EFFecting Digital Freedom

by Jason Kelley

Grassroots Effort Kills Bad Computer Crime Bill in Georgia

We didn't think we'd pull it off.

S.B. 315, a computer crime bill in Georgia, was introduced into the state's legislature in January.  It passed the Georgia Senate in just over a month and the House shortly thereafter.  S.B. 315 is one of many laws that have popped up over the last few decades which are modeled a bit on the Computer Fraud and Abuse Act, or CFAA, the infamous bill used to prosecute good-faith security researchers.  But the Georgia bill would have done something totally new, and exceptionally dangerous.

Not only would the bill have created a new crime of "unauthorized computer access" in the state of Georgia - which is the country's third largest cybersecurity community - and have opened up independent researchers who identified vulnerabilities in computer systems to prosecution and sentencing of up to a year in jail, it would also have allowed for preemptive "active defense," giving authority under state law to companies to "hack back" or spy on potentially everyone from independent researchers to users whose devices have been compromised by malicious hackers.  This precedent-setting legislation was, thankfully, vetoed at the very last minute by the state's governor.

But the bill's narrow defeat is an important lesson.  How did something so widely criticized by the community sail so rapidly through the state's legislature?  And how was it, in the end, defeated?

The bill began its life out of, apparently, embarrassment.  In August 2016, security researcher Logan Lamb at the Oak Ridge National Lab in Tennessee had been searching Kennesaw State University's Center for Election Systems' website for public election information when he discovered sensitive documents that were openly available.  "You could just go to the root of where they were hosting all the files and just download everything without logging in," Lamb told Politico, who broke the story.

He wrote a script to download and take a look at what exactly was available, and came back with data including registration records for the state's 6.7 million voters and lots of additional sensitive data that should never have been made public.  Worse still, he discovered the site was using an old, seriously vulnerable version of Drupal as its back-end, which allowed attackers to potentially take control of any site that used the software.

After accidentally discovering the various vulnerabilities and reporting them directly, Lamb was disappointed that the state hadn't taken his discoveries seriously.  Georgia lawmakers responded to this, not with concern that the data had been left in the open, but rather, with anger that it wasn't illegal for Lamb to access that publicly accessible data - and thus Georgia's S.B. 315 was born.  (As the state's attorney general's office said, they wanted to criminalize "poking around."  And while we believe Lamb's actions would have been legal even had S.B. 315 become law, it's plausible that Georgia would have argued to the contrary.)

Did the bill have good intentions?  Almost certainly.  And this is why we must pay close attention to attempts to legislate computer and technology usage - without a deep understanding of how cybersecurity works, these good intentions are easily translated into fast-moving, wide-reaching legislation.  From its introduction until the date Governor Deal was required to sign or veto the bill, the infosec community in Georgia had about four months to work together to show their opposition.

This is also why it's absolutely essential to have grassroots advocates on the ground, available to educate and activate the public and lawmakers in short order.  Thankfully, Electronic Frontiers Georgia sprang into action nearly from the moment the bill was introduced.  Local organizations like EF Georgia are incredibly important, and the entire infosec community owes them a debt of gratitude.  They informed EFF about the legislation, giving us time to examine and respond.  On the ground, they were a credible local group in the state that lawmakers felt comfortable working and talking with.  They scheduled TV and other press appearances, met with members of the state Senate and House, "worked the rope" (a term for waiting outside the legislative chambers for lawmakers to emerge), held up literal "red cards" during hearings, and hosted a live-stream panel.

But the bill still sailed through the legislature, and although it did undergo some positive changes, including exempting terms of service violations, it also acquired its "hack back" amendment in the process.

This only added fuel to the fire, and EF Georgia continued the fight.  As a veteran member of EFF's Electronic Frontier Alliance network of grassroots community and campus organizations, they did work that can only be done by those on the ground - but which is absolutely essential.

Out of EF Georgia's efforts came significant public backlash to the bill.  Professors organized at Georgia Tech to call upon the governor to veto the bill.  Fifty-five tech professionals around the country wrote that, among other things, the bill's exemption for "legitimate business activities" was too ambiguous, leaving researchers who were unconnected with a business (such as academics or independent researchers acting without remuneration) at risk, as well as leaving the definition of "legitimate" too vague.

At the last minute, a hacker group calling itself "SB315" began an ill-advised campaign of defacing local business websites, apparently with the goal of bringing attention to the bill.  We called on the group to cease its actions, worried the damage had undone the hard work that advocates, researchers, and more had done to present a reasonable argument, showing instead the "dangerous" side of hacking.

On the last day to sign the bill, in a surprise last-minute veto, Governor Deal wrote: "Consequently, while intending to protect against online breaches and hacks, S.B. 315 may inadvertently hinder the ability of government and private industries to do so."  He was absolutely right.

S.B. 315 will likely return next year - and Georgia's infosec community will have to renegotiate the terms of the bill.  And unfortunately, there's always a chance that a similar bill will pop up in your area.  For now, let's thank the folks of EF Georgia, and remember the lessons of their activism and effort.

If you're interested in helping grassroots efforts like this one, consider joining - or forming - a group in the Electronic Frontier Alliance.  Alliance affiliated groups work to educate neighbors, lawmakers, and communities about the importance of digital rights in ways that make the most sense for them, and participation is open to any group that endorses the EFA's simple principles.  You can find out more online at eff.org/efa.