Georgia Senate Bill 315: The Unauthorized Computer Access Bill

Update (May 8, 2018): Governor Nathan Deal has announced that SB 315, among others, has been vetoed! Please see the official statement here and scroll down to #18. Electronic Frontiers Georgia realizes that the issues addressed in SB 315 remain unresolved, and stands willing to work with the legislature, law enforcement, and the information security community to craft an acceptable compromise in a future legislative session.

Update (May 4, 2018): We expect to hear whether Governor Deal chose to veto SB 315 by Wednesday, May 9th at the latest. In the meantime, we have posted a panel discussion, recorded Wednesday, May 2nd, with many insights on problems with the bill.

Update (Apr. 13, 2018): SB 315 will be presented to Governor Deal by his staff next week. This is the best time to ask the Governor to veto the bill.  Call 404-656-1776 to register your opposition and/or use this form to send your comments online. (EFF has also provided this form with a pre-written letter ready to go.)

Update (Apr. 2, 2018): A WABE article covers many angles.

Update (Mar. 30, 2018): On March 29th, the Georgia Senate voted through the House version of SB 315 as version LC 29 8107S and thus no conference committee was required. From here it goes to the governor's desk.

Update (Mar. 22, 2018): On March 22nd, the House Judiciary Non-Civil Committee voted in this version of SB 315, changing 'and' to 'or' on line 18, and rejecting this amendment, which would have substantially expanded protections for threat research in all of its forms. EFGA opposes the rejection of the amendment and will continue to fight the bill. EFGA was unable to secure the broad protections needed to give confidence to the entire security research community, so that they may continue to have a "safe space" to operate in.

Update (Mar. 19, 2018): SB 315 full committee meeting delayed until Tuesday, March 20. Sessions will run 10 a.m. to noon and 1:00 p.m. on. We expect to meet in 406 CLOB.

Update (Mar. 18, 2018): SB 315 goes to the full Senate Non-Judiciary Committee on Monday, March 19, for a vote. EFGA plans to be there to lobby against it, at the velvet rope on the House side starting at 10:30am to noon, and then at 406 CLOB starting at 1:00pm. Please join us if you can to speak to your legislators face-to-face about the problems with the bill.

RED ALERT (Mar. 6, 2018): SB 315 is back on the calendar. A substitute bill could be offered. This is a subcommittee meeting, so any substitute could NOT be voted all the way to the floor. Wednesday, March 7, 2018 at 3:00 PM in 606 CLOB.

Major Update (Mar. 5, 2018): With the filing of SR 929, EFGA believes that progress on SB 315 has halted and the bill is effectively dead. We will watch over the remaining 10 days of the session to be sure. Please see our press release here.

Update (Mar. 2, 2018): New article posted on medium.com.

Update (Feb. 28, 2018): New article posted in the Naked Security blog by Sophos.

Update (Feb. 26, 2018): New articles posted by EFF, Atlanta Business Chronicle, and The Register (UK).

Update (Feb. 22, 2018): Videos of the Senate Public Safety Committee Meeting on SB 315 and Senate Floor Debate on SB 315 have been posted.

Update (Feb. 15, 2018): SB 315 has been moved in the House to the Judiciary Non-Civil Committee. This is a potentially favorable development, but we will still need to make a good showing at the committee meeting. See the WABE article on the bill.

Update (Feb. 14, 2018): We will be at DC404 this Saturday, Feb. 17th, from 2:00 p.m. to 4:00 p.m. at Manuel's Tavern to present the latest info on SB 315.

Update (Feb. 13, 2018): SB 315 passed the full Senate this week by a vote of 41 for to 11 against. An amendment to restrict the bill to "malicious" activity failed on the floor. We heartily thank Senator Jennifer Jordan for speaking out against the worst abuses of the bill and attempting to attach a limiting amendment.

Update (Feb. 12, 2018): This article from The Parallax has some excellent background on SB 315.

Update (Feb. 10, 2018): SB 315 will be up for a vote on the Senate floor on Monday, February 12th. We expect it to pass but are hoping for amendments or maybe some drama on the floor that could draw attention to the many problems with the bill. Senate chamber proceedings will be livestreamed here starting Monday Feb. 12th at 10:00 a.m. EST.

Update (Feb. 4, 2018): We will be at the State Capitol on Tuesday Feb. 6th at 9:00 a.m. for GA SB315 Lobby Day.  Please join us!

See the EFF article about GA SB315 here.

Electronic Frontiers Georgia is gravely concerned that Georgia Senate Bill 315 could impact non-commercial, academic security research and could make violations of Terms of Service (something as simple as lying about your age on Facebook) a criminal offense.

EFGA urges all interested parties residing in Georgia, or doing business in Georgia, to call their state senator and register their concerns.   Find your state senator by going to openstates.org and putting in your residence address.

Update as of Feb. 1, 2018: SB 315 was approved by the Public Safety Committee on January 31st.  EFGA was caught off guard and did not have a chance to testify against the measure.  This could go to the senate floor for a vote as early as Monday, February 5th or Tuesday, February 6th.  At this point amendments could be offered on the floor or we could ask the full senate to vote it down.

At a minimum we would insist on the following amendments.  Failing that we can ask our senators to vote against the bill.

  1. Ethical security research of an academic or non-commercial nature MUST be protected. The bill only protects "legitimate business activity", which may not include academic activity and independent non-profit security research. Many security researchers do work out of the goodness of their own hearts to keep our computer systems as safe as possible, and they are reporting findings ethically with no malicious intent. This activity MUST be protected.
  2. Commercial "Terms of Service" violations must NOT be construed as a violation of criminal law.  This leads to a situation where something as simple as lying about your age or legal name on Facebook could trigger criminal liability.  The state should NOT be in the business of using criminal law resources to prosecute commercial Terms of Service violations.  This is the domain of civil law and is a waste of precious state resources (given the problems we have with drugs, terrorism, human trafficking, etc., the police and courts have more important priorities).

Full Bill Analysis

SB 315: The Computer Intrusion Bill

Latest bill text:
http://www.legis.ga.gov/Legislation/20172018/172171.pdf

Good points so far:

  • “with knowledge that such access is without authority” - requires intent, no accidental infringement
  • “A parent or legal guardian of an individual who is under the age of 18” - parental carveout, good idea
  • “Access to a computer or computer network for a legitimate business activity” - good start but does not go far enough:
    • Academic, non-business research, etc.
  • Property forfeiture was removed on January 31st, but we are unsure whether it can be inferred from other areas of existing law.

Problems:

  • “Without authority” is not defined. Who is giving authority? It's left for the courts to decide. This is a major problem with the federal CFAA also.
  • Terms of Service will be swept into the domain of criminal law. TOS should ABSOLUTELY be reserved for the domain of civil law. In most cases, suspension of service by a provider is an adequate remedy. Otherwise, the state is put in the business of using criminal resources to enforce civil matters, an improper use of public funds.
  • Property forfeiture was previously in the bill but appears to have been removed. If property forfeiture occurs, the following MUST hold:
    • Forfeiture is strictly limited to those items needed for forensic evidence,
    • In the case of acquittal, all items shall be returned to the accused in a timely manner,
    • Under no circumstances should items be sold to provide specific monetary benefit to individual and specific law enforcement agencies; any such revenue shall go directly to the general state fund for disbursement through normal budgetary controls.
  • In section 2 regarding venue, a judge should be specifically permitted to consolidate cases in multiple locations into a single location for the sake of reasonableness, in cases where violations have occurred in multiple counties.
  • NO carveout for non-commercial, ethical security research is present. THIS INCLUDES ACADEMIC RESEARCH.
  • The bill may not be necessary at all. The older legal concept of “trespass to chattels” has been used successfully against spammers and malware authors. This may be sufficient in the case of computer intrusion.