S.B. 315 uses the term “unauthorized access,” which is a very murky term. If you’re trying to go through all the proper channels in advance and get authorization for something, it’s not always clear who has the authority to give that authorization. If it’s a website and you’re testing some part of a website’s security you might think it’s the website administrator, but often it’s not. Often it’s their IT dev ops team or the tech ops team or something else. You may even get permission from one person and think you’re in the clear, and the next thing you know they say that’s not the correct authorization. With the broadness of the way this bill is written, there are way too many circumstances where somebody could be in violation of the law just performing their daily duties.
A bill (SB315) is currently making its way through the Georgia state legislature that would criminalize acts ranging from ‘ethical hacking’ to security research to violating the terms of service on your cable service or Netflix account (sharing that password with someone?). You read that right: criminalize.
There are a number of security professionals and social media warriors involved in this but, ultimately, SB315 still seems to be making headway. There’s ample FUD (fear, uncertainty and doubt) being tossed about, but the facts are pretty simple, and the article below from the EFF does an excellent job of highlighting many of them in a simple Q&A format. The article also does an excellent job of shedding light on the responsible disclosure incident at KSU that’s being championed as an example of why this bill is needed (the facts in the case, however, indicate the exact opposite).