Legal Considerations of Implementing Honeypots

Written by Carl E. Reid on October 6, 2008

An increasingly popular technique for detecting would-be intruders, a honeypot is a type of hacker mouse trap. It’s a system that sits on an organization’s network for no other purpose than to be hacked. The goal is to divert attackers away from the company’s actual, valuable network while placing the hacker in a more closely monitored environment, where every keystroke can be analyzed.

“There are some legal issues here, and they are not necessarily trivial, and they’re not necessarily easy,” said Richard Salgado, senior counsel for the Department of Justice’s computer crime unit, speaking at an RSA Conference in San Francisco.

But this monitoring is what U.S. federal criminal law calls “interception of communications,” a felony that carries up to five years in prison, Salgado said. Fortunately for honeypot operators, there are exemptions to the Federal Wiretap Act that could be applied to some honeypot configurations, but they still leave many hacker traps in a legal danger zone.

One exemption permits interception of a communication if one of the parties consents to monitoring. To accomplish this, Salgado suggested that honeypots display a banner message warning that the computer is being monitored. “You can provide a warning on the honeypot… and you’ve got the argument that they saw the banner, continued using the system, and consented to monitoring,” he said. But most hackers don’t penetrate a system through the front door. If they never see the banner, they haven’t consented to monitoring. “It’s not the silver bullet.”

The consent exemption might apply without a banner if a court determines that the honeypot itself is one of the “parties” to the communication, Salgado said. But that goes out the window, or at least becomes more legally complicated, the moment the hacker uses the honeypot to connect to another machine, or sets up a chat system on the box. Now the honeypot operator is intercepting communications between two or more parties. “Those kinds of situation become problematic.”

Another relevant exemption was passed as part of the USA-PATRIOT Act in October 2001, but it applies only to cases where the government steps in to do the spying. The so-called “computer trespasser exemption” allows the government to intercept the communications of a computer intruder at the invitation of the victim. “Everyone coming into that honeypot is a trespasser… So this exception may work very nicely with honeypots when the government is coming in to do the monitoring,” said Salgado. “But it has to be relevant to an ongoing investigation.”
