But I don’t know anyone who thinks that it violates federal law to deploy honeytokens on your own network. So when FBI officials caution that using deceptive files that way could make you more of a target, they aren’t giving legal advice. They’re giving “leave it to the FBI” advice, in a field where leaving it to the FBI is a recipe for failure.
Also, I suspect they’re talking through their, uh, hats. In what way will deploying fake files “backfire”? OK, fake files may not work forever; the hackers may come back and look harder for the real stuff, but is that really a reason not to deploy them?