

Know Your Enemy -- Learning about Security Threats: Chapter 8, Legal Issues


Written by Lance Spitzner; published by Addison-Wesley
07.26.2004


This excerpt is from Chapter 8, Legal Issues, in Know Your Enemy: Learning about Security Threats, written by Lance Spitzner and published by Addison-Wesley. You can download the entire chapter for free here.

(Note: The views expressed in this chapter are those of Richard Salgado and do not necessarily represent the views of the Department of Justice.)

In this chapter, I will first address the limitations imposed on network operators who would like to monitor the activities of system users. The law in this area is developing, and there are discernible rules that may be surprising to lawyers and non-lawyers alike. Second, I address the possibility that your honeynet will detect improper activity, discuss what types of conduct are criminal in the U.S., and describe protocols that may be helpful in the event your honeynet becomes a witness to a crime. Third, I discuss the possibility of liability for running a honeynet that injures others.

The bottom line for the entire discussion is that you should consult with your lawyer before you design or deploy your honeynet. If you are considering a honeynet for your organization, check with counsel who advises the organization. In the case of a large enterprise, there may be in-house counsel who can provide the necessary guidance; if not, your enterprise may need to consult with outside counsel. For government agencies, there may be an office of general counsel, Inspector General, or other source of advice. (Government organizations in the U.S. may also consult with the Computer Crime and Intellectual Property Section in the Department of Justice for guidance.) Your counsel will take into account your particular situation and goals, the regulations, state law, and local law applicable to you, and will help you identify potential problems and solutions.

Many of the concerns I discuss here apply equally to computer networks generally, even those that are not honeynets.

MONITORING NETWORK USERS
The first point is one that often surprises many people: Just because you own and are responsible for a computer network does not mean that you have unfettered legal authority to monitor users of the network, even if your network is a honeynet populated exclusively by intruders. There are many possible sources of restrictions that could make monitoring improper (such as statutes, internal policies, and user agreements). Failing to honor these restrictions could land you in civil and even criminal hot water. In the honeynet context, these rules take on particular significance because the entire value of the honeynet may be tied to monitoring. I first address the potential restrictions found in the U.S. Constitution and federal statutes.

U.S. Constitutional Provisions
If your honeynet is operated at the direction of the government, consider the (unlikely) possibility that the Fourth Amendment to the U.S. Constitution could apply. The Fourth Amendment limits the power of government agents to search for evidence without having first secured a search warrant from a judge. Evidence seized in violation of the Fourth Amendment may not be admissible at a criminal trial against the person who was subjected to the illegal search. In addition, the person who violated the Fourth Amendment rights of another may be subject to a lawsuit for money damages.

The Fourth Amendment applies only where the person searched has a "reasonable expectation of privacy." Those who hack into networks do not have a "reasonable" expectation of privacy in their use of the victim network. In addition, the Fourth Amendment restricts searches only by the government; a private actor may deploy a honeynet and monitor users without worrying about the Fourth Amendment, unless the private actor is an instrument or agent of the government. Similar provisions in state constitutions are at least as rigorous as the federal Constitution, and perhaps more.

Think about whether your organization is subject to the Fourth Amendment; you might be surprised to discover that your organization is a government entity for the purpose of the amendment. For example, because of their research value, academics and students may be drawn to the idea of deploying honeynets with an eye toward studying the results. If the honeynet is deployed in connection with a public university, the rules of the Fourth Amendment may well apply to the monitoring. Of course, as I noted above, a honeynet that monitors only the activities of intruders will not violate the Fourth Amendment because intruders do not have a reasonable expectation of privacy. If the scope of the monitoring goes beyond the intruders, however, the Fourth Amendment issue may be very real.
