[ale] Georgia SB 315 Computer Intrusion Bill ACTION ALERT

Scott M. Jones eff at dragoncon.org
Thu Feb 1 11:38:48 EST 2018


My apologies for the "political" spam but pretty much everyone who uses
a computer/mobile is at risk and those who do non-commercial/academic
security research are especially at risk.  Please see below.

-----------

Bad news today...  Today I found out that GA SB 315 was pushed through
the Public Safety committee yesterday and has already been voted on to
move through committee.  I was hoping to testify against it but did not
realize it would go through committee so soon.

The next steps for the bill: It will go through the rules committee
today or Monday and could be voted on the Senate floor as early as
Monday or Tuesday Feb. 5 or 6 (per my state senator's office, I have
already been in contact today).

If you live in Georgia or do business in Georgia, WE NEED YOU TO CALL
YOUR STATE SENATOR TODAY!!!

This bill threatens: (1) non-business related security research
including academic research, and (2) could make violations of commercial
Terms of Service a criminal act (something as simple as lying about your
age or legal name on Facebook).

What to do TODAY if you live or do business in Georgia:
(1) Go to openstates.org, enter your address, and find the name of your
State Senator (not House representative yet, Senate is the top priority).

(2) Find the phone number and CALL today, email is not fast enough.

(3) Be very polite when you call, you are talking to an assistant or
page and this bill is not their fault.

(4) Register your concern about Georgia Senate Bill 315 the Computer
Intrusion bill.

(5) Talking points are (1) academic and non-commercial security research
is not protected and (2) Terms of Service should be strictly a matter of
civil law and not be criminalized.  Failing that, you can ask them to
vote against the bill.

(6) They have a right to ask for your legal name and address.  It adds
legitimacy to your request and they can determine if you are a
constituent or what your stake is in the bill.  This should not be done
anonymously.

------

Here is the link to the bill with our analysis:

SB 315: The Computer Intrusion Bill

Latest bill text:
http://www.legis.ga.gov/Legislation/20172018/172171.pdf

Good points so far:
* “with knowledge that such access is without authority” - requires
intent, no accidental infringement

* “A parent or legal guardian of an individual who is under the age of
18” - parental carveout, good idea

* “Access to a computer or computer network for a legitimate business
activity” - good start but does not go far enough.  Academic,
non-business research, etc.

* Property forfeiture was removed yesterday, but unsure if it can be
inferred from other areas of existing law.


Problems:
* “without authority” is not defined.  Who is giving authority?  Left
for the courts to decide.  Major problem with Federal CFAA also.

* Terms of Service will be swept into the domain of criminal law.  TOS
should ABSOLUTELY be reserved for the domain of civil law.  In most
cases, suspension of service by a provider is an adequate remedy.
Otherwise, the state is put in the business of using criminal resources
to enforce civil matters, an improper use of public funds.

* Property forfeiture was previously in the bill but appears to have
been removed.  Property forfeiture, if it occurs, MUST: (1) be strictly
limited to those items needed for forensic evidence, (2) in the case of
acquittal, all items shall be returned to the accused in a timely
manner, (3) under no circumstances should items be sold to provide
specific monetary benefit to individual and specific law enforcement
agencies, any such revenue shall go directly to the general state fund
for disbursement through normal budgetary controls.

* In section 2 regarding venue, a judge should be specifically permitted
to consolidate cases in multiple locations into a single location for
the sake of reasonableness, in cases where violations have occurred in
multiple counties.

* NO carveout for non-commercial, ethical security research is present.
THIS INCLUDES ACADEMIC RESEARCH.

* The bill may not be necessary at all.  The older legal concept of
“trespass to chattels” has been used successfully against spammers and
malware authors.  This may be sufficient in the case of computer intrusion.

At a minimum I would insist on the following amendments.

#1. Ethical security research of an academic or non-commercial nature
MUST be protected.  The bill only protects "legitimate business
activity" which may not include academic activity and independent
non-profit security research.  Many security researchers do work out of the
goodness of their own heart to keep our computer systems as safe as
possible, and they are reporting findings ethically with no malicious
intent.  This activity MUST be protected.


#2. Commercial "Terms of Service" violations must NOT be construed as a
violation of criminal law.  This leads to a situation where something as
simple as lying about your age or legal name on Facebook could trigger
criminal liability.  The state should NOT be in the business of using
criminal law resources to prosecute commercial Terms of Service
violations.  This is the domain of civil law and is a waste of precious
state resources (given the problems we have with drugs, terrorism, human
trafficking, etc., the police and courts have more important priorities).


Scott M. Jones
Electronic Frontiers Georgia
scott at ef-georgia.org

