Georgia SB 315 anti-hacking law dangerously misses the mark of protecting people, making us all less safe
GA SB 315 (LC 29 8107S) (PDF / legis.ga.gov) just passed the House Judiciary Non-Civil Committee and will be voted on this week. While significantly improved through the committee process, it still creates a dangerously broad definition of Criminal Unauthorized Computer Access that is so sweeping, people will need permission before visiting any website.
This bill was drafted because Georgia law enforcement and the U.S. FBI could not find any law broken by a professional security researcher. This researcher tried to alert Georgia election officials of voter data inappropriately published publicly on the Internet by Kennesaw State University, a contractor for the Georgia Secretary of State’s Office. What he discovered through ordinary Google searching was that voters' names, addresses, and other private information was indexed by Google and accessible by anyone. After months, he and another researcher discovered that the data was still available on the public Internet and brought it to the attention of the media. Only under the daylight of public attention was the data removed from the Internet in an embarrassing scandal.
Rather than thanking good Samaritan security researchers for helping guard the public from truly malicious hackers, the Georgia Attorney General’s Office has conducted a legislative campaign to ensure that these facts would lead to a successful prosecution under SB 315, which creates a new crime of unauthorized computer access, even when no computer was broken into or data stolen.
By analogy, consider your local bank as a metaphor for a website hosted on a computer. Now suppose that John Doe is a professional security camera expert and during his visit to deposit his check, he notices a defect in the bank’s security camera system that is clearly visible to his expert eye. This defect places many customers at risk. Under SB 315, the mere act of noticing this defect is a crime. Any attempt to report the issue to the bank is a confession of guilt and could lead to his criminal prosecution in Georgia. This absurd situation is precisely the outcome for well-intentioned computer security experts who see defects in the websites we all depend on to protect our most sensitive information. Security experts will stop reporting defects in good faith, and we will all be less safe. Many defects will only become known after being exploited by a malicious hacker for criminal purposes.
Computer security law and policy is a delicate balancing act between protecting those who own computer systems/networks and the people who are victimized when a data breach occurs. GA SB 315 misses the mark in protecting the public. It actually puts the public more at risk. While it is true that many other states, including California, have an unauthorized computer access statute, many of those are much narrower in scope and include more exemptions for professionals who help in good faith. Worse, Georgia is making benign Internet access a crime by eliminating the “malicious intent” concept from its law, turning millions of web interactions into prosecutable acts and depending on prosecutors and the courts to apply the law as they see fit.
It is my expert opinion that GA SB 315 should be dropped by the Georgia General Assembly and instead the State government should study the matter with input from all sides, including Information Security professionals, and come back in 2019 with a comprehensive data protection bill to protect all Georgia residents from the harm of their personal information being stolen.