Georgia Senate Bill 315: The Computer Intrusion Bill

Update (Feb. 22, 2018): Videos of the Senate Public Safety Committee Meeting on SB 315 and Senate Floor Debate on SB 315 have been posted.

Update (Feb. 15, 2018): SB 315 has been moved in the House to the Judiciary Non-Civil Committee. This is a potentially favorable development, but we will still need to make a good showing at the committee meeting. See the WABE article on the bill.

Update (Feb. 14, 2018): We will be at DC404 this Saturday, Feb. 17th, from 2:00 p.m. to 4:00 p.m. at Manuel's Tavern to present the latest info on SB 315.

Update (Feb. 13, 2018): SB 315 passed the full Senate this week by a vote of 41 for to 11 against. An amendment to restrict the bill to "malicious" activity failed on the floor. We heartily thank Senator Jennifer Jordan for speaking out against the worst abuses of the bill and attempting to attach a limiting amendment.

Update (Feb. 12, 2018): This article from The Parallax has some excellent background on SB 315.

Update (Feb. 10, 2018): SB 315 will be up for a vote on the Senate floor on Monday, February 12th. We expect it to pass but are hoping for amendments or maybe some drama on the floor that could draw attention to the many problems with the bill. Senate chamber proceedings will be livestreamed here starting Monday Feb. 12th at 10:00 a.m. EST.

Update (Feb. 4, 2018): We will be at the State Capitol on Tuesday Feb. 6th at 9:00 a.m. for GA SB315 Lobby Day.  Please join us!

See the EFF Article about GA SB315 here.

Electronic Frontiers Georgia is gravely concerned that Georgia Senate Bill 315 could impact non-commercial, academic security research and could make violations of Terms of Service (something as simple as lying about your age on Facebook) a criminal offense.

EFGA urges all interested parties residing in Georgia, or doing business in Georgia, to call their state senator and register their concerns.   Find your state senator by going to openstates.org and putting in your residence address.

Update as of Feb. 1, 2018: SB 315 was approved by the Public Safety Committee on January 31st.  EFGA was caught off guard and did not have a chance to testify against the measure.  This could go to the senate floor for a vote as early as Monday, February 5th or Tuesday, February 6th.  At this point amendments could be offered on the floor or we could ask the full senate to vote it down.

At a minimum we would insist on the following amendments.  Failing that we can ask our senators to vote against the bill.

  1. Ethical security research of an academic or non-commercial nature MUST be protected.  The bill only protects "legitimate business activity" which may not include academic activity and independent non-profit security research.  Many security researchers do work out the goodness of their own heart to keep our computer systems as safe as possible, and they are reporting findings ethically with no malicious intent.  This activity MUST be protected.
  2. Commercial "Terms of Service" violations must NOT be construed as a violation of criminal law.  This leads to a situation where something as simple as lying about your age or legal name on Facebook could trigger criminal liability.  The state should NOT be in the business of using criminal law resources to prosecute commercial Terms of Service violations.  This is the domain of civil law and is a waste of precious state resources (given the problems we have with drugs, terrorism, human trafficking, etc., the police and courts have more important priorities).

Full Bill Analysis

SB 315: The Computer Intrusion Bill

Latest bill text:
http://www.legis.ga.gov/Legislation/20172018/172171.pdf

Good points so far:

  • “with knowledge that such access is without authority” - requires intent, no accidental infringement
  • “A parent or legal guardian of an individual who is under the age of 18” - parental carveout, good idea
  • “Access to a computer or computer network for a legitimate business activity” - good start but does not go far enough.
  • Academic, non-business research, etc.
  • Property forfeiture was removed on January 31st, but unsure if it can be inferred from other areas of existing law.

Problems:

  • “Without authority” is not defined. Who is giving authority? It's left for the courts to decide. Major problem with Federal CFAA also.
  • Terms of Service will be swept into the domain of criminal law. TOS should ABSOLUTELY be reserved for the domain of civil law. In most cases, suspension of service by a provider is an adequate remedy. Otherwise, the state is put in the business of using criminal resources to enforce civil matters, an improper use of public funds.
  • Property forfeiture was previously in the bill but appears to have been removed. Property forfeiture if it occurs, MUST:
    • Be strictly limited to those items needed for forensic evidence,
    • In the case of acquittal, all items shall be returned to the accused in a timely manner,
    • Under no circumstances should items be sold to provide specific monetary benefit to individual and specific law enforcement agencies; any such revenue shall go directly to the general state fund for disbursement through normal budgetary controls.
  • In section 2 regarding venue, a judge should be specifically permitted to consolidate cases in multiple locations into a single location for the sake of reasonableness, in cases where violations have occurred in multiple counties.
  • NO carveout for non-commercial, ethical security research is present. THIS INCLUDES ACADEMIC RESEARCH.
  • The bill may not be necessary at all. The older legal concept of “trespass to chattels” has been used successfully against spammers and malware authors. This may be sufficient in the case of computer intrusion.