Did The BBC Break The Law By Exposing Botnets?

from the but-we-didn't-mean-any-harm dept

A TV show on the BBC is highlighting the ongoing problem of botnets -- by acquiring one of its own and using other people's computers in it to mount a DDOS attack on a security company's web site. The BBC says it had the security company's approval to do so, and that it didn't have any criminal intent, making its action legal. But some people aren't so sure, and say that intent doesn't offer a way out under British computer law. A tech lawyer says it's unlikely the broadcaster will face prosecution because there wasn't any real harm done, but those whose computers were used in the attack might disagree and view the methods used to make a point about computer security as a bit extreme.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: botnets
Companies: bbc


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    inc, 12 Mar 2009 @ 11:32pm

    If those people computer's involved in the bot net really cared about the harm being done they should learn to protect their computers better. At the very least turn them off when not in use.

    link to this | view in chronology ]

    • identicon
      R, 13 Mar 2009 @ 12:17am

      Re:

      That's like saying that if you really cared about keeping your home secure, you should have a complete security system with armed guards, dogs, etc.
      What the BBC failed to realise is that they not only acted against the security company, they committed the digital equivalent of breaking and entering against a large no of people from various countries. If anyone actually succeeds in proving that they're computer was part of the botnet, they will be charged under the British equivalent of the Computer Fraud and Abuse Act.

      link to this | view in chronology ]

      • icon
        Peet McKimmie (profile), 13 Mar 2009 @ 4:03am

        Re: Re:

        But the BBC didn't actually infect anyone - they bought time on an existing BotNet where every member could be said to have "opted in" through their choice to ignore adequate security software.

        link to this | view in chronology ]

        • identicon
          Anonymous Coward, 13 Mar 2009 @ 4:16am

          Re: Re: Re:

          Using the hosue analogy again, not installing a security system on your house does not mean you have "opted in" to allowing somebody to break into your house and use your toilet while you're not looking.

          link to this | view in chronology ]

          • identicon
            Chronno S. Trigger, 13 Mar 2009 @ 5:45am

            Re: Re: Re: Re:

            To use the house analogy, installing AVG is like getting a free home security system that installs itself, and shutting down the PC when not in use is like locking the doors when no one's home. Sounds like something everyone would do if in that situation.

            link to this | view in chronology ]

          • identicon
            Headbhang, 13 Mar 2009 @ 5:51am

            Re: Re: Re: Re:

            No, it just means you are ignorant and reckless moron.
            Just like if you don't look around while crossing a busy road or watch your step while hiking in the mountains. You are obviously not opting in to be run over by a car or tripping over and breaking your nose. You just happen to be an idiot unfit to do those things.

            link to this | view in chronology ]

          • identicon
            Anonymous Coward, 15 Mar 2009 @ 11:09pm

            Re: Re: Re: Re:

            I agree that the user has not opted in but using the same house analogy let's say that while you are vacationing, a criminal breaks into your house. This is most definitely illegal. However the criminal then throws a party at your house and charges entry at the door. Are guests at the party criminally liable for breaking and entering?

            link to this | view in chronology ]

  • identicon
    Andy, 13 Mar 2009 @ 12:39am

    Stop shooting the messenger!

    Oh for heaven's sake. What's the point of bleating about what the BBC did wrong, when it specifically set out to demonstrate the existence and extent of the problem? This is the same as firing whistle blowers who point out failings in the company they work for. Why the obsession with shooting the messenger? The people whose computers were used for this should just be glad that they were not being used for genuinely nefarious purposes. In fact, perhaps they already are!

    If the BBC are charged it will be another case of law enforcement targeting the "low-hanging fruit" because they are not competent enough to catch real criminals and that is something of which they should be deeply ashamed. A case against the BBC would only highlight the failure to catch the real criminals and they would be well-advised not to go down that road!

    link to this | view in chronology ]

  • identicon
    Dan, 13 Mar 2009 @ 12:42am

    And I am sure the BBC will take the next DDOS attack on their servers as educational and shrug it off. After all the attackers didn't really intend to trash those data bases, it was just meant to demonstrate the security hole. No criminal intent in that. WTF were those arrogant bastards thinking, they can't even run a broadcasting network right, now they are computer security experts/white hat hackers. I think the proper nomenclature is criminal.

    link to this | view in chronology ]

    • icon
      Peet McKimmie (profile), 13 Mar 2009 @ 4:06am

      Re:

      The BBC attacked a site owned by a company called Prevx, with their up-front agreement. It is a site specifically set up for testing defences against this sort of attack. RTFA

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Mar 2009 @ 12:49am

    this is just investigative journalism at its finest and is no differant than the bbc journalist that got a job at an airport with a fake cv

    link to this | view in chronology ]

  • icon
    PaulT (profile), 13 Mar 2009 @ 2:33am

    In other news, there are still at least 22,000 people out there dumb enough to get themselves infected by a brand new botnet... As long as those people are out there, this kind of educational material are needed.

    link to this | view in chronology ]

  • identicon
    Paul G, 13 Mar 2009 @ 3:24am

    @ PaulT

    Unfortunately the reason that the BBC could compromise the users PC is because the dumb idiots ignore/don't understand the 'Education'.

    I support friends, family and the local community. 99% of them wouldn't have a clue about the threat. Even if they did, they wouldn't know what to do or where to start apart from pester me.

