[ale] Georgia SB 315 Computer Intrusion Bill ACTION ALERT

[Scott M. Jones]

Here is the direct link:

https://www.ef-georgia.org/index.php/action-alerts/8-georgia-sb-315-the-computer-intrusion-bill.html

It's also on our Action Alert page:

https://www.ef-georgia.org/index.php/action-alerts.html

On 2/1/18 11:49 AM, Dustin Priest via Ale wrote:
> Hi Scott,
> 
>     Thanks for the heads-up. Would you mind throwing this on your
> website so we can have a link to share?
> 
> 
> On 2/1/2018 11:38 AM, Scott M. Jones via Ale wrote:
>> My apologies for the "political" spam but pretty much everyone who uses
>> a computer/mobile is at risk and those who do non-commercial/academic
>> security research are especially at risk.  Please see below.
>>
>> -----------
>>
>> Bad news today...  Today I found out that GA SB 315 was pushed through
>> the Public Safety committee yesterday and has already been voted on to
>> move through committee.  I was hoping to testify against it but did not
>> realize it would go through committee so soon.
>>
>> The next steps for the bill: It will go through the rules committee
>> today or Monday and could be voted on the Senate floor as early as
>> Monday or Tuesday Feb. 5 or 6 (per my state senator's office, I have
>> already been in contact today).
>>
>> If you live in Georgia or do business in Georgia, WE NEED YOU TO CALL
>> YOUR STATE SENATOR TODAY!!!
>>
>> This bill threatens: (1) non-business related security research
>> including academic research, and (2) could make violations of commercial
>> Terms of Service a criminal act (something as simple as lying about your
>> age or legal name on Facebook).
>>
>> What to do TODAY if you live or do business in Georgia:
>> (1) Go to openstates.org, enter your address, and find the name of your
>> State Senator (not House representative yet, Senate is the top priority).
>>
>> (2) Find the phone number and CALL today, email is not fast enough.
>>
>> (3) Be very polite when you call, you are talking to an assistant or
>> page and this bill is not their fault.
>>
>> (4) Register your concern about Georgia Senate Bill 315 the Computer
>> Intrusion bill.
>>
>> (5) Talking point are (1) academic and non-commercial security research
>> is not protected and (2) Terms of Service should be strictly a matter of
>> civil law and not be criminalized.  Failing that, you can ask them to
>> vote against the bill.
>>
>> (6) They have a right to ask for your legal name and address.  It adds
>> legitimacy to your request and they can determine if you are a
>> constituent or what your stake is in the bill.  This should not be done
>> anonymously.
>>
>> ------
>>
>> Here is the link to the bill with our analysis:
>>
>> SB 315: The Computer Intrusion Bill
>>
>> Latest bill text:
>> http://www.legis.ga.gov/Legislation/20172018/172171.pdf
>>
>> Good points so far:
>> * “with knowledge that such access is without authority” - requires
>> intent, no accidental infringement
>>
>> * “A parent or legal guardian of an individual who is under the age of
>> 18” - parental carveout, good idea
>>
>> * “Access to a computer or computer network for a legitimate business
>> activity” - good start but does not go far enough.  Academic,
>> non-business research, etc.
>>
>> * Property forfeiture was removed yesterday, but unsure if it can be
>> inferred from other areas of existing law.
>>
>>
>> Problems:
>> * “without authority” is not defined.  Who is giving authority?  Left
>> for the courts to decide.  Major problem with Federal CFAA also.
>>
>> * Terms of Service will be swept into the domain of criminal law.  TOS
>> should ABSOLUTELY be reserved for the domain of civil law.  In most
>> cases, suspension of service by a provider is an adequate remedy.
>> Otherwise, the state is put in the business of using criminal resources
>> to enforce civil matters, an improper use of public funds.
>>
>> * Property forfeiture was previously in the bill but appears to have
>> been removed.  Property forfeiture if it occurs, MUST: (1) be strictly
>> limited to those items needed for forensic evidence, (2) in the case of
>> acquittal, all items shall be returned to the accused in a timely
>> manner, (3) under no circumstances should items be sold to provide
>> specific monetary benefit to individual and specific law enforcement
>> agencies, any such revenue shall go directly to the general state fund
>> for disbursement through normal budgetary controls.
>>
>> * In section 2 regarding venue, a judge should be specifically permitted
>> to consolidate cases in multiple locations into a single location for
>> the sake of reasonableness, in cases where violations have occurred in
>> multiple counties.
>>
>> * NO carveout for non-commercial, ethical security research is present.
>> THIS INCLUDES ACADEMIC RESEARCH.
>>
>> * The bill may not be necessary at all.  The older legal concept of
>> “trespass to chattels” has been used successfully against spammers and
>> malware authors.  This may be sufficient in the case of computer
>> intrusion.
>>
>> At a minimum I would insist on the following amendments.
>>
>> #1. Ethical security research of an academic or non-commercial nature
>> MUST be protected.  The bill only protects "legitimate business
>> activity" which may not include academic activity and independent
>> non-profit security research.  Many security researchers do work out the
>> goodness of their own heart to keep our computer systems as safe as
>> possible, and they are reporting findings ethically with no malicious
>> intent.  This activity MUST be protected.
>>
>>
>> #2. Commercial "Terms of Service" violations must NOT be construed as a
>> violation of criminal law.  This leads to a situation where something as
>> simple as lying about your age or legal name on Facebook could trigger
>> criminal liability.  The state should NOT be in the business of using
>> criminal law resources to prosecute commercial Terms of Service
>> violations.  This is the domain of civil law and is a waste of precious
>> state resources (given the problems we have with drugs, terrorism, human
>> trafficking, etc., the police and courts have more important priorities).