Georgia Senate Thinks It Can Fix Its Election Security Issues By Criminalizing Password Sharing, Security Research
from the if-you-can't-make-it-better,-at-least-stop-making-it-worse dept
When bad things happen, bad laws are sure to follow. The state of Georgia has been through some tumultuous times, electorally-speaking. After a presidential election plagued with hacking allegations, the Georgia Secretary of State plunged ahead with allegations of his own. He accused the DHS of performing ad hoc penetration testing on his office’s firewall. At no point was he informed the DHS might try to breach his system and the DHS, for its part, was less than responsive when questioned about its activities. It promised to get back to the Secretary of State but did not confirm or deny hacking attempts the state had previously opted out of.
To make matter worse, there appeared to be evidence the state’s voting systems had been compromised. A misconfigured server left voter records exposed, resulting in a lawsuit against state election officials. Somehow, due to malice or stupidity, a server containing key evidence needed in the lawsuit was mysteriously wiped clean, just days after the lawsuit was filed.
Rather than double down on efforts to secure state voting systems, the state legislature has decided to expand the definition of computer crime. A CFAA but for federalists has been introduced in the state Senate. And it could possibly lead to criminalizing a whole lot of benign computer use.
A new bill winding its way through the Georgia state senate has cybersecurity experts on alert. As Senate Bill 315 is currently written, academics and independent security researchers alike could be subject to prosecution in Georgia alongside malicious hackers.
The two-page bill aims to amend legislation governing computer crimes in the Peach State to criminalize “unauthorized computer access.” It would penalize violations as a “high and aggravated misdemeanor,” with up to a $5,000 fine and year in jail, “any person who accesses a computer or computer network with knowledge that such access is without authority.”
“Unauthorized computer access” is a phrase security researchers hate to see. Much of their valuable work depends on unauthorized access. Criminals and malicious hackers aren’t going to knock politely and ask for permission before helping themselves to personally-identifiable information or financial documents. Neither are researchers, who hope to beat criminals at their own game while helping affected entities patch holes and harden existing systems.
But it gets even worse. It’s not just security research being criminalized. State senators appear ready to slap cuffs on Netflix users.
The bill also criminalizes terms-of-service violations, which could include infractions as minor as using a pseudonym on Facebook or sharing a password, says a Georgia government lawyer who spoke on the condition of anonymity.
I can see how someone connected to this law might want to remain anonymous. I mean, these are the non-anonymous assertions of named prosecutors who support the bill — and I’d definitely want to distance myself from those as well.
A representative for Georgia Attorney General Chris Carr declined to comment for this story. In a statement, Carr said Georgia is “one of only three states in the nation where it is not illegal to access a computer, so long as nothing is disrupted or stolen. This doesn’t make any sense. Unlawfully accessing any computer in Georgia should be a crime, and we must fix this loophole.”
The AG makes unauthorized access sound so nefarious when, in many cases, it’s perfectly harmless. Password sharing gives people technically unlawful access, but letting a few extra people log into an HBO Go account shouldn’t be a criminal act. Running a script to scrape publicly-available info from a website may be annoying to the site’s owner (and likely forbidden by the terms of service), but it’s nothing anyone should be looking at jail time for committing.
The state is still stinging from its election security failures and has decided to take it out on its citizens. It received a second pass in the state Senate before passing but the amendments made were mostly useless. It granted exemptions for parents monitoring their kids’ computer use and some badly-worded stuff about “legitimate business activity,” but the bill remains a second-rate CFAA just waiting to be abused by zealous prosecutors. And it’s going to harm local businesses, which definitely shouldn’t have to pay the price for the government’s security issues.
“Companies will move divisions elsewhere, and startups will go elsewhere. Likewise, students will search for jobs elsewhere,” Georgia-based independent security researcher Rob Graham says. “It’s insane for legislators wanting to pass legislation that will mess this up.”
This is lawmaking so short-sighted it won’t even solve the problem it’s supposedly designed to target. The state needs to fix its own security issues before it starts criminalizing security research and password sharing. If it has problems with its election machine vendors, it should take it up with them, rather than burdening constituents with an unnecessary law that lends itself to abuse.
Filed Under: cfaa, cybersecurity, election security, georgia, hacking, password sharing, security research
Comments on “Georgia Senate Thinks It Can Fix Its Election Security Issues By Criminalizing Password Sharing, Security Research”
Oh boy, what’s next? To combat the high rate of break-ins will Georgia also make it illegal to make a spare set of keys?
Re: Re:
To combat break ins, make TWO things illegal:
1. Duplicating keys (eg, password sharing)
2. Research into Lock Mechanisms (eg, Security Research)
End result of item 2 is that we’ll never see any locks that are more secure than what we have today.
Linda Ellis and Matthew Chan and Carl Malamud
But…how else will they legalize the sorts of abuse the legal system heaped on Mathew Chan from Linda Ellis (remember the Dash, anyone?), and from the entire legislature on Carl Malamud for daring to publish the ANNOTATIONS to the revised code?
(incinerated under that tin-foil hat again!)
Netflix allows me to stream to 2 devices at the same time. I see no issue with sharing my password as I’m granting "authority" via giving the person my password.
