Update: several nice, thoughtful blogs on the subject from John Graham at http://john-graham.me.uk/.

International law firm Pinsent Masons' Struan Robertson seems to agree (at least in part) with commentary in the security industry that the BBC have broken the UK's Computer Misuse Act. Robertson focused on the Click programme's unauthorised access to 22,000 bot-compromised PCs in order to use them to send "spam" to email accounts set up by the programme.

In fact, Click's mail-out doesn't really meet any meaningful technical definition of spam, but the point here is the proof of the concept, not the content of the messages. The essential point that Robertson makes here is that

"It does not matter that the emails were sent to the BBC's own accounts and criminal intent is not necessary to establish an offence of unauthorised access to a computer... It does not matter that the BBC's intent was not criminal or that someone else created the botnet in the first place."

However, he disagrees with the contention that the Act was broken by the unauthorised modification of the infected systems, on the grounds that:
"The offence of unauthorised modification requires a recklessness or an intent that I don't think the BBC has displayed."

Robertson's reservation is based on the fact that unauthorised modification is an offence under section three of the Act, which he argues entails the need to prove intent

"to impair the operation of a computer or to hinder access to data."

Far be it from me to argue with a lawyer - I have no formal legal training whatsoever. But section 3 also says that the intent doesn't need to be directed at any particular computer, program, or data, or a program or data of any particular kind, or any particular modification or a modification of any particular kind. It seems to me that if the PC user was deprived of their original wallpaper (even temporarily), that may well be a technical breach. Even the act of turning off the malicious functionality of the bots that infected these machines could be interpreted as a breach, it seems to me. Nor am I convinced that there wasn't a recklessness or negligence that might expose them to potential mens rea issues. They made system modifications, apparently, to 22,000 systems. Did they check each system to be sure that the modifications wouldn't cause any unpleasant side effects on that system? Did they check afterwards? Did they consider at all the possibility that their actions might have unanticipated consequences?

Do I want anyone at the BBC to be arrested for notifying 22,000 users of bot-infected PCs that they had a problem? Of course not (not least because any legal costs would probably impact on my TV licence fee in the future!). But I wouldn't mind seeing them acknowledge that they might have gone too far.

Let's assume (for the sake of argument, rather than out of personal conviction!) that it's permissible for them to have "bought" or rented a botnet, if that's what they did - that isn't actually clear. They could have explained the uses to which that botnet could be put without breaking the law by demonstrating it. They could have set up a botnet (real or simulated) on their own closed network and demonstrated anything they liked, totally legally, or commissioned a group or agency, better resourced and more knowledgeable, to do it for them. While changing wallpaper may have been a quick and effective way of communicating with the users of the compromised machines, it's unlikely that it was the only channel of communication open to them. But they chose not to pursue any of these alternatives, preferring to play the bold botmaster. Or, worse still, they simply didn't think about alternatives and consequences at all. The legal system may not regard that as reckless, but I do.

David Harley
Director of Malware Intelligence