Sometimes things actually work the way they’re supposed to. It’s rare, especially when the Internet is involved, but it does happen. Tuesday was one of those times.
The governor of Georgia on Tuesday vetoed a bill that not only would have outlawed many kinds of security research, but also would have legalized active defense measures. The bill has been called deeply flawed and dangerous for researchers and activists worried that it could lead to similar bills in other states. In vetoing the bill, Gov. Nathan Deal said that the measure could have a variety of unintended consequences.
“Under the proposed legislation, it would be a crime to intentionally access a computer or computer network with knowledge that such access is without authority. However, certain components of the legislation have led to concerns regarding national security implications and other potential ramifications. Consequently, while intending to protect against online breaches and hacks, SB 315 may inadvertently hinder the ability of government and private industries to do so,” Deal wrote.
“After careful review and consideration of this legislation, including feedback from other stakeholders, I have concluded more discussion is required before enacting this cyber security legislation. The work done this session by the legislation’s sponsors and stakeholders provides a solid foundation for continued collaboration on this issue. It is my hope that legislators will work with the cyber security and law enforcement communities moving forward to develop a comprehensive policy that promotes national security, protects online information, and continues to advance Georgia’s position as a leader in the technology industry.”
There were two main issued with the bill. First, the main intention of the bill was to criminalize the act of accessing a computer or network without permission. The motivation behind most computer crime laws is to make it illegal for people to misuse or break various computing resources, but the language in the Georgia bill is so vague that it could have led to prosecutions for benign security research work.
"I have concluded more discussion is required before enacting this cyber security legislation."
“Any person who intentionally accesses a computer or computer network with knowledge that such access is without authority shall be guilty of the crime of unauthorized computer access,” the bill read.
Civil liberties advocates said this clause wasn’t specific enough.
“S.B. 315 would have created the new crime of “unauthorized access” without any requirement that the defendant have fraudulent intent. This could have given prosecutors the discretion to target independent security researchers who uncover security vulnerabilities, even when they have no criminal motives and intend to disclose the problems ethically,” Dave Maass of the Electronic Frontier Foundation said.
The second issue with the bill was its protection for people engaged in active-defense measures. That language could have had the effect of allowing private companies or individuals to conduct their own offensive operations against attackers. This clause raised serious concerns about random users or security teams going off on their own to track down and hack back against attackers, something that is strongly discouraged in the security community.
Deal’s veto of S.B. 315 came as somewhat of a surprise, but it doesn’t necessarily mean it’s the end of the road for a bill of this kind. In his veto statement, Deal said he wants legislators to go back and figure out a better law.
“It is my hope that legislators will work with the cyber security and law enforcement communities moving forward to develop a comprehensive policy that promotes national security, protects online information, and continues to advance Georgia’s position as a leader in the technology industry,” Deal said.