And still the controversy rages: several people have pointed out that it's unlikely that the PCs in the BBC's botnet are all in the UK, suggesting that there could be additional legal issues relating to other jurisdictions. The H reiterated the point that Ofcom regulations state that payment shouldn't be made to "convicted or confessed criminals... for a programme contribution by the criminal ... relating to his/her crime/s." It appears that the only possible exception is where it is in the public interest.
So it's not only law enforcement who have to be convinced that the purity of the BBC's intent nullifies any question about the legality of their actions.
Some are proclaiming the value of its "investigation", but the BBC are not law enforcement, and don't have any automatic rights to special treatment before the law. They didn't really investigate anything in a forensic sense: law enforcement agencies and the security industry have, for many years, known more than the programme "revealed". What they did was demonstrate known phenomena for the benefit of their viewers.
Here are a few more interesting links:
- Legal view from Robert Carolina for Computer Weekly and his 15 questions that the BBC should answer
- Succinct summarization of the ethical issue by Paul Ducklin
- Marshal8e6 think that the BBC deserves a bouquet of flowers: not only have they missed the point re ethics and legality, they managed to suggest that it was all down to the failure of signature detection. Sigh... http://www.scmagazineuk.com/BBC-should-be-applauded-for-raising-awareness-of-botnet-attacks/article/128827/
- Prevx, prominently featured in the Click programme and provider of the server that was targeted by the Beeb's DDoS attack, defended its position aggressively, attempting to divert attention away from the legal issues by proclaiming the inadequacy of the anti-malware industry and of Sophos in particular. http://www.scmagazineuk.com/Prevx-defends-itself-over-Click-botnet-experiment-as-CEO-attacks-Sophos/article/128828/
- Commentary by Asavin Wattanajantra for IT Pro: http://www.itpro.co.uk/610182/should-the-bbc-botnet-have-hijacked-22-000-computers
Of course, it's perfectly reasonable to -inform- the public about these issues in the public interest: that's not the same as trying out criminal techniques. Sometimes journalists will, technically, break the law in order to demonstrate that it's possible or even easy to do so, and sometimes that public interest argument can be made quite convincingly. The question here is whether the public interest was served any better by the BBC's sailing close to the legal wind than it would have been by an entirely legal simulation.
David Harley
Director of Malware Intelligence