Should the BBC botnet have hijacked 22,000 computers?

A technology lawyer has claimed that the BBC broke the law when using a botnet to hijack 22,000 computers, with some security experts claiming it 'crossed the line' in its actions.

The BBC News technology programme Click acquired a botnet from an online chatroom and infected 22,000 computers, to demonstrate how easy it was for owners to get hold of the tools needed to launch distributed denial of service (DDoS) attacks.

The BBC website said that if the exercise had been carried out with criminal intent it would be breaking the law, but the purpose was to demonstrate the collective power of the tools when in criminal hands.

However, Pinsent Masons technology lawyer Struan Robertson said on the website that this was not true.

He said: "The BBC appears to have broken the Computer Misuse Act by causing 22,000 computers to send spam.

"It does not matter that the emails were sent to the BBC's own accounts, and criminal intent is not necessary to establish an offence of authorised access to a computer."

Robertson said that although the activity was technically illegal, the BBC was unlikely to be punished for it.

"The maximum penalty for this offence is two years' imprisonment," said Robertson. "But it is very unlikely that any prosecution will follow because the BBC probably caused no harm.

"On the contrary, it probably did prompt many people to improve their security."

Graham Cluley, security consultant at Sophos, was adamant that the BBC had gone about it in the wrong way.

He said that Sophos had been asked many times to take part in similar TV programmes, but it always made it clear that it was legally questionable.

David Harley, director of malware intelligence at ESET, said on his blog that although he wouldn't want anybody arrested over the issue, he did want to see an acknowledgement that the BBC may have gone too far.

He said: "They could have set up a botnet (real or simulated) on their own closed network and demonstrated anything they like, totally legally, or commissioned a group or agency, better resourced and more knowledgeable, to do it for them.

"But they chose not to pursue any of these alternatives, preferring to play the bold botmaster. Or worse still, simply didn't think about alternatives and consequences at all."

He concluded: "The legal system may not regard that as reckless, but I do."

"It was not our intention to break the law. At no stage was any other data other than the IP address used," the BBC said in a statement. "There is a powerful public interest in demonstrating the ease with which such malware can be obtained and used; how it can be deployed on thousands of infected PCs without the owners even knowing it is there; and its power to send spam e-mail or attack other websites undetected.

The BBC continued: "This will help computer users realise the importance and value of using basic security techniques to defend their PCs from such attacks. The BBC has strict editorial guidelines for this type of investigation which were followed to the letter."