Honeypots
mailing list archives
Re: Honeynet Alliance Charter Question
From: Adam Carlson <ajcarlson () ucdavis edu>
Date: Tue, 15 Mar 2005 23:33:31 -0800
Just to be clear, IANAL; my opinions are just that, opinions, and in no
way enlightened or accurate.
I have read a little bit about the legal complications surrounding
honeynets, in particular the writings of Richard Salgado who has done a
great job in alerting the honeynet community of the potential issues he
has identified. He does not make claims about what the legal issues
actually are, as there is no case history to draw from, but I think he
has done the best job so far of attempting to interpret the laws in a
plausible and realistic way. The chapter he wrote for the honeynet book
is a great source of information on the subject.
From what I've read entrapment only applies when one is attempting to
use the information to criminally prosecute individuals. Is this the
intent of the honeynet alliance and the reason requirement 4.8 is
mandatory for all members? From what I understand from the entrapment
laws, if there is some collaboration between the honeynet alliance and
law enforcement, then the honeynet alliance could be guilty of
entrapment. If there isn't an established connection with law
enforcement, however, then they shouldn't be able to be charged with
entrapment, even if law enforcement did at some point choose to request
logs. I think a big part of liability depends on whether or not you are
monitoring with the intent of using it in a criminal prosecution. As
long as the honeynet alliance is not running the honeynets to gain
information for the purpose of prosecuting criminals, it should be
immune according to my interpretation of what I've read. I do not think
that entrapment would be a major concern of the alliance, but if there
is a link between the alliance and law enforcement that I'm not aware
of, it definitely would have to be.
The other laws of concern (identified by Mr. Salgado) are the federal
wiretap act and the pen trap, trap and trace laws. From my
understanding, conforming to these laws would also not mandate employing
only passive data capture techniques, but I could be wrong and the
alliance may believe otherwise.
I'm wondering if it was in fact a legal decision to include that statute
or a moral decision or a mixture of both?
Again, please let me know if you can shed any light on the subject.
Thanks! -Adam
sushant () umich edu wrote:
I think it's a question of legal law. Law states that you cannot use "entrapment"
as a means to prosecute someone. For example, you think a guy is a contract
killer. Now, to prove that, you go to him and offer $10,000 if he kills someone.
And when he is close to the killing, you cannot arrest him because that's
"entrapment".
Similarly, you cannot set up a honeypot and ask someone to break into it, and
then charge him for breaking in. If you write a client to join a botnet and the
hacker controlling the botnet issues a command to DoS a particular website,
then you cannot prosecute him for issuing such a command to your machine.
More such instances can be created, but the bottom line is: "If you actively
lure an attacker, then you cannot charge him for breaking in."
-Sushant.
Quoting Adam Carlson <ajcarlson () ucdavis edu>:
Greetings all,
I was wondering if someone could explain to me the meaning and
purpose of the honeynet alliance requirement 4.8 involving data capture.
From this page:
http://www.honeynet.org/alliance/charter.txt
"4.8 Organizations that deploy honeynets and related technologies for
data capture must use passive means. No active means of data
capture are acceptable under the Alliance. "
What types of activity would be considered "passive" data capture as
opposed to "active"? I see how tcpdump would be considered passive,
while something like nmap would be considered active, but is there a
more formal definition/description that could be used to help classify
data capture methods when they aren't so obvious? Having a better
understanding of the intent of this requirement might help me understand
how to interpret it as well. Please let me know any thoughts you might
have.
Thank you for any assistance, -Adam
--
Clatto Verata Nicto