The buzz around BBC Click’s investigation is still going on, reports the Register. The broadcaster claims that “public interest” justified its purchase and use of a botnet of 22,000 compromised machines. But a number of top digital security experts, as well as lawyers, journalists and the community itself, dispute this view, calling the BBC’s actions unethical and potentially dangerous.
During the investigation, the BBC Click team used zombie machines to send spam to webmail addresses it had set up, and to launch a denial of service attack against a dummy website run by security firm PrevX, which advised on the exercise. BBC Click paid thousands of dollars from its own account to crooks in Russia and Ukraine for the botnet.
While the company says the experiment was meant to illustrate cyber crime risks, digital security experts have no common opinion and have split into two camps. Kaspersky, AVG, McAfee, FaceTime, Sophos, Sunbelt Software and F-Secure disputed the BBC’s ‘good intentions’, calling the exercise misguided, unnecessary and unethical.
The opposing camp, which includes participant PrevX, Comodo, Marshal8e6 and MessageLabs, supported the BBC’s approach.
Meanwhile, a BBC Click columnist provided the following reply (according to the Register report):
It wasn't our intention to break the law but if there has been any breach we have done this because of the powerful public interest in demonstrating the ease with which such malware can be obtained and used; how it can be deployed on thousands of PCs without the owners even knowing it's there; and its power to send spam email or attack other websites undetected. This will help computer users realise the importance and value of using basic security techniques to defend their PCs from such attacks.
The 'Click' demonstration is featured in full in the programme, and further information is available on the BBC Click website. I can assure you we're ready to help the authorities with any inquiries arising from this report.
I've also registered your concerns about this report on our audience log. This is circulated widely within the BBC and made available to many BBC staff, including members of the BBC Executive Board, channel controllers and other senior managers.
In this regard, Struan Robertson, editor of out-law.com and legal director at solicitors Pinsent Masons, expressed the common view:
The public interest argument is no defence to the Computer Misuse Act. It could influence a decision by the police and the Crown on whether to take any action over the BBC's behaviour; but it could also backfire. An apology is more likely to make the problem go away, in my view, than an argument that breaking the law was the right thing to do.
Breaking the law in the public interest is an argument that vigilantes will use. It rarely wins support from law enforcement.
A poll that security firm Sophos conducted to gauge public opinion on the BBC’s actions revealed that a majority (56%) of the 854 respondents were sure that the broadcaster’s behavior violated the law and "set a dangerous precedent". One third of those polled said the exercise was useful as it "helps raise awareness", and 11% treated the whole issue as a storm in a teacup.