“Misguided” hacking bill threatens to ice security researchers, say critics

The US state of Georgia is considering anti-hacking legislation that critics fear could criminalize security researchers. The bill, SB 315, was drawn up by state senator Bruce Thompson in January, has been approved by the state’s senate, and is now being considered by its house of representatives.

The bill would expand the state’s current computer law to create what it calls the “new” crime of unauthorized computer access. It would include penalties for accessing a system without permission even if no information was taken or damaged.

One of the bill’s backers, state Attorney General Chris Carr, said the bill is necessary to close a loophole: namely, the state now can’t prosecute somebody who harmlessly accesses computers without authorization.

From a statement his office put out when the bill was first introduced:

As it stands, we are one of only three states in the nation where it is not illegal to access a computer so long as nothing is disrupted or stolen.

This doesn’t make any sense. Unlawfully accessing any computer in Georgia should be a crime, and we must fix this loophole.

But critics of the legislation argue that it a) will chill Georgia’s cybersecurity industry by penalizing security researchers who report bugs; b) would criminalize innocent internet users engaged in innocuous, commonplace behavior, because the bill’s definition of “without authority” could be read broadly to cover any use that exceeds the rights or permissions granted by the owner of a computer or site (in other words, violating terms and conditions); and c) is unnecessary, since current Georgia law already criminalizes computer theft; computer trespass (including using a computer to cause damage, delete data, or interfere with a computer, data or privacy); computer invasion of privacy; altering or deleting data in order to commit forgery; and disclosure of passwords without authorization.

That’s all drawn from a letter the Electronic Frontier Foundation (EFF) sent to Georgia lawmakers in opposition to the current draft of SB 315.

The EFF calls the legislation “misguided.”

The EFF, along with other groups, is worried that beyond criminalizing innocent online behavior, the bill would criminalize security researchers for the sort of non-malicious poking around that they do.

According to Scott M. Jones from Electronic Frontiers Georgia – a group that participates in the Electronic Frontier Alliance – overly broad use of the federal Computer Fraud and Abuse Act (CFAA) has already chilled security research.

He brought up an incident from last year that he believes embarrassed the attorney general’s office into cooking up SB 315. It involved a data breach at Kennesaw State University, whose Center for Election Systems was handling some election functions for the state. The breach was big news, and it was messy: it spawned a lawsuit over the destruction of election data, for one.

The thing about that breach was that it had been responsibly disclosed by a security researcher who wasn’t even targeting the university’s elections systems; rather, Jones said, he simply stumbled upon personal information via a Google search, then tried to get authorities to remove it. In other words, he poked around.

The FBI wound up investigating that researcher, but found nothing to charge him with, and the matter was dropped without prosecution. Jones:

To use the language that the attorney general’s office used, they want to build [SB 315] to criminalize so-called “poking around.” Basically, if you’re looking for vulnerabilities in a non-destructive way, even if you’re ethically reporting them—especially if you’re ethically reporting them—suddenly you’re a criminal if this bill passes into law.

Equifax is another case in point: as the EFF suggested in its letter about the bill, fear of prosecution under a bill like SB 315 could have dissuaded an independent researcher from disclosing vulnerabilities in the credit bureau’s systems: vulnerabilities that Equifax ignored when the researcher responsibly disclosed them to the company. Those vulnerabilities led to the leak of sensitive data belonging to some 145 million Americans and 15 million Brits.

This illustrates why it is vital for independent researchers to hold companies accountable to their customers.

The EFF has asked the state to amend the bill so as to better protect security researchers.