
After I described the actions of BBC Click’s production team in broadcasting their botnet special as “irresponsible, unethical, and almost certainly illegal” (ComputerWeekly, 17 March 2009) I have heard more than a few questions.

The number one question from people outside the world of information security was this: “Why does it matter?” Even if the BBC Click producers “technically” committed a crime, why should anyone care?

As a university lecturer in legal aspects of information security I take this question seriously. Sometimes it is not enough for us to say that an action was technically a “crime”. The law is supposed to reflect societal values. We expect our government to take varying actions against crime depending upon the seriousness of the criminal acts.

Thankfully not all criminal acts produce harm to people or property. A person who fires a rifle blindly into a crowded public square without hitting anyone has “technically” committed a crime. A person who drives an automobile at 75mph on a motorway without causing an accident has also “technically” violated the law.

While both are crimes, we believe that one deserves harsh intervention by the police and courts while the other might reasonably be overlooked. We explain the different treatment by reference to the element of risk or negligence involved.

We know that firing a weapon blindly in a city could very easily cause mayhem and death. As a society we are outraged that someone could treat other people in such a cavalier fashion. We demand investigation and prosecution. For “minor” speeding offences, however, we take a more relaxed stance. We do not always demand strict compliance.

Although the producers of BBC Click took pains to “educate” us about how botnets are meant to work, they failed to discuss this issue of potential risk of their actions to the 21,000 computers already infected by the botnet Trojan.

Recall what we learned while watching the programme. Acting without permission, BBC Click producers instructed 21,000 computers around the world: to send spam; to launch a coordinated DDoS attack; to change the “wallpaper” of all 21,000 host machines; and finally to de-activate the Trojan infection on all 21,000 machines.

Anyone who works in a large corporate IT environment who has ever attempted to update, upgrade, modify, patch, or remove software from a large group of computers using remote access tools will be able to explain that things often go wrong in the process.

There is a risk that the “target” machine whose contents are altered (for whatever reason) might fail. The failure could be minor or catastrophic.

The chances of failure for each individual machine are relatively small, but consider for a moment that the BBC Click team was tinkering with more than 21,000 machines.

These machines were almost certainly running outdated operating systems such as Windows 95, and it is unclear what level of technical sophistication the botnet developers used with regard to so-called “de-activation” instructions.

Even if the chances of inconvenient or catastrophic failure are only 1 in 100, this suggests that 210 machines somewhere in the world “fell over” in the cause of well-intentioned (if cack-handed) journalism.

We have no way of knowing what havoc this may have wreaked.

We don’t know how many of these 21,000 machines are used in a hospital or a doctor’s office; how many are used in safety critical systems; how many represent the only online education tool for a rural school; how many are used by small businesses in remote parts of the world; and how many are the only point of access in a remote village to global information sources – like the BBC.

I wonder whether the producers of BBC Click considered any of this before they fired 21,000 “bullets” around the world.
- Robert Carolina is a US Lawyer and an English Solicitor who specialises in the law of information technology. He is also a Senior Visiting Fellow with the Information Security Group, Royal Holloway University of London, where he teaches in the information security MSc programme. Opinions expressed are his alone.