[Cryptography] Georgia prohibits vulnerability research

L Jean Camp ljeanc at gmail.com
Thu May 3 16:36:20 EDT 2018


On Thu, May 3, 2018 at 11:23 AM, R0b0t1 <r030t1 at gmail.com> wrote:

> On Wed, Apr 11, 2018 at 8:24 PM, Florian Weimer <fw at deneb.enyo.de> wrote:
> > * L. Jean Camp:
> >
> >> The law as proposed:
> >> http://www.legis.ga.gov/legislation/en-US/Display/20172018/SB/315
> >
> > I don't see the problem as reported.  The bill, unlike many others, is
> > extremely friendly to unauthorized security testing, to the degree
> > that I would consider it problematic for that reason.  It excludes
> > “legitimate business activity” and “Cybersecurity active defense
> > measures that are designed to prevent or detect unauthorized computer
> > access”.  If your “research” doesn't fall into those categories,
> > perhaps it is really problematic?
> >
>
> This boat has already set sail. The federal Computer Fraud and Abuse
> Act (1986) covers this behavior. As used in federal court the test is
> typically whether the individual has actually logged in to a system in
> a fraudulent manner (regardless of their intent or qualifications).*
> However any interaction with a system that you were not authorized to
> perform is prohibited by the strictest interpretation of the law.
>
> Pinging a system that you were not authorized to ping is a felony.
> Speak out against this law but realize there are already worse.
>
> As strange as it may sound, I actually agree with the formulation of
> the CFAA. I see no way it can be considered a first amendment issue.
>
> Cheers,
>      R0b0t1
>
>
> * Vulnerability scanners typically bin their tests into "ones which
> try to log in" and everything else.
>


Yes, the CFAA has seen quite a bit of prosecutorial overreach. I am sure
many of us have at least been threatened. The bill as passed but not yet
signed into law in GA is worse.

This is closer to the Sklyarov prosecution where he did not use a
vulnerability rather he presented information about it. That case was
prosecuted under DMCA because sharing information about vulnerabilities is
not now and has never been found to be a violation of CFAA. It is the use
of vulnerabilities that concerns the CFAA, the investigation to find
vulnerabilities and discussions of these were under DMCA, and this law in
GA covers disclosure of their existence regardless of legitimacy in
discovery. It is quite problematic.

The DMCA has recently renewed the security research exemption; CFAA does
not have a formal security research exemption.

The DMCA still allows CFAA prosecution if the research includes
unauthorized use. So the DMCA exemption does not remove all CFAA risks, but
seriously mitigates these as well as formally removing prohibitions on
anti-circumvention in good faith security research.

This started as a temporary exemption which was then renewed.
https://www.ftc.gov/news-events/blogs/techftc/2016/10/dmca-security-research-exemption-consumer-devices

You may find this report a more enjoyable read and it is fairly accurate:
https://www.techdirt.com/articles/20170625/01312637658/copyright-office-realizes-dmca-fucks-with-security-research-while-w3c-still-doesnt-see-it.shtml

The people who worked to make that DMCA exemption happen include the CDT
and the USACM (the policy arm of the ACM), and to a lesser extent the
IEEE-USA (similarly the volunteer organization of the IEEE). None of us
will be abandoning the fight for better policy in vulnerability disclosure,
crypto policy, or standards.

Here, for example, is the short form of the USACM letter, there are longer
documents which detail the long slog towards this point:
http://usacmdev.acm.org/images/documents/1201_Short_CommentUSACMfinal.pdf

The GA law goes far beyond the DMCA (except if Elcom had lost) and
certainly far beyond the CFAA which requires actual use of a vulnerability.

In any case, the bill HAS NOT BEEN SIGNED and here is a very nice article
if you care to oppose it:
https://www.eff.org/deeplinks/2018/02/how-grassroots-activists-georgia-are-leading-opposition-against-dangerous-computer

"A ping is a felony" has been used in no case of which I am aware, and may
be rhetorical outreach to match the prosecutorial excesses we have seen
under CFAA. This bill in GA would be unlikely to make a ping a felony either.
That is not even on the radar, unless of course it was part of a DoS
leveraging ping, which is another bucket of crabs altogether.

There is fairly good material explaining it further in the links. While
Security Week, Tripwire, Microsoft, and Google have letters, really the
grass roots on the ground is what has delayed this bill being signed.

As for a ping being a felony, this is a fun if sometimes strident read:
https://www.amazon.com/dp/B00505UZ4G/ref=dp-kindle-redirect?_encoding=UTF8&btkr=1

You might recall the author from the famous MIT LaMacchia rule case.



-- 
Prof. L. Jean Camp
http://www.ljean.com
Research Gate: https://www.researchgate.net/profile/L_Camp
DBLP: http://dblp.uni-trier.de/pers/hd/c/Camp:L=_Jean
SSRN: https://papers.ssrn.com/sol3/cf_dev/AbsByAuth.cfm?per_id=262477
Scholar: https://scholar.google.com/citations?user=wJPGa2IAAAAJ
Make a Difference
http://www.ieeeusa.org/policy/govfel/congfel.asp