
Evolution of legal issues of honeynets


Authors: Pavol Sokol, Ján Host

Abstract

Honeynets are unconventional security tools used to study the techniques, methods, and goals of attackers. It is very important to consider the issues affecting the deployment and usage of these security tools. This paper discusses the legal issues of honeynets, taking their evolution into account. The paper focuses on the legal issues of the core elements of honeynets, namely data control, data capture, data collection and data analysis. It also draws attention to issues pertaining to privacy, liability, jurisdiction, applicable law and digital evidence. The analysis of legal issues is based on EU law.

Introduction

Several tools, methods and techniques aimed at protecting and securing communication between two or more network services have been used successfully for years. Recently, they seem to have become ineffective against new and advanced security threats; therefore it is absolutely necessary to change and modernize the techniques and tools used to protect networks from attackers. The honeypot and honeynet principle represents a different approach, one that can defend given systems more effectively.

A honeypot is a “security resource whose value lies in being probed, attacked, or compromised” [1]. Honeypots are mainly categorized by level of interaction, purpose, role and deployment. In this paper we focus on the categorization by level of interaction, specifically low-interaction honeypots and high-interaction honeypots.

A low-interaction honeypot uses software emulation of network services and operating systems on the host operating system to detect an attacker. A high-interaction honeypot functions differently: it permits the attacker to access all services on the given operating system and platform; nothing is restricted.

A honeynet is a high-interaction honeypot with the same risks and vulnerabilities that are characteristic of the networks of many organizations today. It is “not a single system but a network of multiple systems” [2]. “Honeynets represent the extreme of research honeypots. They are high interaction honeypots, which allow learning a great deal; however they also have the highest level of risk. Their primary value lies in research and gaining information on existing threats. A Honeynet is a network of production systems. Nothing is emulated. Little or no modifications are made to the honeypots. This gives the attacker a full range of systems, applications, and functionality to attack. From this it can be learnt a great deal, not only their tools and tactics, but their methods of communication, group organization, and motives” [3].

Following the definitions of honeynet and virtualization, a virtual honeynet can be defined as “a complete honeynet, running on a single computer in virtual environment” [3]. Alternatively, a virtual honeynet can be defined as “a technology that virtually implements many different operating systems in one hardware computer, and hence instead of having a honeynet of different physically separate honeypots, all the honeypots will be virtually set in one machine and still appear to the attacker as different separate machines” [4]. Virtual honeynets combine all the elements of a honeynet into a single physical system. Not only are the three requirements of data control, data capture, and data collection met, but the honeypots themselves also run on that single system [5].

A successful deployment of a honeynet is a successful deployment of its architecture. The core elements of the honeynet architecture are [2]:

  • Data control is the first requirement; its purpose is to control and contain the activity of the attacker.

  • Data capture monitors and logs all of the attacker’s activities within the honeynet.

  • Data collection: when an organization has more than one honeynet, all captured data has to be stored in one central location.

  • Data analysis is the ability to analyse the data collected from the honeynet.

Deployment and usage of honeynets may lead to a number of problems and issues. This paper outlines the legal issues affecting the deployment and usage of honeynets. The legal analysis is based on European Union law (EU law). The paper discusses EU regulations, EU directives and international agreements. The national legislation of EU member states is either based on these legal documents (EU directives, international agreements) or has them as an integral part (EU regulations, international agreements). Therefore, some national legislation may differ slightly from the concepts of EU law or international law.

This paper makes several contributions. The first is a review of the research literature related to the legal aspects of honeypots and honeynets. The second is a legal analysis of the core elements of honeynets from the perspective of EU law. In the case of data capture and data control we focus on the evolution of the legal issues of these core elements across the generations of honeynets.

To formalize the scope of our work, we state three research questions:

  • Which legal issues are related to the core elements of honeynets?

  • What are the definitions of honeypots and honeynets from the perspective of EU law?

  • What are the legal issues of data capture and data control according to generations of honeynets?

  • What are the legal issues of data collection, data analysis and data presentation?

This paper is organized into nine sections. Section 2 reviews the papers related to the legal issues of honeypots and honeynets. Section 3 outlines the honeynet generations. Section 4 is an introduction to the legal issues of honeypots and honeynets and outlines the definitions of honeypot and honeynet. Sections 5 and 6 contain the legal analysis of the core elements data capture and data control according to honeynet generations. Section 7 focuses on data collection and its legal issues. Section 8 outlines data analysis and data presentation and their legal issues. The last section contains conclusions and the authors’ suggestions for future research.