
BBC Click Botnet FoI Request for PC details

I have just emailed the BBC with a FoI request for any information they have on the computers that comprised the Botnet the Click team used.

I would like to make a FoI request for the information (specifically including the IP addresses) regarding the computers that comprised the Botnet used by the BBC Click researchers (Your story: http://news.bbc.co.uk/1/hi/programmes/click_online/7932816.stm). If you believe you would be unable to share the complete IP address, then I would accept the IP addresses in the human readable form with the last section omitted (e.g. 208.77.188.166 would become 208.77.188.xxx or 208.77.188).

Although I hope that they will agree to share at least the limited IP information, the FoI process can take a while and I have my doubts that they will give me anything. I am expecting to get a polite refusal either on the grounds that the information hasn’t been retained (convenient) or that it is private information that they cannot share due to the Data Protection Act (In which case the irony will be that if they cannot share it due to the DPA then they also weren’t entitled to collect the information without permission in the first place).

I expect this will probably be my last post regarding this subject until I get a response or some other source is able to get more information out of the BBC, who are currently stonewalling by refusing to discuss the legality of the issue beyond citing “strong public interest” (something that is irrelevant to the Computer Misuse Act). At some date in the future I will write up the information collected as a single page source so people can use it as a stable resource.

If anyone has some new information, or wants to point me in the direction of a news or opinion source I haven’t read/mentioned I’d love to hear about it.

Posted by John under Computing • 6 Comments

BBC Responds to my Click Botnet question.

Yesterday when I first read about the BBC Click team’s Botnet investigation I sent the BBC an email.

In this story it is stated that you acquired and used a botnet. Although the target of the DDoS and spam had consented to this, the article makes clear that the computers that made up the botnet belonged to owners who were not aware you had access.

Can you please respond regarding your position on the legality of your team’s actions, especially with regards to the Computer Misuse Act 1990.

I received an email response to this question yesterday at 19:36 (AIM mail had spam filtered it, thus the delay in posting it).

Dear John Graham

I apologise for the delay in responding to your query but the person who was dealing with this was taken ill.

We would answer your point by saying.

It was not our intention to break the law. At no stage was any other data other than the IP address used. There is a powerful public interest in demonstrating the ease with which such malware can be obtained and used; how it can be deployed on thousands of PCs without the owners even knowing it is there; and its power to send spam e-mail or attack other websites undetected. This will help computer users realise the importance and value of using basic security techniques to defend their PCs from such attacks. The BBC has strict editorial guidelines for this type of investigation which were followed to the letter.

Although I accept the point that they were covering an important issue, I don’t feel this answer really responds to the question I asked. Hopefully some other, larger, news sources can get a more detailed explanation from the BBC as to why they believe what they did was legal. I find his assertion that no details other than IPs were used strange, especially given the fact that they altered users background images…

Posted by John under Computing • 7 Comments

Slashdot Users’ browser preferences

Having only just set up this site before posting a couple of links to Slashdot regarding the BBC Click Botnet, my site statistics give an interesting insight into the choice of browsers among Slashdot’s users.

  1. 66.3% Firefox 3
  2. 6.7% Internet Explorer 7
  3. 4.5% Internet Explorer 6
  4. 4.5% Google Chrome
  5. 4.3% Firefox 2
  6. 4% Opera
  7. 3.9% Safari
  8. 2.1% Iceweasel
  9. 0.9% Internet Explorer 4
  10. 0.7% Konqueror
  11. 0.7% Seamonkey
  12. 0.5% Generic Gecko
  13. 0.2% Mozilla Minefield
  14. 0.2% Mozilla Minefield

Credit also goes to the single visitor who was using Solaris OS.

I don’t intend to imply anything from the above results, partly to ensure I avoid any risk of flaming from browser zealots. Though I admit I was surprised to see FF3 used so widely given that from my experience many Slashdotters browse at work, and many workplaces are IE only (so congratulations Mozilla).

Posted by John under Computing • 3 Comments

Did BBC break the Law with Click’s Botnet investigation?

Click “The BBC’s flagship technology programme” have gained access to and used a botnet in a piece of investigative journalism.

Once they had gained control of the botnet “Click ordered its PCs to send out spam” and “Click launched a Distributed Denial of Service (DDoS) attack on a backup site owned by security company Prevx”. Although the email addresses spammed and site DDoSed were both in agreement, the infected PCs that made up the botnet belonged to people who had not agreed to take part. This seems like a clear crime under the Computer Misuse Act 1990:

(1) A person is guilty of an offence if—

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

(b) the access he intends to secure is unauthorised; and

(c) he knows at the time when he causes the computer to perform the function that that is the case.

I have emailed the BBC to ask them for an explanation of their action, and will post an update when I know more or receive a response.

update 10:47: The email I sent to the BBC is below:

In this story it is stated that you acquired and used a botnet. Although the target of the DDoS and spam had consented to this, the article makes clear that the computers that made up the botnet belonged to owners who were not aware you had access.

Can you please respond regarding your position on the legality of your team’s actions, especially with regards to the Computer Misuse Act 1990.

Regards,
John Graham

update 13:23.

Still nothing from the BBC and nothing on The Reg, but Sophos’s Graham Cluley has now blogged about this. His piece is worth checking for extra details, which included:

Furthermore, at the end of the first excerpt you’ll see that the BBC “warned” the users that their computers were part of a botnet. They did this by changing the desktop wallpaper of affected computers owned by innocent third parties to display a message from BBC Click.

As Graham notes this looks like another clear violation of the Computer Misuse Act. Also, the email accounts they spammed were located on Google and Microsoft owned services…

update 13:30

Well, The Reg has finally posted an article on this story. For the moment they haven’t mentioned the tip-off I gave them over 3 hours ago.

update 14:17

I have received a very polite response to an email query to John Leyden, the journalist who wrote The Register’s article on the BBC Click Botnet. It seems they had multiple tip-offs, which seems plausible, and the delay in posting the story was due to attempts to gain comment from the BBC and other sources prior to submitting.

Posted by John under Computing • 1 Comment