BBC Click acquired the means to build a botnet, used it to spam Gmail and Hotmail accounts it had set up, and launched a distributed denial of service attack against security company Prev-X.
In a statement on Monday, the BBC said that its actions had been "in the public interest".
"It was not our intention to break the law," the BBC told ZDNet UK on Monday. "There is a powerful public interest in demonstrating the ease with which such malware can be obtained and used; how it can be deployed on thousands of infected computers without the owners even knowing it is there; and its power to send spam e-mail or attack other websites undetected."
In a news article on Thursday, the BBC said it had built and used a botnet, prompting claims from security experts that this action had violated Section 1 of the Computer Misuse Act.
However, on Monday the BBC insisted that its actions had been in the public interest.
"This will help computer users realize the importance and value of using basic security techniques to defend their computers from such attacks," said the BBC statement. "The BBC has strict editorial guidelines for this type of investigation which were followed to the letter."
The BBC said that it had taken legal advice before making the program. It makes me wonder about the quality of the legal advice the BBC took, and who they took it from.
The BBC declined to comment on exactly how much it had cost for the botnet, which criminals it had paid for access to the botnet, or indeed how it had acquired the botnet at all.
However, in the program Click reporter Spencer Kelly said the botnet had cost "a few thousand dollars", and that the BBC had no idea who it had paid.
The BBC added that the "demonstration was very much in the public interest. We believe that as a result of the investigation, general computer users are now better informed of the importance and value of using basic security techniques to defend their PCs from attacks."
I've already expressed my views about the BBC's actions in this case. Sophos security expert Graham Cluley told me on Monday that the BBC did not need to use real computers to launch the attack.
"It's just so unnecessary," said Cluley. "The BBC could have done a reconstruction under lab conditions to demonstrate how a computer sends out spam [and demonstrate DDoS]."
Cluley added that the BBC experiment could have caused trouble for the users of the computers.
"Imagine if you are filling in your tax return or uploading a prescription, and someone meddles with your computer," said Cluley. "What I'm concerned about is the recklessness of it."
This article was originally published on ZDNet.co.uk.