BBC – Cybercriminal or Cyberchampion?

BBC gains unauthorised access to 22,000 machines (allegedly) but it’s OK, it’s not an offence, it’s just research! - Am I the only one thinking “making up the rules as they go along”?

Unless you’ve been unable to see the news or access the internet over the last few days, you won’t have failed to notice that yet again the BBC has come under the spotlight.  Let’s put aside the issue of presenters making inappropriate remarks or engaging in inappropriate actions, and focus on the latest antics of the broadcaster who, IMO, should be setting an example to the rest of the UK in terms of responsible broadcasting.

Before we go any further, it’s worth mentioning to our non-UK readers that here in the UK we have to pay a yearly licence fee to watch television.  This allows us to watch BBC programming and listen to BBC radio.  So what if we don’t want to watch/listen to the BBC?  Do we still have to pay?  Of course! There’s a whopping fine threatened if we don’t.  So what if we watch streaming TV via the internet and don’t have a TV?  Tough luck, you still have to pay.  BBC broadcasting has no adverts as such, but when you see the latest antics of them, you could be forgiven for thinking “We pay for this?”

Over the last few days the BBC has admitted to buying a botnet as part of a cybercrime investigation it is engaging in.  No problems so far?  Well, apart from the issue of putting money into the pockets of criminals, but we won’t dwell on that fact for the moment in the spirit of continuing with the article.

So after engaging one of these “sellers”, allegedly in a chat room, the BBC acquired a botnet with access to approximately 22,000 machines, with which it launched an attack to spam email addresses and change the desktop background of infected machines with BBC advice to clean up their systems.

In its defence, the BBC had this to say:

“the demonstration was very much in the public interest. We believe that as a result of the investigation, general computer users are now better informed of the importance and value of using basic security techniques to defend their PCs from attacks.”

If I had been a victim of the BBC’s “investigation” I certainly wouldn’t have seen it as being in the public interest and I have to ask the question “Why didn’t you simply send an email to all those infected instead?”  Changing desktop backgrounds, IMO, sounds more like creating exciting television than putting across an important security message.

The BBC also said:

“The BBC has strict editorial guidelines for this type of investigation which were followed to the letter.”

And I would love to see those guidelines as to me it appears “anything goes”.

The BBC have justified these actions with:

“It was not our intention to break the law,”

Don’t tell me, research?  We’ve heard that defence before when people are charged under the Obscene Publications Act.  How many people have claimed this defence, only to be found guilty in a court?  I’ll leave you to answer that question.

Now please keep in mind that the BBC is overseen by the UK government and then consider that the BBC have stated that they don’t know who they paid the money to.  The UK government over the years has highlighted cybercrime as being the medium in which international & domestic criminals get funding and FACT has been quick to point out that computer crime (albeit in the case of these ads in copyright theft, which is now predominantly with the BT protocol) is wrong.  Check out some of these adverts that have been run in the UK to highlight piracy and cybercrime in general:

So now we move onto the legislation of the Computer Misuse Act 1990.  I am quoting the sections of the act which I believe the BBC has committed.  See what you think:

1 Unauthorised access to computer material

(1) A person is guilty of an offence if—

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

(b) the access he intends to secure is unauthorised; and

(c) he knows at the time when he causes the computer to perform the function that that is the case.

(2) The intent a person has to have to commit an offence under this section need not be directed at—

(a) any particular program or data;

(b) a program or data of any particular kind; or

(c) a program or data held in any particular computer.

(3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.

So from the above section, I would suggest that BBC has committed Sec(1) – “he causes a computer to perform any function with intent to secure access to any program or data held in any computer; the access he intends to secure is unauthorised; and he knows at the time when he causes the computer to perform the function that that is the case.”

Or have I got that wrong?  Last time I checked Windows was a program, they needed to secure access (in order to change the desktop wallpaper), it’s held on a computer, the access was unauthorised and he knows at the time.  In my opinion that’s pretty much spot on with what happened.  The fact that the BBC wasn’t intending on draining your bank account or instructing your PC to commit further offences is really academic (IMO).

