10 Sep 2019
Session Block—Cybersecurity 12:20 - 12:40

Deception systems are an emerging type of cyber security defence. They enable effective protection of the information systems and networks of diverse organisations: they can detect, analyse, and defend against cyber-attacks. Deception technology considers the point of view of the human intruder (the intruder into an information system and network) and the intruder's methodology for exploiting and navigating networks to identify and exfiltrate data. A significant type of deception system is the honeypot. A honeypot can be defined as a system whose main purpose is to attract intruders in order to study their behaviour, methods, tools and goals. In other words, honeypots aim to trap intruders.

The use of deception systems (honeypots) raises several legal issues. The presentation discusses the personal data protection issues that the provider of a deception system must consider when personal data of the intruder (into the information system and network of an organisation) are collected and processed. From the perspective of EU law, the provider of a deception system is required to respect the legal obligations stemming from the EU's rules on personal data protection, mainly the General Data Protection Regulation (GDPR). The relevant provisions of the GDPR relate predominantly to whether the data processed by the provider of the deception system are to be considered personal data, the legal ground for the legitimate processing of such data, the legal principles relating to their processing, and the legal framework within which the exercise of the data subject's rights stemming from the fundamental right to personal data protection may be restricted. To illustrate, the conditions for data collection and data retention by honeypot and honeynet providers will be presented, e.g. as regards production honeypots, research honeypots, etc. These providers are considered controllers, because they collect and process IP addresses, which are considered personal data. The presentation also considers the personal data protection issues that a CSIRT (Computer Security Incident Response Team) faces when using deception systems within its proactive or reactive activities.

Outline of the presentation 

  1. Introduction to research in deception systems and their legal issues 
  2. Technical background of the deception systems 
  3. Honeypots and honeynets 
  4. Honeytokens and honeyfiles 
  5. Related works 
  6. Legal definition of deception systems 
  7. Legal framework of privacy and personal data protection in EU law 
  8. Basic concepts of personal data protection 
  9. Data quality requirements under the EU law 
  10. Personal data in context of the deception systems 
  11. IP addresses 
  12. Use case – research honeynet 
  13. Use case – honeyfiles


P. J. Šafárik University in Košice, Faculty of Law
CSIRT researcher, PhD. candidate

