Georgia cybercrime bill targets hackers

RABUN COUNTY — Lying about your weight on an online dating site? Checking out who won the Falcons game from your work computer? Using your computer hacking knowledge as an “ethical hacker?” Those actions may become illegal if a Georgia bill gets voted into law, civil liberty advocates say.

Supporters of a bill making its way through the state legislature say it’s designed to give law enforcement the ability to prosecute “online snoopers,” hackers who break into a computer system but don’t disrupt or steal data. The legislation came in response to a recent data breach at a Georgia university in which unauthorized cybersecurity experts noticed the vulnerability of Georgia’s voting records.

But opponents say the legislation is so sweeping it could allow prosecutors to go after people who violate their user agreements or use a work computer for personal reasons. They also argue the bill will criminalize the “gray hats” of the cybersecurity world who use their hacking talents to find network weaknesses so they can be fixed, even if they never received permission to probe.

“This bill is not intended in any way, shape or form to criminalize legitimate behavior,” said Republican Attorney General Chris Carr, whose office helped craft the measure.

Carr said only three states (Georgia, Virginia and Alaska) have no law against online “snooping,” in which a hacker neither disrupts nor steals data. To remedy this, the measure criminalizes “any person who accesses a computer or computer network with knowledge that such access is without authority.” The bill does not apply to parents who monitor their children’s computer use or to those who are conducting “legitimate business.”

The bill is specifically meant to stop criminal hacking, Carr said. Lawmakers backing the bill, which passed the Senate on Feb. 12, point to the acts of two unauthorized cybersecurity experts who in 2016 and 2017 discovered that a server at Kennesaw State University had left Georgia’s 6.7 million voter records dangerously exposed. The men reported the vulnerabilities, but Carr said they should never have been snooping in the first place.

“If the research is legitimate, why should you not require someone to get permission on the front-end?” Carr said, arguing that it’s hard to know what a snooper’s intentions are.

Carr said the bill was drafted with the help of business groups and after conversations with the University System of Georgia, which has not taken a position on it. Carr said he is open to more input, especially from academics concerned it could hurt their ability to conduct research.