Let’s now look at section 3.  I won’t break this down since I think you can see my take on this:

3 Unauthorised modification of computer material

(1) A person is guilty of an offence if—

(a) he does any act which causes an unauthorised modification of the contents of any computer; and

(b) at the time when he does the act he has the requisite intent and the requisite knowledge.

(2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing—

(a) to impair the operation of any computer;

(b) to prevent or hinder access to any program or data held in any computer; or

(c) to impair the operation of any such program or the reliability of any such data.

(3) The intent need not be directed at—

(a) any particular computer;

(b) any particular program or data or a program or data of any particular kind; or

(c) any particular modification or a modification of any particular kind.

(4) For the purposes of subsection (1)(b) above the requisite knowledge is knowledge that any modification he intends to cause is unauthorised.

(5) It is immaterial for the purposes of this section whether an unauthorised modification or any intended effect of it of a kind mentioned in subsection (2) above is, or is intended to be, permanent or merely temporary.

(6) For the purposes of the [1971 c. 48.] Criminal Damage Act 1971 a modification of the contents of a computer shall not be regarded as damaging any computer or computer storage medium unless its effect on that computer or computer storage medium impairs its physical condition.

(7) A person guilty of an offence under this section shall be liable—

(a) on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both; and

(b) on conviction on indictment, to imprisonment for a term not exceeding five years or to a fine or to both.

I’ll leave you to make your own minds up on these antics, but as I said earlier, to me the method in which the BBC has tackled this is not so much in the spirit of “investigation & public interest” but, in my opinion, for sensationalist television.

Please also consider the following which was raised in a supplementary memorandum by the Home Office:

“If a botnet is installed illegally on UK machines, probably from abroad, for nefarious purposes, is this an offence?”

To which, after legal advice, the following answer was given:

“This is an offence contrary to section 1 of the Computer Misuse Act—unauthorised access. A section 3 offence has also been committed because a botnet causes an unauthorised modification to the contents of the computer. A section 2 offence may also have been committed depending on the “nefarious purposes” it is used for.”

You can see that particular memorandum in context here: http://www.publications.parliament.uk/pa/ld200607/ldselect/ldsctech/165/7032809.htm

I’d love to hear your views and as always you’re welcome to post them here or drop me an email.

Goblin – bytes4free@googlemail.com



8 Comments

  1. Andy says:

    “The BBC has strict editorial guidelines for this type of investigation which were followed to the letter.”

    And I would love to see those guidelines as to me it appears “anything goes”.

    Why not check the guidelines out for yourself!

    Good Place to start would be:

    http://www.bbc.co.uk/guidelines/editorialguidelines/edguide/crime/investigationsi.shtml

  2. openbytes says:

    I hope you understood that it was more of a flippant comment, based on the same ethos whereby the BBC has appeared (IMO) to have committed an act under Sec(1) and then justified it in the name of research. As I say in my article, how many times in the past has the defence given for cybercrime been “it was just research”?

    Now moving onto the link which was kindly provided by Andy, I quote

    “justification for using deception, undercover work or secret recording to gather further evidence.”

    I wonder what the justification for unauthorised modification of the “victims” computer was, when a simple email highlighting the issue would, IMO suffice. Maybe someone can clear this up. I would suggest that the justification would be that it would not make as interesting viewing if it was simply an email sent.

    Having looked at the guidelines, I see nothing here about the Computer Misuse Act, nor justification for (IMO) violating Sec(1).

    If the BBC thinks that its actions are lawful, I wonder what would happen if I tried the same stunt, with the intention of an article on Open Bytes? Does anyone really think “public interest” would wash?

    I’ll leave you to consider that point, and ask ANYONE to comment here and tell me why the BBC haven’t committed an offence under Sec(1). In my opinion the offence is complete and the only reason why I can see that this matter is not regarded as criminal is that it’s the BBC doing it. Or am I wrong?

    Could someone please correct me if I am?

  3. eksith says:

    “UK we have to pay a yearly licence fee to watch television.”

    There’s a similar system in Sri Lanka.

