On Monday, Georgia senators passed a bill that makes password disclosure or accessing a computer or computer network without permission “a misdemeanor of a high and aggravated nature.”
Lawmakers said it closes a loophole in Georgia’s criminal statutes, but cybersecurity professionals said they worry about the impact it will have on their work if it becomes law.
At a recent Senate public safety committee hearing, staff attorney David McLaughlin of the state Attorney General’s office spoke about working on Senate Bill 315. He said many questions were raised after someone accessed voter records at the state’s election center, housed at Kennesaw State University.
“Everybody’s shrugging their shoulders like why isn’t this guy getting arrested?” McLaughlin said. “If I go into your computer system network and all I do is get access, and I’m in there absent anything else, that’s not a crime.”
Voter Records Breach
Kennesaw State University information security lecturer Andy Green said it shouldn’t be a crime. He said he accesses computers and networks for research purposes.
“This bill is intended to criminalize the very behavior that we all exhibited in that incident, and that’s a little scary to me,” Green said.
Green said one of the individuals who found out he could access state voter records through the state’s election center website reached out to tell Kennesaw State University that he had found a vulnerability.
Green said he thinks the bill will encourage “ethical hackers” – like the one who reached out to him – to keep quiet instead of reporting vulnerabilities to companies and governments.
“What will happen is that the research is not going to stop. But instead of going legitimately to those people who may be exposed unnecessarily to give them a chance to fix the problem, either that contact will [now] never happen and those researchers who are out there finding these things for profit-driven motives are simply going to sell their information on a black market,” Green said. “And then someone would take that vulnerability and use it for malicious purposes. That’s the kind of behavior we need to target.”
Green said he has been pushing for an amendment that would only penalize hackers who have malicious intent.
The bill makes an exception for parents and legal guardians who want to monitor computer use, deny use or copy data from computers for those in their care who are under 18.
It also allows for “legitimate business activity,” but Green said the wording is too vague.
“I’m concerned about the fact that there are no exemptions carved into this bill, as it’s currently written, to protect those of us who do legitimate research, whether it’s in the academic or commercial space,” Green said.
Kennesaw State University’s College of Continuing and Professional Education offers an ethical hacking certification course, but some of the assignments in those classes, and in Professor Green’s, may become illegal.
State Sen. Bruce Thompson is the bill’s main sponsor and said he was motivated to sponsor the bill after he was the victim of a data breach a couple of years ago.
“There’s no such thing truly as ethical hacking when you’re hacking into a network you’re not authorized to be in,” Thompson said. “No more than there is of me going into your home because I heard a noise or I broke into your car because you left the radio on. It’s a very slippery slope to say that you’re going to let ‘ethical people’ hack into other people’s property because that’s what computers are in today’s world: it’s your digital home.”
Attorney General Chris Carr said people should always ask before entering.
“There is no harm, if it’s not your computer, in asking an entity or an individual if you can enter their computer, system, phone,” Carr said. “If there is a better way to craft bills then we are encouraging anybody and everybody to participate in the public process.”
But Atlanta attorney Roy Hadley said that’s not always possible if, for instance, you’re a researcher or “ethical hacker” tracking computer viruses.
Hadley is co-chair of the privacy and cybersecurity practice at Thompson Hine and chair of the information security society for the Technology Association of Georgia.
“By the time that you see that it’s coming from Home Depot, you’re in Home Depot,” Hadley said. “And that’s the problem. You don’t know that you’re there until you’re there.”
He said in most cases, companies will hire these researchers to then find other security vulnerabilities on their computer networks.
Sen. Thompson said the bill protects people who access sites without knowledge that they are entering those sites.
The bill is now waiting for lawmakers’ approval in the House.
Activists with the Electronic Frontiers Georgia group have planned a meeting at Manuel’s Tavern to oppose the bill.