The Atlanta Journal-Constitution

Bill might limit effort to find security flaws

- By Mark Niesse mark.niesse@ajc.com

Until an internet researcher found the personal information of 6.7 million Georgia voters online, it was available for the taking by potential criminals.

Because the researcher reported his discovery last March, that election information was locked down within an hour.

The FBI looked into the case and concluded he hadn’t broken the law.

Now Georgia lawmakers might make that kind of research a crime.

A bill advancing through the Georgia General Assembly would crack down on investigations into whether the government or businesses aren’t protecting their data, unless permission is given in advance.

The legislation is meant to prevent computer snooping, but it could also stop legitimate internet security efforts.

The bill was introduced, in part, as a result of the state’s failure to protect voter records — including voter lists with full Social Security numbers and birth dates — at Kennesaw State University’s Center for Election Systems.

Instead of learning from the data breach, state lawmakers are trying to criminalize those who report internet security weaknesses, said Andy Green, a KSU information security lecturer who reported the problem after he was contacted by the internet security researcher.

“What we did was a public good,” Green said. “It may have made some people uncomfortable, but at the end of the day we had 6.7 million voter registration records that were exposed. We ended up sealing those records. We dodged a bullet.”

But state Attorney General Chris Carr says Georgia needs stronger laws to protect residents and businesses from intruders. Georgia is one of only three states that doesn’t ban people from accessing a computer or network without permission, even if no information is stolen. State law already prohibits data theft and tampering.

Carr said most Georgians don’t want hackers combing through their personal information, which could later be exploited if they find something valuable.

“Do we want people that do not have authorization to our computers or our computer networks coming in and being able to look around?” Carr asked. “We want to continue to allow legitimate activity to remain legal. We want illegitimate activity to be illegal. The question is, where do you draw that line?”

Tech companies opposing the legislation, Senate Bill 315, testified that it should only criminalize computer snooping when it’s done with “malicious intent.”

Carr disagreed, saying adding that language to the bill would make it pointless because prosecutors couldn’t show ill intent until data was misused, and by then it would be too late.

In the case of the voting records exposed by KSU, they were publicly available online without a password to anyone who could find the web address, as the security researcher who discovered the problem did. The researcher gained access by changing one letter in the URL — from “http” to “https”.

A law that allows prosecution of those who find internet security problems would make Georgians less safe, said Rob Graham, the former chief scientist for Internet Security Systems, which was founded in Atlanta.

Under SB 315, unauthorized computer access would be a misdemeanor punishable by up to a year in jail and a $5,000 fine.

“The purpose of this law is to quiet us as security researchers,” said Graham, a cybersecurity consultant. “If we point out flaws that are embarrassing, they can come after us.”

The sponsor of the bill, state Sen. Bruce Thompson, R-White, said he couldn’t disagree more.

Personal property and data are nobody else’s business, he said. If internet consultants want to look for vulnerabilities, they should get permission first.

“It’s never appropriate for you to access someone else’s property, period,” said Thompson, a tech business owner whose identity was stolen in 2015. “How do you determine if someone is an ethical or unethical hacker? It’s never appropriate to access someone’s information without authorization.”

Still, the business community is concerned about the proposal.

It’s worried the bill could discourage internet security companies from opening and expanding in Georgia’s burgeoning cybersecurity industry.

“In this bill there’s a lot of unintended consequences,” Heather Maxfield, a lobbyist for the Technology Association of Georgia, said during a committee hearing last week. “If we could include malice into the bill, I think most of my members would be more settled than with the language we have now.”

Robert Ball of Ionic Security said the bill could have a “chilling effect” on tech businesses.

“It could potentially negatively affect who wants to be in our business in the state,” said Ball, the general counsel for the Atlanta-based data security company.

The legislation will be changed to more precisely define what is and isn’t allowed, said state Rep. Ed Setzler, R-Acworth, the chairman of the subcommittee reviewing it.

Carr said the bill shouldn’t prevent accessing publicly available information, websites and wireless networks. But he said Georgia laws should ban more intrusive efforts, such as hacking attacks, to penetrate computers and networks.

BOB ANDRES / BANDRES@AJC.COM State Sen. Jennifer Jordan, D-Atlanta, (left) questions state Sen. Bruce Thompson, R-White, about the computer crime bill he sponsored Feb. 12. The bill was introduced, in part, as a result of the state’s failure to protect voter records.
