Friday, 13 March 2009

Surely the BBC broke the law?


Tomorrow the BBC technology program 'Click' will demonstrate how botnets are used to send spam and attack web sites. Botnets are networks of compromised PCs running malware that can be controlled to undertake distributed computing tasks, usually for nefarious activities.

What has caused concern is the fact that the BBC bought its own botnet to do the job. The murky backwaters of the internet are full of sites and chat rooms where hackers and criminals are happy to sell their wares - apparently.

The BBC took control of almost 22,000 computers to make up Click's network of hijacked machines, which it used to launch a Distributed Denial of Service (DDoS) attack and to generate spam. The network has now been disabled.

However, as a number of experts have pointed out, they have broken the law in doing so. From The Telegraph:
Security expert Graham Cluley from Sophos, a UK-based antivirus company, pointed out on his blog that: "The Computer Misuse Act makes it an offence in the United Kingdom to access another person's computer, or alter data on their computer, without the owner's permission." He says:

Sure, a TV report like this can raise awareness of the serious problem of computers being controlled by hackers. But is it appropriate for a broadcaster to use innocent people's computers without their permission for the purposes of their experiment?

Struan Robertson, a technology lawyer with Pinsent Masons confirmed that the BBC "appears to have broken the Computer Misuse Act," adding: "It does not matter that the emails were sent to the BBC's own accounts and criminal intent is not necessary to establish an offence of unauthorised access to a computer."

The maximum penalty for the offence is two years' imprisonment, but Robertson does not expect a prosecution "because the BBC's actions probably caused no harm. On the contrary, it probably did prompt many people to improve their security," he said.
The BBC responded that there was "a powerful public interest in demonstrating the ease with which such malware can be obtained and used," and that it would encourage people to defend their PCs from such attacks. Also: "The BBC has strict editorial guidelines for this type of investigation, which were followed to the letter."
That makes it ok then!


Friday, 6 March 2009

EFF Surveillance Self-Defence Website


Spotted this "Civil liberties hero of the week" today on the Liberty Central section of the Guardian website.

It is the Electronic Frontier Foundation (EFF) for its Surveillance Self-Defence website, which aims to educate the public about "the law and technology of government surveillance ... [as well as] providing the information and tools necessary to evaluate the threat of surveillance and take appropriate steps to defend against it."

The Guardian point out that "Although much of the legal advice is only applicable to American readers – fingers crossed EFF Europe produces EU-wide and British versions soon – the details on what information is stored about you by third parties, such as your ISP and telephone providers, is relevant to British citizens.

The practical technical advice will be an essential read for investigative journalists, who have expressed concern that the Regulation of Investigatory Powers Act 2000 and the communications traffic superdatabase could impede their ability to protect sources. It details how to securely delete your files or how to use encryption to protect private communications, including emails and instant messages."

Very useful indeed
