BBC Click’s Botnet vs Computer Misuse Act 1990
I posted a story earlier today asking whether the BBC had broken the law when it performed a piece of investigative journalism which included using a botnet. The BBC used this botnet to perform spamming and DDoS operations on targets who had agreed to take part, which is likely to ensure this side was legal.
However, what is less clear is whether the BBC’s use of compromised PCs (the botnet) whose owners had not given permission was legal under the Computer Misuse Act 1990. Although I initially thought the BBC’s actions would have clearly crossed the line, I am beginning to think that they can claim their actions were within the law.
Offence 1: Unauthorised access to computer material
A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case
If the BBC broke the law it is likely to be this law. The BBC’s action was clearly intentional (c) and unauthorised (b), so the only question is whether the BBC’s instructions to the botnet to DDoS and spam are covered by (a) “causes a computer to perform any function with intent to secure access to any program or data”. Given that a computer that is part of a botnet is running the program that is exploiting it, this seems likely to be the case.
Offence 2: Unauthorised modification of computer material
(1) A person is guilty of an offence if—
(a) he does any act which causes an unauthorised modification of the contents of any computer; and
(b) at the time when he does the act he has the requisite intent and the requisite knowledge.
This is the crime that Sophos have chosen to focus on, and in my opinion the BBC are safe on this charge. When the BBC installed a new wallpaper on people’s computers informing them that they had been compromised, it clearly performed “the unauthorised modification of the contents of any computer”. However, it is the requirement (b) “has the requisite intent” that the BBC can claim means they did not commit a crime.
For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing—
(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer; or
(c) to impair the operation of any such program or the reliability of any such data.
What the BBC did probably doesn’t meet these criteria for requisite intent. Do any of you have a different opinion on the matter?
Update 13th March 17:30:
David Harley left a comment on this topic including a link to his own article on this subject. I found it extremely informative and interesting to read, and recommend it strongly to anyone interested in this story.
March 12th, 2009 at 16:56
The BBC are plainly guilty. They deliberately made an unauthorised modification to computers (the botnet members) with the intent to impair the operation of a computer (their own).
The law does not distinguish between authorised and unauthorised impairment, so the fact they DOSed their own computer is irrelevant.
Many prosecutions under this act have been preposterous. I hope the responsible party is prosecuted, if only to get this stupid law changed.
March 13th, 2009 at 01:59
What about any potential costs the BBC has caused the ‘botnet members’ in unlawfully using the bandwidth from these machines? What if an affected machine happened to hit a bandwidth cap and/or be on a mobile ‘pay as you go/per MB’ service thus causing costs or business impact to the owners/operators of these computers or indeed the network/connectivity provider?
Naturally if you have an infested machine then you are technically responsible for your own bandwidth costs, but there is clearly a difference between an unlawful use where the perpetrator/bot controller cannot be identified or held to account vs. a broadcasting company who has profited from these illegal actions.
Whilst I appreciate that highlighting the cause/impact of botnets in a wider public arena is a good thing, you cannot have one rule for security researchers (who’d be up before the judge) and another for a media outlet, irrespective of intent and good meaning.
March 13th, 2009 at 12:57
Frog Bog: I’m not an expert on Computer Law so I certainly don’t intend to offer anything more than my own opinion (based on my limited knowledge). It is my view that the BBC broke the law by using the compromised PCs in the Botnet at all, but at the same time I think it would be hard to persuade the CPS and a Jury that changing a background to warn users is sufficient “requisite intent”. I may of course be entirely wrong, and I am looking forwards to seeing where this story goes and whether I am wrong.
Carl: You make a number of good observations, and they justify answers, which I hope the BBC will begin to give over time. I myself have doubts this will ever go to court, given that it is unlikely that anyone infected will go to the police, and without going to court I doubt we will ever see a good explanation of why the BBC thinks what it did was legal.
March 13th, 2009 at 17:26
I agree that this is unlikely to go to court, nor am I sure that it should. And I suspect that you’re right about the difficulty of convincing a jury of the mens rea aspect, too. However, I think that there is a case there to be answered, as I’ve blogged elsewhere: see http://blogs.securiteam.com/index.php/archives/1261 and http://www.eset.com/threat-center/blog/?p=713. (Sorry, they’re both a bit long to summarize usefully here!)
David Harley
March 15th, 2009 at 06:00
The BBC did break the law with purchasing a botnet and having unfettered access to thousands of PCs, but they’ve highlighted how easy it is for computers to be compromised if the user doesn’t have the necessary firewall/anti-virus protection.
I think a valuable lesson has been learned in how such methods are used to propagate a botnet and in securing a person’s computer.
January 11th, 2010 at 20:28
Thanks for the info.