Privacy Issues with Honeypots and Honeynets

This article discusses the legality of the data collected by honeypots and honeynets, and how they relate to liability and entrapment in US and EU law. After you read, you should be able to describe the four core elements of a honeynet and the issues associated with honeynets. How are honeypots classified according to their level of interaction and their purpose?

Introduction


The landscape of cybersecurity threats is continuously evolving, and reactive security measures are often not sufficient for protecting information infrastructures. We continuously have to learn about new threats to keep pace with potential attackers.

One of the most popular methods of learning about attackers is using honeypots. Spitzner defines a honeypot as an information system resource whose value lies in unauthorized or illicit use of that resource. It can also be defined as a computing resource whose value is in being attacked. A honeypot is deliberately allowed to be compromised, and the attack is then analyzed so that we can learn about the methods, procedures, and tools that the attacker used.

It is unquestionable that honeypots increase our understanding of malicious activity in cyberspace. However, we have to keep in mind that there are legal issues regarding honeypots that need to be addressed when deploying one, analyzing the captured data, and sharing the results with others. One of the major legal issues is the issue of privacy, which we address in this paper. This issue influences how a honeypot can be deployed, what data it is allowed to collect, and what we can do with the collected data.

To formalize the scope of our work, two research questions are stated:

  1. What data are legally allowed to be collected by honeypots?

  2. What are the legal conditions for the collection of data and data retention?

In this paper, the authors focus on the European Union (EU) regulations, EU directives, and international agreements. The national legislation of the EU Member States is based on these legal documents (EU directives, international agreements) or alternatively, the legal documents are an integral part of the national legislation (EU regulations, international agreements). Therefore, some national legislation may be slightly different from the concept found in EU law or international law. The aim of this paper is to elaborate on the legal framework of the European Union. We acknowledge that cybersecurity is a global issue where information must be shared across borders and thus there are many legal implications that must be considered within different legal cultures. However, this question is out of the scope of the presented work and will be a subject of future research.

This paper is organized into five sections. The background of honeypots and the related works are discussed in Section 2. This section focuses on previous literature related to the legal aspects of honeypots and honeynets, especially the issue of privacy. Section 3 is the main part of this paper and deals with privacy and personal data protection. Section 3.1 focuses on the legal framework of privacy and personal data protection in EU law. Section 3.2 discusses the basic concepts of personal data protection in the EU. Section 3.3 is focused on the data collected by honeypots and honeynets from the perspective of EU law. IP addresses, as the most important collected data, are discussed in Section 3.4. Section 3.5 deals with the legal grounds for data processing and purpose limitation. In Section 4, the paper outlines issues related to privacy, namely network monitoring (Section 4.1) and the publication of results (Section 4.2). Section 5 concludes the paper and outlines the newly opened problems for future research.