nakedsecurity | The US state of Georgia is considering anti-hacking legislation that
critics fear could criminalize security researchers. The bill, SB 315,
was drawn up by state senator Bruce Thompson in January, has been
approved by the state’s senate, and is now being considered by its house
of representatives.
The bill would expand the state’s current computer law to create what
it calls the “new” crime of unauthorized computer access. It would
include penalties for accessing a system without permission even if no
information was taken or damaged.
One of the bill’s backers, state Attorney General Chris Carr, said
the bill is necessary to close a loophole: namely, the state now can’t
prosecute somebody who harmlessly accesses computers without
authorization.
From a statement his office put out when the bill was first introduced:
As it stands, we are one of only three states in the nation where it is not illegal to access a computer so long as nothing is disrupted or stolen.
This doesn’t make any sense. Unlawfully accessing any computer in Georgia should be a crime, and we must fix this loophole.
But critics of the legislation believe it a) will ice Georgia’s
cybersecurity industry, penalizing security researchers reporting on
bugs; b) would criminalize innocent internet users engaged in innocuous
and commonplace behavior, given that the law’s definition of “without
authority” could be broadly extended to cover behavior that exceeds
rights or permissions granted by the owner of a computer or site (in
other words, terms and conditions); and c) is unnecessary, given that
current law criminalizes computer theft; computer trespass (including
using a computer in order to cause damage, delete data, or interfere
with a computer, data or privacy); privacy invasion; altering or
deleting data in order to commit forgery; and disclosure of passwords
without authorization.
That’s all coming from a letter sent by the Electronic Frontier Foundation (EFF) to Congress in opposition to the current draft of SB 315.
The EFF, along with other groups, are worried that beyond
criminalizing innocent online behavior, the bill would criminalize
security researchers for the sort of non-malicious poking around that
they do.
