Georgia criminalizes routine security research


#1

Originally published at: https://boingboing.net/2018/03/30/bruce-thompson-404-656-0065.html


#2

Interesting text; vague in some ways and precise in others. This provision is particularly interesting to me:

Any person convicted of computer password disclosure or unauthorized computer access shall be punished for a misdemeanor of a high and aggravated nature.


#3

Hmmm, usually I’m aggravated when I’m not high. rimshot


#4

In all seriousness, I can’t imagine that this would pass Federal muster. Could it? OH WAIT look who’s in power…

Well, they’ll figure out quickly the negative economic effects of being the one state in the union stupid enough to do this.


#5

It's the cyber!


#6

They’re just really worried about that 400 pound guy moving to Georgia, so they’re heading that off at the pass.


#7

This fits right in with the repubs / NRA working to ban all research into gun violence by the CDC, and Georgia’s “we’re not giving Delta that tax break because they took away the NRA discount”. Very forward thinking state those Georgia good ol’ boys.


#8

Since there are exceptions for “members of the same household”, “legitimate business purposes” and “cybersecurity active defense”, it seems that the main difference from current federal law is to make research illegal. My first thought was that must be intentional, but then I remembered how US politics works. The original draft had no exceptions, and businesses and paranoid parents have a seat at the table, but researchers and public advocates don’t.


#9

I love the smell of moving vans in the morning…


#10

At what point does research become cyber security active defense? You can’t really have active defense if you don’t do research. Maybe “active defense” was supposed to cover this? Or does its definition in the law specifically exclude research?


#11

What’s the model that should be used here? One that allows/encourages active and aggressive research, while criminalizing hostile penetration? What would that look like?


#12

I think you kind of summarized it. The act of conducting the penetration is what should be made illegal, research which is obviously utterly required for security and defense must be allowed. Now, could there be regulations about the methodology of publishing research? Requirements to notify vendors FIRST, with X number of days provided before public release? That all seems like it could in theory be reasonable. But this seems like the WORST way of implementing such a law, although IANAL, and I have not read the law itself, and am just going off descriptions.


#13

Research without penetration is going to be … well, not quite useless, but a lot less useful than research that does include penetration.


#14

Penetration of other people’s property, duh! :slight_smile: Analogous to lock-picking: the picks are legal, you can use them on a lock you own, you just can’t break into someone else’s stuff with it. I know not all jurisdictions may work this way, but as an example.


#15

D’uh? Cool story, bro :roll_eyes:

A simulation cannot recreate the unexpected complexity and interactions of a real world system.


#16

I’m confused, you disagree that it should not be allowed to break into other people’s computers without their permission? That’s not cyber-security “research” as I’ve understood it.


#17

To extend your lock picking metaphor, this would be illegal:

Of course it should be illegal for you to pop a hotel lock in order to harm someone else, but it shouldn’t be illegal for you to pop a hotel lock to show that, uh-oh, these locks don’t actually provide much security.

(Metaphor-wise, this isn’t ‘your’ hotel room, even if you paid for it for the night. It is the hotel’s room and the hotel’s security system that you are attacking.)

It is a hard thing to get right in the legislation though.


#18

The vendor of that lock, however, would sell one to you, which you could use for research purposes. So you can demonstrate the problem, without breaking into anyone else’s property.

The key as it relates to software, is the notion of licensing, versus “ownership” of code. So a (good) theoretical law would deal with this in a way that shielded researchers, when using copies they have legally licensed, even if technically, the codebase belongs to, say, Microsoft.


#19

In one hotel I found a piece of cardboard in the slot which enables power to the room. You are supposed to put your key card in there, but apparently it’s just a simple switch. If I already have a key, I don’t think I would be harming the hotel by improvising a key. I might have more family members than keys, for example.


#20

The Georgia Lege might have consulted some experts before they penned this since it’s obvious they don’t know what they’re talking about.