Surely what the BBC did was in contravention of the UK Computer Misuse Act?
They made unauthorised changes to people's computers without their permission.
Sophos has been asked many times by the media to take part in TV programmes like this, and has always made clear that we believe their legality to be questionable. Moreover, to our mind, the dubious ethics of such experiments are without question.
The BBC might argue that it was making this TV show in the public's interest, but surely there are ways of raising awareness of threats without breaking the law? Isn't there enough spam around without journalists being given free license to take over botnets to generate more unwanted email traffic?
Update: BBC Click’s tweet states that they took legal advice following comments on the potential violation of U.K’s Computer Misuse Act.
There’s a slight chance that you may have unknowingly participated in a recent experiment conducted by the BBC.
In a bit of an awkward and highly unnecessary move, a team at the BBC’s technology program Click has purchased a botnet consisting of 22,000 malware infected PCs, self-spammed themselves on a Gmail account, and later on DDoS-ed a a backup site owned by security company Prevx (with prior agreement), all for the sake of proving that botnets in general do what they’re supposed to - facilitate cybercrime.
A video of the experiment is already available. Here are more details :
Upon finishing the experiment, they claim to have shut down the botnet, and interestingly notified the affected users. Exposing cybercrime or exposing the obvious, the experiment raises a lot of ethical issues. For instance, how did they manage to contact the owners of the infected hosts given that according to the team they didn’t access any personal information on them?
It appears that they modified the desktop wallpapers of all the infected hosts to include a link notifying them that they’ve been part of the experiment. Thanks, but no thanks.
Let’s talk money, and how much did they pay to get access to the botnet. Despite the fact that they’re not mentioning the exact amount, a quote within their article once again puts the spotlight on the dynamics of cybercrime economy :
“Computers from the US and the UK go for about $350 to $400 (£254-£290) for 1,000 because they’ve got much more financial details, like online banking passwords and credit cards details,” he said.”
I beg to differ. From my perspective based on the active monitoring of on the growing “botnet for hire” business during the last couple of years, it appears that the BBC got scammed on their way to expose the scammers by overpaying them. In a dynamic underground marketplace where transparency of the sellers and buyers doesn’t exist for the sake everyone’s anonymity, you are unable to say whether you’ve made a good or bad deal, since you’re unaware of all the propositions. Namely, the botnet you’ve just purchased is available at a cheaper price from a vendor of whose existence you’re not even aware of.
Take a peek at the screenshot from a similar service that’s been active for several years, with hosting services provided by “our dear friends” at Layered Technologies, and how cheaper their services are. See, I told you, but I didn’t and wouldn’t demonstrate you the obvious effectiveness of botnets in general. Take that for granted.
In an interview which I took from German malware researchers earlier this year, their primary concern for using a methodoly that could issue potential disinfection commands to Storm Worm infected hosts was the legal, and also, ethical side of the practice. Just like the way it should be, since their approach is among the many other the community is taking advantage of on its way to fighting cybercrime.
