Honeypots mailing list archives

RE: Legal Question about privacy


From: Dave Dittrich <dittrich () cac washington edu>
Date: Thu, 24 Jul 2003 14:36:05 -0700 (PDT)

On Thu, 24 Jul 2003, Koseroski, Val wrote:

Question 1) is the third party even aware of the hacker's illegal
activities?

And then here is another scenario to look at:

You're hitchhiking down the road, a person stops, picks you up and
gives you a ride, five minutes later you're pulled over by the police
and both of you are arrested; are you a guilty party to the crime?

See the problem or "Grey area" of this type of crime.

Analogies are really hard to produce in this area, since what we are
really talking about is more like breaking and entering onto someone's
property (i.e., a computer system on a network) and turning that
property into a public communications channel (i.e., a "Baby-Bell"
style telecommunications provider).  This doesn't happen in the real
world, so analogizing is hard.

People have hit on the real crux of the problem, which is the
pass-through communication of third parties (let's assume they are not
party to the intrusion) who may have a real expectation of privacy in
their communications.  This was the original question posed.

To my knowledge, this has not been tested in a court, but someone
could reasonably argue that a honeypot owner who logged their IRC
traffic violated their privacy rights.  Even the intruder *could*
bring a suit against someone for doing this, and they *might* win.  It
has not (to my knowledge, or that of any lawyers I've talked with)
been tested in court.  (If anyone knows of cases, please send them
my way.)

There is a court case (sorry, no reference ;) where a criminal, using
a stolen cell phone that was used by the police to monitor the
criminal's communication, successfully sued the police for violation
of his privacy rights because they monitored the communications on the
cell phone without a warrant.  Just because the person is a criminal,
it doesn't mean they have given up all their rights or that anyone
is free to violate another law with impunity.

This is a research topic all in its own right, and part of this
research (some done by myself and a law school student, Alisha Ritter,
whose name didn't make it into the credits) was published in Lance's
"Honeypot: Tracking Hackers" book. You can find some of the relevant
cases referenced there.  Maybe at some point I'll get some funding (or
someone else will) to finish up with that research.

There are some other gray areas in the law that have also not been
tested in court:

o When someone breaks into a computer, they are (by the definition in
the Wiretap Statute) engaged in an "electronic communication" with
that system.  The computer probably cannot consent to that (being one
party to the communication), but the owner probably could say they
were consenting.  That is pretty straight-forward.  Even installing an
IRC BNC on the system is an electronic communication, so that is OK to
monitor.

o Now that the BNC is in place, if you have an IDS whose policy is
"log everything" and you are now logging to disk, if you come back the
next day and read the logs (which you create by policy as a means of
protecting your system), are you "accessing" the communications?  Did
you "intercept" the communications in real-time (as restricted by the
Wiretap Statute) or did you now access stored communications (which
falls under ECPA)?

o What happens if the Honeypot is in State A (which has a two-party
consent rule), but you log the traffic in State B (which has a single-
party consent rule, similar to the federal laws)?

By the way, someone said "must have consent of two of the parties".
That is not quite accurate.  What is meant is in communication between
any party that is recorded by the other, does only one, or both of the
parties to the communication have to consent?  If the communication is
within a group, and one person records it, I believe that *all*
parties have to consent in a two-party consent situation, not just any
two parties out of N parties.  Does that make sense?

o I used the word "protection" above.  This is because one of the
exceptions to the "no monitoring" restrictions is for protection
of computer systems.  Please read the statutes to see the other
exceptions of which there are many.  If you are not actively
protecting your system (but just casually watching IRC chat because
you are curious) you may very well be giving up your ability to claim
the protection exception under the Wiretap Statute, and may be
violating privacy rights.  Just calling yourself "a honeypot
researcher" might not cut it in a court of law if you are trying to
defend against a civil suit for violating the Wiretap Statute.  This
means you had better focus on producing something as a result of your
"research" that can be used to protect your systems, or those of
others.

o Which leads to another legal question that hasn't been answered.
Whose systems are you "protecting" by doing honeypot research?  Your
own?  The general Internet?  If you are publishing information to the
general Internet, you could perhaps claim the latter, but if you
aren't intending to publish anything, what is your justification for
what you are doing in terms of "protecting" your own computers?  How
does monitoring IRC chat protect your computer?

I think there are some other situations that I'm forgetting, but alas
this is all the time I've got right now...

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE97 0C57 0843 F3EB 49A1  0CD0 8E0C D0BE C838 CCB5

