Greetings Honey Potters!
I'm a new "kid" on the list and just wanted to respond to Adam's mail.
I, too, am unaware of legal precedence in hacker privacy infringement by
honeypots. However, as the evolving legal system must do, we can take case
examples from other established areas (i.e. like Ecommerce has done from
International Commerce Law).
Two examples come to mind,
1) businesses and residents putting "No Soliciting" signs on their
entrances, and
2) military bases posting "all vehicles/persons entering are subject to
search."
Just some thoughts...
Fred
----- Original Message -----
From: "Adam Shaw" <Adam.Shaw_at_Integralis.Com>
To: "'Pitts'" <Jonathan.Pitts_at_colorado.edu>; "Ryan Trost"
<trostycp_at_hotmail.com>
Cc: <provos_at_citi.umich.edu>; <honeypots_at_securityfocus.com>
Sent: Tuesday, June 08, 2004 8:46 AM
Subject: RE: Honeypot legal ramifications....
> Lance's article on the legality of honeypots was quite informative when it
> comes to the bevy of legal problems one might face
> (http://www.securityfocus.com/infocus/1703). However, I believe it remains
> that in order for a hacker to substantiate a tortious act he would have to
> prove that he had an expectation of privacy within the given system (though
> correct me if I'm wrong on this point). I think often we confuse the
> ability to press charges under some statutes by issuing banners as such
> proclaiming that the system is private (i.e. so attackers cannot claim the
> ignorance of what they were accessing wasn't a public system) with an
> expectation of privacy. I know that Lance suggests a banner in his article,
> there is nothing wrong with being circumspect. I believe what is trying to
> be emulated with these banners is the idea of a two party consent (like
> calling up a customer service pool)
>
> I think that United States v. Butler (151 F. Supp. 2d 82 (D. Maine, June 25,
> 2001)) shows some of the delicate jurisprudence relating to issues of
> electronic privacy "I conclude that in 2001 there is no generic expectation
> of privacy for shared usage on computers at large. Conditions of computer
> use and access still vary tremendously. The burden remains on the defendant
> to show that his expectations were reasonable under the circumstances of the
> particular case." This was also a claim against 4th amendment violations
> which really only come into play when we're talking about criminal
> proceedings (not torts like the privacy acts we're discussing with research
> 'pots). The temporal aspect of this conclusion doesn't sit well with me but
> I don't believe this idea has changed that the parties privacy concerns are
> the burden of the hacker to prove, not the honeypot operator. To this date
> there is no direct precedent that I know of which involves honeypots and
> Lance's article highlights this fact.
>
> Lance's article also goes over some of the federal acts that might affect
> honeypots. I wonder if the interference clause of the EWA could be used in
> the case of honeypots ;) (S 2511 (2) (g) (iv)). Furthermore, it seems that
> the idea of "interception" is vague in the FWA. The idea of interception,
> and any lawyer who works in this industry can correct me, is when
> information is gathered between two endpoints. It is in this case that
> interception is almost always unlawful, and usually a criminal act, to do
> so. It would seem, in the absence of any precedent, that a honeypot
> constitutes a one party consent, and thus the worst you could be accused of
> is a civil grievance if at all given the expectation of privacy of the
> attacker.
>
> I didn't touch on the jurisdictional issues that one might face also,
> they're far reaching and go beyond the scope of my current knowledge.
> Lance's article does a good job of enumerating some of those problems.
>
> IANALY, just some ideas,
> Adam Shaw
>
> -----Original Message-----
> From: Pitts [mailto:Jonathan.Pitts_at_colorado.edu]
> Sent: Monday, June 07, 2004 8:08 PM
> To: Ryan Trost
> Cc: provos_at_citi.umich.edu; honeypots_at_securityfocus.com
> Subject: Re: Honeypot legal ramifications....
>
>
>
>
> Regarding the privacy of hackers...IMO they waive their rights if they are
> confronted with a banner stating ...authorized users only, all events are
> monitored... This seems to be fair warning to anyone, although I am unaware
> of any legal precedents.
>
> best regards,
> jon
> Unfrozen Caveman Security Engineer
>
>
> Quoting Ryan Trost <trostycp_at_hotmail.com>:
>
>
> I have searched through the faq and read articles on several security
> websites....but I wanted to get some feedback from the people with hands-on
> experience with honeypots and honeynets. Now, I am by no means a lawyer, so
> please do not quote bylaws and expect me to keep up.
>
> From previous research, I was under the impression that honeypots impeded
> the hacker's privacy (so ridiculous!) and therefore was illegal to trick
> them into hacking into your computer. However, it was legal if you were
> just tracking their moves for educating purposes (whitepapers and such) and
> not taking any aggressive legal action against the hacker.
>
> What are people's views on this subject??
>
> Have laws changed anything?
>
> Thanks in advance,
> Ryan Trost