Re: Re:
Netflix TOS section 6
“The Netflix service and any content viewed through our service are for your personal and non-commercial use only. During your Netflix membership, we grant you a limited, non-exclusive, non-transferable, license to access the Netflix service and view Netflix content through the service. Except for the foregoing limited license, no right, title or interest shall be transferred to you. You agree not to use the service for public performances.”
you’re transfering the license to include an external party, one that would not normally be considered a valid member of the household.
more fun than you'd think
Being in GA, I’ve been working on writing this up for the past week (beat me too it Tim, booo! :-P)
I’m going for something a little more fun in the meantime, and looking to see which elected members of the GA House are currently in violation of this law if it passed – I know of at least one that’s violated it three different ways just on facebook (and he’s already kinda infamous in GA)
Re: more fun than you'd think
I’ll bet that every legislator behind this bill is guilty of multiple infractions of it. So yes, documenting the publicly-known ones would be amusing.
Re: Re: more fun than you'd think
If nothing else it would make for a fun way to force them to either back down on the bill or publicly admit that they don’t believe that they should be treated the same under the law as those they ‘serve’.
If a politician is backing a bill, and you point out that they are currently in violation of it such that the second it becomes law they’ll be on the hook for jail time and they don’t stop backing it they’re not only displaying some blatant hypocrisy(‘It’s okay when I do it, but it’s jail time for anyone else’), as well as showing that they don’t believe that it would be used against them, and no guesses needed as to why they’d think that.
_“one of only three states in the nation where it is not illegal to access a computer, so long as nothing is disrupted or stolen. This doesn’t make any sense. Unlawfully accessing any computer in Georgia should be a crime, and we must fix this loophole.”_
That is circular as hell.
Perfect idea.
Well this idea will work great. But what do I know. I’m an idiot.
Again they beat the drums.
The drums of war, war on what? Well now, that’s a different problame *cough* PROBLEM altogether. The peaches are trying to put out their flaming problems by making everything illegal. Pretty sure this is an epic fail waiting to happen. Barely waiting. Talk about the Streisand Effect. Now every Russian patriot will be swooping down.
I like Oregon. We vote by mail. Also, we can vote early which stops many of the robo-calls re a vote.
“Criminalizing Password Sharing”
So TSA will no longer ask for your social media passwords?
Re: Re:
Not at all, for that is sharing with the government, and they are trying to make that mandatory.
Re: Re:
If giving the TSA your passowrds becomes criminal, you can sign to a VPN, before letting them on to your computer, so that sites will not know the TSA is accessing your account.
Just set up a VPN on your home computer network, and it appear as if you are coming from your home computer.
Then when you get home, you just wipe the evidence from your home computer, and whatever devices the TSA used.
Like I said before
No evidence = NO CASE
Re: Re: Re:
Except they will prosecute you for destruction of evidence.
In fairness, Trump is doing the same thing to global warming. He’s banned research on it. ‘Out of sight, out of mind’; ‘What I don’t know won’t hurt me.’ Good job Georgia.
Unlawfully accessing any computer in Georgia should be a crime, and we must fix this loophole.
So, we’re just ignoring that by definition, unlawfully accessing a computer is already illegal?
Re: Re:
What Georgia is doing, is passing laws to cover things not covered by the CFAA.
If something like this had been the law either in California, or under the CFAA, in the late 1980s, a lot of the student body at College of Marin could probably have been prosecuted, for something we did.
We found a trick that would let us circumvent the disk quotas and let us store as much as we wanted.
We were not breaking any laws either under the CFAA, or California law, when we did that, back in the late 1980s.
With laws like that at the state level, that may not be at the federal level, that it why, when I travel, I always use a VPN with any open Wifi I may have to use, so that if I am unknowingly violating state law, the network admins will not know where I am going.
They will only know that someone went to a VPN, but not be able to figure out where they went beyond that VPN.
Under both California law, and the CFAA, it is only a criminal offense if you used a hacked, cracked, stolen, or otherwise illegally obtained password, when it comes to accessing an unsecured Wifi network.
Because laws in other states are different, I use a VPN when I travel, so that I cannot be identified by where I go. All that would be known is that I went to a VPN. Where I went beyond that VPN could never determined.
Some places don’t always have cellular data avaibale, the “quiet zone”, which covers much of Nevada protect Area 51 has no cellular data, is an example, and only analog voice communcations close to towns, so I have to use an open Wifi wherever I can find it, and I use VPN when I do, so that if I an uknowingly violating Nevada law, they would be able to identify me by where I go. I also let KillDisk run on my laptop all night, when I park for the night, so that any evidence is erased, and cannot be recovered.
The more conservative states do have stricter laws on this, unlike tech-heavy states, like Oregon or California.
This is why using a VPN is highly advised when travelling, so that where you went cannot determined if you need to use an unsecured WiFi somewhere.
Password sharing with my mistress is my own business
— General Petraeus
Now for the evening news
Shit heel politicians in shit heel state make stupid shit heel laws because they don’t understand technology. Details at 11.
They can’t even criminalize NSA’s wrongdoing.