RE: Honeypot legal ramifications....

[Adam Shaw <Adam.Shaw () Integralis Com>]

Lances article on the legality of honeypots was quite informative when it
comes to the bevy of legal problems one might face
(http://www.securityfocus.com/infocus/1703).  However, I believe it remains
that in order for a hacker to substantiate a tortuous act he would have to
prove that he had an expectation of privacy within the given system (though
correct me if I'm wrong on this point).  I think often we confuse the
ability to press charges under some statutes by issuing banners as such
proclaiming that the system is private (i.e. so attackers cannot claim the
ignorance of what they were accessing wasn't a public system) with an
expectation of privacy.  I know that Lance suggests a banner in his article,
there is nothing wrong with being circumspect.  I believe what is trying to
be emulated with these banners is the idea of a two party consent (like
calling up a customer service pool)

I think that United States v. Butler (151 F. Supp. 2d 82 (D. Maine, June 25,
2001)) shows some of the delicate jurisprudence  relating to issues of
electronic privacy "I conclude that in 2001 there is no generic expectation
of privacy for shared usage on computers at large.  Conditions of computer
use and access still vary tremendously.  The burden remains on the defendant
to show that his expectations were reasonable under the circumstances of the
particular case."  This was also a claim against 4th amendment violations
which really only come into play when we're talking about criminal
proceedings (not torts like the privacy acts we're discussing with research
'pots).  The temporal aspect of this conclusion doesn't sit well with me but
I don't believe this idea has changed that the parties privacy concerns are
the burden of the hacker to prove, not the honeypot operator.  To this date
there is no direct precedent that I know of which involves honeypots and
Lance's article highlights this fact.

Lances article also goes over some of the federal acts that might affect
honeypots.  I wonder if the interference clause of the EWA could be used in
the case of honeypots ;) (S 2511 (2) (g) (iv)).  Furthermore, it seems that
the idea of "interception" is vague in the FWA.  The idea of interception,
and any lawyer who works in this industry can correct me, is when
information is gathered between two endpoints.  It is in this case that
interception is almost always unlawful, and usually a criminal act, to do
so.  It would seem, in the absence of any precedent, that a honeypot
constitutes a one party consent, and thus the worst you could be accused of
is a civil grievance if at all given the expectation of privacy of the
attacker.

I didn't touch on the jurisdictional issues that one might face also,
they're far reaching and go beyond the scope of my current knowledge.
Lance's article does a good job of enumerating some of those problems.

IANALY, just some ideas,
Adam Shaw

-----Original Message-----
From: Pitts [mailto:Jonathan.Pitts () colorado edu]
Sent: Monday, June 07, 2004 8:08 PM
To: Ryan Trost
Cc: provos () citi umich edu; honeypots () securityfocus com
Subject: Re: Honeypot legal ramifications....




Regarding the privacy of hackers...IMO they waive their rights if they are
confronted with a banner stating ...authorized users only, all events are
monitored... This seems to be fair warning to anyone, although I am unaware
of
any legal precedents.

best regards,
jon
Unfrozen Caveman Security Engineer


Quoting Ryan Trost <trostycp () hotmail com>:


 I have searched through the faq and read articles on several security
 websites....but I wanted to get some feedback from the people with hands-on
 experience with honeypots and honeynets.  Now, I am by no means a lawyer,
so
 please do not quote bylaws and expect me to keep up.

> From previous research, I was under the impression that honeypots impeded
 the hacker's privacy (so ridiculous!) and therefore was illegal to trick
 them into hacking into your computer.  However, it was legal if you were
 just tracking their moves for educating purposes (whitepapers and such) and
 not taking any aggressive legal action against the hacker.

 What are people's views on this subject??

 Have laws changed anything?

 Thanks in advance,
 Ryan Trost




Please note that:
 
1. This e-mail may constitute privileged information. If you are not the intended recipient, you have received this 
confidential email and any attachments transmitted with it in error and you must not disclose, copy, circulate or in 
any other way use or rely on this information.
2. E-mails to and from the company are monitored for operational reasons and in accordance with lawful business 
practices.
3. The contents of this email are those of the individual and do not necessarily represent the views of the company.
4. The company does not conclude contracts by email and all negotiations are subject to contract.
5. The company accepts no responsibility once an e-mail and any attachments is sent.

http://www.integralis.com