Last updated: 
4 months 1 week ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Legal issues in dealing with Botnets

Tuesday, November 13, 2012 - 16:43

An interesting paper from ENISA and the NATO Cyberdefence Centre illustrates the narrow space that the law allows for incident response, and the importance of ensuring that new laws don’t prevent incident response teams from protecting networks, systems, their users and information against attack. By comparing the details of German and Estonian law, the report also highlights just how different national laws can turn out, even when they are aiming to implement the same international legislation. The report looks specifically at the problem of deal with botnets, which may involve laws on surveillance, examining network traffic, processing personal data, and accessing or modifying computers. These laws are the subject of international instruments – EU Data Protection and telecommunications law and the EU Framework Decision on Cybercrime.

Detecting compromised computers that are part of a botnet involves looking at patterns, and sometimes content, of their network traffic. The first question raised by the report is whether this activity might fall within surveillance law. Normally it should not, since the subject of investigation is computers, not people. However it is possible that over-broad drafting of either law or judgments could bring network investigations within scope. Investigations, particularly if they involve looking at content, are likely to be covered by laws on the privacy of communications. German communications law protects traffic patterns (who sent packets to whom) as well as content but fortunately the law does allow network operators to examine this information where this is necessary “to recognise, limit or eliminate a disturbance or error of the telecommunication systems”. The Supreme Court has recognised “sending of spam, the dissemination of malicious software (trojan horses, viruses etc.) and the misuse of computer systems for running DDoS” as causing such disturbances. German law therefore allows network operators to retain and use all logs for seven days, and those relating to a particular incident for as long as it takes to resolve the incident. Disclosing information (unless it is first anonymised) or breaking encrypted or password-protected traffic are still illegal.

The German telecommunications law only extends to network operators, however, not to the operators of websites and other networked services. These organisations only have the general data protection law to rely on, and the authors are concerned that this may not give them a justification for looking at network traffic, producing a “lack of synchronisation” in the law. Estonian law seems to have a similar problem, though here the data protection law only provides for civil, and not criminal, sanctions. Hosts and networks could take the view that neither a botmaster nor a victim is likely to sue them for unlawful processing of personal data – a risk that the authors think “rather theoretical”. It would be better if these anomalies were fixed and incident responders given a secure basis for what they do (note that this is contained in the proposed Data Protection Regulation).

A common way to investigate botnets and other malicious network traffic is to set up a honeypot – a computer that offers itself as vulnerable but is in fact configured to collect information about attempts to compromise it. Honeypots seem to fall outside communications privacy laws, since the honeypot is a party to the communication so cannot intercept or surveil itself. This leaves data protection as the relevant law, so honeypots should be careful only to collect traffic that is necessary for their purpose.

The desired outcome of a botnet investigation will usually be to take down its command and control servers. Incident response teams are unlikely to be able to order an ISP to disconnect a server, though authority to do so is often included in ISP contracts. The report suggests that police may be able to order the disconnection of a command and control server (or to do it themselves) under general powers to protect the public order.

It is sometimes suggested that since botnets often include the ability to update software on infected computers, this technology could also be used to ‘clean up’ the botnet if access is gained to its command and control servers. The report warns that the law may prohibit this since the clean up will involve modifying the content of computers without the consent of their owners. Unauthorised modification of a computer is one of the best established cybercrime offences, and laws don’t usually consider why the modification is being done, only whether the person doing it knows they are unauthorised. A ‘good worm’ or botnet update will commit exactly the same crime as a bad one. Furthermore laws are now being implemented to criminalise the creation of tools, not just their use, so disinfection seems likely to face even more legal hurdles in future.