A proposed anti-hacking law in the US state of Georgia is raising all kinds of alarms – because it could chill security research, and criminalize anyone who breaks a website or ISP's T&Cs.
The bill, SB 315, would expand the state's computer crime laws to include penalties for accessing a machine without permission even if no information was taken or damaged. Drawn up by state senator Bruce Thompson (R) in January, the proposed legislation has been approved by Georgia's senate, and is being considered by its house of representatives.
Backers of the bill, including state Attorney General Chris Carr, said expanding the protections will close a loophole, and allow the state to better pursue criminals.
"As it stands, we are one of only three states in the nation where it is not illegal to access a computer so long as nothing is disrupted or stolen," Carr said when the bill was first introduced.
"This doesn’t make any sense. Unlawfully accessing any computer in Georgia should be a crime, and we must fix this loophole."
Opponents of the bill, however, say the draft legislation goes too far: it would, for example, criminalize "any person who accesses a computer or computer network with knowledge that such access is without authority." Disclosing a password to someone without permission to do so is also a no-no.
Groups including the Electronic Frontier Foundation (EFF) worry that the bill could be used against legitimate security researchers who alert private companies to vulnerabilities found in corporate systems.
Specifically, the rights warriors fear organizations could try to shut down bug reporting and disclosures by pressing charges alleging the researchers committed unauthorized access in discovering flaws in networks and services. The EFF also argued that, as written, the law could be used to crack down on ordinary netizens: breaking the terms of service of a website or similar falls foul of this draft law, we're told.
In other words, if the terms of service on a website require you to be truthful about, say, your weight or marital status or email address, and if you're not or simply make a mistake on a form, you'll run up against the Peach State's proposed anti-hacking law.
"Terms of service come from a private company — for instance, your cable and internet provider have terms of service," said Electronic Frontiers of Georgia member Scott Jones.
"The bill is so broadly written that a violation of terms of service could possibly be construed as a criminal violation, and that would be improper delegation of powers."
The EFF has asked the state [PDF] to amend the bill to better protect researchers.
It just so happens that Georgia's electronic voting system was earlier probed by security researchers, who claimed to have found various exploitable holes. A computer system at the center of a lawsuit over the alleged vulnerabilities was later mysteriously wiped.
Beyond deleting evidence from servers, it would appear Georgia has found another way to avoid the hard gaze of computer security research – simply outlaw it. ®