ATLANTA — Lying about your weight on an online dating site? Checking out who won the Falcons game from your work computer? Using your computer hacking knowledge as an “ethical hacker?” Those actions may become illegal if a Georgia bill gets voted into law, civil liberty advocates say.
Supporters of a bill making its way through the state legislature say it’s designed to give law enforcement the ability to prosecute “online snoopers” — hackers who break into a computer system but don’t disrupt or steal data. The legislation came in response to a recent data breach at a Georgia university in which unauthorized cybersecurity experts noticed the vulnerability of Georgia’s voting records.
But opponents say the legislation is so sweeping it could allow prosecutors to go after people who violate their user agreements or use a work computer for personal reasons. They also argue the bill will criminalize the “gray hats” of the cybersecurity world who use their hacking talents to find network weaknesses so they can be fixed, even if they never received permission to probe.
“This bill is not intended in any way, shape or form to criminalize legitimate behavior,” said Republican Attorney General Chris Carr, whose office helped craft the measure.
Carr said only three states — Georgia, Virginia and Alaska — have no law against online “snooping,” in which a hacker neither disrupts nor steals data. To remedy this, the measure criminalizes “any person who accesses a computer or computer network with knowledge that such access is without authority.” The bill does not apply to parents who monitor their children’s computer use, as well as those who are conducting “legitimate business.”
The bill is specifically meant to stop criminal hacking, Carr said. Lawmakers backing the bill, which passed the Senate on Feb. 12, point to the acts of two unauthorized cybersecurity experts who in 2016 and 2017 discovered that a server at Kennesaw State University had left Georgia’s 6.7 million voter records dangerously exposed. The men reported the vulnerabilities, but Carr said they should never have been snooping in the first place.
“If the research is legitimate, why should you not require someone to get permission on the front-end?” Carr said, arguing that it’s hard to know what a snooper’s intentions are.
Carr said the bill was drafted with the help of business groups and after conversations with the University System of Georgia, which has not taken a position on it. Carr said he is open for more input, especially from academics concerned it could hurt their ability to conduct research.
Andy Green is an information security lecturer at KSU. Green said that by alerting people at KSU’s Center for Election Systems, the men prevented the data from falling into the wrong hands. Criminalizing such acts will only deter “ethical hackers” and not stop malicious ones, Green argued.
Independent security research is the “backbone” of efforts to protect consumers’ data, said Camille Fischer, a fellow at Electronic Frontier Foundation, an international digital rights nonprofit advocacy group opposing the measure. Software vulnerability experts can be too expensive for some businesses, so the work of unauthorized researchers — who may be trying to raise their professional profile — is vital for the “ecosystem” to survive, she said.
But the measure’s lead sponsor, Sen. Bruce Thompson, R-White, said some hackers have unethical or illegal intentions.
“When you go out and discover that there’s a problem, but you aren’t going to freely give it — you’re going to make a business of it — that’s extortion,” Thompson said.
Fischer said many other states have anti-snooping laws that are modeled after the federal Computer Fraud and Abuse Act, which can be more narrowly worded by focusing on what cybersecurity experts do with the unauthorized access or what their intent was.
Other opponents said the bill is worded in such a way that any time a user violates a website’s terms-of-service agreement or an employer’s web-use guidelines, the user could be prosecuted.
“We should not be giving businesses the authority to determine what is criminal and what is not,” Sen. Jen Jordan, D-Atlanta, told The Associated Press in an interview. She says the bill should only apply to those who act “maliciously.”
The American Civil Liberties Union of Georgia has called the proposal “draconian and unnecessary.”
“Something as simple as fudging your age on social media could land you in jail,” said Sean J. Young, Legal Director for the ACLU of Georgia.
Jessica Gabel Cino, a professor at the Georgia State University College of Law, said user-agreement violations, technically speaking, would go against the “letter of the law.” But she doubted anyone would ever actually be charged for such innocuous acts, something Carr also called “absurd.”
“Our district attorneys with their limited time and resources are not going to spend any time trying to prosecute a roommate using the Netflix password,” Carr said.