
In my previous discussions of
BBC Click’s BotNet programme I avoided a detailed discussion of
the law. Whatever the law says, I believe their actions were
irresponsible.
Even so, as the debate over the “BBC botnet caper” has developed
I have been surprised by the number of otherwise capable
information security professionals who simply fail to understand
the law. Since I am a lawyer who teaches information security
graduate students about law, I think it’s worth explaining why I
believe the Click team broke the law.
I’ll talk about only one law today: Section 1 of the UK’s
Computer Misuse Act 1990 (CMA).
Section 1 of CMA criminalises “unauthorised access” to
computers. The offence has three elements. The accused is guilty if
“(a) he causes a computer to perform any function with intent to
secure access to any program or data held in any computer”, (b) the
intended access is unauthorised, and (c) the accused knows the
access is unauthorised.
Click’s presenter appeared to admit all three elements in the
broadcast itself. He explained that the team used their new-found
front-end software to control bot software on 21,000 infected
computers. This seems to be a clear admission that the team were
“causing a computer” (in the studio) to “perform [a] function”
(sending control traffic) “with intent to secure access to a
program” (the individual bot programs and any other resident
software used) “held in [any] computer” (any one of the 21,000
infected machines).
The show’s host also described the bot computers as “hijacked”.
Although the hijacking was done by someone else originally, this is
still a clear admission that the Click team knew they were using
the bot-infected machines without permission.
The fact that Click say they did not try to obtain information
from the machines is completely irrelevant. A section 1 offence is
committed simply by trying to gain access to a target machine. And
in case you are wondering, “access” includes the act of using a
program on the target machine.
Was this “legally” serious? If convicted, a violation of CMA
Section 1 carries the potential of “imprisonment for a term not
exceeding two years or . . . a fine or . . . both”. A court is not
required to impose a jail sentence or a fine, but the maximum
shows that the courts can treat this as serious stuff.
What about finding a victim or proving harm? Much like the crime
of driving under the influence, there is no requirement to prove
harm or damage in order to obtain a conviction under Section 1. But
people are always interested so I’ll discuss it briefly anyway.
As I wrote before (The unanticipated consequences of BBC Click’s botnet crime),
Click were messing around with machines in the developing world
that probably run outdated operating systems. Some of these
machines may have crashed as a result of the team’s actions.
In this case the potential victims are both out of sight and out
of mind. If a machine in Thailand or Colombia (for example) crashed
as a result of this experiment and caused harm to someone, the
victim will probably never know that they were victimised by the
BBC. We’ll never learn about it. We can hope that no one was hurt
but we’ll never know for sure.
By the way, although the Click show said that the infected
machines were in the developing world this does not avoid
application of the CMA. If even one of the bot-infected machines
was in the UK, or if the botnet front end was in the UK, then the
CMA clearly applies and the action can be prosecuted in the UK.
I can’t escape the view that the Click team violated Section 1
of the CMA. I wonder what the producers of Click believe? I have
tried to ask them. I am still waiting for a response.