The Law of Government Honeypots • Anthony V. Teelucksingh • Computer Crime and Intellectual Property Section • U.S. Department of Justice • (202) 514-1026
Honeypots; Topics • Legal Issues • Search & Seizure • Electronic Surveillance • Charging • Entrapment • Collateral Damage
Honeypots Generally • Uncharted Legal Water • Get Counsel Involved Pre-Development
Honeypots; Legal Issues • Honeypots are Undercover Operations • Search & Seizure & Electronic Surveillance • Fourth Amendment • Wiretap Act • Pen Register/Trap and Trace • Electronic Communications Privacy Act
Honeypots; The Constitution • Fourth Amendment: Unreasonable Search and Seizure • Collection of Electronic Communications can be a search and seizure • Test: Reasonable Expectation of Privacy • Hackers Do Not Have Such Expectation • But Other Users on Honeypot May
Honeypots; The Wiretap Act • Value Derived from Monitoring Activity of Would-Be Attackers • To Legally Intercept Communications, Exception to Wiretap Act Must Apply • Consider These Exceptions • Computer Trespasser Exception • Party to the Communication or Consent of a Party to the Communication Exception • Provider Exception (System Protection)
Honeypots; The Computer Trespasser Exception • Government may monitor “trespasser” • No contractual relationship or authority to be on computer • Use care if “advertising” honeypot; may imply authority to use • Provider must authorize interception • Government must do the monitoring • Only trespasser’s communications intercepted • Relevant to an ongoing “investigation”
Honeypots; Party and Consent of a Party Exception • A party to a communication can intercept or give consent to intercept • Two ways this may help • Banner the System (but is imperfect solution) • The honeypot may be a party in some cases (but risky in other cases, e.g., IRC)
Honeypots; The Provider Exception • To Apply, the Monitoring Must be Done to Protect the Provider’s Rights or Property • May have Some Limited Application to Honeypots • Helpful Facts: • Separate Sys Admin Tasks from Investigatory Functions • Honeypot Associated with Production Servers
Honeypots; Examples • [Figure labels: Suspicious Traffic Routed; Hide Among Production Servers]
Honeypots; Pen/Trap • If monitoring only addressing information (to the exclusion of content), then the Pen Register, Trap and Trace statute would apply • If you have an exception to the Wiretap Act to intercept communications, then you have an argument that it is OK to collect related info
Honeypots; ECPA • ECPA Rules May Limit • Voluntary Disclosure of Info Stored on Honeypot • Process Necessary to Compel Production • Do Voluntary Disclosure Limits Apply? • Only if services offered “to the public” • Not Clear what this Condition Means • Avoid Rapid Collection of Info that, although in Stored State, has been Stored only Short Time; Looks Like Wiretap
Honeypots; Other Rules • Other Laws May Apply Too • E-Government Act of 2002 • Rules on Use of Cookies • Rules on Privacy Policies • Internal Agency Regulations on Internet Resources • Populating Honeypot with Contraband • Make Sure You Know What Rules Apply and What Waivers are Available • DOD-Specific Rules
Honeypots; Charges • Know your Goal before Designing • If Purpose to Prosecute • Identify Charges of Interest • Attempt (Impossibility) • Other Victims • Warez, etc. • Consider Jury Appeal
Honeypots; Entrapment • Entrapment is a potential factor in any undercover operation • To find entrapment in most jurisdictions: • The government induced the illegal conduct and • The defendant was not predisposed to engage in the illegal conduct. • Entrapment is unlikely to be a good defense in pure honeypot cases • Still, keep it in mind • Trappings of Honeypot (e.g., promotion, password or vulnerability distribution) • If core of charge is based on gov’t supplying necessary item available only through the government
Honeypots; Collateral Damage • Do No Harm • Potential lawsuits • Downstream victims of intrusions • Launch Pad for Denial of Service Attack • Drop or Distribution Site for Contraband • Plan Ahead • Evidence of Criminal Activity • Evidence of National Security Breach • Victim Notification Issues • Can Take Significant Resources
Where To Get More Information • Computer Crime Section: (202) 514-1026 • E-Mail: anthony.teelucksingh@usdoj.gov • Computer Crime Section’s Web page: