Georgia Senate Thinks It Can Fix Its Election Security Issues By Criminalizing Password Sharing, Security Research
from the if-you-can't-make-it-better,-at-least-stop-making-it-worse dept
When bad things happen, bad laws are sure to follow. The state of Georgia has been through some tumultuous times, electorally-speaking. After a presidential election plagued with hacking allegations, the Georgia Secretary of State plunged ahead with allegations of his own. He accused the DHS of performing ad hoc penetration testing on his office's firewall. At no point was he informed the DHS might try to breach his system and the DHS, for its part, was less than responsive when questioned about its activities. It promised to get back to the Secretary of State but did not confirm or deny hacking attempts the state had previously opted out of.
To make matters worse, there appeared to be evidence the state's voting systems had been compromised. A misconfigured server left voter records exposed, resulting in a lawsuit against state election officials. Somehow, due to malice or stupidity, a server containing key evidence needed in the lawsuit was mysteriously wiped clean, just days after the lawsuit was filed.
Rather than double down on efforts to secure state voting systems, the state legislature has decided to expand the definition of computer crime. A CFAA but for federalists has been introduced in the state Senate. And it could possibly lead to criminalizing a whole lot of benign computer use.
A new bill winding its way through the Georgia state senate has cybersecurity experts on alert. As Senate Bill 315 is currently written, academics and independent security researchers alike could be subject to prosecution in Georgia alongside malicious hackers.
The two-page bill aims to amend legislation governing computer crimes in the Peach State to criminalize “unauthorized computer access.” It would penalize violations as a “high and aggravated misdemeanor,” with up to a $5,000 fine and year in jail, “any person who accesses a computer or computer network with knowledge that such access is without authority.”
"Unauthorized computer access" is a phrase security researchers hate to see. Much of their valuable work depends on unauthorized access. Criminals and malicious hackers aren't going to knock politely and ask for permission before helping themselves to personally-identifiable information or financial documents. Neither are researchers, who hope to beat criminals at their own game while helping affected entities patch holes and harden existing systems.
But it gets even worse. It's not just security research being criminalized. State senators appear ready to slap cuffs on Netflix users.
The bill also criminalizes terms-of-service violations, which could include infractions as minor as using a pseudonym on Facebook or sharing a password, says a Georgia government lawyer who spoke on the condition of anonymity.
I can see how someone connected to this law might want to remain anonymous. I mean, these are the non-anonymous assertions of named prosecutors who support the bill -- and I'd definitely want to distance myself from those as well.
A representative for Georgia Attorney General Chris Carr declined to comment for this story. In a statement, Carr said Georgia is “one of only three states in the nation where it is not illegal to access a computer, so long as nothing is disrupted or stolen. This doesn’t make any sense. Unlawfully accessing any computer in Georgia should be a crime, and we must fix this loophole."
The AG makes unauthorized access sound so nefarious when, in many cases, it's perfectly harmless. Password sharing gives people technically unlawful access, but letting a few extra people log into an HBO Go account shouldn't be a criminal act. Running a script to scrape publicly-available info from a website may be annoying to the site's owner (and likely forbidden by the terms of service), but it's nothing anyone should be looking at jail time for committing.
The state is still stinging from its election security failures and has decided to take it out on its citizens. The bill received a second pass in the state Senate before passing, but the amendments made were mostly useless. They granted exemptions for parents monitoring their kids' computer use and added some badly-worded stuff about "legitimate business activity," but the bill remains a second-rate CFAA just waiting to be abused by zealous prosecutors. And it's going to harm local businesses, which definitely shouldn't have to pay the price for the government's security issues.
“Companies will move divisions elsewhere, and startups will go elsewhere. Likewise, students will search for jobs elsewhere,” Georgia-based independent security researcher Rob Graham says. “It’s insane for legislators wanting to pass legislation that will mess this up.”
This is lawmaking so short-sighted it won't even solve the problem it's supposedly designed to target. The state needs to fix its own security issues before it starts criminalizing security research and password sharing. If it has problems with its election machine vendors, it should take it up with them, rather than burdening constituents with an unnecessary law that lends itself to abuse.
Filed Under: cfaa, cybersecurity, election security, georgia, hacking, password sharing, security research
Reader Comments
Linda Ellis and Matthew Chan and Carl Malamud
(incinerated under that tin-foil hat again!)
