
so welcome and thank you for coming to this moderator moderated panel um to discuss Georgia State Bill 315 so if you're unfamiliar with the bill the entire bill is there on the screen all 41 lines or 43 lines in all its Glory um so just a little bit of background on the law itself uh 2008 Georgia legislature introduced State Bill 315 to address the fact that as of today that the state of Georgia has no law in place criminalizing um hacking unless uh unless a a crime reaches the threshold required to prosecute the federal level then actually no action can be taken against the criminal in uh for those hacking activities in Georgia and that's Loosely
true right LE can still prosecute them under you know the traditional crimes if those usually computer is also being involved in some type of other crime like fraud or something like that but um I personally have been affected by this where we've been um seen cases that um perhaps didn't rise the the level of the federal um or that would require um would receive the attention from the federal government even though uh our local Bureau is been able to handle those anyway um but there there probably is a need for some law here in Georgia that does that would do that uh so the law was passed by the House of Representatives and the Senate um and
then it was vetoed uh by our governor at the last minute but there's there's been some speculation that they will reintroduce the um some similar legislature in the upcoming um upcoming sessions of Congress so um we've brought together an all-star panel um to discuss um this and just talk about uh you know the props of the law um how we could do this better moving forward and the things that we should look at for as community so um in alphabetical order um let me introduce to you first uh there on the my far left your right uh Mr Jack Daniels J Jack Daniels Jack Daniel is the co-founder of Security BSides so BSides Augusta is
just one of the BSides conferences that happens all over the world uh Jack started the first BSides conference he's a community builder storyteller technologist security professional and he works for Tenable Security has over 20 years of experience in network and systems administration and security and has worked in a variety of practitioner and management positions Jack used to put letters after his name but he lets most he let most of them fall off and feels better now so please welcome next in the middle is Representative Jodi Lott Jodi Lott uh represents the citizens of District 122 which includes portions of Columbia County she was elected into the House of Representatives in 2015 born and raised in Maine
Representative Lott graduated from the University of Maine with a nursing degree she spent 18 years as a registered nurse in both inpatient and outpatient facilities within the greater Augusta community uh wellness and physical therapy practice in Evans Georgia I think I skip the line currently Representative Representative Lott and her husband Jason are the owners of Evans Rehabilitation and Wellness a physical therapy practice in Evans Georgia where she continues to assist in um in administrative responsibilities Representative Lott currently serves as the vice chairman of the Intragovernmental Coordination Committee and a member of the Health and Human Services Juvenile Justice and State Property committee it's Representative um Lott her husband Jason have two sons dton Kobe and live in Evans Sur so help
me and welcoming Representative Jodi [Applause] Lott next second from the right my right your left here is uh Brian Ozden Brian Ozden is the supervisory senior resident agent for the FBI uh Brian Ozden began his career as special agent of of the FBI in 2013 where he was assigned to the Atlanta division Augusta Resident Agency um where he worked for a variety uh of criminal he worked a variety of criminal offenses to include violent crimes um major offenders domestic terrorism and cyber uh he created the crs's child exploitation task force which I understand doesn't actually do child exploitation you go after the people to do okay CS important clarification they they CS child exploitation task force to oh to protect
and rescue children from human traffi right there on the bio I should have read that um he was the agent in charge of operations um in Guantanamo Bay for the last several years he's a lieutenant colonel in the Air Force Reserves and he has on a side note personally uh arrested bad guys who breaken broken into networks that I was responsible for so um I very much appreciate uh Brian please join me and welcome Brian next second for the left over here is Elizabeth [Music] Wharton who has the biggest fan club in the entire conference room so Elizabeth is a technology focused policy and transaction attorney specializing in the development um security and scale of emerging
technologies including drones smart cities and autonomous vehicles she is the vice president of of strategy for Prevailion Prevailion thank you a cyber security threat intelligence company overseeing the development and implementation of legal policy and strategic partnerships prior to Prevailion she was the senior assistant City attorney responsible for advising the Hartsfield-Jackson Atlanta International Airport on technology policies and projects and was part of the immediate response team for the City of Atlanta during the 2018 ransomware incident okay so please join me and [Applause] welcome and last but certainly not least here directly to my left is Mr Jake Williams Jake Williams is an information security professional with experience in offensive and defensive security
operations he founded Rendition Infosec right here in Augusta Georgia he performs network security network security monitoring forensics incident response and red team operations Jake is also a senior instructor for the SANS Institute and an IANS faculty member so please join me in welcoming [Applause] Mr okay so panel my first question really is is there a need for the state of Georgia to have state legislation at all that criminalizes um these types of activities and if so and why does Georgia need to have some of its own legislation so would like to think that first thank you Mark um and I he gave us a heads up that he was going to hand the mic to me so I did have a little bit of
time to prepare for this particular question from the federal side I can speak I can simply say that we have a federal law it's Title 18 1030 it's the Computer Fraud and Abuse Act and it's been in effect since the it's not used a lot here in Augusta but I can I'll give you an example of a case that we worked here and and and I'll tell you why I'm giving that as an example after I tell you just a little bit about it so an employee of a company actually a couple of employees of a company uh they decided they were going to go out on their own and start their own similar company uh their upper
management realized this is a smaller mom and pop but but a decent size business uh a few million dollars in revenue uh they just they determined that they knew these individuals were going to go and start their own business so they terminated them upon exit the these it's a husband and wife combination they one of the one of the individuals the the wife had access to the credentials of all the employees to get into the network so a few weeks after they were terminated these two individuals were able to log in to some of the uh accounts particularly the email accounts of the folks that they had uh the company they had left and the reason
they were doing so is we determined was to to take uh proprietary information in particular some bids on some contracts that they were working on for some local companies they then use that information underbid the company and then were able to get the bids themselves for their new company well obviously this poses an issue for the company that they left I mean if you're stealing all the proprietary bid information and all the pricing schedules for for a competitor it gives you a a pretty big Advantage so we were able to go in we determined through IP addresses that they had logged in to this uh their former employee we were able to do a couple
search warrants and subsequently got the individuals to plead in information which in our world is is counter to an indictment they were convicted arrested and they're serving time but the reason I bring this case to an example is because if this case had happened in Atlanta the federal government would have never never touched it the loss was you know $40,000 which in Augusta because we have have a a close relationship with the US attorney's office in the community you know that can make an impact it was actually the first of that particular act and i' I've been in the bureau since 2003 that was uh not 2013 but this case was like 2007 it was the first time we
had used that particular act as a as a case so you know we wanted to to demonstrate that it was effective but in Atlanta that would have never happened so ultimately if we punted that to the state system there would not have been a comparable criminal law to to to charge them with now you know we also use wire fraud and and some of the other there are some other federal laws not specifically for computers that maybe the state system could use but having a very specific cyber computer intrusion hacking law is is beneficial and I hope that's a good example to show why we need one in Georgia just as a a follow what how much damage would you say is
typically required before it's going to Garner the attention of law enforcement in say Atlanta so that that varies by District uh we're in the southern district of Georgia um we've got a very aggressive us attorney's office and there's a there's a few factors that play into that one is the deterrent Factor you know it could be very limited damage but if it's a deterrent if it's wide reaching and and there's a way to to set an example to so that we can show the community that we won't tolerate that then then then that number could be very low the thresholds are I mean the minimum is 5,000 but the federal government I I've presented cases to the
Northern District which is Atlanta for upwards of fact some of my colleagues here we presented one for $2 million in Atlanta and they declined so it just kind of depends on where you are but I can tell you that the case we work down here that point I just shared with you would have never been addressed they just have too many cases to to deal with $40,000 and we got creative we we started trying to add in the cost of redoing their security network redoing to try to make the loss bigger but still in a bigger jurisdiction you know spee like look at New York or DC I mean they would never touch a $440,000 case or
Atlanta would either yes sir what you mentioned the deterrent C could you could you tell us what that me detect to try to to set an example so the community um in in in cyber I mean to basically to motivate people not to commit the same crime so if it you know maybe it's a $40,000 loss but if there can be a media Splash about it and the general public say says if I do this I'm going to get 5 years in jail most people don't want to go to jail for any number of years but certainly uh the time type of crime that the federal government gives you especially considering we have no parole
so you do a majority of your time that has a deterring effect on the community I was one reason why this particular case I just shared with you because we hadn't used that act uh before it was a way to demonstrate to the community that hey there is a Cyber Law in the federal government and we are able to use it if we want to so I don't know in this particular case if that had a deterring effect to the people that might have potentially committed these kind of crimes but we certainly had that intent so just one more follow so if um if in the case of the $2 million in loss and the FBI Atlanta says no we're not
going to take this case if you are a resident of the state of Georgia is there some other recourse that you have or does the fact that there is no Georgia state law mean that you are just now out of luck so yes and in that particular case it was it ended up being prosecuted by uh the case was multiple jurisdictions so it ended up getting prosecuted in DC and the 2 million that was involved in Georgia was rolled up into that particular case I mean so there are some but that's not always the case this hadn't been a large enough case where there was other victims in other jurisdictions um and and the reason why
we actually brought it to the attention because one of the victims was was actually in Augusta so we thought maybe I mean it was maybe $100 out of 2 million but we thought maybe we could we could do something with it but it was just too complex but if that doesn't exist if the the only law now I'm not saying I I can't speak for the Northern District of Georgia and I don't know what their thresholds are I can just talk about that particular incident but you know I can tell you the $40,000 would never be prosecuted in Atlanta that's that's well below their thresholds and and frankly ours for fraud cases are a million dollars but because we have a close
relationship we can sometimes go well below that um Atlanta because it's a bigger jurisdiction they're not able to do have some of that that variance that we have down here follow here uh so I'm curious can you can you talk about a a case maybe where you basically give an example of a crime here in Georgia where the lack of this this type of law prevents the actual prosecution of a crime do you have any examples of those because that that's what we we heard pressed a lot you know here was that the lack of this prevents us from prosecuting crime and curious what your take on that is you know given your experience and again it's
hard because Augusta has such a uh such a great relationship but we have you know we're in a small community small office so we're able to take a lot of I can actually give you one example of just that um there was some defacement of a website um that and actually was it was Mark's uh Mark company um potentially we could have prosecuted the individuals but because the complexity and the the U there was really no Financial damage at all uh it ended up just kind of we cleaned it up we brought it to his attention he cleaned it up and it went away um which is not obviously you want to put people in jail when they commit a
crime um in this case now if there had been a state law maybe we could have pled it to our state uh our state folks and they may have I know that DA's office in Augusta is very aggressive so they very likely could have but in this particular case we just focused on detection and then stopping to live with the yeah well and one thing to keep in mind too is we do have computer trespass so we have O.C.G.A. 16 sorry 16-9-93 for any other fellow W NDS that when you with unauthorized access go in and uh in the case you were describing accessing someone's network without authorization and take some data take information from
them that you have violated the statute and it has those civil as well as criminal penalties so that gets us into that sticky widget though of the just because we have a shiny object do we have an existing framework and in part of the motivation behind where SB 315 came from the elections uh database and so in that case no information was taken no you know they didn't really they went in identified the vulnerabilities but because there was not that further step that they didn't impact that that's the gaping hole that the Attorney General's office was looking to fill so for those who don't know there was a particular case that uh drew the attention of some legislators
that that um this is can anyone share the details of what that particular case was does anybody want to um let's say thank you for letting me be here today I can barely turn my own computer on so I will not be giving you any technical information but um basically this SB 315 was considered a snooping bill something that we didn't have addressed in code and I know Elizabeth just said that that we do have some um trespass um language in in code if you move anything if you shift anything and actually even if you use data to your advantage um so we do have a code that kind of follows some of that but I don't I don't know all of the um
the Attorney General's you know levels of which they can do things but this became the snooping bill which was um we have an elections database at a university system in Georgia and it was maintained by the university system and it was a database that was used by pollsters um who are the Republicans who are the Democrats what doors do we knock on and it was so it was not actually officially our elections our Secretary of State's office but it was a database of Elections information and someone went into that um and found the vulnerability in that system and brought it to the attention of the University system and then needless to say things are not
always handled properly in government situations and we certainly did not handle that properly um at the time that the information was brought forward but once it was all discovered that somebody had made their way in had snooped not moved anything not touched anything uh you know not really not done any harm except they brought it forward um and once it was figured out of course now we have made some significant cyber changes and and um we certainly outsource a lot of our stuff now that we didn't before so it helped us but they then they took offense so then as a government we took offense we developed SB 315 and we um um and we wrote this legislation and it was
very very very broad um and then we'll get into that on further questions but that's basically the Kennesaw State University elections um happening snooping incident so thank you so as you as you mentioned uh so SB 315 was was pretty widely criticized as criminalizing a lot of legitimate and necessary research as well as um legalizing quote unquote hacking back right so that was one of the criticisms of the law is that it encouraged or legalized hacking back um so can any of our panelists help us to understand the flaws and the legislation that led to its eventual veto by Governor Nathan Deal I'm happy to take part of that at least um you know so so I'm not going to
cover everything here by any stretch but you know real quick I would mention that uh you know the Atlanta ransomware incident that Miss Wharton was was involved in there at least on the legal end in the remediation involved in the remediation any relationship with the folks holding the information hostage I did not see any of the Bitcoin that was not paid this is kind of like this is kind of like when I have to admit that I used to work at HB G when they were breached right that's never a fun time either you have the caveat I wasn't in charge of security um anyway but as we talk about you know the Atlanta ransomware event um you know one of the
things that that came out immediately after they got hit was that they you know had big public relations and you know PR teams coming out and explaining how you know they have great cyber security in the city of Atlanta right that's what they do and everybody gets hit and it was just you know it was just an opportune thing for them but it turns out that we have scan data if you remember the Shadow Brokers incidents uh when they dumped dumped a lot of tools we have scan data uh going back where Rendition Infosec was scanning the whole internet um and uh we were actively interrogating uh machines that were open on port 445 for those that don't know
Windows file sharing which is a really bad idea to have that publicly exposed to the internet and it turns out that some of those tools that were leaked you can tell whether or not machines have been exploited by interrogating those machines and and by questioning those machines without actually accessing do access work I don't know actually that's a Liz question um but how does access work what's legal definition there but we were questioning those machines without directly compromising them and and identifying those that were compromised and so we're able to provide a useful I like useful data point back to uh back to the community to say that a year before five of these machines
definitely five of the servers in the city of Atlanta uh had and again this is a a minimum number had been compromised right and so this kind of throws in the face of or you know flies in the face of yes we definitely take cyber security seriously when you can show that these machines that were publicly exposed to the internet had been unpatched for months right so anyway so the point there being that the research that you did would be illegal under SB 315 yeah I apologize here I forgot the overtone right the research there would be 100% illegal under SB 315 uh we would not have been able to conduct that research that would
have been criminalized under the act well so the version that we see up here is the version that was passed if you go back and look at what was first introduced you see how the one up above us has all these kind of carve-outs uh legitimate business purpose uh under the terms of service and even the whole hacking back the ability to in the initial version is introduced none it was the um intentionally uh accessing without uh authorization so as the bills evolve through and this is absolutely Jodi's wheelhouse and what y'all get but it's part of one a speak to the community the community reached out and said hey we've got some issues with this they were
receptive work some of that in but to look at this and the flaws within the legislation as it is it's still light years better than it was and there's still that much further to go so it's kind of that important part but speaking to the actual legislation in its path um this is my great opportunity to you should know your representatives but I know nothing about cyber um this is an SB bill meaning it starts in the Senate and um I am in the house I would not have seen this bill for um an additional 12 working days had it not been from an email from Mr Mark Baggett and it was a first phone call and then an email that
went into to say hey there's been a bill that's been passed in the Senate the bad version the well I should say the worst the worst version was actually passed out of the senate in that form where there were no exemptions it was unauthorized use well so at that point the phone call and the message from Mark to me was what can we do about this legislation I need you to basically I need you to find it stop it um help it fix it um want to go to jail agreements what is it um uh your your what do you call this agreements on the computer when you're just terms of service thank you I mean none of that was excluded
from what we were looking at so everybody pretty much anybody and in your email to me it clearly stated if you have a fake name on Facebook you're done you know I mean he just went do this long list so you know he he had um this opportunity we had never met before that um but I just want you to know that that's how these these kind of things evolve um and we we did make some changes and we did make some significant changes to the legislation it was still just a two-page bill most of the bills in Georgia and I know that you're not all from Georgia but most every bill is less than six pages long um when I do
get a phone call or an email it means a lot to me if you've actually read the legislation before you tell me what's wrong with it and so we were here and this is where he met me right in the middle and we fought through this battle um plenty of reasons why this bill from the Senate was not going to work we have research institutions as you can imagine but he pointed all of this out so um we went ahead and scurried but I would like to say that your entire organizations um all of the the Cyber grouping and Technical people um there were a lot of folks sort of hitting the governor's office and hitting the house and the
Senate and coming forward with similar information but we were able to take this bill and um sort of adjust it that didn't make it perfect but we can along those lines me point out Scott Jones with the EFF is right here in the front uh Scott's Scott's organization um did did a lot in lobbying um with you get i'll pit you want okay you want to do is this is it is the question here um of what kind of impact this is going to have on um on the community why this is a bad bill is this is right well um I probably the best way to go back and the best way to go back and
look at everything is to to to look at our website ef-georgia.org where we did the full analysis and so yeah I've was Electronic Frontiers Georgia uh we started back in the 1990s and one of the one of the co-founders is also here um and so uh yeah we did a full analysis of the bill and it's on our website ef-georgia.org if you look for SB 315 um I think that the the hack back was was uh very concerning for a lot of people um but as you said this bill as was said already the bill went through many stages and had many problems the very early draft of the bill actually had a property forfeiture clause which
was extremely broad and it was extremely scary so you would have whatever equipment been used to do the research would have been snatched up as part of the investigation and resulting but I mean the way it was written if you plugged your computer into the house power then they could they could take your house because your house provided power for the computer that you used for the hack so it was it was bad and kind of going building further EF Georgia going to in reaching out to all of the different technology information security organizations learning as much as you can and figuring out how you can help the effort because unfortunately where I was sitting at the time the city of
Atlanta we didn't have an official position on the legislation so as an employee within the Law Department I could not say a thing but if people happen to reach out to me I could give them hey I see you're very interested in this bill may I share with you a chief of staff for or the staffer who here's their email address phone number etc etc etc here's how to reach them send them a very you know well written letter if you need some help on that good you have Georgia look at what they're doing look at what others so getting involved in that plays a significant role in getting stuff changed because legislators can't know everything about the nuanced
subjects and so what sounds like a great idea of we can't you know oh you shouldn't be able to have unauthorized access that's bad and they Point things but then to be able to walk it back and say but the reason the database is now more secure and the reason is because researchers found the vulnerabilities and disclosed them and to the proper contact so when we have all the stuff about oh responsible disclosure bug bounties everything to know that just even that research if you stumbled upon it would trip you up under state law is just SC first I have to Twitch because you said responsible disclosure and we do not use that term responsible is a word
that's been used against researchers by vendors a couple of things we've talked about um authorized access and here's where this can't be vague I can go to your website so I've accessed your website but I can't go to the page with your costs of materials behind your catalog cuz I have to log in first but if you misconfigure it and I click a link and accidentally land somewhere where you say I can't go I was authorized on a computer level but you say I'm not allowed to go there this is one of those things where uh and this is the challenge with this Computer Fraud and Abuse Act uh CFAA um is not especially clear either and so one of
the reasons I think a lot of really wound up about this is like hey if Georgia is going to have a bill um it should actually solve some of those problems and it should be a tool that's useful for small businesses to defend themselves it should be a tool that's useful it should be a tool that doesn't leave law enforcement wondering how hard they should work and then doing an enormous amount of work and watching it go thud on the other hand it shouldn't have curious high school kids with felony charges you know ruining the rest of their lives so simple things like we talking about authorized access what exactly does that mean does that mean
what you think is authorized or does that mean what the logic in the you know the logic flaws in your computer system that often make for access and so it's a vagueness in this is is not good I often joke that uh that the uh so CFAA first person convicted was Robert T Morris possibly the last person that legitimately convicted that's not fair to say but uh you know so it's a real issue but but as far as not being able to bring the law one of the when I do history talks one of the people I'm talking about are two French brothers who subverted the the French semaphore system long before electronics by
bribing somebody who put signals on and they realized they were playing these Market scams they would find out when the fish were Landing they would just beat the market to death and uh so they defrauded hundreds of thousands of dollars 150 180 years ago uh and so they were arrested and they looked on the books and there was no law and so they're like oh well keep all your money and uh good luck you know so if if people are doing bad things it needs to be illegal we need to understand what it is if I could follow up with Jack Daniels and I have to admit I've always kind of wanted to say that
the I agree CFAA is not it's not a it's not a perfect act it's it's got a lot of loopholes and many a good defense attorney has been able to mitigate their clients uh because of of some of the loopholes but the intent is there's really five categories and I I wrote them down so I wouldn't miss them that really was the intent of the law and it's data that's related to national security that's a no no you can't just go in and access that whether you're doing you know legitimate research or not if it's a top secret database you're not supposed to be in there um financial records belonging to financial institutions including credit card
issuers that that be prosecuted under this law uh if you have the intent to defraud obviously if your intentions are negative and bad then you can be prosecuted under the law uh information that belongs to any US Government department or agency again that kind of C caveats with the national security but if it's you know something that belongs to a government agency you can't tap into the FBI's website and dig into it or some of our secure networks even if you're not trying to do anything bad that's still considered a violation of the law and then if it relates to interstate communications or commerce um and that's where I think you have a lot of gray area probably uh Mr Daniels
was discussing there is there is some gray area in that one and and that's probably where most people end up uh with their defense yes sir i' like I have a two-part question first part is how do we determine legitimate research from somebody who wants to break in steal the information and then later on CLA in thought they were and secondly I heard that e andever people on keep referring to this as a hack back bill but I can't find the word hack back anywhere in and they seem to mention computer security active defense where did the hack moniker come from take up I'll talk about the research thing right um I I think it's
really really difficult uh to tell at a at a technical level to differentiate uh legitimate research uh from uh what looks like a computer crime otherwise I'm going to come back to the you know to the example because I don't want to imp implicate myself in other potential crimes I'm going to come back to the scanning the internet for the for the stuff you know compromised by EternalBlue that looks just like exploiting stuff uh and and trying to access those those back doors right so the only difference is I I stop immediately before but for all you know uh you know we we we actually saw I should say for all you know we observed you know with
some of our internet sensors people doing that first and then coming back from the same IP addresses and dropping dropping hour later uh you know in in a period in some cases of of one to you know 1 hour to to a couple of days um so certainly that's not outside the realm of possibilities and that makes it very difficult to differentiate um I I think the law enforcement folks will speak to intent but at a technical level it's very very difficult for you to step back and say you know here's precisely the line between research and obviously there's some obvious you know you know when you cross the line you're doing damage or whatever but you know you
interrogating a system could indeed take that system down in which case you you did not have access to the system well now we straight into now we have committed a criminal act while doing while doing research again at least under the under the law let me just ask let me just ask a question of the audience here just to kind of understand the the gray area so um if you run an nmap scan against a company's um IP range um if you would say that that is legal uh raise your hand is or should be is an nmap scan against the company's IP address legal what's the intent what kind of scan what's the intent dash A yeah with a with a dash dash
capital A option on your nmap scan and all the hands go down no it is legal right yeah according to current laws well so what if what if the command line option with the dash A includes doing password guess runs the default nmap scripts and does the password guessing against the SSH servers that it finds in the FTP servers is that where are we running it from from from your house I thought you said which one and which which VPN endpoint that the other end is yeah so so so the problem is is that the term intent is subjective uh and obscure um you can you can you know how do you how do you
determine intent uh the reason Hillary Clinton didn't get trouble I mean intent is is there a victim are you so I can give you another example of a case and this one's from Mark as well somebody breaks into a corporation and then tries to sell the sell what they found to that company and and caused damage by doing what he did so that is clearly his intent was was not just righteousness right but if you catch them in the act which we did they right but they haven't they haven't done anything with the they haven't gotten the data they haven't done anything with the data so that's the so I can tell you from that that exact scenario we did we
caught him in the act and then we did some research back and the same individual had done the same thing against actually the same university and also tried to sell back he had so um we had every intention of prosecuting this particular individual unfortunately he passed away prior to to it come to fruition but we were intending on on prosecuting him because historical data case closed also I would say that the law is intentionally
vague and that's I mean you highlighted in your other example as well it when you leave kind of the gray areas or when the legislators leave those gray areas in the bills or in what becomes the statute it gives a lot of discretion to the prosecutors and that's part of the problem of even discussing uh SB 315 it was like oh we we won't do that until you embarrass an important politician then they will prosecute or I mean there's any number or somebody's having a bad day and we have some amazing people that are you know working in law enforcement etc and they have a tough task but personalities are personalities and staffs are staffs you just don't know and
so from putting on my legal hat and when researchers for the companies I work with or work for would come and say hey can we do this like well all right have you put anything in writing yet can it pass the giggle test do you can you give me enough information to where I could go stand in front of someone and with a straight face make an argument in your behalf if I can't do that then no we can't do it even though it might be really cool research and it might it doesn't pass the giggle test have you put something in writing you shouldn't have or or are you documenting your intent with this uh have you documented
the relationship if there is one but that's the trouble with the grays I mean even looking at the section on the active defense well okay and uh the legitimate business purpose um it's not legitimate business purpose because nobody's paid me yet but if I'm doing found some really cool research and I use it to get a job do I have to wait to close it after I've been hired and then go and show that I was doing it for job hunting purposes or school or I got nothing so did did anybody have a good why but the it's the phrase active defense right that's that's and that's utterly undefined active defense can be a script that um blocks an IP address if
it hits your firewall too many times and we just going to drop all that traffic or active defense does that mean I'm going to rm -rf all the boxes that are getting me you know which was problematic when Akamai controls the third of the internet yeah okay so the um the hack back uh clause is indeed the line 18 cybersecurity active defense I am not a lawyer but I did some research on this and it turns out that the the the hot hot phrase cyber security active defense has no specific legal meaning based on my research so that means that that judges and juries could construe it to mean whatever they wanted it to mean based on how
it's being cast by a prosecutor so it it I it could be read um as hack back but the problem with hack back legislation is what about false flag there's many other problems um but that's that's part of the problem what if you set up somebody to look like a bad guy which is that would be false flag um but it is line 18 and and doing the research on it I found out that it does have no specific legal meaning okay so um so law is horribly flawed is that is there a consensus here on this so all right so and there there is a need for um to protect legitimate researchers from from this type of legislation uh so
can can any of you share either personal anecdotes or examples of how criminalizing this would have adversely affected customers so if this law had passed right then really what negative what's the worst going to happen right just another law let's talk about you're talking about legitimate research but let's talk about another edge case completely made up no basis in reality at all imagine that you live in a small town perhaps in Georgia and uh your water bill comes and uh it says you can pay online and you go online and they use third party portal and you put in your username and password and your username and account number appear in the URL bar and those of us that have been in
this business for a while have a real urge to change things in that um because thankfully nobody does direct object reference stupidity on the web can I in this completely theoretical situation where I drive to the water department and hand them a paper check every month 'cause I don't trust them oh wait maybe not you know what do you do it's under a mis- under an extreme interpretation of this stuff I can't even tell the people at the water department now there's a whole another problem which is when I do tell the people at the water department there are people at the water department they're not people that understand web security much less cyber security andb 3 of the Alternatives and
so I've just stumbled across something that is at best a poor practice and at worst lets me you know see everybody's bills and possibly um you know I don't know how far you can go because I'm not about to dig into that rabbit hole but anybody that's played with one of these websites that's you know whether a pen test or testing your own systems knows that sometimes that little thing opens up just utter nightmares um so what do we what do you do there's like I I would be afraid to if this passed I would be afraid to report it because first of all I don't know where I would go but I would have to go up to the company that
does it for a bunch of small towns and they're probably uh going to respond like companies do so you know there there are all these challenges so it's like oh hey I stumbled across something it's a bad practice maybe whatever and and this gets into a lot of historical cases around the world okay I change the last digit of the number and I see somebody else's account okay um if I stop there then I have a pretty strong case in my own mind maybe not a prosecutor who wants to be DA and eventually run for president um right you but is is that over the line is two or three over the line you know the ones
a lot of the stories that you know to to flip to the the law enforcement side a lot of these somebody found this kind of problem and uh they're being prosecuted what doesn't come out is they downloaded the entire database you know they wrote a script and pulled it all uh but where does that line go where can you know this can keep me from saying you need to fix stuff and that's not even intentionally going on looking for it those of us in this field who just if you pay attention you see really bad stuff all the time and this would keep me from reporting as it is I always think about whether or not an
organization that's likely to respond well to being told they screw up so what about the opposite of that someone has a problem with the water department they found a problem and the first call is to R bre to try to embarrass them and are now publishing all the usernames and passwords so what's the flip side to that how do you tell the intent of the person's actions based on all they do so in legal terms that's called burden of proof right y you would have to the prosecutor owns the burden of proof to prove that there was an intent and that the person should have known that it was unauthorized I'll throw another non hypothe I sorry hypothetical on example
um the uh a a hypothetical 11-year-old that may or may not belong to me um may or may not have found a command injection vulnerability in a school website that her school third party website um that her school uses uh that may or may not have uh allowed her to gain access to lots of uh other students information not just the students but also their parents um and she may or may not have come home and bragged to me that she had discovered this right now um you know a lot of people at least when I when I had a daughter initially no no when I had a daughter initially I was worried about having the talk um and I
had no idea what the talk was going to mean in 2018 terms but uh you know this this is a great example where you know if and she wasn't actively pen testing as an 11-year-old right but she she well she worked works with me sometimes and and has seen some of the hey throw semicolon in here and let's see what we can do and got some data back and and all of a sudden now we're kind of you know we're stepping foot into the active hacking whatever right was she wrong for doing it hypo wrong for hypothetically doing this completely hypothetical scenario allegedly doing this um yes no question about that right I think we can go and level that right
now um but uh you know kids being kids and her not intending to do anything other than say hey is the security on this thing that has my information in it kind of coming back to Jack's example is the security of this thing that has my information in it you know is is it is it well put together and uh you know we we were able hypothetically to disclose to this uh company that uh hypothetically Columbia County and Richmond County both use as well uh and uh you know all our kids are safer for it right but under SB 315 I wouldn't have touched that right so if SB 315 were law there's no question that uh you know we
started that computer uh trespass as it were in the uh you know in one of the counties in Georgia so I guess that's a good example for me at least hypothetical example of a place that would matter Brian you want to talk you talked about this one here it's a good it's a good example for one simple reason brother we don't have the federal system doesn't have a juvenile we have no juvenile system so so if she was 18 or 19 and committed a actually did commit a crime there would need to be some kind of state law to be able to to prosecute her I'm still going to get that information you should put her on a
watch she's frequent dangerous so um one one more example of something that I had I had very recently so um uh prominent information security researcher came to Augusta was doing a demonstration of some awesome things you could do with the um uh software-defined radio systems right and it's just got software-defined radio system plugged into the laptop and is tuning around and um suddenly on the screen starts uh flowing some uh HIPAA type information of um you know patient being checked into emergency room name date of birth social security number check into emergency room diagnostic codes of patients being transmitted in clear text wireless SDR radio so I go on the internet 5 minutes of searching YouTube
videos and reproduce this in you know a couple of minutes right looking at this information so what do you do with that well under SB 315 even without SB 315 it's like well is this a violation of wiretap laws is this is what just happened here is doing what this YouTube video walks you through is it legal right it's just the the problem is with many of the laws right you can read the law and see what it says but then it's also gone to through court and there's there's there's case law on top of courts right we had uh San Francisco 19th District um Court look at our wiretap laws and say that wireless connections
are no longer radio transmissions right that we're not using radio frequencies um when and once you have established a Wi-Fi connection it's no longer radio communications right well that is complete nonsense right to anyone who has any type of understanding of radio frequencies so for us to even understand whether or not something is legal or not requires both a law degree and a complete understanding of all the case law that leads up to these things it's as researchers this is it's just too dangerous to do anything so are we scared into a position where we can no longer do legitimate research to find vulnerabilities by by the way last Saturday found a buffer overflow Microsoft PowerShell version five
looking forward to completely uh understanding that and going through a uh irresponsible disclosure coordinated a coordinated disclosure um process and getting that um that bug fixed and making it safe for everybody so are we are we scared into a place where we can't do legitimate research and make things better for people or what happens if you're watching oh some you know botnet that's crashing down everything and say you sinkhole uh some of the traffic because well it stops what's going on it keeps the world TR but you didn't have permission to take over bad data you just happen to register one of the domains or you know you do something like that hypothetically and yeah you save the
world billions of dollars of damage but it's not a legitimate business purpose and it wasn't necessarily an active def defense because we're not sure what that is and so hey thanks for stopping the world from burning uh but we're going to sented to jail or I've had clients um in the past who may or may not have um purchased a automobile beginning with the D um and noticed it had certain similarities sof you and done testing on that and played around with stuff and they're goofing around they have no malicious intent they have no not a legitimate business purpose their creative mind it's sitting in their driveway and they don't mind if they mess it up have they similarly triggered
something under this outside of CFAA worries what happened yeah just quickly I want to point out the the hacker perspective here we're talking about um what we're doing to researchers or just obvious you know curious people um what what's not getting addressed in SB 315 is the those who are negligent with our data those who um violate HIPAA and other laws that fail to protect our data uh they're getting away free if we can't hold them accountable we don't have the tools um and you know something that'd be great with Georgia is we could put some teeth into our into our uh breach disclosure law I had a credit card reissued because of a merchant breach
nobody's owned up to it I have no way to find out I can't force the credit card issuer to tell me who it was they're indemnified uh so we've got laws on the books that uh should help us as individuals against the corporations that aren't securing our data they're not being used in a way that protects us so not that I'm advocating vigilante cyber whatever but we need you know we need the the uh as Karen hackers you know the internet immune system is those of us who are curious and watch things whether formally or informally because that hospital uh wasn't doing what HIPAA requires them to do you know the the the credit card
merchant was not doing what Georgia law requires them to do in notifying the of the breach so um we we have to remember there are other parties it's why I object to the term responsible disclosure because it's normally used by those businesses against those of us that do research by saying we're irresponsible when they are the ones that failed to secure things in the first place and not that it's easy there is an industry because this is hard a lot of us make good money because it's hard to secure stuff um so it's a complex it's a complex situation and simple answers fail you I see some questions there you you take the microphone um if kind of on a related
topic if I'm a business owner or say a software engineer and I'm building a product that has um a touch point from the internet uh legally are there other statutes for um the the example that I think to my mind is let's say I own 100 acres of land and part of my property borders public land if someone wanders onto my land and I don't have a fence up did that person trespassing and could I prosecute and then on the um digital side of things is there a a standard or a burden on the provider of a service um to secure their stuff that they have to meet that standard before they can prosecute um not just
someone who's trying to brute force a login which is a little more easy to prove intent but um those cases where a researcher finds open vulnerabilities I don't know if that's clear yeah so the question is somewh um are there laws that do kind of go what Jack is saying is in forcing because I know we have things like uh Visa Mastercard um uh PCI standards that are kind of corporate enforced but it does anybody know of legislation that is putting some teeth behind um making corporations who have data uh responsible for the data they're holding to question I the EU is it there what's that GDPR there's GDPR says you canel Thea my mouth I'm going to get the airport
wrong but about a year ago I think it was Heath Bristol one of the airports had a data breach in a sense of an employee had an unencrypted thumb drive that had a lot of information on it that was found and they just received the airport itself received 120,000 pound fine um in the US you have the FTC that uh should be doing more of that perhaps there's a fight uh between the different FTC FCC uh and where you're looking at who actually is going with the FTC is in charge of consumer protection uh but whether they have actually exercised that um authority and put teeth behind it was reading something just as we call the SEC is looking at
putting security and lax security practices as something so you have government agencies that are doing it uh from a state level just depends on what the state statutes if you've reached a duty that has been imposed but um as you see the it's going to take a lot heavier of a fine or um lawyers and insurers we we mess everything up so either they get sued as heavy heaven or a fine that hit where it GRS all right so you had a question you would good ask yeah um so it seems like the same kind of argument we were having this morning about white listing versus blacklisting obviously you guys said this is in reaction to bad stuff
happening to Atlanta why don't we basically create you know a bill that's a white list of stuff that is okay it is acceptable for you know to do job are all going to you what you can't do in what should be right so I think the question the just I think the issue would be the same thing that there is with actual whitelisting is if you try to implement application whitelisting which is where you say these are all the applications that we're allowed to do in our organization what's the problem with that it's that it's always changing it's always evolving right the next day okay we business needs change I now have to do this and it would be the same thing
for hacking right uh Microsoft released a new tool um so there's a new technique that needs to be used to or Microsoft is a new product there's a new tool that needs to be used to break into that system so the techniques would never be evolving so I I would fear that if you had a white listing approach to the law that that would be good for a day and keep in mind the Georgia legislature meets for 40 days and so what happens if we created this list they've worked with all the industry groups and on the 50th day after the legislature had Microsoft comes out with some you know and it evolves you can't play catchup when it
comes to technology calls you can't chase the shiny object you have to pull it back and say okay what was the harm what was the end result because you look at the mechanism through which folks are doing it um there's enough OD out there research that you're already behind I think your mic got turned off I'd actually like to hear Jack's opinion on this as well but I'll tell you that if we had a white list approach even assuming that everything stays static um and we don't have the constant change problem I'm going to take that off the table for a minute I would actually be less comfortable performing my my job because anything that wasn't explicitly
in the white list I'd be worried about doing now versus right now I've got a pretty clear understanding of of at least stuff that's over the line right and I think we can all identify lots of gray area but I know I know where the black list is at right if you come up with the white list I'm suddenly fearful that and again I'm really interested to know Jack given his experience what what you think about this but but I'd be more concerned with the white list doing anything that wasn't on the white list now okay um let me come back to questions at the end I want to I want to pose one last question to the group um
and give everybody a chance to respond and then if we have some time um we'll come back to questions and answers from the group but um so the the question question is that you know there there has been some discussion that in the um 2019 uh General leg uh General Assembly session that some people are going to reintroduce the law right there's a an election coming up and things are going to change um perhaps in the in the makeup of of the Senate so and house so um although we we certainly hope that Jody L will still be there she voted but uh regardless of that right um um uh you know what's going to happen in the next
legislation we uh in the Le next legislature and um particularly how is it that uh lawmakers can address the gray areas right there's there is gray area right we we don't is it okay to go up and change the item on a URL right we there was a time when someone was arrested for that right with the with um with apple registration and then later exonerated right is that right he wasn't exonerated yeah it wasn't exonerated he was it was wrong procedural issue procedural issue okay so maybe just changing a URL is illegal right um nmap scanning is that legal well we don't know right none of us here know whether these things are legal how do we address the um gray area
in the legislation and find the right balance between allowing researchers to do what's necessary to help um us understand vulnerabilities and eliminate them from these products so that we are all more secure um and what what do we need to do to do that so I'm going to just this battery is working so we'll just pass this one all the way down the on the road give each of you guys a chance to answer this question I'm going to be super short here because uh this isn't rocket science right we've had the gray areas in and particularly the interstate commerce is is absolutely it's it's laughable coming back to the laugh test or the giggle test
um the idea of interstate commerce triggering or any system that that's involved interstate commerce show me an Internet connected server that's not involved in interstate commerce right I mean seriously that that's where the giggle test land is for me so I'm going to step back here and say that for this this is fairly simple we've been having the uh the CFAA debate and the what's wrong with the CFAA for a a long time now and the idea that you know we went forward or the Georgia legislature went forward and wrote a bill with many of the same ambiguities but but somehow worse um is uh you know is that that that doesn't pass the giggle test to me
so I'd step back and say hey take a look at the arguments that have been put forth before and at least solve those at a state level rather than writing legislation that has all of the same problems and then adding more sir and I would agree 100% uh it all comes down to intent I mean if the intent is to do research and do good things then obviously you shouldn't be criminalized for it the intent is to defraud to steal national security secrets then then of course you should be so there needs to be some serious debate on that and then I'll leave it to the experts in the house and the Senate to to to come up
with a bill that that meets that need and on that yeah we we certainly didn't prove to be experts on this one did we your Nursing degree prepared you for um for this you prepared me for this thank goodness again you know we are farmers and real estate agents and nurses and all of these other things do know that your government affects you every day and if you're not watching him we in trouble so you know we are trying to vote on these things I am not a fan of jumping the gun um and I think that we had an incident that um just scared um a few folks that um and again I'm going to
use the word snooping because I don't know the details of the case nor do I actually care the details of the case but it came to me as a version of snooping and nothing no harm was done we have code that already sets it up for if you take something use something something move something you know that already exists so I will say that I don't have the feeling that we're going to start this one again in 19 it may happen um there's a lot of hesitation the question was asked earlier about the why the governor vetoed and the governor um was very wise in the state of Georgia to recognize that again your industry
stepped up and came out loud um that's what it takes and so um I don't like this bill I certainly didn't like it when you handed it to me the first day um and there were some changes made um but again the politics of politics it got out of the house and it made it to the governor's desk and luckily everybody boots on the ground in your industry um got that stopped um my thinking is that there's a lot of conversation that needs to happen and it needs to happen with the right people in the room and that's not what apparently I'm only guessing here whenever this started it didn't start with the right people in the room um and we don't need
to be dropping legislation in the state of Georgia that has not been vetted by the industry which we are about to dramatically affect so um if this happens if it comes forward certainly not by me but if I see this bill um or if anyone uh is stirring about doing this sort of thing again we will make sure that uh there are a lot of people having this conversation with us um and then we get into some of what needs to be vague and what needs to be detailed um and I think we've got good legislation right now that handles the bad guys so I'm I'm not a fan and I'll pass it on know your house member and
your Senator and you call them if you think they're about to do something for you against you I should say building on that it's really reaching out and truly getting to know the policy makers and the question goes to you to the W enforcement side what do y'all need from an information standpoint as you're going through what information what voices what input is helpful for you that you don't necessarily have access you don't know what you don't know but finding ways to get the right people to come in and talk and part of that is getting the community engaged getting through EF Georgia through technology Association you know finding these different interests and if you're not
seeing the input you know your Viewpoint or your information presented Reach Out directly but getting the information that yall need to make the decisions that you need to make so um I'm going to take a different tack but first I want to make a point about intent um it's it's worth remembering as I play historian sometimes because I'm old um I mentioned the Morris worm before it was pretty much universally understood that Robert tap Morris had no malicious intent and he was the first person convicted doesn't mean he didn't do any damage that's why he was CU he turned something loose and they didn't understand how it did that much damage that's why way of
assert is because of that um spaff had to do the the analysis to figure out how this thing got out of the University but yeah there was no malicious intent and he was convicted now he didn't serve jail had a three threee probation um but I want to flip this around and so if something happens I you can figure out where I come on anti-hacking you know I'm opposed to criminals I'm opposed to people abusing my data I'm opposed to people not protecting my data not protecting sensitive information however um as much as there might be a rationale for the state doing things um I look at the breach disclosure laws and the state laws that U like Massachusetts
2011 CMR 17 and 93h um 2011 CMR 17 is the disclosure law 93h is basically what you have to do as a business that is in Massachusetts does businesses there to protect your data um there are I last count 44 45 states that have breached disclosure laws no to are identical um as you mentioned earlier uh the idea of interstate commerce um we're all everywhere right um so if something happens it needs to not be an unreasonable on businesses large and small to be able to comply it doesn't need to be another thing where there are 46 versions of a law um not that I think we can trust the federal government to get this right
either but I just want to throw that out there there's there is a flip side and I can believe it or not actually be sympathetic to the businesses trying to defend their system we we've got some some real challenges I think that as it stands um I don't know I understand the need for it and I you know last last to to hander to law enforcement whatever we do it ought to be easy for you to figure out whether or not you should do something right and then it should be easy for you to hand off to a prosecutor like yeah that's it shouldn't be well is this worth my effort so Jack that's interesting with the different 48
different laws and as flawed as the Computer Fraud and Abuse Act is Title 18 Section 1030 um what do you think the solution of the state of Georgia just says if you um violate the federal statute then you can also be prosecuted by Georgia legislators while it doesn't solve any problems it's it seems like a very quick and easy fix to me that um that makes it so that the GBI can go in and begin to enforce the existing laws where while not perfect we all it's it's a known playing field we know we know where uh lines are what do you think of that I have enough issues with the CFAA that I wouldn't endorse that okay but I
do think as has been mentioned before if we use the years the decades long debates over where there are holes in CFAA um even if we just pick a couple of things let's find a couple but trying to say hey there's a really bad federal law let's enforce it locally too I is not something that I'm really cool with um it's better than that one [Music] and we actually have that that statute's on the books federally if there's no federal law we can actually adopt the state law in the state of the jurisdiction to prosecute so and that happens all the time the other way yeah Fort Gordon it happens all the time because it's exclusive Federal
jurisdiction a crime is committed that there's not explicitly a federal law that's been violated you can use you can adopt the state law for that real quick and and I would never argue with Jack bis um but I I meant to say probably intent is not the right word uh Common Sense maybe a better word cuz intent is you know involuntary manslaughter there's no intent either but it's still if somebody goes in there and you know like and I'm not going to I don't know enough about the the the code you're talking about but if somebody goes there introduces something and it causes billions of dollars of damage it wasn't intentional it doesn't make it not a
crime it doesn't remove the damage yeah it doesn't remove the fact they should be prosecuted and unfortunately you know sometimes good intentions turn into bad results so that'd be my okay so I think we have what five we have three and a half minutes for some questions so we're going to go around see I saw a hand there and there a hand back here and then and after we do that I'll come back up here so you have a question for the yeah sorry I have to pick one of my questions because I had a bunch of thought in this but uh what I wanted to ask about was activism um news about SB 315 kind of dropped in two waves
for me local security Community people understood what it was about and how it would cause issues for them and then when I started hearing about it at the grocery store was when we had like a a wave of activism in regards to people getting frustrated with it deciding to take things in their own hands deface websites and whatnot um I'm curious particularly from our state representative uh what portion of feedback did you get that was people like him that understood what was going on and how it was going to affect them and what portion it was people were frustrated about the activism did that play a part in the law getting you know vetoed I'm just serious
so I will say um I mostly got contacted by people actually through Mark ended up on your site with all the data so most of what I got was basically fact-based fact driven give me something I can work with um and I didn't get the other but of course April 30th after um we had ended session in prior to the governor's veto there was what I guess you're calling activism going on here in Augusta Georgia where there was um information to a church was taken the local government came out in the newspaper and basically there was a message left that said um if you don't uh you know this is about this issue and
SB 315 was mentioned and the governor needed to stop the bill um that doesn't usually work for me that's not my favorite way to get information I would rather you not do it um and so I didn't I didn't see a lot of that hear a lot of that other than reading my local newspaper and but fortunately prior to of course that I had some very smart people who I had been linked in with that um that made some changes it didn't stop passed the house and it passed the Senate and I think more than anything you need to know that that it's not a perfect system that we have and we are a citizen legislature and we all have real
jobs at home and we're trying to make 40 hours a week there and live in Atlanta 3 months so you need to know that we need you and we need your expertise in in any area that affects you directly um after it passed the house after it passed the Senate and passed the house which I would not say that this is best way to do things but that did not stop we fought it at the governor's level for the rest of the time and we B you know so we were we were on it as best we could to to get it stopped still too many yeses too many yes votes so um Adam Savage once said the
only difference between screwing around and science is writing it down and uh I this is more sort of something to think on but uh perhaps the like a registry of individuals or uh institutions that are use the
blockchain protect the intent no um maybe you know academic institutions companies that are uh audited at some point to do this kind of research you know rattle the locks as a word um I could see some some shaking heads yeah all you need to do is go over to the EU and take a look at CREST and what it's done to security research in the European Union specifically in the UK and you'll know why that's a bad idea I will do that thank you it is it an abysmally bad idea on a side note Bri Brian you want to put your email up there and all the hackers in the room can send their email to especially Brian
a and he he'll maintain that we got the more more intelligent ones over here so next question was up here here and who is next so um on the 4th of July I attended a lunch for one of the parties and and a number of the people who are running for office were there to you know talk to the people and I said okay you're running for um you know a position in you know Georgia government how about I help you by looking and at your systems and making sure that you're secure you know this is free and I had not a single phone call from these people a single one these are people who are not from our
industry and it was alarming to me that no one took me up on a free offer to help protect not just their information but citizens information and so I the question I have is how do we the industry experts help people who are not in our field and get their attention because they are the people who make our laws and they're not educated in this area and we're thrilled to go and tell them how to keep things safe relationships positively relationships when I have a bill that comes through on low voltage low voltage electricians you know I call the guy in Evans Georgia that put my speakers in he owns the company what does this bill say
you got to help me out when I have a cyber question I've got a contact in my phone right now but if you don't build those relationships um you we don't know who you are I get hundreds of emails hundreds some of them make no sense at all I mean absolutely and some of all they say is vote no I don't know some I've tried to get my administrator to ask the question have you ever read the bill most of our bills like I said less than six pages long every a kindergartener can read the majority of these bills and um but I have people hundreds of calls a day while we are in this 40-day session of people who have
not read the bill they watched the news well that is not okay so just build a relationship and if you're in other states and something like this is going to hit you and you don't have a relationship you can call me I will find that relationship with whoever in your state and tell them what we went through in Georgia and see if we can get somebody to listen but we don't admittedly we can't listen to everyone you have to have basically almost proven yourself because there are so many people in front of us every day at the Capitol at the ropes every subject matter you can imagine and I really don't know who's who until you form an
intelligent argument which is how it got to me it was a very intelligent argument and it was a really valid bunch of points and stats and data and some historical issues he commented on some things you've been through and and kind of Drew the picture for me on a first grade level I got it and then that call went out so yeah so uh going back to I keep going back to the the thing with intent right it seems like the biggest gray area I'm seeing as I'm reading through this is that the only way you can prove malicious intent is if somebody make does something malicious right can't just say I downloaded a database to my
computer but I didn't do anything with it I just want to see if I can do it right you have to prove that somebody did something malicious in order to prove malicious intent so you have a bill that's essentially there to prevent crime but you can't enforce it until they actually commit crime would that would you agree with that sorry we're we're conferring uh among the legal lines um but when you start looking at so Georgia's existing statute the 16993 it doesn't really get to intent as much as it looks like you took the data you saw you could get in you saw you could download the database and you did and so it's not whether you intended bad
things you knew you weren't supposed to be doing it you knew you didn't have access and you took that information you kind of took that next step and so how it gets dealt with from the prosecutors and how that gets interpreted that's a lot easier to draw the picture because you can look and say I don't care why you did it um I don't care I mean how you did it it's fascinating because now you can do things but the fact that you did it was the end result but how do you distinguish between research and I just wanted to see if I could purpose it doesn't right right that's what but but as a researcher that's part of the
responsibility is understanding hey I may be going into a gray area um and knowing what kind of all right oops accidentally did this all right now I need to tell somebody versus getting caught um and that was part of the inspiration behind 315 the researchers did come forward and said hey maybe we shouldn't have gotten into where we got into and access to what we got access to somebody needs to fix this and so a firestorm because it's embarrassing because we'd already been embarrassed from several other elections issues okay so I want to thank the the panel this was a really complex issue and I'm glad that we solved it here
[Applause] today what is a solution yeah it was it was laws more laws yeah so um before we take off here I want to thank thank all my panelists thank everybody for coming out here but um Scott there's something going on here in uh in the next legislature you guys have some some watch going on or something like that I just want to give you an opportunity to tell tell everybody about that okay so for those people who'd like to get involved and wondering what the next step is um Electronic Frontiers Georgia this we did not do this the past year and this is this is one of the things that slip by us but coming up in the next for the
next session we're going to do legislative Review Committee and that means that um in February and March we're going to meet every single week and talk about technology legislation and see where we can have an impact and see where we can have a comment period and we can't always fix every problem that comes down but we can come in and and kind of give our input so last year we weren't looking at a regular basis and this kind of caught us by surprise this was passed in the senate committee on January 31st which is extremely early for any Bill to pass committee um and I was I was on I was on January 31st or I
think on February 1st I was looking up to see when this bill would come before committee so I could go out and and speak against it and it had already passed on January 31st and there was nobody speaking against it it was just the Attorney General's office asking for this St so we don't want to get caught by surprise we want to meet twice in January and then every week in February and March these will be virtual meetings they'll be on the you know with internet conferencing and we would love to have more representation throughout Georgia not just in the Atlanta area because we're mostly Atlanta based now but if somebody's in Augusta or somewhere
else in the state uh we love to have some other people in this call who could do some of this if you've got an internet connection you can go to the state's website and look up this legislation and you can be a part of this so if you'd like to get involved please let me know thanks thank you all right and thank you once again to can I get one more round of applause for everyone and thank you I hope you rest of