A new bill winding its way through the Georgia state senate has cybersecurity experts on alert. As Senate Bill 315 is currently written, academics and independent security researchers alike could be subject to prosecution in Georgia alongside malicious hackers.
The two-page bill aims to amend legislation governing computer crimes in the Peach State to criminalize “unauthorized computer access.” It would penalize violations as a “high and aggravated misdemeanor,” with up to a $5,000 fine and year in jail, “any person who accesses a computer or computer network with knowledge that such access is without authority.”
Security researchers often need to access computers or networks without authorization, even if just to prove that they have dangerous vulnerabilities to patch. This includes holes in government technologies like voting machines, some of which are in use in Georgia and are at the center of lawsuits.
The bill also criminalizes terms-of-service violations, which could include infractions as minor as using a pseudonym on Facebook or sharing a password, says a Georgia government lawyer who spoke on the condition of anonymity.
“This could expose a lot of consumers to potential prosecution,” says Jamie Williams, a staff attorney at the digital-rights advocacy group Electronic Frontier Foundation. She says that could include willingly sharing your password on a banking or medical website. “Prosecutorial discretion covers everything.”
A representative for Georgia Attorney General Chris Carr declined to comment for this story. In a statement, Carr said Georgia is “one of only three states in the nation where it is not illegal to access a computer, so long as nothing is disrupted or stolen. This doesn’t make any sense. Unlawfully accessing any computer in Georgia should be a crime, and we must fix this loophole.”
The existing Georgia state law the bill aims to replace, 16-9-93, already criminalizes the activity that SB 315 is looking to penalize, the government lawyer says. But the bill adds vague language that reflects parts of the Computer Fraud and Abuse Act, the preeminent U.S. antihacking law that hackers and privacy advocates say has been used to unfairly prosecute security researchers. Who provides authority to access computers would be left for the courts to decide.
“The attorney general is looking to grandstand…It is a knee-jerk reaction” to the news that Georgian voter databases might have been compromised in the run-up to the 2016 election, the lawyer says.
Late on Tuesday, the bill was sent back to the Georgia Senate Rules Committee for further review and possible revision before a vote by the full Senate. Even though a revision to the bill on February 1 added an exception for parents monitoring their children’s computer use and the vague “legitimate business activity,” cybersecurity and legal experts from Georgia and beyond worry that the bill, if made into law, would ultimately chill Georgia’s booming cybersecurity community, driving away academics, researchers, and businesses.
Internet Security Systems, one of the first major cybersecurity companies that looked beyond antivirus products and now owned by IBM, was founded in Georgia in 1994. The Georgia Institute of Technology, widely known as Georgia Tech, has one of the nation’s top academic cybersecurity programs. And Fort Gordon, in Augusta, is the home of the U.S. military’s Cyber Command.
“Companies will move divisions elsewhere, and startups will go elsewhere. Likewise, students will search for jobs elsewhere,” Georgia-based independent security researcher Rob Graham says. “It’s insane for legislators wanting to pass legislation that will mess this up.”
Andy Green, a lecturer of Information Security and Assurance at Kennesaw State University in Marietta, criticizes the bill for using vague terminology and putting computer security researchers at risk.
“I’m putting research on hold with college undergrad students because it may open them up to criminal penalties,” Green says. “It’s definitely giving me pause right now.”
Update at 1 p.m. on Monday, February 12: The Georgia state Senate passed SB 315 with a 41-11 vote. The bill is now positioned to move to the state’s House of Representatives.