    Lastly, of all the people targeted by the BBC there is bound to be one idiot who totally misses the point and starts legal action due to being violated in some way. I do hope the BBC managed to avoid infecting any machines in the USA as that bunch would sue their Mother if they saw a $1 oportunity.

    link to this | view in chronology ]

    • icon
      Peet McKimmie (profile), 13 Mar 2009 @ 4:09am

      Re: @ PaulT

      Unfortunately the reason that the BBC could compromise the users PC is because...


      The BBC *didn't* compromise anyone's PC - they bought time on an existing BotNet. The machines had already been compromised by a third party, and would have remained so whether or not the BBC got involved.

      link to this | view in chronology ]

      • identicon
        Lawrence D'Oliveiro, 13 Mar 2009 @ 4:22pm

        Re: @ PaulT

        Peet McKimmie wrote:

        The BBC *didn't* compromise anyone's PC - they bought time on an existing BotNet. The machines had already been compromised by a third party, and would have remained so whether or not the BBC got involved.

        In other words, the BBC bought stolen goods.

        link to this | view in chronology ]

  • identicon
    PhilSB, 13 Mar 2009 @ 3:25am

    BBC BotNet

    Certainly good investigative journalism. To many people have their computer and or wireless networks wide open to attack.

    What many UK PC users do not understand properly, is the level of risk they have exposed themselves to. When you get caught up in one of these botnet's they don't just take remote control of the computer, they quite often also have additional payloads, install keyloggers, and so much more. It would be easy to fit up a person for any number of criminal acts, without them even knowing, how they downloaded pornography, terrorist info, Infiltrate their bank account and or Identity theft, Scary really.

    Patching any OS, installing AV, and enabling Firewalls needs to be a mantra known to all. Anti-trust concerns are now causing more concerns than they are fixing. In particular, they bash Microsoft for putting the tools on the OS, users blame them for producing an OS, that does not protect adequately.

    When a large web site I was managing, came under attack it was a worldwide selection of IP's, it was definitely deliberate, and targetted. Any company running a large web site will have scaled, and taken countermeasures. Always have a good relationship with your ISP.

    No I don't work for Microsoft!

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Mar 2009 @ 4:10am

    Should be thankful the BBC was in control

    What about the flip side here. Your computer is infected by a botnet and will be used for malicious activity, pick one of the following:

    A) Your PC under the control of a criminal gang without your knowledge

    B) Your PC under the control of a BBC journalist using their own addresses for spam and a server that has approval to reveal the issue, then tell you about it so you can fix your PC and stop the problem before another gang is in control?

    I think I know which one I would pick.

    link to this | view in chronology ]

  • identicon
    some old guy, 13 Mar 2009 @ 5:43am

    Oh Bloody Brilliant

    Let's try and make reporting less effective by criminalizing the "investigative" portion of it. That's really smart!

    link to this | view in chronology ]

  • icon
    rwahrens (profile), 13 Mar 2009 @ 5:48am

    bad analogy

    Whether you "allow" that access or not, if you leave the fsking door open, someone will get in!

    Malware is chock full of not only botnet control software, but potentially, keyloggers and other bad stuff designed to steal your stuff.

    So if we use your house analogy, its like going to bed at night, leaving the front porch light on, door open, and someone comes in to use your phone for illegal activity, stage attacks on your neighbor's property, and steal all your wife's jewelry as well as all your electronics, before they leave.

    So yes, it IS your fault, even if you didn't give specific permission for the break-in, and the cops'll tell you you're an idiot after they take your report. The least you can do is turn the light off and close the door. Most people put locks on their doors and use those to deny easy access.

    Same with your computer. Buy a security app and USE it. Update your operating system, so it'll pull the patches to stay safe as the vulnerabilities are discovered. If you don't take these elementary steps, it IS your fault if you get compromised.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Mar 2009 @ 6:17am

    Saying you broke into people's computers without their consent to prove a point is just wrong. Next time I rob a bank I'll just tell the manager "hey, I was just testing your security measures for the BBC!"

    link to this | view in chronology ]

  • identicon
    PhilSB, 13 Mar 2009 @ 6:30am

    The BBC would quite likely be guilty of compromising some laws if not in the UK (Target Audience), then certainly elsewhere in the world. By participating in a BotNet style Activity, by using somebody else's bandwidth, or computing time. When I saw this item, early Saturday, the computers participating as Bots were worldwide not just UK.

    The secondary issue, is malicious intent, or use. In this instance there was none. They were merely demonstrating, to increase awareness, Opting in or Out is not the issue.

    To respond to some other comments, Should governments, force everyone to have a certificate of computer competance, or computer driving licence, before they are allowed use the Internet? Nanny state, Aunty BEEB, Hacker who wants to take advantage, take your pick.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Mar 2009 @ 7:23am

    The house analogy doesn't work, because there are many automated programs infecting machines out there that will scan for any opening and exploit it... without manned operation.

    Not securing with a firewall and some sort of malware/virus scanner (both are available for free) is like blaming the person who taught you about rain, after you let your outdoor sugar pile melt away into slowly escaping, sweet, sweet syrup.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Mar 2009 @ 8:15am

    Oh - its ok then

    It is ok because it is the BBC.

    However, the individual who informs someone about their bad security shall be prosecuted to the fullest extent of the law.

    btw, the site subjected to the attack from the botnet might have been party to the activity but the botnet participants were not.

    link to this | view in chronology ]

  • identicon
    Douglas, 15 Mar 2009 @ 7:55am

    @BBC: Great program and you did a great job exposing the problem! @Everyone else: ignore *this* pointless discussion!

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.