A group of information security researchers, academics, students and business owners has drafted a letter to Georgia Gov. Nathan Deal urging him to veto a bill that would criminalize “unauthorized access” of a computer or computer network, potentially jeopardizing the legality of much of the state’s $4.7 billion cybersecurity industry.
The governor is expected to review the bill, S.B. 315, this week, according to a representative from Electronic Frontiers Georgia, a digital advocacy group.
The letter includes 55 signatures and a clear call-to-action for the Republican governor, who is expected to sign the bill that was heavily supported by his attorney general, Chris Carr. The signatories, some of whom are signing in their personal capacity and some as representatives of their companies, urge a veto of the bill based on two major concerns: liability for security researchers and a provision that allows parties to “hack back.”
Legitimate business activities, one of the four exemptions in the bill, are “undefined,” the letter says, and create “ambiguity for researchers unconnected with a business (such as academics or independent researchers acting without remuneration) and how activities will be qualified as ‘legitimate.’”
The bill has been raising concerns for researchers since its introduction earlier this year. Despite having “good intentions,” the letter says, the bill’s vague language threatens virtually everybody who uses the internet in Georgia with the potential to be charged with “unauthorized access” of a computer or computer network.
“The only people who will be prosecuted will be those who try to report [vulnerabilities] — which means people won’t report,” Frank Rietta, a Georgia-based security researcher, told StateScoop.
The letter also says that the “hack back” provision that the bill includes could grant authority under state law to companies looking to retaliate or spy on “independent researchers, unwitting users whose devices have been compromised by malicious hackers, or innocent people that a company merely suspects of bad intentions.”
Some of the signatories are optimistic about the letter, but wary of the future nonetheless.
“This is the first of what I believe will be many attempts by elected officials to draft legislation focused on infosec-related matters,” said Andy Green, a lecturer at Kennesaw State University. “Long-term, infosec professionals and academics will have to find a way to work with elected leaders and their staffs, to help inform and craft better legislation in the future. If we fail to do so, I believe we will find ourselves fighting bills like this more often in the future.”
The governor has 40 days to sign or veto the bill once it reaches his desk, which it did on March 30. In Georgia, the governor may ignore a bill and it will become law after the grace period. Unless vetoed, this law will go into effect on July 1.
This story was updated shortly after publication to clarify that not all those who signed the letter are based in Georgia. The story was updated again on April 19, 2018 to include comments from Andy Green.