Honeypots: a sticky legal landscape?

Author: Walden, Ian
Position: Catching computer hackers
  1. INTRODUCTION

    With today's enhanced focus on cybersecurity, governments and businesses are looking for effective tools to prevent and detect attacks on their critical information systems. Effectiveness needs to be measured not only in terms of technological feasibility but also in terms of legality. One innovative technique is the use of so-called "honeypots": vulnerable computer systems or networks designed to be attractive to hackers as a target for intrusion. Honeypots can not only deflect the attention of hackers from an organization's "real" system, but they can also provide investigators with the ability to gather detailed and contemporaneous forensic evidence about the hackers.

    An intruder into a honeypot may be obtaining access simply as an intellectual challenge or in order to facilitate more serious criminal activities, such as the storage of child pornography or the launching of "denial-of-service" attacks against other systems. Whatever the ultimate purpose of the intrusion, under the laws of most industrialized nations, obtaining unauthorized access to the honeypot should itself be a criminal offense.

    Concerns have been raised in technical literature and chat rooms, however, about the legal risks associated with the operation of a honeypot. Uncertainty about the legality of honeypots may deter their use as a tool in the fight against criminal and terrorist attacks against critical information systems. This Article examines two key areas of concern: entrapment and privacy. As with much technological development, there is a need to apply existing legal rules to the innovative scenario to assess the legal risks involved in such activities.

    As is obvious from their moniker, honeypots are designed to attract visitors. By attracting a potential criminal or terrorist, however, a honeypot may be viewed as a form of entrapment. (1) Such a finding would render the use of a honeypot as an evidential tool ineffective. Section II of this article reviews the doctrine of entrapment from a comparative law perspective. The operation of a honeypot also enables access to communications between hackers when carried out via the honeypot. (2) Such access raises questions concerning lawful interception or other privacy concerns. Section III examines the relevant privacy rules in the United States and the United Kingdom.

    Key problems when pursuing those engaged in criminal activities across the Internet are identifying the perpetrator and obtaining sufficient evidence to commence legal proceedings. Honeypots can be an effective tool in addressing these problems. The legal implications of such techniques, however, need to be considered during the design and implementation of the honeypot; section IV makes some recommendations for those considering using a honeypot.

  2. WHAT IS A HONEYPOT?

    A honeypot or deception host is a designated area within a computer system or network that has been designed specifically with the expectation that it will be attacked by unauthorized users, whether internal or external to the organization operating the honeypot; it is "a resource whose value is [in] being [sic] attacked or compromised." (3)

    A honeypot can be configured from hardware with weaknesses known to hackers or with software that emulates the hardware with weaknesses. In each case, the honeypot appears to be a target that the hacker can easily break into, but its decoy status is not obvious. Honeypots can range from simple systems that emulate a few of the services that would be provided on a server to highly complex networks of honeypots. (4)

    The function of the honeypot can vary. It can serve as a decoy to deflect the hacker from breaking into the real system, as a research tool for systems administrators merely to observe and learn how hackers operate and about weaknesses in their systems, or as a tool to monitor and document evidence for criminal prosecution. The passive gathering of information by the honeypot regarding a perpetrator's identity can obviously also be used to actively pursue the perpetrator; such pursuits can include issuing warnings or even attacking the perpetrator's system in retaliation. (5)

    The technical literature makes it clear that running a honeypot is a task not to be lightly undertaken, especially by those who do not have the skills to do it properly. If the honeypot is located on the same facilities as the "real" system, there is a clearly enhanced vulnerability. As already noted, such risks extend to third-party systems that may be targeted using the resource provided by the honeypot. A full risk/benefit analysis of a honeypot is therefore required prior to implementation; this analysis should extend to technological and legal risks.

  3. HONEYPOTS AND ENTRAPMENT

    A key concern raised regarding the use of honeypots and related deception techniques is the characterization of such activities as a form of entrapment. Generally, as a legal concept, entrapment is concerned with the involvement of public law enforcement authorities and their agents in the inducement or commission of a crime. (6) In common law jurisdictions, a claim of entrapment has been characterized as having differing legal remedies. Depending on the jurisdiction, a finding of entrapment may either prevent legal proceedings from being pursued or fatally undermine the success of a prosecution.

    In practical terms, such differences will generally have the same consequence: the failure to prosecute successfully. However, such characterization will impact on the manner in which the claim is treated within the proceedings and, indeed, may impact the handling of cross-border criminal proceedings.

    In the United States, federal courts characterize entrapment as a substantive defense, which if found would mean that the crime was considered not to have been committed. (7) As such, it is an issue to be decided by a jury rather than the judiciary. (8) In Canada, entrapment gives rise to a stay of proceedings, with the court effectively preventing the commencement of the proceedings. (9) In Australia, the issue has been treated as an evidential matter, with the courts exercising their discretion to exclude evidence obtained through entrapment. (10) In the United Kingdom, the issue of how to characterize entrapment was recently examined by the House of Lords in Regina v. Loosely. (11) The case provides a clear precedent for the treatment of entrapment under English law. (12)

    The following will examine the doctrine of entrapment in the context of honeypots under the laws of the United States, Canada, Australia, and the United Kingdom, respectively.

    1. The United States

      There are many different entrapment laws and definitions in the United States. The individual states apply different tests under state criminal law; (13) the federal courts serve as another source of doctrine on entrapment under federal common law and U.S. constitutional law. (14) Since any potential prosecution using honeypot techniques is likely to apply the U.S. Computer Crime and Abuse Act, (15) however, this paper will examine that part of the federal doctrine that is of immediate concern here. (16)

      The U.S. federal entrapment doctrine was recognized by a divided Supreme Court seventy years ago in Sorrells v. United States. (17) Its holding, affirmed in 1958, in Sherman v. United States, (18) and most recently in 1992, in Jacobson v. United States, (19) continues to divide the Court and legal scholars. Under what is known as the Sorrells-Sherman doctrine, (20) entrapment is an absolute defense to a federal crime. The court may determine it if the elements are found to exist as a matter of law; otherwise it is to be decided by the jury as part of its determination of the guilt or innocence of the accused. (21)

      This doctrine uses a subjective test (22) that focuses on whether the accused was predisposed to commit the crime. (23) Thus, its rationale is not the integrity of the judicial system and, theoretically, the nature of the state's conduct is irrelevant. (24) Rather, the test is premised on whether the accused is "otherwise innocent" and, therefore, not blameworthy, and premised on the basic tenet of criminal law that defendants who are not culpable should not be punished. (25)

      A successful entrapment defense under Sorrells-Sherman (26) requires two elements: government inducement and a lack of predisposition on the part of the accused to engage in criminal conduct. (27) With the focus on the latter, it has been suggested that the first half of the test is, in practice, "superfluous." (28) For purposes of this analysis, however, it is the most critical part of the test. That is, if the conduct of the operators of a honeypot does not amount to an inducement under U.S. law, then the disposition of the accused intruder sought would be irrelevant.

      Thus, the accused must present evidence that a government agent took actions intended to induce him to engage in the alleged criminal behavior. Yet, as noted, "[t]he government may undertake covert operations to detect and expose consensual crimes. Accordingly, 'if law enforcement officers do nothing to induce a defendant to commit a crime, a defendant cannot claim entrapment.'" (29)

      An examination of what conduct rises to the level of inducement indicates that the U.S. courts generally require a significant showing. The test, as posited by the Tenth Circuit and other courts, indicates that:

      "Inducement" may be defined as government conduct which creates a substantial risk that an undisposed person or otherwise law-abiding citizen would commit the offense.... Governmental inducement may take the form of "persuasion, fraudulent representations, threats, coercive tactics, harassment, promises of reward, or pleas based on need, sympathy or friendship." (30) In contrast, mere solicitation, proposal of a criminal plan or provision of an opportunity to commit a crime does not constitute inducement. (31) Thus, conduct...
