SB 315 is a bill currently under consideration in the Georgia Legislature.
The bill’s stated purpose is to “…create the new crime of unauthorized computer access…” which has not been previously defined under Georgia law.
While I applaud the attempt, I have some concerns about the overly vague language present in the bill as it is currently written.
The bill defines the phrase “unauthorized computer access” as “…accessing a computer or computer network with the knowledge that such access is without authority…” However, what do the words “access” and “authorization” mean, exactly? The bill is completely silent on these key provisions, leaving it wide open to interpretation.
As we have seen with prior attempts at legislating this type of behavior, a clear definition of authorized access is critical, so as to prevent misuse and misapplication of the law. As we have seen with the CFAA at the federal level, there are too many federal prosecutors who, for whatever reason, take an overly broad approach when wielding the CFAA hammer, sometimes ending with tragic results (see https://www.eff.org/issues/cfaa).
For this bill to truly effective, and to ensure that it is not misused by overzealous and/or confused prosecutors and civil attorneys, Georgia legislators must take appropriate action to clarify their language, and ensure that there is no confusion as to what they mean by “unauthorized access”.
I’ll be watching this bill as it moves through the Georgia Legislature, and I hope that the citizens of Georgia will be watching as well.
Andy Green, Ph.D. 