This article can also be found in the Premium Editorial Download "Information Security magazine: Balancing act: Security resource planning helps manage IT risk."
Download it now to read this article plus other related content.
Before you design and deploy a honeypot, consider the possible legal issues. Even if you own a network or are responsible for its security and maintenance, you may not have the unfettered right to watch what network users are doing.
Provisions in federal and state statutes, particularly the federal Wiretap Act, which I'll discuss in more detail, may restrict your right to engage in certain types of monitoring. For some violations, the sanctions may include civil and criminal penalties. Additionally, organizational policies, acceptable use agreements and contracts may also conflict with your honeypot deployment.
There's also a small chance that the Fourth Amendment to the U.S. Constitution, which generally prohibits government searches and seizures without a warrant, could restrict your right to monitor honeypot users if you are a government employee or agent, or if the honeypot is operated under the direction of a government agency. The mitigating factor here is that the monitoring of users is proper without a warrant if they have no "reasonable expectation of privacy." Hackers certainly don't have a reasonable expectation of privacy in their unauthorized use of a victim's system, so they don't fall under the amendment's protection.
Federal Wiretap Act
The federal Wiretap Act is another matter. The key is understanding the statute's exceptions and making sure your organization meets their requirements.
As applied to computer networks, the act generally prohibits anyone from sniffing the content of electronic communications in real time unless one of the statutory exceptions applies. It may sound strange, but the attacker may have statutory privacy rights even if the Fourth Amendment doesn't apply. Violation of the Wiretap Act could result in civil and criminal liability.
There are three exceptions to the Wiretap Act prohibition that may be particularly relevant to honeypot operators:
Provider Protection. A network operator may monitor user communications for the purpose of protecting the "rights and property" of the operator. This exception allows the operator of a production server to sniff traffic to prevent harm like fraud and theft of services. However, no court has addressed whether this exception applies to a honeypot, where the whole point may be to have the honeypot hacked so that the attacker's activity can be recorded. The closer a honeypot is associated with a production server, and the more the honeypot serves to protect that production server, the stronger the argument that monitoring honeypot users falls under this exception.
Consent of a Party. Monitoring communications is also allowed if the user consents to the interception. A network operator may secure consent, for example, by posting a "banner" informing users that by accessing the system they consent to monitoring of their activities on the system. An intruder who continues the session after having been presented with the banner has consented to monitoring.
Computer Trespasser. A victim of a computer hack can allow a government agent to intercept communications of hackers. For this exception to apply, the agent must be conducting an investigation and reasonably believe that the communications are relevant to the investigation.
One last important caution: Be very careful to watch what is happening on your honeypot. A neglected honeypot, particularly one that has been made vulnerable to common exploits, can quickly be turned into a launching point for attacks against other systems; or a distribution point for contraband, such as child pornography, stolen trade secrets, or pirated software and media. Ignoring a honeypot may compound the problems it was originally designed to combat.
Take the time to understand how these restrictions on monitoring may apply to your organization. The best advice is to consult with your corporate counsel, who can identify the issues that apply to your situation.
Richard P. Salgado is senior counsel in the Computer Crime and Intellectual Property Section of the U.S. Department of Justice. He is also an adjunct law professor at Georgetown University Law Center and a faculty member of the SANS Institute. The views expressed are those of the author and do not necessarily represent the views of the U.S. Department of Justice.
This was first published in July 2003