The oft-attacked city of Baltimore not only uses mind-bogglingly bad data storage. Its home state, Maryland, also knows how to swiftly propose mind-bogglingly bad legislation that would outlaw possession of ransomware and put researchers in jeopardy of prosecution.
It is, of course, already a crime to use the data/systems-paralyzing malware in a way that costs victims money, but proposed legislation, Senate Bill 30, would criminalize mere possession.
It’s not supposed to keep researchers from responsibly researching or disclosing vulnerabilities, but like other, similar “let’s make malware more illegal” bills before it, SB 30’s attempts to protect researchers could “use a little more work,” as pointed out by Ars Technica’s Sean Gallagher.
It covers much of the same ground as does Federal law, but SB 30 would take it a step further by labelling the mere possession of ransomware as a misdemeanor that would carry a penalty of up to 10 years imprisonment and/or a fine of up to $10,000.
The draft could get more draconian still: earlier this month, members of the Maryland Senate Judicial Proceedings Committee said they’d actually prefer to make the crime a felony, according to Capital News Service.
The problematic outlawing of “unauthorized access”
Besides mere possession of ransomware, the bill would outlaw unauthorized, intentional access or attempts to access…
…all or part of a computer network, computer control language, computer, computer software, computer system, computer service, or computer database; or copy, attempt to copy, possess, or attempt to possess the contents of all or part of a computer database accessed.
It would also criminalize acts intended to “cause the malfunction or interrupt the operation of all or any part” of a computer, the network it’s running on, and their software/operating system/data. Also verboten: intentional, willful, unauthorized possession or attempts to identify a valid access code, or publication or distribution of valid access codes to unauthorized people.
Where does that leave researchers? Partially protected by a thin blanket that doesn’t protect them from liability, experts say.
The bill does holler out an exemption for researchers, rendered in full caps in the draft:
THIS PARAGRAPH DOES NOT APPLY TO THE USE OF RANSOMWARE FOR RESEARCH PURPOSES.
But that doesn’t cover any of the extensive list of “thou shalt not touch without authorization” aspects of the bill that could spell trouble for researchers and keep them from reporting vulnerabilities. Well-known vulnerability disclosure policy expert Katie Moussouris – the founder and CEO of Luta Security and creator of Microsoft’s bug-bounty program – told Ars that as it’s now worded, the bill would…
…prohibit vulnerability disclosure unless the specific systems or data accessed by the helpful security researcher were explicitly authorized ahead of time and would prohibit public disclosure if the reports were ignored.
The truth is that organizations ignore responsible vulnerability reports all too often. That’s why responsible disclosure programs have reporting windows: once the clock ticks down, plenty of researchers give up on waiting for a response and go ahead and publish vulnerability details. The rationale: the longer a vulnerability exists, the higher the chance it will be exploited by hackers.
Maryland should follow Georgia’s lead and rethink this
SB 30 is currently still under review. Were it to pass in its current form, there is, of course, a chance that the governor might veto it. That’s what happened to the similarly misguided hacking bill, SB 315, that was passed in Georgia in 2018.
From Governor Brian P. Kemp’s veto message:
Under the proposed legislation, it would be a crime to intentionally access a computer or computer network with knowledge that such access is without authority. However, certain components of the legislation have led to concerns regarding national security implications and other potential ramifications. Consequently, while intending to protect against online breaches and hacks, SB 315 may inadvertently hinder the ability of government and private industries to do so.
Hopefully, Maryland’s lawmakers will take a much closer look at the proposed bill and listen to experts like Moussouris. Hopefully, they’ll come to realize that the legislation may very well harm the very people who are working to protect the state.
Anonymous
The way I’m reading this is if you are in possession of the ransomware you are breaking the law. So someone that is infected with the ransomware is actually in possession of it, which means they are in violation of the law. If that is the case, if one of these idiotic lawmakers who have the right idea laid out the wrong way gets infected, would that make them seriously rethink this law?
Stevez
Misdemeanors cannot result in 10 years imprisonment. Did you mean a felony?
Paul Ducklin
According to the website of the National Conference of State Legislatures, there is considerable variation between the states on the maximum penalty for misdemeanors.
That website does note that “[t]ypically, misdemeanor incarceration is served in jail rather than prison. Jails are generally intended to house individuals for shorter sentences, those less than one year. […] Generally, misdemeanors are punishable by less than one year or 365 days, whereas felonies are generally subject to more than one year of incarceration.” But it also points out that “[t]here are a few states where misdemeanors carry permissible sentences longer than one year and the court can send an individual to prison rather than jail.” Maryland is listed as one of those states.
So I think that the answer is, “You probably wouldn’t get 10 years, but there is no state-wide agreement that says you can’t.” In other states, presumably, it would be considered a felony, but that is sort of just legal semantics. (England got rid of the misdemeanour-versus-felony distinction many years ago.)
Stevez
Excellent reply! Thanks Paul for the clarification! Go figure it would be Maryland that bucks the norm :)
Paul Ducklin
No worries… I must admit that I too was inclined to assume that misdemeanors would be defined by how much punishment you might deserve for what you did and how you did it rather than specifically by the crime.
Anonymous
Pro tip: When reading the bill, only the BOLD and CAPITALIZED sections are being added. Most of the text, and most of the bits Sophos and Ars are railing against, is already on the books and has been in place for 15+ years (https://law.justia.com/codes/maryland/2005/gcr/7-302.html).
So, hooray I guess. MD has been living under the draconian madness for a decade and hasn’t fully imploded.
This all does bring up the fact that MD Criminal Law Section 7-302 could use a more thorough overhaul, rather than just a peppering in of ransomware language.