Can a honeypot to identify a stalker be GDPR-compliant?

Over on Stack Exchange, someone is asking about creating honeypots in order to identify stalkers or hackers. The question proposes creating downloadable files with tracking pixels, using features of platforms like Google Drive, or using the advertising features of Google Analytics to infer location and demographics of the stalker. The files/websites would be crafted to be indexed by Google under search terms that would be interesting to a stalker. The question is what limitations the GDPR would place on such strategies.

On one hand, security measures can clearly be an overriding legitimate interest, cf. Recital 49 GDPR.

On the other hand, such measures might not be necessary and proportional, especially when the threat supposed to be countered by these measures is still speculative. I think this scenario is very similar to video surveillance, where the EDPB writes in Guidelines 3/2019:

20. The legitimate interest needs to be of real existence and has to be a present issue (i.e. it must not be fictional or speculative). A real-life situation of distress needs to be at hand – such as damages or serious incidents in the past – before starting the surveillance. In light of the principle of accountability, controllers would be well advised to document relevant incidents […] and related criminal charges.

I also have doubts whether such strategies would be adequate for the stated purpose of inferring the identity of a stalker. For example, Google Analytics is not magic and Google’s estimated age ranges for an individual user are frequently wildly off – if the tracking isn’t blocked outright by the browser. If the processing activity is not adequate for its stated purpose, it would fail the Art 5(1)(c) data minimization principle.

In any case the Art 13 information obligation would make covert data collection illegal, even if these activities were otherwise supported by an overriding legitimate interest. Covert action would have to be done by law enforcement.

What do you think about the GDPR-compliance of honeypots? Are there other factors that should be considered?

1 Like

Welcome @latk! Glad to have you here. :smiley: This is a really interesting question!

From an ePrivacy perspective you’d need to start off with asking for consent for actually placing the GA cookies on the terminal equipment of the ‘stalker’. Subsequent processing could be based on legitimate interest, if any (more about that below).

What I find more interesting is that the usage of Google Analytics isn’t allowed in light of the Schrems II judgement by the CJEU. And although Google is fancy on not ‘using personal data’ with GA, it is in fact personal data, especially if Google combines it with all the other things it has on you; it might not be identifiable to the controller, but to Google it is and thus personal data. That personal data is then transferred to servers in the United States without adequate measures; the default data processing agreement probably includes SCCs, but I am not sure about that.

I believe Recital 49 GDPR to merely state that security measures can constitute a legitimate interest. Art. 6(1)(f) GDPR provides a concise test: It must be legitimate, necessary in relation to the purpose and not override the interest and rights of the data subject.

Using GA is not at all necessary in any way, nor is it practical. You can gather certain demographics, but essentially you are just trusting some system, of which you do not know how it works, to just give you information, which you can then use to prosecute that person? yeah no…

Something that would be much more practical is getting the user’s IP address or real location, such as by WebRTC leaks or just the IP given to the server (if it isn’t a VPN). That way you can actually go after the user and get the user’s personal data by court order.

Back to the honeypot: Using a honeypot is likely legitimate, but I don’t think it is necessary to go further than recording IP addresses, possibly a hardware ID using a vulnerability in for example PDFs; those are real identifiers that you can use in the courts, as opposed to some Google Analytics demographics.

I don’t share the opinion that Art. 13/14 GDPR prohibits covert surveillance, although it probably does in this instance. For example, the usage of hidden cameras is allowed under the GDPR if it is absolutely necessary (which is a really high bar; it essentially means every other measure was exhausted and failed), is temporary, the possibility of it happening in certain situations like theft was mentioned in advance, limiting the interference with the right to privacy, and after the fact informing the data subjects of the processing.

Something where I would find it appropriate and necessary is when you’re after a specific person that keeps disturbing and interfering with your service by technical means, and you set-up a honeypot to gather information to be able to seek effective remedy against the hacker/stalker.

In any case, all of the compliance work should be done in advance and put on paper: legitimate interest assessments, a motivated decision about informing or not informing data subjects as stipulated in Art. 13/14 GDPR, and all other compliance aspects.

Thank you @hugo for your input! Your mention of ePrivacy reminded me that it’s perfectly normal (and often compliant) to collect IPs in web server access logs, precisely to enable forensics and prosecution if necessary. Your other points seem entirely correct as well.

I went and wrote an answer to the Stack Exchange question which synthesizes some of the points made here.

Of course, I found a paper[1] that discusses these topics immediately afterwards, but it’s not quite applicable to the scenario (identifying a specific attacker vs mere general honeypots for maintaining security or research purposes). It also seems there was a follow-up paper conducting an example DPIA for a honeypot system.[2] While it might not be the best DPIA, it does a good job of highlighting risks for persons affected by such a honeypot which could be useful for a legitimate interest balancing test.

  1. Sokol, Míšek, Husák (2017). Honeypots and honeynets: issues of privacy. In: EURASIP J. on Information Security. doi:10.1186/s13635-017-0057-4 (open access) ↩︎

  2. Horák, Stupka, Husák (2019). GDPR Compliance in Cybersecurity Software: A Case Study of DPIA in Information Sharing Platform. In: Proceedings of the 14th International Conference on Availability, Reliability and Security. doi:10.1145/3339252.3340516 URL: (includes PDF) ↩︎

1 Like
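The two posts above converge on the same practical point: the honeypot does not need GA demographics, only the identifiers the web server already records (client IP, timestamp, user agent) for hits on the bait document, kept for a bounded period. The following is an added example illustrating that minimal approach; it is not code from either poster or from the Stack Exchange answer. The log lines are constructed in the nginx/Apache "combined" format, the bait path `/private/diary-2023.pdf` and the 30-day retention window are assumptions, and the script deliberately discards everything that is not a hit on the bait path so that the honeypot record holds no more than the normal access log already does.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample access-log lines (combined format), not real traffic.
# Two requests from one client fetch the bait document, one is ordinary traffic,
# one is malformed, and one is a bait hit that is older than the retention window.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /private/diary-2023.pdf HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
198.51.100.2 - - [10/Oct/2023:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.1.2"
203.0.113.7 - - [10/Oct/2023:14:05:01 +0000] "GET /private/diary-2023.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
this line is not a valid access-log record
192.0.2.44 - - [01/Jan/2023:09:00:00 +0000] "GET /private/diary-2023.pdf HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Assumed bait path: the document crafted to attract the stalker (hypothetical).
HONEYPOT_PATHS = {"/private/diary-2023.pdf"}

# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line; return None for anything that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "path": m["path"],
        "status": int(m["status"]),
        "ua": m["ua"],
    }


def honeypot_hits(log_text, honeypot_paths, now, retention_days=30):
    """Extract only hits on the bait path(s) within the retention window.

    Data minimisation: each retained record carries just the client IP, the
    time of the request and the user agent, the identifiers that can actually
    be used in a court order. Everything else (normal traffic, referer, bytes,
    malformed lines) is dropped rather than guessed at.
    """
    cutoff = now - timedelta(days=retention_days)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # malformed: do not invent fields
        if rec["path"] not in honeypot_paths:
            continue                      # ordinary traffic: keep nothing extra
        if rec["ts"] < cutoff:
            continue                      # outside the assumed retention window
        hits.append({"ip": rec["ip"], "ts": rec["ts"], "ua": rec["ua"]})
    return hits


def distinct_sources(hits):
    """Collapse repeated hits per client so the record is one entry per source IP."""
    by_ip = {}
    for h in hits:
        entry = by_ip.setdefault(
            h["ip"], {"first_seen": h["ts"], "last_seen": h["ts"], "hits": 0, "user_agents": set()}
        )
        entry["first_seen"] = min(entry["first_seen"], h["ts"])
        entry["last_seen"] = max(entry["last_seen"], h["ts"])
        entry["hits"] += 1
        entry["user_agents"].add(h["ua"])
    return by_ip


if __name__ == "__main__":
    now = datetime(2023, 10, 11, tzinfo=timezone.utc)
    for ip, info in distinct_sources(honeypot_hits(SAMPLE_LOG, HONEYPOT_PATHS, now)).items():
        print(ip, info["hits"], "hit(s)", info["first_seen"].isoformat(), "->", info["last_seen"].isoformat())
```

The retention cutoff is applied at extraction time so that a bait hit from months before the incident being documented (the January line) never enters the honeypot record at all; whether 30 days is the right window is part of the legitimate interest assessment the posters describe, not something the code decides.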

Your answer on Stack Exchange is great! I can only view the first paper, the second one (DPIA) I need to pay for. The first paper seems good, but is indeed not really applicable to this situation.

Updated post with link to the paper’s home page which includes a PDF of the author version. When I stumbled upon the paper it had an access token so I hadn’t noticed the lack of open access, sorry!
