[Cryptography] Georgia prohibits vulnerability research

R0b0t1 r030t1 at gmail.com
Thu May 3 11:23:56 EDT 2018


On Wed, Apr 11, 2018 at 8:24 PM, Florian Weimer <fw at deneb.enyo.de> wrote:
> * L. Jean Camp:
>
>> The law as proposed:
>> http://www.legis.ga.gov/legislation/en-US/Display/20172018/SB/315
>
> I don't see the problem as reported.  The bill, unlike many others, is
> extremely friendly to unauthorized security testing, to the degree
> that I would consider it problematic for that reason.  It excludes
> “legitimate business activity” and “Cybersecurity active defense
> measures that are designed to prevent or detect unauthorized computer
> access”.  If your “research” doesn't fall into those categories,
> perhaps it is really problematic?
>

This boat has already set sail. The federal Computer Fraud and Abuse
Act (1986) covers this behavior. As used in federal court the test is
typically whether the individual has actually logged in to a system in
a fraudulent manner (regardless of their intent or qualifications).*
However, any interaction with a system that you were not authorized to
perform is prohibited by the strictest interpretation of the law.

Pinging a system that you were not authorized to ping is a felony.
Speak out against this law but realize there are already worse.

As strange as it may sound, I actually agree with the formulation of
the CFAA. I see no way it can be considered a First Amendment issue.

Cheers,
     R0b0t1


* Vulnerability scanners typically bin their tests into "ones which
try to log in" and everything else.

