BBC Responds to my Click Botnet question.

Yesterday, when I first read about the BBC Click team’s Botnet investigation, I sent the BBC an email.

In this story it is stated that you acquired and used a botnet. Although the target of the DDoS and spam had consented to this, the article makes clear that the computers that made up the botnet belonged to owners who were not aware you had access.

Can you please respond regarding your position on the legality of your team’s actions, especially with regards to the Computer Misuse Act 1990.

I received an email response to this question yesterday at 19:36 (AIM mail had spam filtered it, thus the delay in posting it).

Dear John Graham

I apologise for the delay in responding to your query but the person who was dealing with this was taken ill.

We would answer your point by saying.

It was not our intention to break the law. At no stage was any other data other than the IP address used. There is a powerful public interest in demonstrating the ease with which such malware can be obtained and used; how it can be deployed on thousands of PCs without the owners even knowing it is there; and its power to send spam e-mail or attack other websites undetected. This will help computer users realise the importance and value of using basic security techniques to defend their PCs from such attacks. The BBC has strict editorial guidelines for this type of investigation which were followed to the letter.

Although I accept the point that they were covering an important issue, I don’t feel this answer really responds to the question I asked. Hopefully some other, larger, news sources can get a more detailed explanation from the BBC as to why they believe what they did was legal. I find his assertion that no details other than IPs were used strange, especially given the fact that they altered users’ background images…

This entry was posted on Friday, March 13th, 2009 at 23:19 and is filed under Computing.

7 Responses to “BBC Responds to my Click Botnet question.”

  1. seo newport wales Says:

    “It was not our intention to break the law.”

    Sounds like they know they did and are claiming lack of intent. However, it was clearly their intention, the whole setup is them running an illegal botnet and demonstrating criminal activity. I don’t think this will really get interesting until the case after the BBC’s – “the BBC researchers ran a botnet with no censure from the law, why can’t I?”.

    They could have done an in-house demo with a network of say 32 computers, but I bet their IT people wouldn’t let them bot BBC computers …

  2. John Says:

    “Sounds like they know they did and are claiming lack of intent. ”

    Maybe I’m too trusting but I don’t want to pass judgement just yet. The Click team have said on Twitter that they sought legal advice, and if that was the case I can only hope they know something about their actions that made them legal which hasn’t been made public yet.

  3. Carl Says:

    The wording of the reply is very interesting:

    “It was not our intention to break the law.” sounds like an admission that they did break the law, but that they were not thinking about the “legal law” because “The BBC has strict editorial guidelines for this type of investigation which were followed to the letter.”

    It may actually have been quite unfair of me to presume the BBC would have had an easier time staying the right side of the law than anyone else working in security research and/or security software publication, though considering the legal and editorial resources to hand one might assume they’d steer clear of such a minefield.

    That said, I would still like to see a full police investigation into the legality of what the BBC have done and perhaps a legal clarification within the Computer Misuse Act to allow greater freedom for both the media and security professionals. I don’t hold up much hope of either happening though.

  4. The Beeb, Botnets, and Breaking the law. Says:

    [...] John Graham was quick off the mark and e-mailed the BBC.  He received this rather surprising reply: It was not [...]

  5. Observer Says:

    The Computer Misuse Act 1990 says:

    1(1) A person is guilty of an offence if:

    a) he causes a computer to perform any function with intent to secure access to any program or data held in a computer;
    b) the access he intends to secure is unauthorized; and
    c) he knows at the time when he causes the computer to perform the function that this is the case.

    The above exactly describes what they did.

  6. Computing Tips Says:

    I found your blog on google and read a few of your other posts. I just added you to my Google News Reader. Keep up the good work. Look forward to reading more from you in the future.

  7. Paul Says:

    We need more posts like this!
