Click used the software to demonstrate how easy it is to gain
control of the tools used to hold website owners to ransom. It used
software acquired through internet chatrooms. The software
controlled 22,000 computers which it had infected.
"Click ordered its PCs to send out spam to two specific test
e-mail addresses set up by the programme," said a BBC description
of the programme's activity. "Within hours, the inboxes started to
fill up with thousands of junk messages."
Some online gangs use botnets to launch distributed denial of
service (DDoS) attacks which bombard a website with traffic until
it becomes blocked. Some threaten website operators with DDoS
attacks in bids to extract pay-offs.
"By prior agreement, Click launched a Distributed Denial of
Service (DDoS) attack on a backup site owned by security company
Prevx. Click then ordered its slave PCs to bombard its target site
with requests for access to make it inaccessible. Amazingly, it
took only 60 machines to overload the site's bandwidth," said the
BBC's report of the programme's activity.
The programme has said that the activity would only be illegal
if those behind it had 'criminal intent', but Struan Robertson, a
technology lawyer with Pinsent Masons and editor of OUT-LAW.COM,
said that this is not true.
"The BBC appears to have broken the Computer Misuse Act by
causing 22,000 computers to send spam. It does not matter that the
emails were sent to the BBC's own accounts and criminal intent is
not necessary to establish an offence of unauthorised access to a
computer," he said.
"The Act requires that a computer has been made to perform a
function with intent to secure access to any program or data on the
computer. Using the botnet to send an email is likely to satisfy
that requirement. It also requires that the access is unauthorised
– which the BBC appears to acknowledge. It does not matter that the
BBC's intent was not criminal or that someone else created the
botnet in the first place," said Robertson.
The BBC has destroyed its botnet and does not control machines
any longer. It said it has contacted the 22,000 computer owners to
warn them of their machines' vulnerabilities and advise them on how
to secure the computers.
Though the activity is likely to have been technically illegal,
Robertson said that it is unlikely that the corporation will be
punished for it.
"The maximum penalty for this offence is two years'
imprisonment. But it is very unlikely that any prosecution will
follow because the BBC's actions probably caused no harm. On the
contrary, it probably did prompt many people to improve their
security," he said.
A blog posting from security firm
Sophos suggests that the BBC has committed an offence of making
unauthorised modifications to a computer. Robertson said that that
is unlikely.
"The offence of unauthorised modification requires a
recklessness or an intent that I don't think the BBC has
displayed," he said.
Section three of the Computer Misuse Act describes the need for
an intent to impair the operation of a computer or to hinder access
to data. Such intent is not required for the section one offence of
unauthorised access, said Robertson.
The BBC did not respond to OUT-LAW's request for comment.
However, a message on the programme's Twitter account suggests that the
team did consult lawyers. "We would not put out a show like this
one without having taken legal advice," it said.