BBC Programme Broke Law With Botnets, Says Lawyer

A BBC programme has broken the Computer Misuse Act by acquiring and using software to control 22,000 computers, creating a botnet capable of bringing down websites. A technology law specialist has said that the activity is illegal.

Click used the software to demonstrate how easy it is to gain control of the tools used to hold website owners to ransom. It used software acquired through internet chatrooms. The software controlled 22,000 computers which it had infected.

"Click ordered its PCs to send out spam to two specific test e-mail addresses set up by the programme," said a BBC description of the programme's activity. "Within hours, the inboxes started to fill up with thousands of junk messages."

Some online gangs use botnets to launch distributed denial of service (DDoS) attacks which bombard a website with traffic until it becomes blocked. Some threaten website operators with DDoS attacks in bids to extract pay offs.

"By prior agreement, Click launched a Distributed Denial of Service (DDoS) attack on a backup site owned by security company Prevx. Click then ordered its slave PCs to bombard its target site with requests for access to make it inaccessible. Amazingly, it took only 60 machines to overload the site's bandwidth," said the BBC's report of the programme's activity.

The programme has said that the activity would only be illegal if those behind it had 'criminal intent', but Struan Roberrtson, a technology lawyer with Pinsent Masons and editor of OUT-LAW.COM, said that this is not true.

"The BBC appears to have broken the Computer Misuse Act by causing 22,000 computers to send spam. It does not matter that the emails were sent to the BBC's own accounts and criminal intent is not necessary to establish an offence of unauthorised access to a computer," he said.

"The Act requires that a computer has been made to perform a function with intent to secure access to any program or data on the computer. Using the botnet to send an email is likely to satisfy that requirement. It also requires that the access is unauthorised – which the BBC appears to acknowledge. It does not matter that the BBC's intent was not criminal or that someone else created the botnet in the first place," said Robertson.