BBC Rents a Russian Botnet and Spams and DOSes in Name of Journalism   - 787 Views,

For a piece for the BBC program “Click”, the BBC went to Russia to determine, they said, “just how sophisticated cybercrime has become.” For the sum of a few thousand dollars, they rented a botnet that was made up of 21,696 compromised PCs the world over.

According to the BBC, it was so easy to operate the botnet, that “anyone could do it.”

Controlling the botnet, the BBC then proceeded to send out a large run of spam - to themselves. That is, to email addresses that they had registered, at both Gmail and MSN/Hotmail.

Of course, they don’t own the servers that host those email addresses, so in the doing, they also spammed Google and Microsoft.

They then turned the botnet to another task: that of DOSing a server belonging to security firm Prevx. This was by agreement with Prevx, although most likely, again, not with the agreement of Prevx’ host and upstream providers (although of course we don’t know for sure).

The BBC’s rationale for this was that, again, they wanted to see just how sophisticated cybercrime had become, and to educate their readers (and persumably users) about the dangers of botnets.

In fact, after they were done, they left a message on each of the 21,696 compromised PCs, telling the PC owners that their machine had been part of the botnet, and then they dismantled the botnet (at least, that is what they claim - how they would have done that has not been revealed, and if they did do that, it seems that there would be several Russian criminals looking to kneecap them right now, at least).

The big issue that everyone has with this - about which all the news outlets are taking - is this: did the BBC break the law in doing this? Was what they did legal - or illegal.

The answer to these questions is complicated, not the least of which by the fact that the BBC is a British entity, and so subject to British computer security laws such as the Computer Misuse Act (CMA), but they also intentionally commited acts in the U.S. (where Google and MSN’s servers are), and have a pronounced U.S. presence. So even if their legal advisors told them that what they were going to do was legal in Britain (as the BBC claims they were told), that would not shield them from legal issues in the U.S. - or, indeed, anywhere that their actions seriously and negatively impacted computer or other resources.

When I was interviewed about this by the Tech Herald, I explained that “First, it is of course illegal to use a botnet. This is because by its very definition, a botnet consists nearly entirely of private computers which have been illegally trespassed upon.” We discussed several other legal issues that arose from what the BBC had done, at the end of which I concluded that “the other side of that is that U.S. law also gives great protection to the press, which I’m sure the BBC would attempt to invoke if there were any legal action here. All that said - do I think that any legal action will result from this? Probably not. And, if it does, it’s anybody’s bet as to which way it would be resolved.”

(You can read all of my comments in the Tech Herald here, and you can read the full Tech Herald article here.)

So, what do you think about these issues? Brave journalism? Dunderheaded illegal stunt? Or a bit of both?