[ link to this | view in thread ]
Netflix allows me to stream to 2 devices at the same time. I see no issue with sharing my password as I'm granting "authority" via giving the person my password.
[ link to this | view in thread ]
more fun than you'd think
I'm going for something a little more fun in the meantime, and looking to see which elected members of the GA House are currently in violation of this law if it passed - I know of at least one that's violated it three different ways just on Facebook (and he's already kinda infamous in GA).
[ link to this | view in thread ]
Re:
"The Netflix service and any content viewed through our service are for your personal and non-commercial use only. During your Netflix membership, we grant you a limited, non-exclusive, non-transferable, license to access the Netflix service and view Netflix content through the service. Except for the foregoing limited license, no right, title or interest shall be transferred to you. You agree not to use the service for public performances."
You're transferring the license to include an external party, one that would not normally be considered a valid member of the household.
[ link to this | view in thread ]
Re: more fun than you'd think
[ link to this | view in thread ]
That is circular as hell.
[ link to this | view in thread ]
Perfect idea.
[ link to this | view in thread ]
Re:
1. Duplicating keys (eg, password sharing)
2. Research into Lock Mechanisms (eg, Security Research)
End result of item 2 is that we'll never see any locks that are more secure than what we have today.
[ link to this | view in thread ]
Again they beat the drums.
I like Oregon. We vote by mail. Also, we can vote early which stops many of the robo-calls re a vote.
[ link to this | view in thread ]
So TSA will no longer ask for your social media passwords?
[ link to this | view in thread ]
Re: Re: more fun than you'd think
If nothing else it would make for a fun way to force them to either back down on the bill or publicly admit that they don't believe that they should be treated the same under the law as those they 'serve'.
If a politician is backing a bill, and you point out that they are currently in violation of it such that the second it becomes law they'll be on the hook for jail time and they don't stop backing it they're not only displaying some blatant hypocrisy ('It's okay when I do it, but it's jail time for anyone else'), as well as showing that they don't believe that it would be used against them, and no guesses needed as to why they'd think that.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Unlawfully accessing any computer in Georgia should be a crime, and we must fix this loophole.
So, we're just ignoring that by definition, unlawfully accessing a computer is already illegal?
[ link to this | view in thread ]
They will only know that someone went to a VPN, but not be able to figure out where they went beyond that VPN.
Under both California law, and the CFAA, it is only a criminal offense if you used a hacked, cracked, stolen, or otherwise illegally obtained password, when it comes to accessing an unsecured Wifi network.
Because laws in other states are different, I use a VPN when I travel, so that I cannot be identified by where I go. All that would be known is that I went to a VPN. Where I went beyond that VPN could never be determined.
Some places don't always have cellular data available, the "quiet zone", which covers much of Nevada to protect Area 51, has no cellular data, is an example, and only analog voice communications close to towns, so I have to use an open Wifi wherever I can find it, and I use VPN when I do, so that if I am unknowingly violating Nevada law, they would be able to identify me by where I go. I also let KillDisk run on my laptop all night, when I park for the night, so that any evidence is erased, and cannot be recovered.
The more conservative states do have stricter laws on this, unlike tech-heavy states, like Oregon or California.
This is why using a VPN is highly advised when travelling, so that where you went cannot be determined if you need to use an unsecured WiFi somewhere.
[ link to this | view in thread ]
Re:
If something like this had been the law either in California, or under the CFAA, in the late 1980s, a lot of the student body at College of Marin could probably have been prosecuted, for something we did.
We found a trick that would let us circumvent the disk quotas and let us store as much as we wanted.
We were not breaking any laws either under the CFAA, or California law, when we did that, back in the late 1980s.
[ link to this | view in thread ]
Password sharing with my mistress is my own business
[ link to this | view in thread ]
Now for the evening news
[ link to this | view in thread ]
Re:
Just set up a VPN on your home computer network, and it appears as if you are coming from your home computer.
Then when you get home, you just wipe the evidence from your home computer, and whatever devices the TSA used.
Like I said before
No evidence = NO CASE
[ link to this | view in thread ]
Re: Re:
Except they will prosecute you for destruction of evidence.
[ link to this | view in thread ]