled upon personal information via a Google search, then tried to get authorities to remove it. In other words, he poked around.
The FBI wound up investigating that researcher, but they couldn’t come up with anything, so off they went without a case to prosecute him. Jones:
To use the language that the attorney general’s office used, they want to build [SB 315] to criminalize so-called “poking around.” Basically, if you’re looking for vulnerabilities in a non-destructive way, even if you’re ethically reporting them—especially if you’re ethically reporting them—suddenly you’re a criminal if this bill passes into law.
Equifax is another case in point: As the EFF suggested in its letter about the bill, fear of prosecution under a bill like SB 315 could have dissuaded an independent researcher out of disclosing vulnerabilities in the credit broker’s system: vulnerabilities that Equifax ignored when the researcher responsibly disclosed them to the company. Those vulnerabilities led to the leak of sensitive data belonging to some 145 million Americans and 15 million Brits.
This illustrates why it is vital for independent researchers to hold companies accountable to their customers.
The EFF has asked the state to amend the bill so as to better protect security researchers.
Rick Henderson
Unauthorized access to a computer system is already against the law in Canada, and it hasn’t been a problem for Canadian security researchers.
MrGutts
This bill goes further. It would and could go after people with jail time who violate an EULA or a ToS within GA.
FreedomISaMYTH
never trust a suit….
Tracy
Two thoughts here. First it is amazing how we can let people who have little or no knowledge of cybersecurity, hacking and other computer related issues propose rules and laws. Rules and laws that are then interpreted by others who again have just as little knowledge. Forgive me but just because someone can turn a computer on and use a browser to watch cat videos doesn’t make them an expert. Second thought is that anyone who enters and mucks about my computer or server without my permission, regardless of whether they do harm, is trespassing and invading my privacy. I believe both of these things are a crime. At any rate, Whether this proposed law is good or bad, The ruling will be used to ones own end.
s31064
“First it is amazing how we can let people who have little or no knowledge of cybersecurity, hacking and other computer related issues propose rules and laws. Rules and laws that are then interpreted by others who again have just as little knowledge.”
You get what you vote for and you get what you deserve. Not to get into a political discussion over this, but during the Obama administration, every poll from various pollsters showed Congress had between a 94 – 98% dissatisfaction rating. At the midterm elections, 97% of incumbents were re-elected. Now, if you or I were in a situation where our boss was only happy with 2 – 6% of our job performance, we’d be out on our ear, and not with any golden parachute.
Tracy
Forgive me s31064 but my comment was a general statement. It had nothing to do with politics. Anyone who proposes something that affects others need to have a bit of knowledge about that subject. As far as polling and pollsters? Let us just say that those statistics are a bit like the Easter Bunny. They are only believable if you tell them to the right people.
I’ve been in the Computer Tech profession as a tech and businessman for 40 years and have seen the progression. I can understand the unease when something like this is proposed but as Mr Ducklin’s comments affirm for me, the EFF and those other’s may be overstating the issue for their own purposes. :)
To Miss Vaas and other Sophos Staff. If my comments here are deemed inflammatory please forgive an old man and just delete them. I have no wish to bring trouble to such a nice place. :)
irrelevantdotcom
It does rather amaze me how lawmakers can’t simply look at their neighbouring states, find some already existing legislation that does the job, works well, and which people are happy with, and just adopt that. Why do they have to re-invent the wheel all the time? Self-promotion? Justifying their position? Or just arrogance?
Anonymous
Let them pass the bill. All it will do is give the criminal/ state sponsored elements easier access to systems. It is not like companies are policing their products and code before they go to market, can we say IoT devices. When something drastic happens, like say a major attack on the internet hubs such as Dyn and people can’t access Amazon or Facebook, they’ll just turn around and blame the security professionals. Then the security community should turn around an just say, hmm…you made it a crime for us to find vulnerabilities that could have possibly prevented this from occurring, welcome to the mess you politicians just created!
Tim Boddington
This has been an offence in the UK for c.30 years. Our Computer Misuse Act was put together by a committee that included a couple of Members of Parliament and half a dozen security specialists (including me). I don’t think there have been many prosecutions resulting from just poking around. The problems would arise if you get zealots in the prosecutor’s office.
Paul Ducklin
Agreed. This is just the sort of over-the-top legalistic grandstanding that the EFF seems to make a habit of. Unauthorised computer access has been criminalised for decades in many jurisdictions – including, as you say, the UK – where mainstream computer research is alive and well.
Poking around in computer systems is not analogous to simple non-criminal trespass in the physical world. You can’t steal the family silver merely by taking a shortcut through my garden and peeking at it through the window. But you *can* steal private data from a server just by looking…
MrGutts
Master Jedi, don’t underestimate the power of stupid within the GA legislature and the legal Proxy voting they do within it. Here in the great state of Georgia they gave you these wonderful gems.
*It is illegal to keep a donkey in a bathtub.
*It shall be unlawful for any person to play ball by throwing, catching, pitching or batting a ball on any public street, alley or sidewalk.
*It is illegal to use profanity in front of a dead body which lies in a funeral home or in a coroners office.
*No one may carry an ice cream cone in their back pocket if it is Sunday.
*Members of the state assembly cannot be ticketed for speeding while the state assembly is in session.
Mark Stockley
The law is less than half the story – I’m dying to know what somebody did that lead somebody else to say “Something must be done about these kids with ice cream in their pockets!”
Steve
It’s not just Georgia. Every state has a collection of bizarre laws like those.