Honeypots mailing list archives
RE: Honeypot legal ramifications....
From: Adam Shaw <Adam.Shaw () Integralis Com>
Date: Tue, 8 Jun 2004 08:46:36 -0400
Lances article on the legality of honeypots was quite informative when it comes to the bevy of legal problems one might face (http://www.securityfocus.com/infocus/1703). However, I believe it remains that in order for a hacker to substantiate a tortuous act he would have to prove that he had an expectation of privacy within the given system (though correct me if I'm wrong on this point). I think often we confuse the ability to press charges under some statutes by issuing banners as such proclaiming that the system is private (i.e. so attackers cannot claim the ignorance of what they were accessing wasn't a public system) with an expectation of privacy. I know that Lance suggests a banner in his article, there is nothing wrong with being circumspect. I believe what is trying to be emulated with these banners is the idea of a two party consent (like calling up a customer service pool) I think that United States v. Butler (151 F. Supp. 2d 82 (D. Maine, June 25, 2001)) shows some of the delicate jurisprudence relating to issues of electronic privacy "I conclude that in 2001 there is no generic expectation of privacy for shared usage on computers at large. Conditions of computer use and access still vary tremendously. The burden remains on the defendant to show that his expectations were reasonable under the circumstances of the particular case." This was also a claim against 4th amendment violations which really only come into play when we're talking about criminal proceedings (not torts like the privacy acts we're discussing with research 'pots). The temporal aspect of this conclusion doesn't sit well with me but I don't believe this idea has changed that the parties privacy concerns are the burden of the hacker to prove, not the honeypot operator. To this date there is no direct precedent that I know of which involves honeypots and Lance's article highlights this fact. Lances article also goes over some of the federal acts that might affect honeypots. I wonder if the interference clause of the EWA could be used in the case of honeypots ;) (S 2511 (2) (g) (iv)). Furthermore, it seems that the idea of "interception" is vague in the FWA. The idea of interception, and any lawyer who works in this industry can correct me, is when information is gathered between two endpoints. It is in this case that interception is almost always unlawful, and usually a criminal act, to do so. It would seem, in the absence of any precedent, that a honeypot constitutes a one party consent, and thus the worst you could be accused of is a civil grievance if at all given the expectation of privacy of the attacker. I didn't touch on the jurisdictional issues that one might face also, they're far reaching and go beyond the scope of my current knowledge. Lance's article does a good job of enumerating some of those problems. IANALY, just some ideas, Adam Shaw -----Original Message----- From: Pitts [mailto:Jonathan.Pitts () colorado edu] Sent: Monday, June 07, 2004 8:08 PM To: Ryan Trost Cc: provos () citi umich edu; honeypots () securityfocus com Subject: Re: Honeypot legal ramifications.... Regarding the privacy of hackers...IMO they waive their rights if they are confronted with a banner stating ...authorized users only, all events are monitored... This seems to be fair warning to anyone, although I am unaware of any legal precedents. best regards, jon Unfrozen Caveman Security Engineer Quoting Ryan Trost <trostycp () hotmail com>: I have searched through the faq and read articles on several security websites....but I wanted to get some feedback from the people with hands-on experience with honeypots and honeynets. Now, I am by no means a lawyer, so please do not quote bylaws and expect me to keep up.
From previous research, I was under the impression that honeypots impeded
the hacker's privacy (so ridiculous!) and therefore was illegal to trick them into hacking into your computer. However, it was legal if you were just tracking their moves for educating purposes (whitepapers and such) and not taking any aggressive legal action against the hacker. What are people's views on this subject?? Have laws changed anything? Thanks in advance, Ryan Trost Please note that: 1. This e-mail may constitute privileged information. If you are not the intended recipient, you have received this confidential email and any attachments transmitted with it in error and you must not disclose, copy, circulate or in any other way use or rely on this information. 2. E-mails to and from the company are monitored for operational reasons and in accordance with lawful business practices. 3. The contents of this email are those of the individual and do not necessarily represent the views of the company. 4. The company does not conclude contracts by email and all negotiations are subject to contract. 5. The company accepts no responsibility once an e-mail and any attachments is sent. http://www.integralis.com
Current thread:
- Honeypot legal ramifications.... Ryan Trost (Jun 07)
- Re: Honeypot legal ramifications.... Pitts (Jun 07)
- Re: Honeypot legal ramifications.... Valdis . Kletnieks (Jun 07)
- Re: Honeypot legal ramifications.... Lance Spitzner (Jun 08)
- Re: Honeypot legal ramifications.... Lance Spitzner (Jun 08)
- <Possible follow-ups>
- RE: Honeypot legal ramifications.... Adam Shaw (Jun 08)
- Re: Honeypot legal ramifications.... dreamwvr () dreamwvr com (Jun 08)
- Re: Honeypot legal ramifications.... Freddie Beaver (Jun 08)
- RE: Honeypot legal ramifications.... Polazzo Justin (Jun 09)
- Re: Honeypot legal ramifications.... Pitts (Jun 07)