Privacy Issues with Honeypots and Honeynets

This article discusses the legality of the data collected by honeypots and honeynets, and how they relate to liability and entrapment in US and EU law. After you read, you should be able to describe the four core elements of a honeynet and the issues associated with honeynets. How are honeypots classified according to their level of interaction and their purpose?

State of the art

In this section, we present the current state of the art in the discussed topics. First, we introduce honeypots to provide a background in the field. Second, we present the related work on honeypots and their legal issues.


Background on honeypots

For the purpose of this paper, we classify honeypots according to their level of interaction and purpose. The first classification is based on level of interaction. The level of interaction can be defined as the range of possibilities that a honeypot allows an attacker to have. Low-interaction honeypots detect attackers using software emulation of the characteristics of a particular operating system and network services on the host operating system. The advantage of this approach is better control of attacker activities, since the attacker is limited to software running on a host operating system. On the other hand, this approach has a disadvantage: a low-interaction honeypot emulates a service, or a couple of services, but it does not emulate a full operating system. Examples of this type of honeypot are Dionaea and Glastopf.

In order to get more information about attackers, their methods, and attacks, we use a complete operating system with all services. This type of honeypot is called a high-interaction honeypot. This type of honeypot aims to give the attacker access to a real operating system, where nothing is emulated or restricted. Examples of this type of honeypot are Sebek and HonSSH.

Spitzner suggests the classification of honeypots by purpose: there are research honeypots and production honeypots. The research honeypot is designed to gain information about the blackhat community and does not add any direct value to the organization that has to protect its information. The main aim here is to get maximum information about the blackhats by giving them full access to penetrate and infiltrate the security system. The second purpose-based type is the production honeypot, used within an organization's environment to protect the organization and help mitigate risk. An example of a production honeypot is one that captures, collects, and analyzes malware for anti-virus systems, intrusion detection system signatures, etc.

A honeynet extends the concept of a single honeypot to a highly controlled network of honeypots. A honeynet is composed of four core elements:

  • Data control - monitors and logs all of the activities of an attacker within the honeynet
  • Data capture - controls and contains the activity of an attacker
  • Data collection - stores all captured data in one central location
  • Data analysis - the ability of the honeynet to analyze the data being collected from it

The deployment and usage of honeypots bring many benefits, e.g., the possibility of discovering new forms of attacks. In addition, low-interaction honeypots are easy to deploy, undemanding resource-wise, and simple to use. On the other hand, a number of issues need to be addressed during the deployment and usage. The most frequent problems are:

  • Inaccurate results - in some cases, the data obtained from the honeypots lead to poor results, due to a limited amount of data
  • Discovery and fingerprinting - the attackers can detect the honeypots
  • Risk of takeover - the honeypot may be used to attack against the real (non-honeypot) systems

The quantity and quality of the data collected from honeypots is one of the problems associated with their usage. This problem is closely linked to the issue of privacy. Privacy represents one of the most significant concepts in the field of law, and it was set forth in Article 8 of the European Convention on Human Rights. Privacy can be defined as the right to be left alone and to have a private life. It can also be defined as the right of a person to be free from unwarranted publicity.

This includes several aspects of individual privacy, such as the privacy of the home and office, the protection of physical integrity, and also the privacy of communications (telephone calls, chats, emails, etc.). Therefore, the primary motivation for writing this paper is the fact that an administrator has to take into account the issue of privacy and related issues in the process of data collection. The failure of an administrator to meet that responsibility leaves them open to a lawsuit for any breach of privacy and the resulting damages.


Related works

The papers dealing with the legal aspects of honeypots and honeynets focus on three fundamental legal issues of the deployment and usage of honeypots: privacy, liability, and entrapment. We discuss them in more detail below. They deal with privacy only in the context of honeypots. Most of the papers focus on legal issues from the perspective of US law.

Mokube and Adams focus on the aspects of the deployment and usage of honeypots in the USA in general. One of these aspects is the legal issues. According to them, the laws might restrict the right to monitor users on a system. Scottberg outlines the privacy issues of files uploaded to the honeypot servers by attackers. According to him, these files are not protected. Salgado outlines the legal framework of the usage of honeypots. He recommends taking into account the laws that restrict the monitoring of users' activities. Salgado extends this analysis in a further paper. An important analysis of the legal aspects of honeypots from the US perspective is presented by Spitzner. He discusses the same legal issues as the previous papers. In issues of privacy, he distinguishes two types of information being collected: transactional and content.
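The distinction Spitzner draws between transactional and content information, together with the administrator's responsibility for privacy during data collection discussed in the background section, can be enforced at the point where honeypot events are written to storage. The following Python is an added example, not code from any of the cited papers or from Dionaea, Glastopf, Sebek or HonSSH; the event format, field names and sample records are constructed for illustration.

```python
"""Privacy-minimising split of honeypot events into transactional and content data.

Transactional fields (when, which ports, which protocol) are kept as-is.
Content fields (credentials, payload) are dropped unless the operator opts in.
The attacker-side IP address is replaced by a keyed HMAC pseudonym, so events
from the same source can still be correlated without storing the raw address.
"""
import hashlib
import hmac
import json

# Constructed sample events in a generic JSON format (not real honeypot output).
SAMPLE_EVENTS = [
    '{"ts": "2024-01-05T10:21:07Z", "src_ip": "203.0.113.7", "src_port": 51522, '
    '"dst_port": 22, "proto": "ssh", "username": "root", "password": "toor", '
    '"payload": "uname -a"}',
    '{"ts": "2024-01-05T10:21:09Z", "src_ip": "203.0.113.7", "src_port": 51530, '
    '"dst_port": 80, "proto": "http", "payload": "GET /admin.php HTTP/1.1"}',
]

TRANSACTIONAL_FIELDS = ("ts", "src_port", "dst_port", "proto")
CONTENT_FIELDS = ("username", "password", "payload")


def pseudonymise_ip(ip: str, key: bytes) -> str:
    """Keyed one-way pseudonym: same address and key give the same token."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def minimise_event(raw: str, key: bytes, keep_content: bool = False) -> dict:
    """Return the record the honeypot is allowed to retain for one event."""
    event = json.loads(raw)
    out = {k: event[k] for k in TRANSACTIONAL_FIELDS if k in event}
    out["src_id"] = pseudonymise_ip(event["src_ip"], key)
    if keep_content:
        # Explicit opt-in: content is retained only when the operator decides so.
        out["content"] = {k: event[k] for k in CONTENT_FIELDS if k in event}
    else:
        # Default: keep only a size indicator, never the payload itself.
        out["content_len"] = len(event.get("payload", ""))
    return out


def minimise_log(lines, key: bytes, keep_content: bool = False) -> list:
    return [minimise_event(line, key, keep_content) for line in lines if line.strip()]


if __name__ == "__main__":
    deployment_key = b"per-deployment-secret-key"  # constructed; rotate per collection period
    for record in minimise_log(SAMPLE_EVENTS, deployment_key):
        print(json.dumps(record))
```

Rotating the HMAC key per collection period limits how long a pseudonym stays linkable to one source, which is the trade-off between analytic value and the data-minimisation concern the paper raises.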

There are papers that at least outline the legal issues of honeypots from the perspective of the EU law. For example, Dornseif et al. focus on legal issues of the usage of honeypots in the context of German laws. Sokol focuses on the legal issues of honeynet generations. He discusses in particular the privacy and liability issues in each generation.

The abovementioned papers deal directly with honeypots. There are a number of papers focusing on the legal aspects in related fields, such as digital forensics and cybersecurity.

Since honeypots belong to network forensics tools, the legal aspects of digital forensics are relevant. Nance et al. introduce a preliminary research hierarchy for legal issues associated with digital forensics. The topics discussed in their paper include property law, constitutional law, tort law, contract law, cybercrime, criminal procedure, evidence law, and cyberwar. Another interesting paper addresses the legal and technical issues of Internet forensics. This paper provides a combined approach to the major issues pertaining to the investigation of cybercrimes and the deployment of Internet forensics techniques. It discusses major issues from a technical and legal perspective, and it provides general directions on how these issues can be tackled. The paper also discusses the implications of data mining techniques and the issue of privacy protection with regard to the use of forensics methods.

Another related field of research is cybersecurity. Burstein focuses on issues related to cybersecurity research, especially running infected hosts, testbeds, non-isolated hosts, publishing results, etc. Another very interesting paper in this field relates to the legal issues surrounding monitoring during network research. There, Sicker et al. focus on several US laws that prohibit or restrict network monitoring and the sharing of records of network activity.