Did BBC break computer misuse act with botnet?

The BBC has been criticised by security experts and a lawyer after it hacked into 22,000 PCs in a special investigation into the damage that can be done with a network of compromised computers.


Technology programme BBC Click obtained a botnet of 22,000 hijacked PCs from an underground forum.

The show's presenter Spencer Kelly and a security expert from Prevx then demonstrated how to use these machines to send spam to two accounts the programme had created with Gmail and Hotmail.

The programme also launched a distributed denial of service (DDoS) attack on a backup site owned by Prevx, with permission.

But Graham Cluley of Sophos said that the experiment contravened the law and it was "clearly an unauthorised modification of computer data".

"Sending spam from someone else's computer obviously gobbles up bandwidth and will use up system resources. Even if the BBC felt the impact would be minimal - it doesn't make it right," Cluley wrote in his blog.

Struan Robertson, a technology lawyer with Pinsent Masons and editor of OUT-LAW.COM, said the BBC "appears" to have broken the Computer Misuse Act.

"It does not matter that the emails were sent to the BBC's own accounts and criminal intent is not necessary to establish an offence of unauthorised access to a computer," he said.

"The Act requires that a computer has been made to perform a function with intent to secure access to any program or data on the computer. Using the botnet to send an email is likely to satisfy that requirement," he said.

"It also requires that the access is unauthorised – which the BBC appears to acknowledge. It does not matter that the BBC's intent was not criminal or that someone else created the botnet in the first place," said Robertson.

While the activity was "technically illegal", Robertson said that it was unlikely that the corporation would be punished.

"The maximum penalty for this offence is two years' imprisonment. But it is very unlikely that any prosecution will follow because the BBC's actions probably caused no harm. On the contrary, it probably did prompt many people to improve their security," he said.

Other security vendors and experts, including McAfee, AVG and Kaspersky, voiced their agreement with Cluley in a discussion on microblogging site Twitter.

Greg Day from McAfee also featured in the BBC Click programme, where he explained the nature of botnets through a demonstration within a contained and controlled environment using only McAfee machines in a lab.

McAfee said Day was not involved in BBC Click's botnet demonstration, which involved real-world hijacked PCs.

Dave Marcus, director of security firm McAfee Labs, told ComputerworldUK: "We appreciate what the BBC programme was trying to do, and that it was trying to raise awareness. But I consider how they did it a little bit questionable."

Marcus also wrote on Twitter: "Looks like auntie Beeb and helper may have broken the computer misuse act."

BBC Click made a short statement on Twitter: "We would not put out a show like this one without having taken legal advice."

The BBC added that the programme had destroyed its botnet and no longer controlled any hijacked machines. The programme also warned users that their PCs were infected, and advised them on how to make their systems more secure.
