A bill introduced to the Georgia General Assembly on Jan. 9 aims to make unauthorized computer access illegal in the state, but cybersecurity researchers are worried that the bill’s unclear language could pose a danger to citizens.
Sen. Bruce Thompson, R-Ga., introduced Senate Bill 315 to modify the Georgia Computer Systems Protection Act, an existing law regarding computer crimes that was passed in 2010, said Andrew Green, a lecturer of information security and assurance at Kennesaw State.
The purpose of the bill is to add the crime of unauthorized computer access to the GCSPA, a concept not previously defined under Georgia law. Georgia is one of three states in the nation without a law regarding unauthorized computer access, according to Attorney General Chris Carr in an 11Alive article.
Many are worried, however, about the language used in SB 315. The bill defines “unauthorized computer access” as “accessing a computer or computer network with the knowledge that such access is without authority.” The bill does not go on to clearly define the words “access” and “authority,” leaving the bill open to interpretation.
Green expressed his concern over the bill, saying that a clear definition of unauthorized access is essential to prevent misuse and misapplication of Georgia’s cybersecurity laws.
“When key terms of a law are left undefined, it leaves the door open to being used in ways much broader and wider than the legislature may have intended or even thought of,” Green said.
Green compared the bill to the Federal Computer Fraud and Abuse Act, a federal law that made it illegal to access any protected computer without authorization or in excess of authorization. This law gives greater detail when defining certain types of crimes and associated penalties, but Green explained that it leaves out clear definitions for some key terms.
“[This] has led to overzealous federal prosecutors using the CFAA in ways that actually inhibit legitimate cybersecurity research efforts,” Green said.
Green said he had experienced misapplication of the CFAA and the GCSPA by prosecutors in the past.
“A friend of mine was once charged with violating both the GCSPA and the CFAA for engaging in the simple act of port scanning,” Green said. “Because the terminology in those laws [is] so vague, prosecutors were able to use it to unfairly prosecute normal, accepted practice in our field.”
Green also mentioned that people have been charged under the CFAA because they violated a vendor’s terms of service.
“In personal terms, that’s like Comcast saying that if you do something that they believe violates their terms of service, the federal government can charge you with a crime,” Green said. “That is nothing short of insane, but it has happened.”
If SB 315 continues through the Georgia General Assembly without any revisions to make its language clearer, it could have an immense impact on cybersecurity researchers and students.
Limitations on security research could be the result of researchers being punished under the law for normal, everyday procedures. Researchers may also not be as willing to involve students in their research.
“If the language stays as-is, it would be reckless for me to engage students in research efforts if the possibility exists that they could get charged under this law,” Green said.
Attorneys working with the Electronic Frontier Foundation have shared thoughts on how to improve the CFAA by adding clearer definitions to key terms. Green believes these thoughts could also be used to improve SB 315.