Security news that informs and inspires

Georgia Bill Casts a Chill on Security Research

The Georgia state legislature is considering a new bill that includes vague language that would criminalize the act of connecting to a given network or individual computer “without authority”. The bill is “needlessly problematic” and could lead to severe restrictions on computer security research in the state, and possibly elsewhere, legal experts say.

Security researchers, civil liberties advocates, and attorneys have been concerned about the language in the bill since it was introduced several weeks ago, specifically a section that creates a new category of computer crime. The section is written in a way that would make many kinds of common online activities illegal.

“Any person who intentionally accesses a computer or computer network with knowledge that such access is without authority shall be guilty of the crime of unauthorized computer access,” Georgia S.B. 315 reads.

The attempt to amend the state’s computer crime statute is the result of an incident last year in which a security researcher discovered millions of voter-registration records and other sensitive information sitting on a publicly available server. The data was on a site run by Kennesaw State University, a contractor for the state of Georgia, and Logan Lamb, the researcher who discovered the issue, reported the problem. An investigation followed, but authorities found that Lamb hadn’t violated any existing laws.

S.B. 315 would change the existing state law to include the clause that would make such discoveries illegal. In a letter to several state senators who are supporting the bill, Jamie Williams, a staff attorney for the Electronic Frontier Foundation, warned that the new language could have a broad effect on security researchers as well as normal users.


“This section may be intended to target malicious behavior like computer break-ins or identity theft. In fact, however, it would criminalize violation of a website’s terms of service, due to the broad, preexisting definition of ‘without authority’ in Georgia’s computer crime statute. As a result, this bill would turn innocent individuals into criminals on the basis of innocuous and commonplace online behavior, chill important independent computer security research in the state, and render O.C.G.A. 16-9-93 unconstitutionally vague,” Williams’s letter says.

Security researchers rely on the ability to access networks or specific computers as part of their work, and removing that ability could severely restrict a large portion of such research. The most recent version of S.B. 315 does include a line that excludes violations of terms of service agreements from prosecution, a provision that addresses a major concern with the original bill’s language. However, last week a Georgia House of Representatives committee passed a version of the bill that eliminated a proposed amendment that would have protected people who conduct research as part of their jobs or who discover vulnerabilities and then report them to the affected parties. The proposed legislation is due for a hearing in the Georgia General Assembly later this week.

“The concern is that this could shut down responsible reporting on vulnerabilities if it goes through,” said Scott M. Jones of Electronic Frontiers Georgia, a civil liberties group that has been tracking S.B. 315. “There isn’t any broad outcry for this. It all seems to be coming from the attorney general’s office.”

The bill also includes a section that would protect organizations and individuals from prosecution if their unauthorized computer access is part of an active defense operation. Active defense can be a controversial concept in the security community, depending upon the context and the scope of the measures being used. The term usually refers to defensive techniques inside one’s own environment, such as dynamically changing network architecture or planting dummy honeypot files, but in some contexts it is also applied to “hack back” operations against an attacker’s systems, even though the two are separate concepts.

Georgia’s bill would protect “Cybersecurity active defense measures that are designed to prevent or detect unauthorized computer access”. However, like the section criminalizing “unauthorized computer access”, the language protecting active defense measures is also rather vague, and the bill does not say which of those two readings of active defense it has in mind.

Image by Ken Lund, CC BY-SA license.