Lock IT Down: If you're using a honeypot, you may be breaking the law

Tags: ONLINE COMMUNICATIONS, Hacking, SECURITY, information technology, John McCormick, honeypot, oral, electronic communication, Richard Salgado, statute, Wiretap Act

Takeaway: Explore the legal ramifications of running a honeypot


Whether you are trying to deflect attacks against your systems or just trying to learn more about the latest hacker techniques, a honeypot or honeynet (a network of honeypots) may strike you as the perfect way to start. In the past, the technique has yielded considerable information for network administrators.

A honeypot is simply a dedicated server connected to the Internet that contains tempting, but fake, data and software and that's lightly defended. In fact, a honeypot is connected to the Internet for the sole purpose of tricking hackers into trying to penetrate the system—and that's where there may be a legal problem.

Why IT pros love honeypots
A major advantage of using a honeypot to study hackers is that all traffic on a honeypot (with the exception of simple search engine bots) can be presumed to be unauthorized and probably hostile. This means that you don’t have to sort out the few hacker attacks from all legitimate network traffic on normal systems to analyze what hackers are doing. You can generate a great deal of useful information from the attacks made on a honeypot, especially if it’s configured the same way your working network is.

Wiretapping laws
Richard Salgado, senior counsel for the Department of Justice's computer crime unit, has warned IT professionals and security researchers that using honeypots may violate civil and criminal statutes. In a September 20, 2002 message on the SecurityFocus Honeypots mailing list, Salgado said, “A honeypot operator should be careful about [the] monitoring of communications, even of intruders… The federal Wiretap Act and similar state statutes generally forbid the interception of communications unless one of the statutory exceptions applies. It is true that as a constitutional matter, an intruder has no reasonable expectation of privacy while he/she is trespassing on your network. This does not, however, answer the question of whether the Wiretap Act (or state statute) forbids the monitoring.”

More recently, Salgado reminded attendees at April’s RSA Conference that the legal issues here are very real, that they aren’t easy to understand, and that the potential negative consequences may not be easy to avoid.

The problem lies in 18 U.S.C. 2511(1), better known as the federal Wiretap Act. Here's a sampling of the statute's language: “Any person who intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication…intentionally discloses, or endeavors to disclose, to any other person the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection; intentionally uses, or endeavors to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection…”

The text of the statute goes on at length, and it reads as though it could be made to fit almost anything a prosecutor wants it to. It may all boil down to this: if you intercept any electronic data not intended for you, you may need a warrant. The act follows its general definition of a wiretap violation with paragraph after paragraph of exceptions, but even a nonlawyer can grasp enough of the meaning to see that it’s impossible to determine precisely what is and what isn’t legal in a specific instance, especially for something such as a honeypot, which is built with the intention of intercepting "wire" communications.

You probably think that this is a really stupid idea—the concept that you could be violating the law merely by monitoring what a trespasser does on a system you own. But that’s just your common sense speaking, and any lawyer will tell you that the law has little or nothing to do with common sense. (After all, consider laws that say you can’t necessarily throw someone off your land unless you have posted “no trespassing” signs.)

Even though it’s unlikely that a federal or even a state prosecutor would want to go on record prosecuting a legitimate IT professional for trying to track down vandals, there's still the civil side of the wiretap laws. Remember, you can sue someone over almost anything, and since there is a wiretapping law that apparently makes monitoring hackers illegal in some circumstances, what’s to stop some high school student’s bright lawyer from suing you and your company when the kid gets in trouble for hacking? Sure, they probably won't win, but that’s not the point; it costs a lot of money just to defend yourself, whether you win or lose.

Working within the law
There are exceptions in the wiretap law that make it clear that you can monitor a system to prevent damage and misuse. But does that apply to a honeypot, which is specifically built to be attacked? Salgado says the exceptions may not apply, and that this has yet to be tested in a court case.

Certainly, a party can consent to being monitored, and that consent makes the monitoring legal. Consider a message left on an answering machine: you know you’re being recorded, so the recording doesn’t constitute a wiretap.

Salgado suggests that, “One way an operator may be able to get consent is to banner the system telling would-be users that by using the system they are consenting to monitoring. Of course, this assumes that the intruder is coming through a port that you can, as a technical matter, banner. There is also an argument that when an intruder communicates with the honeypot (say by FTP upload), the honeypot itself is a party to the communication and can give consent to monitoring. As with all things honeypot, there is no case law directly on point.”
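As an added example (not code from the article or from Salgado's message), here is a minimal listener that delivers a consent banner before it reads or records a single byte, and stamps each log entry with whether the banner was actually delivered, so every record carries its own consent evidence. The banner wording and the simulate_session self-check are constructed for illustration; as the caveat above notes, this only helps on ports where a greeting can be sent first.

```python
import datetime
import socket
import threading

# Consent banner sent before any part of the session is read or stored.
# Wording is constructed for this example; it is not vetted legal language.
CONSENT_BANNER = (
    b"NOTICE: This system is monitored. By using it you consent to the\r\n"
    b"recording of all activity. Disconnect now if you do not agree.\r\n"
)


def serve_bannered_session(conn, log, max_bytes=4096):
    """Deliver the banner, then read one request and record it.

    The entry records whether the banner reached the peer before any data
    was read. If the banner cannot be sent, nothing from the peer is captured.
    """
    entry = {
        "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "banner_delivered": False,
        "data": None,
    }
    try:
        conn.sendall(CONSENT_BANNER)
        entry["banner_delivered"] = True
        entry["data"] = conn.recv(max_bytes).decode("utf-8", "replace")
    except OSError:
        pass  # peer gone before the banner went out: no content captured
    finally:
        conn.close()
    log.append(entry)
    return entry


def simulate_session(client_request):
    """Offline self-check: run the handler against an in-process peer.

    Returns (bytes the client saw before sending, the recorded log entry).
    """
    server_side, client_side = socket.socketpair()
    log = []
    worker = threading.Thread(target=serve_bannered_session, args=(server_side, log))
    worker.start()
    seen = b""
    while len(seen) < len(CONSENT_BANNER):  # read the whole banner first
        chunk = client_side.recv(4096)
        if not chunk:
            break
        seen += chunk
    client_side.sendall(client_request)
    client_side.close()
    worker.join(5)
    return seen, log[0]
```

To expose this on a real port, accept connections on a listening socket and hand each one to serve_bannered_session with a shared log.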

In the most obvious case for legal monitoring, the government, but not individuals, can monitor server traffic during the course of an investigation under what’s known as the Computer Trespasser exception, part of the USA Patriot Act.

Final word
I’m not a lawyer and certainly am not trying to give any legal advice here. But the fact that a senior Department of Justice counsel has taken the extraordinary step of speaking out on this subject repeatedly and, most recently, in a major public forum attended by many IT security professionals, leads me to believe that companies should take Salgado’s warning very seriously indeed.

Honeypots are effective and useful tools. Even Salgado says so. But until some case law has been established that lawyers can use to gauge the potential for legal action and that judges can use to guide them on applying the new laws, I wouldn’t recommend using a honeypot other than as a decoy system where you do not monitor the traffic.

Monitoring hacker activity on a honeypot may turn out to be perfectly legal, but do you want to have your name or your company’s name on the Supreme Court case that determines this?
