Georgia’s own CFAA — A Solution Desperately in Need of a Problem
A bill so bad, you know the person who wrote it says they “don’t do computers”
A few weeks ago, the Georgia State Senate passed bill SB315, a bill that would enact a state-level version of the much-reviled Computer Fraud and Abuse Act (CFAA). The bill, which passed the State Senate 41–11 seeks to criminalise unauthorised access to computers. It’s currently awaiting a vote by the State House.
Sure it sounds like a noble goal, right? It may even have been prompted by the hacks of Atlanta-based Equifax (which has been a huge mess for people, especially as they’ve just announced even more people were exploited) but it’s not quite that simple, because instead of being nuanced and specific, it’s quite the opposite. It’s a paragon of Republican ‘simple language’ billwriting, consisting of a grand total of 1.5 pages, of which just 15 lines are devoted to what makes a crime, while 17 are devoted to defining the location of the offense, and a further line says ‘anything that is in conflict with this, is repealed’.
When you have to spend more time and effort defining where the crime is considered to be committed, than what the crime actually is, you’re probably doing something wrong, and indeed they are. Here’s those 15 lines.
8 Part 1 of Article 6 of Chapter 9 of Title 16 of the Official Code of Georgia Annotated,
9 relating to computer crimes, is amended by adding a new subsection to and revising
10 paragraph (2) of subsection (h) of Code Section 16–9–93, relating to computer crimes
11 defined, exclusivity of article, civil remedies, and criminal penalties, as follows:
12 “(b.1)(1) Unauthorized Computer Access. Any person who accesses a computer or
13 computer network with knowledge that such access is without authority shall be guilty
14 of the crime of unauthorized computer access.
15 (2) This subsection shall not prohibit:
16 (A) A parent or legal guardian of an individual who is under the age of 18 from .
17 monitoring computer usage, denying computer usage, or copying data from such
18 individual’s computer; or
19 (B) Access to a computer or computer network for a legitimate business activity.”
20 “(2) Any person convicted of computer password disclosure or unauthorized computer
21 access shall be fined not more than $5,000.00 or incarcerated for a period not to exceed
22 one year, or both punished for a misdemeanor of a high and aggravated nature.”
It’s such a simple idea, right? “Any person who accesses a computer or computer network with knowledge that such access is without authority shall be guilty of the crime of unauthorized computer access.“
Odds are though, most Georgians are in violation of that law.
The law considers any access in violation of Terms of Service to be unauthorised. So have you broken the law with Facebook? Here’s a list of 10 points you that many people violate from Facebook's TOS
4 Registration and Account Security
Facebook users provide their real names and information, and we need your help to keep it that way. Here are some commitments you make to us relating to registering and maintaining the security of your account:
You will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission.
You will not create more than one personal account.
If we disable your account, you will not create another one without our permission.
You will not use your personal timeline primarily for your own commercial gain, and will use a Facebook Page for such purposes.
You will not use Facebook if you are under 13.
You will not use Facebook if you are a convicted sex offender.
You will keep your contact information accurate and up-to-date.
You will not share your password (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account.
You will not transfer your account (including any Page or application you administer) to anyone without first getting our written permission.
If you select a username or similar identifier for your account or Page, we reserve the right to remove or reclaim it if we believe it is appropriate (such as when a trademark owner complains about a username that does not closely relate to a user’s actual name).
There’s quite a lot of people that use Facebook who are under 13, and a lot of people have more than 1 account and with teens, it’s not uncommon to post false personal information (be it names, where they ‘work’, or where they live), and I’m sure all of us are guilty of not having kept our facebook account up to date with our latest contact info.
Those are all violations of the terms of service, and thus, accessing a computer service in an unauthorised way. Hello High and Aggravated Misdemeanor.
Let’s take for instance Representative Johnnie Caldwell Jr. Fans of Samantha Bee’s TBS show might remember him as ‘the judge that was run out of office for sexual harassment’
Now, johnnie Caldwell was a judge for 15 years, so you’d think he might know the law. He’s also a practicing lawyer. In fact, here I am outside his offices shortly after the Sam Bee segment aired.
So with all that level of legal experience, you’d think he’d manage to be in full accordance with the law, right? Wrong. Of course he’s not, because he’s 65+ and doesn’t know beans about technology.
