Georgia Gov. Nathan Deal has until Tuesday to decide whether to approve a dubious bill that would make it illegal to access a computer or network “without authority,” Wired reported, in what looks an awful lot like legislators trying to make something they don’t understand a crime.
Here’s the backstory: The state government and its Republican Secretary of State Brian Kemp were humiliated last year when it became public knowledge that data on 6.7 million voters, as well as election officials’ login credentials, were stored on an unsecured Kennesaw State University server. (Officials involved conveniently covered their tracks by deleting the evidence.) Legislators have somehow convinced themselves that the problem was not the security vulnerability, but that the state can’t prosecute anyone who stumbled across the publicly accessible data.
Georgia is one of only a handful of states that don’t prohibit unauthorized computer access. But state legislators’ version, SB 315, is incredibly broadly written:
Any person who intentionally accesses a computer or computer network with knowledge that such access is without authority shall be guilty of the crime of unauthorized computer access.
That crime is listed as punishable as a “misdemeanor of a high and aggravated nature,” which can come with a maximum $5,000 fine and a year in prison.
The final version does carve out a number of exemptions:
This subsection shall not apply to:
(A) Persons who are members of the same household;
(B) Access to a computer or computer network for a legitimate business activity;
(C) Cybersecurity active defense measures that are designed to prevent or detect unauthorized computer access; or
(D) Persons based upon violations of terms of service or user agreements.
The bill seems predicated on at least two weird assumptions: The first being that stumbling across publicly accessible data is the problem instead of sloppy cybersecurity, and the second being that outlawing it will actually accomplish anything. (Similar provisions in federal law are already the topic of heated criticism and accusations of prosecutorial overreach.) Worse, in addition to potentially making the kind of proactive snooping that’s the core of much security research illegal, that exemption for “cybersecurity active defense measures” is basically a stand your ground law for hacking. Under that provision, hacking anyone you claim hacked you first is legal, potentially causing a race to the bottom.
According to Wired, security researchers are worried that SB 315’s passage could have a chilling effect entirely the opposite of its intended goals:
“I don’t think this legislation actually solves a problem,” says Jake Williams, founder of the Georgia-based security firm Rendition Infosec. “Information put in a publicly accessible location can and will be downloaded by unintended parties. Making that illegal brings into question so many other issues, like what is ‘authorized’ use? Is violating terms of service illegal?”
“Georgia codifying this concept in its criminal code is potentially a grave step that has some known and many unknown ramifications,” representatives of Google and Microsoft wrote in a joint letter to Governor Deal in April urging him to veto the legislation. “Network operators should indeed have the right and permission to defend themselves from attack, but ... provisions such as this could easily lead to abuse and be deployed for anticompetitive, not protective purposes.”
“The only people who will be caught are those who come forward to warn vulnerable organizations that they have vulnerabilities,” Chris Risley, CEO of Atlanta’s Bastille Networks Internet Security, told the Atlanta Journal-Constitution. “If someone comes forward and freely provides a warning of vulnerability, they should be thanked, not charged.”
The best that can be said for this law is that it appears to have been amended from a prior version to clarify that violating the terms of service of a website or service—say, by violating the fine print of your ISP’s contract—doesn’t count as “unauthorized computer access.” Activists were previously concerned that the bill was so broadly written as to make violating any terms of service, anywhere, a crime.
Gov. Deal’s office told Wired that he is still “carefully reviewing” the bill, though there likely won’t be any clarity as to its final passage until later this week.