Draconian. Unnecessary. These are the words used by the American Civil Liberties Union of Georgia to describe a new proposal making its way through the Georgia state legislature. Supporters say the bill will provide the ability for law enforcement to prosecute “on-line snoopers” — so called hackers that break into a computer system but doesn’t take any data or disrupt the systems from running normally.
Opponents argue the wording of the bill would criminalize the “gray hats” of the cybersecurity world (hackers that use their talents to find network weaknesses so they can be fixed) and could also allow law enforcement to go after those users that violate their user agreements — or even use a work computer for personal reasons.
Attorney General Chris Carr, whose office helped to craft the bill, stated “This bill is not intended in any way, shape or form to criminalize legitimate behavior.” Carr said the bill was drafted with the help of business groups and after conversations with the University System of Georgia, which has not taken a position on it.
Andy Green, an information security lecturer at KSU and Camille Fischer, a fellow at Electronic Frontier Foundation, both think it’s a bad bill. Andy’s concern is this could make it harder for “gray hackers” to alert businesses and organizations of data weaknesses, pointing to the cybersecurity experts who found in 2016 and 2017 a server at Kennesaw State University had left Georgia’s 6.7 million voter records exposed. Camille said independent security research is the “backbone” of efforts to protect consumers’ data.
Something as simple as lying about your age on social media could land you in jail is a concern for Sean J. Young, Legal Director for the ACLU of Georgia.
The bill’s lead sponsor, Sen. Bruce Thompson, isn’t convinced and said some hackers have unethical or illegal intentions.
What about sharing your password to your Netflix account with your roommate? According to Carr, “Our district attorneys with their limited time and resources are not going to spend any time trying to prosecute a roommate using the Netflix password.”
If this measure becomes law, that’ll leave Virginia and Alaska as the only states that do not have on-line snooping laws.
Only time will tell if this measure, much like the federal Computer Fraud and Abuse Act, will be abused.