A cybersecurity bill being proposed in the state of Georgia has both the tech world and civil liberties advocates worried. If you’re just tuning in, the bill, which is working its way through the state legislature, is designed to give law enforcement the ability to prosecute ethical hackers, or those who break into a computer system but don’t disrupt or steal data.
Supporters say it closes a loophole in existing Georgia cyber crime laws. Currently, it’s tough to prosecute hackers who access systems without authorization if they don’t actually steal anything. Typically, this sort of “grey hat” hacking is done for the purpose of demonstrating vulnerabilities in vital systems and then bidding on contracts to fix the issue, or for research.
This legislation came in response to a recent – but benign – data breach at Kennesaw State University in which unauthorized cybersecurity experts noticed the vulnerability of Georgia’s voting records. To do so, they needed to probe the system without authorization.
Voters are understandably divided on the issue. While everyone can see the value of crucial state infrastructure being protected from harm (which might involve the private sector examining it for flaws that otherwise might go unnoticed or unacknowledged by government officials), they’re less comfortable with their own data being potentially at risk.
After all, none of us would say it’s fine for someone to break into our home as long as they don’t steal anything while they’re there.
But polarization around the bill goes a bit deeper than that. Its critics maintain that the bill casts too wide a net and criminalizes perfectly legal behaviors, like giving your HBO password to your coworker so they can watch Game of Thrones or fudging your weight just a bit on your online dating profile. It could even criminalize employees using their work computers for personal business.
Attorney General Chris Carr, whose office helped draft the bill, says otherwise. “This bill is not intended in any way, shape or form to criminalize legitimate behavior,” he says, maintaining that only three states – of which Georgia is one – have no law against the “grey hat” practice of accessing a system without authorization while neither disrupting nor stealing data.
Still, some of the bill’s language is troubling to civil liberties advocates. Among such concerns is the language, “any person who accesses a computer or computer network with knowledge that such access is without authority,” which could technically apply to you using your friend’s Netflix account.
The bill makes exceptions for parents who monitor their children’s computer use along with those who are conducting “legitimate business,” but the latter is an especially tough sell because it’s incredibly vague. How much leverage will a prosecutor have to determine what’s legitimate and what isn’t? That’s what has some in the state profoundly concerned.
To be sure, the spirit of the law is noble. The letter, on the other hand, could spell trouble for innocent people in the future. Just because the government doesn’t enforce certain provisions of the bill now doesn’t mean they won’t in the future, civil liberties advocates say.
Some also accuse the government of taking steps to cover its own inefficiencies. After all, this was only brought up because some researchers found weaknesses in Georgia’s voting systems. Instead of addressing the issue, critics argue, the government responded by creating legislation that has almost nothing to do with state system security and effectively penalizes whistleblowers.
The biggest concern is the whistleblowers themselves. They could be viewed as security analysts or hackers, but the reality is that most of these grey hat operators probe systems for weaknesses and then sell their services to fix them. While that practice comes with some concerns – some of which are merely unethical rather than illegal, such as pretending a system is more vulnerable than it really is – the truth is that sometimes these services are necessary.
Critics argue that without the ability to sell their services, these hackers will find another way to profit from their skills, and that could actually encourage more criminal activity that’s harder to track by nature. For example, if an airport passenger log is vulnerable, the hacker could simply sell the information to a third party on the black market rather than risk prosecution by offering to fix the flaw. Chances are, no one knows they’ve accessed it anyway.