Privacy Issues with Honeypots and Honeynets

This article discusses the legality of the data collected by honeypots and honeynets, and how they relate to liability and entrapment in US and EU law. After you read, you should be able to describe the four core elements of a honeynet and the issues associated with honeynets. How are honeypots classified according to their level of interaction and their purpose?

Other privacy issues

 

Network monitoring

Another set of issues associated with the daily functioning of honeypots and the realities of their operation is related to the very nature of honeypots in the area of research. Monitoring a network may contribute to its improved security or to valuable research output, whether we are talking about production or research honeypots. There are several questions to deal with, namely the proportionality of the intrusion into data for research or security purposes. Monitoring every single packet, as has been shown elsewhere, may lead to this kind of situation being considered a threat in itself (the question of who will control the guards), although we point out that courts will look at industry practices.

Apart from that, the EU prefers a universal legal framework, as opposed to specific industry practices or sectorial regulation, as is the case in the USA. It would be hard to define precisely which jurisdictions would bring what kind of decisions and how, due to a lack of precedent in most jurisdictions. However, we should remember that the legal framework on fundamental rights is strict and that this legislation is transparent according to its historical development.

Any research would have to comply with the existing legislation, and it cannot be seen as legally entitled to such review or control, because these powers typically belong to public authorities and cannot be delegated to private entities, as this would entirely undermine the philosophy of data protection. Network monitoring must stay within some limits and adhere to valid standards which will not violate valid legislation or pose a threat to society from the risk of abuse of these facilities. Legislators should avoid an unbalanced exercise of security measures, which poses a threat to civil society and privacy.

Although previous sections discussed issues related to clashes of values and their legal quality, we have not focused on policy issues related to implied risks, which are related to the volume of data. Viewed in the light of data retention, retaining data for considerably long periods of time leads to risk exposure, which will pose a long-term threat to privacy and to the security needed to guarantee privacy rights in practice.

If data are stored, if all traffic is stored or monitored, then a leak of these data is a probable threat and a theft of these data is more probable the longer the period of time, because nothing is perfectly secure on the Internet and risks will become more salient as the time for their emergence and chance to occur increases. By trying to be in a state of higher security, we are actually risking more by creating implied insecurity. Thus, efforts to maintain more secure societies may lead to societies which will have to face environments with higher risks and fewer factual securities, because their data will be exposed to these risks for longer periods of time. This means that protection cannot cross a certain line; it must be proportionate. These conclusions could be summarized as follows: if there is an absolute, large amount of information stored, the risk of it being stolen grows with time and volume. In other words, the Internet is not perfect and security systems can be invaded, attacked, and penetrated successfully. This argument is quantitative in its essence.

A qualitative argument could be derived from different situations. What if a honeypot worked as a support facility to a chat server or another electronic service, and research and security required specific data? This leads to another problem, which arises in cases of secrecy of correspondence. Even network security and public order provisions should not deprive us of this right.

If a honeypot is deployed within a chat service or a similar service, the secrecy of messages has to be guaranteed. If a researcher using a research honeypot identifies a possible suspicious activity or pattern, this implies that they will use these data for analysis. This also includes text messages. However, if we deal with content data, a second-order error may occur: the privacy of someone who was not conducting acts of a malicious character will be disclosed to a third person, thus violating data protection and privacy rights. From a procedural perspective, this produces a legal problem on the grounds of criminal and constitutional law, because interventions into privacy, such as wiretapping or other forms of monitoring, would proceed without a court order. An invasion of privacy by an administrator or researcher depends on the public law provisions which authorize only those actions which do not intrude on privacy without legitimate reasons recognized and defined by the law. Under any other conditions, an invasion of privacy, which is such a serious intervention that a court order is required, cannot take place and the administrators have to comply with and respect privacy. This defines the limits of research or security functions administered by honeypot administrators.

 

Publication of the results

Publication of results is related to the privacy issues outlined in the subsection relating to data capture. One of the important problems within this issue is the sharing and publishing of network traces. The scientific motivations for sharing these data are compelling: common datasets can provide meaningful comparisons between competing research approaches; simulated data are inadequate for some uses; and existing datasets may not reflect present-day threats or traffic characteristics. In this respect, it is necessary to mention the anonymization issue. Before presenting research data, it is necessary to anonymize these data. Network trace anonymization is an active area of research in the security community, as shown by the ongoing development of anonymization methods and the releases of network data that they enable. Since the results contain personal data, their publication would constitute a new processing of personal data with a new purpose and legal ground. Since this might be quite problematic, it is recommended to publish only an anonymized version of the results.

The publication of results also has the potential to harm an organization's reputation by revealing network details that the institution would prefer to keep secret. A strictly legal concern that this raises is the potential for a breach of contract. The possibility that a publication will reveal details about a honeypot or a production network also raises liability issues. Honeynet administrators should also consider whether the papers or datasets that they publish could reveal information that could help adversaries attack the honeynet or production network of an organization. Publishing datasets is likely to pose a greater risk to a production network than a paper; therefore, data releases may deserve a more careful vetting by IT officers than papers do. Another aspect of liability is the fact that the publication of results merely provides information that might help another person commit cybercrime.