While performing a botnet experiment for a TV show

Mar 14, 2009 10:18 GMT  ·  By

An episode of the BBC Click technology program that is scheduled to air today has generated a lot of controversy in the IT security community. The documentary tries to raise awareness of the growing threat of computer botnets, but in doing so it might have broken the law, numerous security professionals claim.

In order to demonstrate the destructive power that hijacked computers can have, the BBC decided it required access to such a botnet. Therefore, Spencer Kelly, host of the BBC Click TV show, went on underground chatrooms and acquired, through unspecified means, what he calls a "low-value," but 22,000-strong army of infected computers.

The test scenarios chosen by the reporter involved spam and denial of service attacks. The DDoS was demonstrated with the help of security company Prevx, which allowed the BBC to target one of its backup servers. According to the results, the flood of requests sent by only 60 zombie computers was enough to clog the site's bandwidth and render it inaccessible.

The spam test was performed on two e-mail addresses specifically created for this purpose on Gmail and Hotmail. Each of the 22,000 computers was directed to send spam to these addresses and, according to the program's description, "Within hours, the inboxes started to fill up with thousands of junk messages."

While the intentions of BBC Click and this documentary might have been honorable, security researchers say that the show has violated the Computer Misuse Act, the UK anti-hacking law. Graham Cluley, senior technology consultant at anti-virus vendor Sophos, pointed out that the company "has been asked many times by the media to take part in TV programmes like this, and has always made clear that we believe their legality to be questionable. Moreover, to our mind, the dubious ethics of such experiments are without question."

Mr. Cluley is backed up on this by professionals from other security companies, including Joe Llewelyn from Kaspersky, Larry Bridwell from AVG Technologies, Dave Marcus of McAfee and Patrik Runald of F-Secure. They all seem to agree that by controlling someone else's computer without their consent, BBC Click is guilty of "unauthorized access." Meanwhile, BBC Click commented on Twitter that "We would not put out a show like this one without having taken legal advice."

Some people argued that criminal intent is required for this law to be breached. However, Out-law.com editor and technology lawyer Struan Robertson does not agree. "Section three of the Computer Misuse Act describes the need for an intent to impair the operation of a computer or to hinder access to data. Such intent is not required for the section one offence of unauthorised access," the legal expert explains.

When the experiment was finished, BBC Click changed the desktop wallpaper on the infected computers to warn the unsuspecting owners that their security was compromised. This action also raises legal and ethical issues. Robertson concluded that "it is very unlikely that any prosecution will follow because the BBC's actions probably caused no harm. On the contrary, it probably did prompt many people to improve their security."