BBC botnet "broke the law"
By Barry Collins
Posted on 13 Mar 2009 at 08:43
A leading technology lawyer claims the BBC broke the law by buying and running its own botnet.
The BBC's Click programme bought the 22,000 PC botnet in a chatroom, to highlight how easy it was to purchase thousands of hijacked machines.
The BBC used the botnet to send thousands of spam messages to two specially created Gmail and Hotmail accounts, as well as to simulate a denial-of-service attack with the co-operation of security company PrevX.
The BBC claims, in a report on the Click website, that "if this exercise had been done with criminal intent it would be breaking the law".
Technology lawyer Struan Robertson claims the botnet was illegal, irrespective of its good intentions. "The BBC appears to have broken the Computer Misuse Act by causing 22,000 computers to send spam," Robertson claims on the Out-law.com website.
"It does not matter that the emails were sent to the BBC's own accounts and criminal intent is not necessary to establish an offence of unauthorised access to a computer," he adds.
"The Act requires that a computer has been made to perform a function with intent to secure access to any program or data on the computer.
"Using the botnet to send an email is likely to satisfy that requirement. It also requires that the access is unauthorised - which the BBC appears to acknowledge."
If found guilty, the programme makers could face up to two years in prison, although Robertson believes the chances of prosecution are slim, especially as the BBC changed the wallpaper on affected PCs to warn their owners that the machine was infected. "It is very unlikely that any prosecution will follow because the BBC's actions probably caused no harm. On the contrary, it probably did prompt many people to improve their security," Robertson concludes.
Unauthorised entry
Security companies routinely refuse to purge botnets from infected PCs, claiming that it would be illegal under the Computer Misuse Act. Sophos claims the BBC has now crossed that line.
"Is it appropriate for a broadcaster to use innocent people's computers without their permission for the purposes of their experiment?" asks the security firm's senior technology consultant, Graham Cluley, on his blog.
"The law says you can't mess around with other people's computers without authorisation. The BBC and PrevX did not have the permission of the computer users to send those spam messages.
"Sending spam from someone else's computer obviously gobbles up bandwidth and will use up system resources. Even if the BBC felt the impact would be minimal - it doesn't make it right."
No personal data
"It was not our intention to break the law," a spokesman for the BBC told PC Pro. "At no stage was any other data other than the IP address used. There is a powerful public interest in demonstrating the ease with which such malware can be obtained and used; how it can be deployed on thousands of PCs without the owners even knowing it is there; and its power to send spam email or attack other websites undetected."