Honeypots mailing list archives
RE: Legal Question about privacy
From: Dave Dittrich <dittrich () cac washington edu>
Date: Thu, 24 Jul 2003 14:36:05 -0700 (PDT)
On Thu, 24 Jul 2003, Koseroski, Val wrote:
> Question 1) is the third party even aware of the hacker's illegal activities? And then here is another scenario to look at: You're hitchhiking down the road, a person stops, picks you up and gives you a ride, five minutes later you're pulled over by the police and both of you are arrested, are you a guilty party to the crime??? See the problem or "Grey area" of this type of crime.
Analogies are really hard to produce in this area, since what we are really talking about is more like breaking and entering onto someone's property (i.e. a computer system on a network) and turning that property into a public communications channel (i.e., a "Baby-Bell" style telecommunications provider.) This doesn't happen in the real world, so analogizing is hard.

People have hit on the real crux of the problem, which is the pass-through communication of third parties (let's assume they are not party to the intrusion) who may have a real expectation of privacy in their communications. This was the original question posed. To my knowledge, this has not been tested in a court, but someone could reasonably argue that a honeypot owner who logged their IRC traffic violated their privacy rights. Even the intruder *could* bring a suit against someone for doing this, and they *might* win. It has not (to my knowledge, or that of any lawyers I've talked with) been tested in court. (If anyone knows of cases, please send them my way.)

There is a court case (sorry, no reference ;) where a criminal, using a stolen cell phone that was used by the police to monitor the criminal's communication, successfully sued the police for violation of his privacy rights because they monitored the communications on the cell phone without a warrant. Just because the person is a criminal, it doesn't mean they have given up all their rights or that anyone is free to violate another law with impunity.

This is a research topic all in its own right, and part of this research (some done by myself and a law school student, Alisha Ritter, whose name didn't make it into the credits) was published in Lance's "Honeypot: Tracking Hackers" book. You can find some of the relevant cases referenced there. Maybe at some point I'll get some funding (or someone else will) to finish up with that research.
There are some other gray areas in the law that have also not been tested in court:

o When someone breaks into a computer, they are (by the definition in the Wiretap Statute) engaged in an "electronic communication" with that system. The computer probably cannot consent to that (being one party to the communication), but the owner probably could say they were consenting. That is pretty straight-forward. Even installing an IRC BNC on the system is an electronic communication, so that is OK to monitor.

o Now that the BNC is in place, if you have an IDS whose policy is "log everything" and you are now logging to disk, if you come back the next day and read the logs (which you create by policy as a means of protecting your system), are you "accessing" the communications? Did you "intercept" the communications in real-time (as restricted by the Wiretap Statute) or did you now access stored communications (which falls under ECPA)?

o What happens if the Honeypot is in State A (which has a two party consent rule), but you log the traffic in State B (which has a single party consent rule, similar to the federal laws)?

  By the way, someone said "must have consent of two of the parties". That is not quite accurate. What is meant is in communication between any party that is recorded by the other, does only one, or both of the parties to the communication have to consent? If the communication is within a group, and one person records it, I believe that *all* parties have to consent in a two-party consent situation, not just any two parties out of N parties. Does that make sense?

o I used the word "protection" above. This is because one of the exceptions to the "no monitoring" restrictions is for protection of computer systems. Please read the statutes to see the other exceptions, of which there are many.
  If you are not actively protecting your system (but just casually watching IRC chat because you are curious) you may very well be giving up your ability to claim the protection exception under the Wiretap Statute, and may be violating privacy rights. Just calling yourself "a honeypot researcher" might not cut it in a court of law if you are trying to defend against a civil suit for violating the Wiretap Statute. This means you had better focus on producing something as a result of your "research" that can be used to protect your systems, or those of others.

o Which leads to another legal question that hasn't been answered. Whose systems are you "protecting" by doing honeypot research? Your own? The general Internet? If you are publishing information to the general Internet, you could perhaps claim the latter, but if you aren't intending to publish anything, what is your justification for what you are doing in terms of "protecting" your own computers? How does monitoring IRC chat protect your computer?

I think there are some other situations that I'm forgetting, but alas this is all the time I've got right now...

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu          University Computing Services
http://staff.washington.edu/dittrich    University of Washington
PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE97 0C57 0843 F3EB 49A1  0CD0 8E0C D0BE C838 CCB5