Georgia Bill Raises Concerns, Questions for 'White Hat' Hackers
A new bill passed through Georgia's General Assembly bans "unauthorized computer access," leaving security researchers concerned about the potential for prosecution.
April 04, 2018 at 02:20 PM
Cybersecurity researcher Logan Lamb breached Georgia's highly sensitive election data by accident.
Inspired by national headlines about voter system integrity after the 2016 U.S. presidential election, Lamb, who works for Bastille Networks, began poking around Kennesaw State University's (KSU) Center for Election Systems, the organization responsible for programming voting machines for the entire state of Georgia. Unwittingly, Lamb managed to download nearly 15 GB of Georgia voter information, among them registration records for 6.7 million Georgia voters and login credentials for pollworkers to use on Election Day. Although the center had placed the files behind a firewall, it also left its root directory unsecured, allowing Lamb to download it all.
Lamb and a second security researcher passed along their findings to Andrew Green, an information security and assurance lecturer at KSU, who verified the vulnerabilities they'd found and passed them along to the university's chief information security officer. University officials notified state officials, and headlines broke that millions of Georgia voters may have had their data exposed.
When state Sen. Bruce Thompson (R-White) introduced SB 315 to the Senate this year, he told fellow senators that the proposed legislation was prompted by the “hack that happened at KSU.” Yet the bill he proposed, which was voted through the General Assembly last week, could leave cybersecurity researchers like Lamb, Grayson and Green, who identified the vulnerability, at risk of prosecution.
Senators voted on March 29, the last day of the legislative session, to approve the bill in a 42-7 vote. The bill criminalizes unauthorized access to computers or networks, and makes such breaches punishable as a misdemeanor by a $5,000 fine and up to one year in jail.
The bill seems intended to protect organizations and consumer data, but some in the cybersecurity community fear that the bill could leave well-intentioned cybersecurity researchers open to criminal charges.
The bill, which now awaits Gov. Nathan Deal's signature, includes exceptions for members of the same household, access for a “legitimate business activity,” defensive measures “designed to prevent or detect unauthorized computer access” and terms of service violations.
Closing Doors or Opening Vulnerabilities?
Thompson told legislators upon introducing the bill that he worked closely with Georgia Attorney General Chris Carr's office in drafting the legislation. Carr released a statement endorsing the passage of the bill, saying, “In a world where hackers—whether they are state-sponsored actors, organized criminal enterprises, loose confederations or lone wolves—attempt every single second of every single day to gain unauthorized access to our computers and computer networks, this common sense solution will close a window of opportunity for those who wish us harm.”
Digital rights advocacy group Electronic Frontier Foundation (EFF) has opposed the legislation as written, and intends to ask Deal to veto the bill. “We feel it will chill security research, particularly the type of research conducted by independent contractors and students,” David Maass, senior investigative researcher for EFF, told Daily Report.
“This term of unauthorized access is fairly vague and ill-defined. They do have this exemption for legitimate business purposes, but even that is vague as well. What makes something a 'legitimate' business thing? Does someone have to be profiting from doing the cybersecurity research?” Maass noted.
Green thinks the seeming spirit of the bill has significant merits, but leaves good-faith cybersecurity researchers at significant risk as written.
“In the abstract, I agree with it. I believe that there's some key language missing. I believe that unauthorized access to a computer or computer network should be a criminal offense when it is done with malicious intent, and that's really the key piece that's missing right now,” Green said.
Sen. Jen Jordan (D-Atlanta) proposed an amendment to include language around malicious intent, but senators voted against it. “They'd tell you it's too hard,” Green said of the potential difficulties in enforcing intentionality language. “To a point, I agree philosophically with their concern, which is how do you manifest intent? It's really hard to know what intent is until that data has actually been put on the market and sold.”
Without language around intent, however, Green sees far too much risk for “white hat” cybersecurity researchers who test systems for potential vulnerabilities and report them to host organizations: “They're effectively handcuffing the good actors who find these problems.”
Justin Daniels, a Baker Donelson corporate shareholder and founder of the firm's cybersecurity accelerator, noted that the explicit language of the law, even with the carve-outs for some legitimate practices, does leave uncertainty for cybersecurity researchers.
“Is it a fair point that these researchers and other folks could potentially be unfairly targeted? If you read the letter of the law, the answer is yes,” Daniels said. “The question is, are they really going to do it?”
White Hat Disagreement
Although white hat hacking is a fairly well-respected practice in the U.S., prosecutors don't always see eye to eye with security researchers on who wears the white hat, notably where student researchers are concerned. A British student attempting to point out security flaws in Facebook's infrastructure was sentenced to eight months' prison time in 2012, while an MIT student who developed a prototype program to mine for Bitcoin as a replacement for digital advertising faced prosecution from the state of New Jersey.
The suicide of “humanist hacker” 26-year-old Aaron Swartz, who faced steep charges for scraping millions of articles from online archive JSTOR prior to his death, is often invoked as evidence of prosecutorial overzealousness in this space. Although Georgia's bill does not explicitly discuss data-scraping, Green pointed out that, under the broad language in Georgia's proposed law, some data-scraping or site-crawling practices could be held as unauthorized system access.
Although a great deal of white-hat hacking is purely altruistic, some cybersecurity companies have used it as a sales tactic, a strategy that can feel invasive to companies. Daniels pointed out that these tactics can introduce some gray area around what constitutes a good-faith actor within cybersecurity. “Is it extortion, or is it them demonstrating that they can help you? Reasonable people can differ on that,” he said.
Maass also noted that the bill shifts responsibility for securing data away from organizations themselves, an especially significant move after a string of high-profile data breaches at companies like Uber, Yahoo and Atlanta-based Equifax drew fire to companies for exposing consumers' personal data.
“It's really important to hold the people responsible who are storing the data, particularly government agencies,” Maass said, adding that government agencies often store far more personally-identifying data than they need to provide services. “It doesn't make sense to blame the messenger for pointing out a vulnerability.”
Sen. Thompson and AG Carr have both noted that Georgia is one of only three states without similar laws on the books, but Maass said that EFF has not been able to substantiate the three-state claim. Daniels, meanwhile, said there appear to be at least some other states with laws similar to the newly passed bill already in place.
Although some, including Green, have pointed to the potential economic loss Georgia could suffer, especially as the state tries to establish itself as a global hub of innovation around cyberdefense and cybersecurity, Daniels said it's likely too early to speculate on that.
“Honestly, I think it's a little too early to tell because you have the Computer Fraud and Abuse Act that has the same issue,” Daniels said, adding that the federal act includes similarly broad language. “I get it, once the private sector sees regulation, there's an inherent concern about that. Understandably so. But I think what we're battling is what the right balance of companies being able to compete in the marketplace versus some level of regulation,” he said.
Deal has 40 days from General Assembly's adjournment to sign, veto or allow legislation to pass without approval.