Honeypots, Part 3

* More on legal issues surrounding honeypots

Norwich University student Bob Pelletier continues his review of the role of honeypots in intrusion detection work. In this article he looks at privacy issues surrounding honeypot usage. I (Kabay) have condensed his text (with Bob’s approval) to fit the format of this newsletter.

* * *

Honeypots are under fire for potentially invading two types of user privacy:

* Information privacy protects stored information about an individual. Honeypots are designed with in-depth logging systems that can capture large amounts of information about their users.

* Communication privacy protects communications by telephone, e-mail and so on. Honeypots are usually set to intercept communication going to and from the system through the use of sniffers and firewalls.

Any infringement of these two privacy categories can get the owner of a honeypot into legal trouble.

The governing laws of the honeypot’s location should be reviewed to determine any infringements of the legal definition of privacy. This paper focuses primarily on the governing laws of the United States, and other resources should be sought if a honeypot is not within U.S. borders.

One concern is based on a misunderstanding of Fourth Amendment rights. The Fourth Amendment of the U.S. Constitution asserts that “the right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated.” However, this amendment protects the privacy of individuals from _government_ intrusions. As with entrapment, the private owner of a honeypot is not affected by the Fourth Amendment. As long as they are not acting as government agents, private honeypot owners have the right to search their own systems.

Government agencies and those affiliated with or under the direction of government agencies should include a logon banner that states that privacy protections must be waived when using the system. Take note that a banner is not always effective. For instance, what if an attacker bypasses the logon screen containing the consent banner? Or what if the attacker does not speak the language the banner is written in? In any case, it is still a good safety measure to include logon banners on all honeypot systems.

Other federal statutes that are discussed in connection with privacy rights and honeypots include the:

* Electronic Communications Privacy Act of 1986

* Federal Wiretap Statute

* Pen Register Trap and Trace Statute

None of these pose any serious bar to private use of honeypots when used for serious information security purposes. Nonetheless, one should always rely on a qualified attorney to refer to applicable privacy statutes in one’s own jurisdiction when implementing a honeypot to ensure that it will be operating within legal limits.

* * *

In the next article, Bob Pelletier (pelletib@norwich.edu) looks at ethical issues in the use of honeypots.



Network World, 05/19/03


Copyright © 2003 IDG Communications, Inc.
