[ale] Georgia SB 315 Computer Intrusion Bill ACTION ALERT

Dustin Priest dustin.h.strickland at gmail.com
Thu Feb 1 11:49:37 EST 2018


Hi Scott,

     Thanks for the heads-up. Would you mind throwing this on your 
website so we can have a link to share?


On 2/1/2018 11:38 AM, Scott M. Jones via Ale wrote:
> My apologies for the "political" spam but pretty much everyone who uses
> a computer/mobile is at risk and those who do non-commercial/academic
> security research are especially at risk.  Please see below.
>
> -----------
>
> Bad news today...  Today I found out that GA SB 315 was pushed through
> the Public Safety committee yesterday and has already been voted on to
> move through committee.  I was hoping to testify against it but did not
> realize it would go through committee so soon.
>
> The next steps for the bill: It will go through the rules committee
> today or Monday and could be voted on the Senate floor as early as
> Monday or Tuesday Feb. 5 or 6 (per my state senator's office, I have
> already been in contact today).
>
> If you live in Georgia or do business in Georgia, WE NEED YOU TO CALL
> YOUR STATE SENATOR TODAY!!!
>
> This bill threatens: (1) non-business related security research
> including academic research, and (2) could make violations of commercial
> Terms of Service a criminal act (something as simple as lying about your
> age or legal name on Facebook).
>
> What to do TODAY if you live or do business in Georgia:
> (1) Go to openstates.org, enter your address, and find the name of your
> State Senator (not House representative yet, Senate is the top priority).
>
> (2) Find the phone number and CALL today, email is not fast enough.
>
> (3) Be very polite when you call, you are talking to an assistant or
> page and this bill is not their fault.
>
> (4) Register your concern about Georgia Senate Bill 315, the Computer
> Intrusion bill.
>
> (5) Talking points are (1) academic and non-commercial security research
> is not protected and (2) Terms of Service should be strictly a matter of
> civil law and not be criminalized.  Failing that, you can ask them to
> vote against the bill.
>
> (6) They have a right to ask for your legal name and address.  It adds
> legitimacy to your request and they can determine if you are a
> constituent or what your stake is in the bill.  This should not be done
> anonymously.
>
> ------
>
> Here is the link to the bill with our analysis:
>
> SB 315: The Computer Intrusion Bill
>
> Latest bill text:
> http://www.legis.ga.gov/Legislation/20172018/172171.pdf
>
> Good points so far:
> * “with knowledge that such access is without authority” - requires
> intent, no accidental infringement
>
> * “A parent or legal guardian of an individual who is under the age of
> 18” - parental carveout, good idea
>
> * “Access to a computer or computer network for a legitimate business
> activity” - good start but does not go far enough.  Academic,
> non-business research, etc.
>
> * Property forfeiture was removed yesterday, but unsure if it can be
> inferred from other areas of existing law.
>
>
> Problems:
> * “without authority” is not defined.  Who is giving authority?  Left
> for the courts to decide.  Major problem with Federal CFAA also.
>
> * Terms of Service will be swept into the domain of criminal law.  TOS
> should ABSOLUTELY be reserved for the domain of civil law.  In most
> cases, suspension of service by a provider is an adequate remedy.
> Otherwise, the state is put in the business of using criminal resources
> to enforce civil matters, an improper use of public funds.
>
> * Property forfeiture was previously in the bill but appears to have
> been removed.  Property forfeiture, if it occurs, MUST: (1) be strictly
> limited to those items needed for forensic evidence, (2) in the case of
> acquittal, all items shall be returned to the accused in a timely
> manner, (3) under no circumstances should items be sold to provide
> specific monetary benefit to individual and specific law enforcement
> agencies, any such revenue shall go directly to the general state fund
> for disbursement through normal budgetary controls.
>
> * In section 2 regarding venue, a judge should be specifically permitted
> to consolidate cases in multiple locations into a single location for
> the sake of reasonableness, in cases where violations have occurred in
> multiple counties.
>
> * NO carveout for non-commercial, ethical security research is present.
> THIS INCLUDES ACADEMIC RESEARCH.
>
> * The bill may not be necessary at all.  The older legal concept of
> “trespass to chattels” has been used successfully against spammers and
> malware authors.  This may be sufficient in the case of computer intrusion.
>
> At a minimum I would insist on the following amendments.
>
> #1. Ethical security research of an academic or non-commercial nature
> MUST be protected.  The bill only protects "legitimate business
> activity" which may not include academic activity and independent
> non-profit security research.  Many security researchers do work out of the
> goodness of their own heart to keep our computer systems as safe as
> possible, and they are reporting findings ethically with no malicious
> intent.  This activity MUST be protected.
>
>
> #2. Commercial "Terms of Service" violations must NOT be construed as a
> violation of criminal law.  This leads to a situation where something as
> simple as lying about your age or legal name on Facebook could trigger
> criminal liability.  The state should NOT be in the business of using
> criminal law resources to prosecute commercial Terms of Service
> violations.  This is the domain of civil law and is a waste of precious
> state resources (given the problems we have with drugs, terrorism, human
> trafficking, etc., the police and courts have more important priorities).
>
>
> Scott M. Jones
> Electronic Frontiers Georgia
> scott at ef-georgia.org
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo


