...of legality. One innovative technique is the use of so-called "honeypots": vulnerable computer systems or networks designed to be attractive to hackers as a target for intrusion. Honeypots can not only deflect the attention of hackers from an organization's "real" system, but they can also provide investigators with the ability to gather detailed and contemporaneous forensic evidence about the hackers.
An intruder into a honeypot may be obtaining access simply as an intellectual challenge or in order to facilitate more serious criminal activities, such as the storage of child pornography or the launching of "denial-of-service" attacks against other systems. Whatever the ultimate purpose of the intrusion, under the laws of most industrialized nations, obtaining unauthorized access to the honeypot should itself be a criminal offense.
Concerns have been raised in technical literature and chat rooms, however, about the legal risks associated with the operation of a honeypot. Uncertainty about the legality of honeypots may deter their use as a tool in the fight against criminal and terrorist attacks against critical information systems. This Article examines two key areas of concern: entrapment and privacy. As with much technological development, there is a need to apply existing legal rules to the innovative scenario to assess the legal risks involved in such activities.
As is obvious from their moniker, honeypots are designed to attract visitors. By attracting a potential criminal or terrorist, however, a honeypot may be viewed as a form of entrapment. (1) Such a finding would render the use of a honeypot as an evidential tool ineffective. Section II of this article reviews the doctrine of entrapment from a comparative law perspective. The operation of a honeypot also enables access to communications between hackers when carried out via the honeypot. (2) Such access raises questions concerning lawful interception or other privacy concerns. Section III examines the relevant privacy rules in the United States and the United Kingdom.
Key problems when pursuing those engaged in criminal activities across the Internet are identifying the perpetrator and obtaining sufficient evidence to commence legal proceedings. Honeypots can be an effective tool in addressing these problems. The legal implications of such techniques, however, need to be considered during the design and implementation of the honeypot; section IV makes some recommendations for those considering using a honeypot.
II. WHAT IS A HONEYPOT?
A honeypot or deception host is a designated area within a computer system or network that has been designed specifically with the expectation that it will be attacked by unauthorized users, whether internal or external to the organization operating the honeypot; it is "a resource whose value is [in] being [sic] attacked or compromised." (3)
A honeypot can be configured from hardware with weaknesses known to hackers or with software that emulates the hardware with weaknesses. In each case, the honeypot appears to be a target that the hacker can easily break into, but its decoy status is not obvious. Honeypots can range from simple systems that emulate a few of the services that would be provided on a server to highly complex networks of honeypots. (4)
The function of the honeypot can vary. It can serve as a decoy to deflect the hacker from breaking into the real system, as a research tool for systems administrators merely to observe and learn how hackers operate and about weaknesses in their systems, or as a tool to monitor and document evidence for criminal prosecution. The passive gathering of information by the honeypot regarding a perpetrator's identity can obviously also be used to actively pursue the perpetrator; such pursuits can include issuing warnings or even attacking the perpetrator's system in retaliation. (5)
The technical literature makes it clear that running a honeypot is a task not to be lightly undertaken, especially by those who do not have the skills to do it properly. If the honeypot is located on the same facilities as the "real" system, there is a clearly enhanced vulnerability. As already noted, such risks extend to third-party systems that may be targeted using the resource provided by the honeypot. A full risk/benefit analysis of a honeypot is therefore required prior to implementation; this analysis should extend to technological and legal risks.
III. HONEYPOTS AND ENTRAPMENT
A key concern raised regarding the use of honeypots and related deception techniques is the characterization of such activities as a form of entrapment. Generally, as a legal concept, entrapment is concerned with the involvement of public law enforcement authorities and their agents in the inducement or commission of a crime. (6) In common law jurisdictions, a claim of entrapment has been characterized as having differing legal remedies. Depending on the jurisdiction, a finding of entrapment may either prevent legal proceedings from being pursued or fatally undermine the success of a prosecution.
In practical terms, such differences will generally have the same consequence: the failure to prosecute successfully. However, such characterization will impact on the manner in which the claim is treated within the proceedings and, indeed, may impact the handling of cross-border criminal proceedings.
In the United States, federal courts characterize entrapment as a substantive defense, which if found would mean that the crime was considered not to have been committed. (7) As such, it is an issue to be decided by a jury rather than the judiciary. (8) In Canada, entrapment gives rise to a stay of proceedings, with the court effectively preventing the commencement of the proceedings. (9) In Australia, the issue has been treated as an evidential matter, with the courts exercising their discretion to exclude evidence obtained through entrapment. (10) In the United Kingdom, the issue of how to characterize entrapment was recently examined by the House of Lords in Regina v. Loosely. (11) The case provides a clear precedent for the treatment of entrapment under English law. (12)
The following will examine the doctrine of entrapment in the context of honeypots under the laws of the United States, Canada, Australia, and the United Kingdom, respectively.
A. The United States
There are many different entrapment laws and definitions in the United States. The individual states apply different tests under state criminal law; (13) the federal courts serve as another source of doctrine on entrapment under federal common law and U.S. constitutional law. (14) Since any potential prosecution using honeypot techniques is likely to apply the U.S. Computer Crime and Abuse Act, (15) however, this paper will examine that part of the federal doctrine that is of immediate concern here. (16)
The U.S. federal entrapment doctrine was recognized by a divided Supreme Court seventy years ago in Sorrells v. United States. (17) Its holding, affirmed in 1958, in Sherman v. United States, (18) and most recently in 1992, in Jacobson v. United States, (19) continues to divide the Court and legal scholars. Under what is known as the Sorrells-Sherman doctrine, (20) entrapment is an absolute defense to a federal crime. The court may determine it if the elements are found to exist as a matter of law; otherwise it is to be decided by the jury as part of its determination of the guilt or innocence of the accused. (21)
This doctrine uses a subjective test (22) that focuses on whether the accused was predisposed to commit the crime. (23) Thus, its rationale is not the integrity of the judicial system and, theoretically, the nature of the state's conduct is irrelevant. (24) Rather, the test is premised on whether the accused is "otherwise innocent" and, therefore, not blameworthy, and premised on the basic tenet of criminal law that defendants who are not culpable should not be punished. (25)
A successful entrapment defense under Sorrells-Sherman (26) requires two elements: government inducement and a lack of predisposition on the part of the accused to engage in criminal conduct. (27) With the focus on the latter, it has been suggested that the first half of the test is, in practice, "superfluous." (28) For purposes of this analysis, however, it is the most critical part of the test. That is, if the conduct of the operators of a honeypot does not amount to an inducement under U.S. law, then the disposition of the accused intruder sought would be irrelevant.
Thus, the accused must present evidence that a government agent took actions intended to induce him to engage in the alleged criminal behavior. Yet, as noted, "[t]he government may undertake covert operations to detect and expose consensual crimes. Accordingly, 'if law enforcement officers do nothing to induce a defendant to commit a crime, a defendant cannot claim entrapment.'" (29)
An examination of what conduct rises to the level of inducement indicates that the U.S. courts generally require a significant showing. The test, as posited by the Tenth Circuit and other courts, indicates that:
"Inducement" may be defined as government conduct which creates a substantial risk that an undisposed person or otherwise law-abiding citizen would commit the offense.... Governmental inducement may take the form of "persuasion, fraudulent representations, threats, coercive tactics, harassment, promises of reward, or pleas based on need, sympathy or friendship." (30)
In contrast, mere solicitation, proposal of a criminal plan or provision of an opportunity to commit a crime does not constitute inducement. (31) Thus, conduct by government agents that does not rise to the requisite level for inducement will not constitute entrapment.
Considering this in the context of honeypots, it would appear that the merely passive presence of a decoy site, (32) the only lure of which is that it has less than optimal security, does not rise even to the level of a solicitation to enter the system. Nor does it rise to a proposal to commit the crime of hacking or a request to crack the system that would of themselves be insufficient to constitute inducement under the U.S. law of entrapment. The hacker would crack the system as he would any other that was similarly vulnerable. Thus, absent the essential element of inducement by the honeypot operator, it is unlikely that entrapment could be found under U.S. federal law for such honeypot operation. (33)
B. Canada
In 1988, the Supreme Court of Canada thoroughly reviewed the law of entrapment in light of the adoption of the Canadian Charter of Rights and Freedoms. (34) The Court determined in The Queen v. Mack (35) that the "principles of fundamental justice" under section 7 of the Charter (36) governed the rationale, nature, and scope of entrapment. (37) The Court concluded that these principles of fundamental justice were in the "inherent domain of the judiciary as the guardian of the justice system." (38) Furthermore, these principles compelled the recognition of the doctrine of entrapment in order to insure that the administration of justice "[be] kept free from disrepute." (39)
Thus, the Mack Court determined that entrapment was not a defense to a crime. Rather, it was a manifestation of the court's disapproval for "the spectacle of an accused's being convicted of an offense which [was] the work of the state," in the form of a stay of the proceedings. (40) It is to be exercised by the judge (41) only in the clearest of cases (42) and only after the trier of fact has made a determination as to the guilt or innocence of the accused. (43) This latter requirement is necessary because a stay of proceedings, while having the procedural effect of an acquittal (in terms of the right to appeal), does not have the same substantive effect. (44) Once guilt or innocence is established beyond a reasonable doubt, it is for the accused to prove on the balance of probabilities that the conduct of the state is an abuse of process because of entrapment. (45)
The Mack Court set forth two criteria of what constitutes entrapment, positing some factors that should be considered by the courts under an objective assessment of the conduct of the state and its agents. Entrapment is established when:
[t]he authorities provide an opportunity to persons to commit an offence without reasonable suspicion or acting mala fides ... or having a reasonable suspicion or acting in the course of a bona fide inquiry, they go beyond providing an opportunity and induce the commission of an offence. (46)
In discussing the first criterion, the Court noted that:
in certain situations the police may not know the identity of specific individuals, but they do know certain other facts, such as a particular location or area where it is reasonably suspected that certain criminal activity is occurring. In those cases it is clearly permissible to provide opportunities to people associated with the location under suspicion, even if these people are not themselves under suspicion. (47)
This must be pursuant to a bona fide investigation, however, and not "random virtue-testing." (48)
The Mack decision provides an illustration of the distinction between bona fide investigations and random virtue-testing that appears relevant to a honeypots analysis. Random virtue-testing arises where a police officer, merely looking to increase his arrest statistics, places a full wallet in an obvious, public location, ensuring that the wallet contains the owner's full identification. (49) A person who walks up, takes the money, and disposes of the wallet with the identification would be arrested. (50) Here, the Court reasoned that the "police officer acted without any grounds and his conduct carries the unnecessary risk that otherwise law-abiding people will commit a criminal offen[s]e." (51)
Under the Court's contrasting example, a bona fide inquiry arises with reports of handbag thefts in a bus station. (52) If, in the course of an investigation the police plant a handbag in an obvious location in the bus terminal and subsequently arrest and charge the person who took the bag, this should not be entrapment. (53)
Under Canadian law, therefore, it seems that a finding of entrapment could be avoided under the first Mack criterion if there were specific facts indicating the need for a good faith inquiry. (54) In the honeypots context, this could be met by documentation of attempts to hack the system that creates the original need for the honeypot. (55) The fact that a honeypot is not a conventional sort of inquiry is irrelevant. As the Mack Court stated:
[i]f the struggle against crime is to be won, the ingenuity of criminals must be matched by that of the police; as crimes become more sophisticated so too must be the methods employed to detect their commission. In addition, some crimes are more difficult to detect.... Methods of detection of offences ... necessarily differ according to the class of crime. (56)
Assuming that the honeypot is a bona fide inquiry into threatened or actual hacks on a system, the only other concern regarding entrapment under Canadian law would be whether a honeypot triggers the second test and constitutes more than providing an opportunity. The Mack decision suggests that any or all of the following factors may be part of a court's evaluation: (57)
[1. T]he type of crime being investigated and whether there are other techniques available for police to detect its commission;
[2. W]hether an average person, having both strengths and weaknesses, in the position of the accused would be induced into committing a crime;
[3. T]he persistence of the police and the number of attempts made before the accused agreed to commit the offense;
[4. T]he type of inducement used by the police including: deceit, fraud, trickery or reward;
[5. T]he timing of the police conduct, in particular whether the police instigated the offense or became involved in ongoing criminal activity; ...
[6. W]hether the police appear to have exploited a particular vulnerability such as a mental handicap or a substance addiction;
[7. T]he proportionality between the police involvement, as compared to the accused, including an assessment of the degree of harm caused or risked by the police, as compared to the accused, and the commission of any illegal acts by the police themselves;
[8. T]he existence of any implied or express threats by the police or their agents;
[9. W]hether the police conduct is directed at undermining other constitutional values. (58)
The typical honeypot appears to be no more than a mere opportunity, considering these criteria in order:
* Computer crime is difficult to detect and prove, requiring the use of more sophisticated methods. Other methods would appear to be less effective and applied after the system break-in. This factor weighs in favor of the legality of honeypots. (59)
* It is unlikely that an average person would have the inclination or skills to break into the systems of entities such as the national defense department or other government agencies that are the frequent targets of hackers and which would be likely candidates to run a honeypot effectively.
* The use of a honeypot is typically a passive method involving no contact with potential hackers prior to their hacking activity other than the mere presence of the decoy system.
* There are no inducements or deceits beyond the fact that the decoy system appears real to those entering it.
* There is no importuning or instigation; the decoy system is just there. No person or...
NOTE: All illustrations and photos
have been removed from this article.
