This excerpt is from Chapter 8, Legal Issues in Know Your Enemy: Learning about Security Threats written by Lance Spitzner and published Addison-Wesley. You can download the entire chapter for free here.
In this chapter, I will first address the limitations imposed on network operators who would like to monitor the activities of system users. The law in this area is developing, and there are discernible rules that may be surprising to lawyers and non-lawyers alike. Second, I address the possibility that your honeynet will detect improper activity, discuss what types of conduct are criminal in the U.S., and describe protocols that may be helpful in the event your honeynet becomes a witness to a crime. Third, I discuss the possibility of liability for running a honeynet that injures others.
The bottom line for the entire discussion is that you should consult with your lawyer before you design or deploy your honeynet. If you are considering a honeynet for your organization, check with counsel who advises the organization. In the case of a large enterprise, there may be in-house counsel who can provide the necessary guidance; if not, your enterprise may need to consult with outside counse. For government agencies, there may be an office of general counsel, Inspector General, or other source of advice. (Government organizations in the U.S. may also consult with the Computer Crime and Intellectual Property Section in the Department of Justice for guidance.) Your counsel will take into account your particular situation and goals, the regulations, state law, and local law applicable to you, and will help you identify potential problems and solutions.
Many of the concerns I discuss here apply equally to computer networks generally, even those that are not honeynets.
MONITORING NETWORK USERS
The first point is one that often surprises many people: Just because you own and are responsible for a computer network does not mean that you have unfettered legal authority to monitor users of the network, even if your network is a honeynet populated exclusively by intruders. There are many possible sources of restrictions that could make monitoring improper (such as statutes, internal policies, and user agreements). Failing to honor these restrictions could land you in civil and even criminal hot water. In the honeynet context, these rules take on particular significance because the entire value of the honeynet may be tied to monitoring. I first address the potential restrictions found in the U.S. Constitution and federal statutes.
U.S. Constitutional Provisions
If your honeynet is operated at the direction of the government, consider the (unlikely) possibility that the Fourth Amendment to the U.S. Constitution could apply. The Fourth Amendment limits the power of government agents to search for evidence without having first secured a search warrant from a judge. Evidence seized in violation of the Fourth Amendment may not be admissible at a criminal trial against the person who was subjected to the illegal search. In addition, the person who violated the Fourth Amendment rights of another may be subject to a lawsuit for money damages.
The Fourth Amendment applies only where the person searched has a "reasonable expectation of privacy." Those who hack into networks do not have a "reasonable" expectation of privacy in their use of the victim network. In addition, the Fourth Amendment restricts searches only by the government; a private actor may deploy a honeynet and monitor users without worrying about the Fourth Amendment, unless the private actor is an instrument or agent of the government. Similar provisions in state constitutions are at least as rigorous as the federal Constitution, and perhaps more.
Think about whether your organization is subject to the Fourth Amendment; you might be surprised to discover that your organization is a government entity for the purpose of the amendment. For example, because of their research value, academics and students may be drawn to the idea of deploying honeynets with an eye toward studying the results. If the honeynet is deployed in connection with a public university, the rules of the Fourth Amendment may well apply to the monitoring. Of course, as I noted above, a honeynet that monitors only the activities of intruders will not violate the Fourth Amendment because intruders do not have a reasonable expectation of privacy. If the scope of the monitoring goes beyond the intruders, however, the Fourth Amendment issue may be very real.
Want to read more? Download the entire chapter here for free.
This was first published in July 2004