During the House subcommittee meeting on Wednesday, 3/14, multiple amendments were proposed to the Senate version of SB 315. I can only describe these amendments as making a bad bill even worse.
In the Senate version, an exception was carved out to allow for parents to engage in monitoring of minor children. The language in the Senate version is:
A parent or legal guardian of an individual who is under the age of 18 from monitoring computer usage, denying computer usage, or copying data from such individual’s computer;
That language was removed by the House subcommittee, and replaced with the following:
Persons who are members of the same household;
The impact of this language change is clear – anyone who lives in the same household would be exempt from punishment under this bill. This change has huge implications for individuals in abusive relationships, living with their abuser in the same household.
The next amendment focuses on carving out an exception for so-called “legitimate business activity”. The language in the Senate version of the bill is:
“Access to a computer or computer network for a legitimate business activity”
The House amended this language as follows:
Access to a computer or computer network for a legitimate business activity including cybersecurity active defense and offensive countermeasures that are designed to prevent and detect unauthorized computer access;
The worrisome portion of this amendment is the addition of the phrase “offensive countermeasures” to the exemption. The net result of this language is that it would now be legal to “hack back” under the guise of “legitimate business activity”. Similar language can also be found in federal legislation proposed by Georgia Representative Tom Price. This legislation, popularly known as the “Active Cyber Defense Certainty Act”, has been widely criticized by numerous members of the security community, as well as federal officials.
The only positive amendment offered to the bill comes in the form of an exemption for persons violating terms of service or user agreements. This language is a win for those folks concerned about criminal prosecution for lying about their age on a website, for example.
The House subcommittee failed to include any exemptions for legitimate academic or industry researchers. This continued failure to acknowledge the reality of how a large and valuable portion of the security industry works is an indicator that lawmakers either do not understand the issues at hand, or think the behavior should not be legally permissible.
At this point, this bill has actually been made worse, and I don’t believe it can be salvaged. I have little in the way of hope that the full committee will do anything other than rubber stamp the subcommittee’s actions, and pass it along for full consideration by the House.
While the exception for terms of service violations and user agreements is an important one, the other amendments make this bill more dangerous – not just to legitimate security researchers, but now also to those people involved in abusive relationships who live together.
This bill, if it makes it to the floor of the Georgia House for consideration, should be voted down. There is just way too much bad here, with not enough good.
EDIT: corrected the date in the first paragraph, from 3/15 to 3/14.