A bill was passed yesterday by the state of Georgia that causes any unauthorized access to a computer to be considered "Unauthorized Computer Access", which "shall be punished for a misdemeanor of a high and aggravated nature". This bill amends the Georgia code, which originally considered unauthorized access to be a crime only when it was done with malicious intent.

SB-315 Amendment

The new bill, titled SB-315, was a Republican-sponsored bill that passed with 42 Yea votes, 7 Nay votes, 6 senators not voting, and 1 excused. Of the Yea votes, 11 came from Democratic senators. Only one Republican, Blake Tillery, voted against this bill.

This bill replaces the original language of the Georgia code, shown below, with language stating that any unauthorized access to a computer, regardless of intent, is considered a crime.

(b) Computer Trespass. Any person who uses a computer or computer network with knowledge that such use is without authority and with the intention of:

  • (1) Deleting or in any way removing, either temporarily or permanently, any computer program or data from a computer or computer network;
  • (2) Obstructing, interrupting, or in any way interfering with the use of a computer program or data; or
  • (3) Altering, damaging, or in any way causing the malfunction of a computer, computer network, or computer program, regardless of how long the alteration, damage, or malfunction persists

shall be guilty of the crime of computer trespass.

The new language has raised a lot of concern among security researchers, who feel that it could leave Georgia businesses at greater risk of running insecure servers and web sites. This is because security researchers would not be able to responsibly disclose problems to a Georgia-based company without fear of legal repercussions.

To take it further, sites that perform automated analysis of servers could land themselves in trouble. For example, Shodan.io, a search engine for connected devices, could potentially face legal ramifications when it scans servers located in Georgia.

Shodan.io search results for the keyword Atlanta

These issues could have been resolved by adding language that protects security researchers when they responsibly disclose vulnerabilities. Unfortunately, this heavy-handed approach may only lead to worse problems for Georgia business owners.

Bleeping Computer has reached out to Shodan.io and Georgia State Senator Bruce Thompson, one of the sponsors of this bill, for comment but had not received a response by the time of this publication.
