The State of Georgia must decide: will it be a hub of technological and online media innovation, or will it be the state that criminalized terms of service violations?
Will it support security research that makes us all safer, or will they chill the ability of Georgia’s infosec community to identify vulnerabilities that need to be fixed to protect our private information?
This is what’s at stake with Georgia’s S.B. 315, and state lawmakers should stop it dead in its tracks. As EFF wrote in its letter opposing the bill, this legislation would hand immense power to prosecutors to go after anyone for “checking baseball scores on a work computer, lying about your age or height in your user profile contrary to a website’s policy, or sharing passwords with family members in violation of the service provider’s rules.”
The bill also fails to clearly exempt legitimate, independent security research—such as that conducted by Georgia Tech’s renowned cybersecurity department—from the computer crime law.
Georgia already has a robust computer crime statute that covers a wide range of malicious activities online, but S.B. 315 would criminalize simply accessing a computer, app, or website contrary to how the service provider tells you, even if you never cause or intend to cause harm. A violation under S.B. 315 would be classified as “a misdemeanor of a high and aggravated nature,” punishable by up to $5,000 and 12 months in jail.
EFF has long criticized how stretched interpretations of the federal Computer Fraud & Abuse Act have resulted in the prosecution of computer scientists, such as Aaron Swartz. Georgia’s S.B. 315 is even worse in terms of how broadly it may be applied to regular users engaged in benign online behavior.
Fortunately, the digital rights community in Georgia is mobilizing. Electronic Frontiers Georgia, an ally in the Electronic Frontiers Alliance network, is speaking out against S.B. 315. Andy Green, an infosec lecturer at Kennesaw State University, is also calling for an overhaul of the bill to ensure computer researchers can carry out their work “without fear of arrest and prosecution.”
If Georgia lawmakers want to protect their residents from computer crime, it does not help to open them up to prosecution for the tiniest violation of the fine print in a buried terms of service agreement. And if lawmakers want Georgia to remain a welcoming destination for tech talent who can identify and stop breaches, they should spike S.B. 315 immediately.