Controversial bill makes waves in the infosec community after Senate gives the go-ahead

A new bill passed last week in the US state of Georgia could criminalize the reporting of security vulnerabilities, as researchers call for the controversial idea to be axed.

The bill, which was approved by the Senate on Friday, could rule that all unauthorized computer access, including that carried out by ethical hackers, is a crime.

Anyone found to have gained access without permission could be fined up to $5,000 or jailed for a year, according to the bill.

It could also penalize security researchers who report vulnerabilities in an ethical way.

The legislation amends a previous legal code which criminalizes the unauthorized access of a computer with malicious intent.

It reads: “Any person who intentionally accesses a computer or computer network with knowledge that such access is without authority shall be guilty of the crime of unauthorized computer access.”

The Electronic Frontier Foundation (EFF), a non-profit digital rights campaign group, is calling for the bill to be vetoed before it is implemented into state law.

It is lobbying for Governor Nathan Deal to throw out the bill, which the EFF claims isn’t doing enough to make sure researchers “aren’t targeted by overzealous prosecutors”.

Dave Maas of the EFF wrote: “S.B. 315 is a dangerous bill with ramifications far beyond what the legislature imagined, including discouraging researchers from coming forward with vulnerabilities they discover in critical systems.

“It’s time for Governor Deal to step in and listen to the cybersecurity experts who keep our data safe, rather than lawmakers looking to score political points.”

Other researchers have outlined the risk of the Georgian infosec community moving elsewhere to carry out their practice.

Professor Andy Green pleaded with Gov Deal on Twitter, writing: “Recruitment of Georgia security talent to other states is already starting to happen. Please veto.”