The US state of Georgia is considering anti-hacking legislation that critics fear could criminalize security researchers. The bill, SB 315, was drawn up by state senator Bruce Thompson in January, has been approved by the state’s senate, and is now being considered by its house of representatives. The bill would expand the state’s current computer law to create what it calls the “new” crime of unauthorized computer access. It would include penalties for accessing a system without permission even if no information was taken or damaged. One of the bill’s backers, state Attorney General Chris Carr, said the bill is necessary to close a loophole: namely, the state now can’t prosecute somebody who harmlessly accesses computers without authorization.
From a statement his office put out when the bill was first introduced:
“As it stands, we are one of only three states in the nation where it is not illegal to access a computer so long as nothing is disrupted or stolen. This doesn’t make any sense. Unlawfully accessing any computer in Georgia should be a crime, and we must fix this loophole.”
But critics of the legislation believe it a) would ice Georgia’s cybersecurity industry, penalizing security researchers reporting on bugs; b) would criminalize innocent internet users engaged in innocuous and commonplace behavior, given that the law’s definition of “without authority” could be broadly extended to cover behavior that exceeds rights or permissions granted by the owner of a computer or site (in other words, terms and conditions); and c) is unnecessary, given that current law criminalizes computer theft; computer trespass (including using a computer in order to cause damage, delete data, or interfere with a computer, data or privacy); privacy invasion; altering or deleting data in order to commit forgery; and disclosure of passwords without authorization.