PCPro-Computing in the Real World Printed from www.pcpro.co.uk

BBC botnet "broke the law"

Posted on 13 Mar 2009 at 08:43

A leading technology lawyer claims the BBC broke the law by buying and running its own botnet.

The BBC's Click programme bought the 22,000-PC botnet in a chatroom, to highlight how easy it was to purchase thousands of hijacked machines.

The BBC used the botnet to send thousands of spam messages to two specially created Gmail and Hotmail accounts, as well as to simulate a denial-of-service attack with the co-operation of security company PrevX.

In a report on the Click website, the BBC claims that "if this exercise had been done with criminal intent it would be breaking the law."

Technology lawyer Struan Robertson claims the botnet was illegal, irrespective of its good intentions. "The BBC appears to have broken the Computer Misuse Act by causing 22,000 computers to send spam," Robertson claims on the Out-law.com website.

"It does not matter that the emails were sent to the BBC's own accounts and criminal intent is not necessary to establish an offence of unauthorised access to a computer," he adds.

"The Act requires that a computer has been made to perform a function with intent to secure access to any program or data on the computer.

"Using the botnet to send an email is likely to satisfy that requirement. It also requires that the access is unauthorised - which the BBC appears to acknowledge."

If found guilty, the programme makers could face up to two years in prison, although Robertson believes the chances of prosecution are slim, especially as the BBC changed the wallpaper on affected PCs to warn owners that their machine was infected. "It is very unlikely that any prosecution will follow because the BBC's actions probably caused no harm. On the contrary, it probably did prompt many people to improve their security," Robertson concludes.

Unauthorised entry

Security companies routinely refuse to purge botnets from infected PCs, claiming that it would be illegal under the Computer Misuse Act. Sophos claims the BBC has now crossed that line.

"Is it appropriate for a broadcaster to use innocent people's computers without their permission for the purposes of their experiment?" asks the security firm's senior technology consultant, Graham Cluley, on his blog.

"The law says you can't mess around with other people's computers without authorisation. The BBC and PrevX did not have the permission of the computer users to send those spam messages.

"Sending spam from someone else's computer obviously gobbles up bandwidth and will use up system resources. Even if the BBC felt the impact would be minimal - it doesn't make it right."

No personal data

"It was not our intention to break the law," a spokesman for the BBC told PC Pro. "At no stage was any other data other than the IP address used. There is a powerful public interest in demonstrating the ease with which such malware can be obtained and used; how it can be deployed on thousands of PCs without the owners even knowing it is there; and its power to send spam email or attack other websites undetected.
