BBC cybercrime probe backfires
The BBC hacked into 22,000 computers as part of an investigation into cybercrime but the move quickly backfired, with legal experts claiming the broadcaster broke the law and security gurus saying the experiment went too far.
The technology show Click acquired a network of 22,000 hijacked computers - known as a botnet - and ordered the infected machines to send out spam messages to test email addresses and attack a website, with permission, by bombarding it with requests.
Click also modified the infected computers' desktop wallpaper.
"Within hours, the inboxes started to fill up with thousands of junk messages," the BBC wrote on its website.
Of the website attack, the BBC boasted: "Amazingly, it took only 60 machines to overload the site's bandwidth."
The BBC was attempting to demonstrate just how easy it is for a computer to fall under the control of cyber criminals. All it takes for a PC to be recruited into a botnet is for the user to open a malicious email attachment or simply visit an infected website.
Once a machine is infected, scammers can surreptitiously direct it to send spam messages or hold website operators to ransom by threatening to bombard their site in what is known as a distributed denial of service (DDoS) attack.
The BBC said it did not access any personal information on the infected PCs and did not believe it was breaking the law because the act wasn't done with criminal intent. It shut down the botnet once it was finished with its experiment.
But Struan Robertson, a technology lawyer with Pinsent Masons and editor of the Out-Law.com website, said the BBC broke Britain's Computer Misuse Act.
"It does not matter that the emails were sent to the BBC's own accounts, and criminal intent is not necessary to establish an offence of unauthorised access to a computer," he said.
Robertson said the maximum penalty for the offence was two years' imprisonment, but it was unlikely that any prosecution would follow because the BBC's actions "probably" caused no harm.
Security expert Graham Cluley from Sophos said, regardless of the legality, "the dubious ethics of such experiments are without question".
Controversially, the BBC warned the users that their computers were part of a botnet by changing their desktop wallpaper to display a message from BBC Click.
"This is clearly an unauthorised modification of computer data, and is - to my mind - a breach of the Computer Misuse Act," said Cluley.
In response to the controversy, the BBC wrote on its Twitter account: "We would not put out a show like this one without having taken legal advice."
Cluley's colleague, Paul Ducklin, Sophos's head of technology for Asia Pacific, said although the BBC's move set a "dangerous precedent" it may have a positive impact.
"Maybe the silver lining is that the publicity will mean that people who wouldn't otherwise go looking for a bot on their own computer might do so," he said.
The full BBC Click program will be broadcast in Britain on Saturday but a teaser has been published on its website.