A bill was passed yesterday by the state of Georgia that causes any unauthorized access to a computer to be considered "Unauthorized Computer Access", an offense that "shall be punished for a misdemeanor of a high and aggravated nature". This bill amends the Georgia code, which originally only considered unauthorized access with malicious intent to be a crime.

SB-315 Amendment

The new bill, titled SB-315, was a Republican-sponsored bill that passed with 42 Yea votes and 7 Nay votes, with 6 senators not voting and 1 excused. Of the Yea votes, 11 came from Democratic senators. Only one Republican, Blake Tillery, voted against this bill.

This bill replaces the original language of the Georgia code, shown below, with language stating that any unauthorized access to a computer, regardless of intent, is considered a crime.

(b) Computer Trespass. Any person who uses a computer or computer network with knowledge that such use is without authority and with the intention of: (1) Deleting or in any way removing, either temporarily or permanently, any computer program or data from a computer or computer network; (2) Obstructing, interrupting, or in any way interfering with the use of a computer program or data; or (3) Altering, damaging, or in any way causing the malfunction of a computer, computer network, or computer program, regardless of how long the alteration, damage, or malfunction persists shall be guilty of the crime of computer trespass.

The new language has raised a lot of concern among security researchers, who feel that it could leave Georgia businesses at greater risk from insecure servers and web sites. This is because security researchers would not be able to responsibly disclose problems to a Georgia-based company without fear of legal repercussions.

So Georgia just passed a bill making unauthorized, but well meaning (no damage or theft) access to a computer illegal, meaning anybody noticing a vuln on a website can be sent to jail for up to a year. — Rob Graham (@ErrataRob) March 30, 2018

To take it further, sites that perform automated analysis of servers could land themselves in trouble. For example, Shodan.io, a search engine for connected devices, could potentially face legal ramifications when it scans servers located in Georgia.

Shodan.io search results for the keyword Atlanta

These issues could have been resolved by adding language that protects security researchers when they responsibly disclose vulnerabilities. Unfortunately, this heavy-handed approach may only lead to worse problems for Georgia business owners.

Bleeping Computer has reached out to Shodan.io and Georgia State Senator Bruce Thompson, one of the sponsors of this bill, for comment but had not received a response by the time of this publication.