Which is why he has TWO facebook accounts.
Oops, that’s a violation of the Facebook TOS (rule 2) and yes, he’s accessing both at the same time, as you can see here
Oh, and that second profile, that’s a profile being used for commercial use, when a page should be used instead (and I’m sure that he wasn’t going to try and claim that the ‘state rep’ account is a personal one and thus exempt from open records laws), especially as there’s a page option specifically for politicians.
That’s 30 seconds of searching, on a rep that should know the law, and possibly in violation of the CFAA as well (since Facebook is headquartered in another state, although they could have a local cache), which means he may be liable for federal charges under (a)(2)(c)(“ intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer”), as well as the new state ones.
I could go looking for more, but I won’t (as a reminder, he’s Representative 131, the state of Georgia has a lot of elected members of the state government) but I may come back to it if I have time.
A message was sent to Rep Caldwell asking for his thoughts on SB315, but nothing yet.
Here’s the thing though. 15 years as a judge, 47 years of a ‘professional career’ in the law, and he’s in violation of this law. Courts have held that ignorance of the law is no excuse, he’s affirmed he read the terms and conditions when he signed up for facebook — TWICE. And as a lawyer, judge, former DA, he should know better than anyone what is and isn’t a crime, and yet here we go, with him violating the law.
So, as a general rule, if a lawmaker with more than 40 years of legal experience (15 of them not only as a judge, but as the type of judge that would be actually hearing this law’s cases) will be violating the law, then perhaps the law is not at the most basic level, fit for purpose.
Password sharing too!
Another thing this criminalizes is password sharing. Do you share a Netflix account with someone else? It’s a pretty common thing.
Here’s the Netflix TOS
6b The Netflix service and any content viewed through our service are for your personal and non-commercial use only. During your Netflix membership, we grant you a limited, non-exclusive, non-transferable, license to access the Netflix service and view Netflix content through the service.
7 Passwords and Account Access
a. The member who created the Netflix account and whose Payment Method is charged is referred to here as the Account Owner. The Account Owner has access and control over the Netflix account. The Account Owner’s control is exercised through use of the Account Owner’s password and therefore to maintain exclusive control, the Account Owner should not reveal the password to anyone.
Now, Netflix have said they won’t press charges against anyone sharing their passwords, BUT, they can change their minds on that at any time. And in US v Nosal the 9th circuit ruled in the summer of 2016 that using someone else’s password was unauthorised access.
So yes, using someone else’s netflix account *could* land you in trouble, but Netflix won’t push it at present. What about other services, like Hulu, Youtube Red, Amazon, CBS All Access, HBO Go, DirecTV now, or any other? There’s no knowing how these other services will react to a practice that impacts their bottom line.
Stupid does as stupid is
So, since you have incompetent jackasses (bless their hearts!) writing laws they don’t understand, and doing so in what some have ascribed to a desperate attempt to deflect and “Be Seen To Be Doing Something”™ against issues of absolutely abysmal security on election system, which isn’t surprising, because they’re pretty bad (in fact, the whole Secretary of State’s office in Georgia is a mess, especially the election division, but that’s another story)
Others have pointed that this law, which won’t deal with anything major (but will give a whole host of minor criminal infractions for pretexting, parallel construction, and plea bargaining) — as its already covered by the federal Computer Fraud And Abuse Act (CFAA) — will actually be a severe handicap for legitimate security researchers (sometimes known as ‘whitehats’) trying to do their research. That can include researchers looking at government systems to see if there are holes that can be exploited so that the agencies can be told and they can fix… oh, right. Until someone tells you your security is the equivalent of a tent, you can carry on pretending your system is the equivalent of a bank vault.
The whole bill is nothing more than an attempt to cover backsides, by people who think that blue e is the internet (or a little black box is), and get their technical know-how from watching TV shows (and not the good stuff, but the utter dross like NCIS, Scorpions, and the Big Bang Theory).
The bill does no actual good, it does a lot of harm, and is a blatent show of ignorance wielded like some absurd manga weapon by a bunch of fat guys in cheap (but overpriced) suits desperately trying not to look like the corrupt and ignorant morons they are.
More info on other bad aspects of this law here
- Electronic Frontiers Georgia page on the Bill
- Georgia Must Block This Flawed Computer Crime Bill | EFF