Before Gov. Nathan Deal vetoed an anti-hacking bill, he heard about nationwide opposition from tech experts who feared it would make the internet less safe.
Everyone who contacted the governor’s office said the bill to outlaw computer snooping shouldn’t become law, according to 65 pages of emails obtained by The Atlanta Journal-Constitution under Georgia’s Open Records Act. More than 80 people signed the emails, including representatives for Google and Microsoft, business owners, computer scientists, university professors and students.
They said the legislation was so broad that it would have criminalized legitimate internet security efforts. They also said it would have had the unintended consequence of encouraging hacking by allowing businesses to “hack back” in self-defense against perceived attackers.
Deal wrote in his veto message for Senate Bill 315 that he was concerned the measure could inadvertently hinder efforts to protect against online breaches and hacks. The disclosure of emails to Deal reveals details about the arguments against the bill before he nixed it May 8, along with 20 other bills.
The legislation would have made it a crime to access a computer without permission, punishable by up to a year in jail and a $5,000 fine. Those who pushed the bill, including Attorney General Chris Carr and state lawmakers, said it would have helped stop hackers who lurk on computer networks before they steal private information. State laws already prohibit data theft and tampering.
But online security business leaders and hacking researchers said the measure was deeply flawed.
“It gives state approval for dangerous ‘hacking back’ methods that will cause more problems than they solve,” said an email to Deal from 55 people including technology business executives, software engineers, university professors and cybersecurity experts. “The bill is more likely to hurt researchers, professionals and law-abiding citizens than improve cybersecurity.”
In a rare collaboration, Google and Microsoft sent a joint letter highlighting the dangers of exempting “hacking back” from the legislation.
“On its face, this provision broadly authorizes the hacking of other networks and systems under the undefined guise of cybersecurity,” according to the letter from the tech giants. “Provisions such as this could easily lead to abuse and be deployed for anticompetitive, not protective purposes.”
Others said the legislation would jeopardize Georgia’s booming technology industry if companies worried their legitimate efforts to fight hackers were perceived to be banned under a broad interpretation of the measure.
“The language is ambiguous on whether security research on vulnerabilities is illegal or not,” wrote Chris Klaus, the CEO of the video game company Kaneva who founded Internet Security Systems in Atlanta in 1994. “Potentially making this research risky to do in Georgia doesn’t strengthen the security industry here, and may force researchers to leave Georgia.”
Deal, who takes pride in Georgia’s ranking as the top state for business by Site Selection magazine, wrote in his veto message that more deliberation is needed on the bill’s potential impact on tech companies, research institutions, the U.S. Army Cyber Command and the state’s Cyber Range.
Legislators will likely consider a similar bill aimed at protecting Georgians’ online privacy next year, said state House Majority Whip Christian Coomer, who sponsored the bill in that chamber. He said 47 states already have this kind of law.
“I hope we can get a version of the bill passed that will protect the interests of businesses, private individuals and innocent parties to make sure we have security without jeopardizing business opportunities and privacy,” said Coomer, R-Cartersville.
Some of the objections to the bill arose only after it was approved by the General Assembly, Coomer said. For example, emails to the governor raised concerns that hackers could make it appear as if an attack was coming from someone else.
A group of 13 Georgia Tech professors and faculty said the need for the legislation wasn’t clearly presented and it threatened internet security efforts.
“We have serious concerns that the bill would criminalize widespread and beneficial cybersecurity research, such as internet scanning for security research and beneficial reverse engineering,” their email said.