    At the risk of sounding nefarious, if I had the means in the same situation, I would have done the exact same thing irrespective of the consequences.

    Sometimes a slap to the face carries more weight than a verbal warning.

    However, I would never have expected or felt comfortable with the idea that news outlets, no matter its heritage, are willing to go this far to make a point. It’s no secret that journalism often borders on the illegal, but there are legitimate reasons for pushing boundaries and some lines you simply don’t cross in an effort to educate the public.

    … If that was their ultimate goal…

    Impartiality and objectivity play a large part in trust. Which is why journalists are still allowed on both sides of conflicts. A private citizen would never have the same access for the same reason.

    And I agree, it seems an awful lot like a ploy to sell the network. But I sincerely hope this wasn’t a ratings stunt.

  4. xISO_ZWT says:

    Whether nefarious or not. There is a law against ‘that act’. There are still quite a few of us that respect and follow the law; No one should be above the law.

    BTW; Did the BBC mention that it’s not a computer virus – it’s a MS Windows virus which does not affect UNIX, GNU/Linux, BSD OS’s.

  5. eksith says:

    “No one should be above the law.”
    Does that include those who create them?

  6. “Its worth mentioning to our non UK readers that here in the UK we have to pay a yearly licence fee to watch television.”

    This isn’t quite correct – the licence fee is only required if you watch a live programme. Watching archived shows on systems such as iPlayer or 4oD does not require a licence.

  7. xISO_ZWT says:

    Especially those who represent and are entrusted to serve the public. Since they have deeper knowledge of the laws, they should also be held to a higher standard also higher retribution for willful disobedience of said laws.

  8. openbytes says:

    VIEWS UPDATE BY OPENBYTES

    Quote “This isn’t quite correct – the licence fee is only required if you watch a live programme. Watching archived shows on systems such as iPlayer or 4oD does not require a licence.”

    Oh so that’s OK then. Whilst I completely disagree with that (we saw a run of adverts telling students that streaming TV, archived or not, required a licence), I would challenge that remark. *EDIT* Please see final part of this entry *EDIT*

    Anyway that’s a moot point since the article here is in regards to asking the question: is the offence complete in reference to both Sec(1) and Sec(3) of the Computer Misuse Act 1990?

    I’ve received a lot of feedback and comments – thanks everyone.

    Now putting aside the issue of the criminal offence, let’s ask a different question now. If, as is claimed, this was all in the public interest and an opportunity to send out an educational message about security, isn’t that in itself completely pointless? Let me explain.

    Openbytes has repeatedly covered the fact that security of Windows systems is somewhat lacking. Even with the best system and code of practice in regards to securing your system, people are still falling victim with new exploits and vulnerabilities. (Check the Military for example)

    I would put it to the BBC that their “experiment” and message was a complete waste of time, since even after taking all precautions people still fall victim to new exploits even if someone “takes to heart” the “education” the BBC provides them (via a changed Windows backdrop)

    Maybe the message that the BBC was trying to say was “Use Linux, it’s far more secure”

    I don’t know about anyone else, but forgetting about this case for a minute, I certainly wouldn’t take any IT advice from the BBC. Having watched the program “Click” I am personally not impressed. Since there were allegedly 20,000 machines involved in this, I wonder what the Crown Prosecution Service would have to say if even just a few of them made a statement?

    I will watch this with great interest. The media producing “entertaining education” at the expense of unwitting users? Is this what we now think is acceptable? IMO a sad indictment of today’s society.

    Goblin – bytes4free@googlemail.com

    *EDIT*
    After Tvlicencing posted here with a correction on my “have to have a TV licence to watch tv” I would refer you to the following link: http://www.tvlicensing.co.uk/information/students.jsp#link2 it appears that archived shows via PC are fine to watch without one, although it begs the question, how on earth would this be policed is anyone’s guess. I urge readers to go over to the link and also consider, what does “if you use any device to receive television programmes as they’re being shown on TV” actually mean? Would you require a licence if you were watching a streamed archived show that coincidentally was being repeated on TV at the same time?
