BBC gains unauthorised access to 22,000 machines (allegedly) but it’s OK, it’s not an offence, it’s just research!
Am I the only one thinking “making up the rules as they go along”?

Unless you’ve been unable to see the news or access the internet over the last few days, you won’t have failed to notice that yet again the BBC has come under the spotlight.  Let’s put aside the issue of presenters making inappropriate remarks or engaging in inappropriate actions, and focus on the latest antics of the broadcaster who, IMO, should be setting an example to the rest of the UK in terms of responsible broadcasting.

Before we go any further, it’s worth mentioning to our non-UK readers that here in the UK we have to pay a yearly licence fee to watch television.  This allows us to watch BBC programming and listen to BBC radio.  So what if we don’t want to watch/listen to the BBC?  Do we still have to pay?  Of course! There’s a whopping fine threatened if we don’t.  So what if we watch streaming TV via the internet and don’t have a TV?  Tough luck, you still have to pay.  BBC broadcasting has no adverts as such, but when you see their latest antics, you could be forgiven for thinking “We pay for this?”

Over the last few days the BBC has admitted to buying a botnet as part of a cybercrime investigation it is engaging in.  No problems so far?  Well, apart from the issue of putting money into the pockets of criminals, but we won’t dwell on that fact for the moment in the spirit of continuing with the article.

So after engaging one of these “sellers”, allegedly in a chat room, the BBC acquired a botnet with access to approximately 22,000 machines, with which it launched an attack to spam email addresses and change the desktop background of infected machines with BBC advice to clean up their systems.

In its defence, the BBC had this to say:

“the demonstration was very much in the public interest. We believe that as a result of the investigation, general computer users are now better informed of the importance and value of using basic security techniques to defend their PCs from attacks.”

If I had been a victim of the BBC’s “investigation” I certainly wouldn’t have seen it as being in the public interest and I have to ask the question “Why didn’t you simply send an email to all those infected instead?”  Changing desktop backgrounds IMO sounds more like creating exciting television than putting across an important security message.

The BBC also said:

“The BBC has strict editorial guidelines for this type of investigation which were followed to the letter.”

And I would love to see those guidelines as to me it appears “anything goes”.

The BBC have justified these actions with:

“It was not our intention to break the law,”

Don’t tell me, research?  We’ve heard that defence before when people are charged under the Obscene Publications Act.  How many people have claimed this defence, only to be found guilty in a court?  I’ll leave you to answer that question.

Now please keep in mind that the BBC is overseen by the UK government and then consider that the BBC have stated that they don’t know who they paid the money to.  The UK government over the years has highlighted cybercrime as being the medium in which international & domestic criminals get funding and FACT has been quick to point out that computer crime (albeit in the case of these ads in copyright theft, which is now predominantly done with the BT protocol) is wrong.  Check out some of these adverts that have been run in the UK to highlight piracy and cybercrime in general:

So now we move onto the legislation of the Computer Misuse Act 1990.  I am quoting the sections of the act which I believe the BBC has committed.  See what you think:

1 Unauthorised access to computer material

(1) A person is guilty of an offence if—

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

(b) the access he intends to secure is unauthorised; and

(c) he knows at the time when he causes the computer to perform the function that that is the case.

(2) The intent a person has to have to commit an offence under this section need not be directed at—

(a) any particular program or data;

(b) a program or data of any particular kind; or

(c) a program or data held in any particular computer.

(3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.

So from the above section, I would suggest that the BBC has committed Sec(1) – “he causes a computer to perform any function with intent to secure access to any program or data held in any computer; the access he intends to secure is unauthorised; and he knows at the time when he causes the computer to perform the function that that is the case.”

Or have I got that wrong?  Last time I checked Windows was a program, they needed to secure access (in order to change the desktop wallpaper), it’s held on a computer, the access was unauthorised and he knows at the time.  In my opinion that’s pretty much spot on with what happened.  The fact that the BBC wasn’t intending on draining your bank account or instructing your PC to commit further offences is really academic (IMO).

Let’s now look at section 3.  I won’t break this down since I think you can see my take on this:

3 Unauthorised modification of computer material

(1) A person is guilty of an offence if—

(a) he does any act which causes an unauthorised modification of the contents of any computer; and

(b) at the time when he does the act he has the requisite intent and the requisite knowledge.

(2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing—

(a) to impair the operation of any computer;

(b) to prevent or hinder access to any program or data held in any computer; or

(c) to impair the operation of any such program or the reliability of any such data.

(3) The intent need not be directed at—

(a) any particular computer;

(b) any particular program or data or a program or data of any particular kind; or

(c) any particular modification or a modification of any particular kind.

(4) For the purposes of subsection (1)(b) above the requisite knowledge is knowledge that any modification he intends to cause is unauthorised.

(5) It is immaterial for the purposes of this section whether an unauthorised modification or any intended effect of it of a kind mentioned in subsection (2) above is, or is intended to be, permanent or merely temporary.

(6) For the purposes of the [1971 c. 48.] Criminal Damage Act 1971 a modification of the contents of a computer shall not be regarded as damaging any computer or computer storage medium unless its effect on that computer or computer storage medium impairs its physical condition.

(7) A person guilty of an offence under this section shall be liable—

(a) on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both; and

(b) on conviction on indictment, to imprisonment for a term not exceeding five years or to a fine or to both.

I’ll leave you to make your own minds up on these antics, but as I said earlier, to me the method in which the BBC has tackled this is not so much in the spirit of “investigation & public interest” but, in my opinion, for sensationalist television.

Please also consider the following which was raised in a supplementary memorandum by the Home Office:

“If a botnet is installed illegally on UK machines, probably from abroad, for nefarious purposes, is this an offence?”

To which, after legal advice, the following answer was given:

“This is an offence contrary to section 1 of the Computer Misuse Act—unauthorised access. A section 3 offence has also been committed because a botnet causes an unauthorised modification to the contents of the computer. A section 2 offence may also have been committed depending on the “nefarious purposes” it is used for.”

You can see that particular memorandum in context here: http://www.publications.parliament.uk/pa/ld200607/ldselect/ldsctech/165/7032809.htm

I’d love to hear your views and as always you’re welcome to post them here or drop me an email.

Goblin – bytes4free@googlemail.com