
I am stunned by the irresponsible, unethical, and almost
certainly illegal, actions of BBC’s “Click” programme in preparing
and broadcasting its “botnet” special on Saturday.
Assuming this was not some form of elaborate hoax, the
journalists in question could be investigated and prosecuted for
the commission of multiple computer crimes.
How many violations of the law took place? Incredibly, the BBC’s
answer is “zero”. The BBC claims that they took legal advice and
reached the conclusion that there was no crime because they did not
intend to commit a crime. That is utter nonsense, and I challenge
the BBC to produce whatever memo they relied upon to reach such a
stunning conclusion.
It’s not just UK law that the BBC should be worried about. The
act of commandeering more than 21,000 computers around the world
may very well constitute a violation of the criminal laws in many
of the countries where those computers reside.
A journalist in France taking similar actions could face
prosecution under UK law with respect to unauthorised access to
computers located in the UK.
As a mundane example, if any of these compromised computers were
in California the Click team could face prosecution for violation
of California criminal law.
While the State of California may decide it will not request
extradition for trial (which as we’ve seen can take a long time for
alleged computer crimes), the journalists may wish to think twice
before their next business trip to Silicon Valley. Being arrested
by the County Sheriff at San Francisco’s airport could delay one’s
ability to file copy before deadline.
I am occasionally called upon to discuss the legal and ethical
dilemmas presented by so-called “ethical” or “white hat” hacking.
More than once I have been asked about a project that, while
laudable, must be re-designed in order to avoid legal problems or
ethical concerns.
I’m proud to say that my graduate students, academic colleagues,
and information security professional friends usually have enough
common sense to spot and avoid blatant problems like the ones
created by the BBC in the name of “education”.
Let’s get one thing clear. The producers of Click did not pay
off an anonymous criminal and commandeer 21,000 computers around
the world solely for the purpose of education.
Education could have been accomplished just as easily with a
simulation of the acts in question. Any number of current or past
law enforcement professionals could have confirmed in interviews
how these networks operate.
The actual act of operating the botnet was done to produce a
sense of drama, excitement, and even titillation.
“Look at us; we’re now breaking into 21,000 computers all around
the world without permission and making them do things that are
normally illegal, except that we are really good guys so it’s OK,”
is, I guess, what they were thinking.
This sort of journalism fails to rise to the level of
professionalism expected of a teenager writing for a school
newspaper, let alone the BBC.
Worse, in highlighting ease of access and advocating that “pure
motive means no crime” the BBC may actually encourage others to run
similar irresponsible “experiments”. Computer and Internet history
is littered with disasters born of pure motives.
The editorial team in question should be investigated (at the
very least) by the BBC. The global information security profession
already faces enough challenges without having to deal with this
sort of childish and unprofessional activity.
- About the author: Robert Carolina is a US Lawyer and an English
Solicitor who specialises in the law of information technology. He
is also a Senior Visiting Fellow with the Information Security
Group, Royal Holloway University of London, where he teaches in the
information security MSc programme. Opinions expressed are his
alone.