By purchasing and using an illegal computer botnet,
BBC’s “Click” programme chose to educate their affluent
English-speaking technically savvy audience about computer security
by exploiting 21,000 poor and vulnerable computer users in the
developing world.
“Click” demonstrated the power of modern criminal botnets in
their 14 March broadcast by purchasing and then using a criminal
botnet.
In the ensuing debate about the ethics of Click’s show, one
voice has been sadly absent: the 21,000 people whose hijacked
machines were used by the journalists. Who and where are they?
The bot-infected machines used by the BBC were “from the
developing world”. The show’s host told us: “If I click here I can
bring up a list of all the bots that we control, and which country
they’re in around the world. So you can see Colombia, Peru,
Thailand, Vietnam, Spain, Romania, Hungary.” Many other countries
were listed.
The BBC and others have defended this crime (and let’s not fool
ourselves - this was a crime) on the grounds of “educating” people
about the risks of lax security. The goal (apparently) was to try
and help people avoid the bot infections which hijack machines in
this criminal fashion. The show even included a security tutorial.
This could be summarised as: “switch on your firewall and stop
cruising ‘risky’ web sites”.
But who, exactly, were they educating? Primarily those of us who
normally watch and enjoy BBC Click anyway: English-speaking people
with access to the BBC News channel and a pre-existing interest in
technology.
Those of us who watch “Click” are, almost by definition, NOT the
people who most desperately need to understand how to use security
software.
The show’s producers said that they also wanted to educate the
victims of this crime. So the BBC left a calling card on all 21,000
machines. Each machine’s desktop wallpaper was changed to a BBC
notice explaining that an infection had occurred, and providing a
link to a tutorial about computer security.
But did the victims understand it? The desktop wallpaper shown
in the broadcast is pretty clearly in English. The BBC web page
with the security tutorial (at least the one I could locate) is
also written in English.
Dropping an English-language tutorial into Thailand and Vietnam
is not my idea of effective education. And even if the page were
translated, how many would understand the lesson offered?
The team then tried to kill the botnet. The programme did not
explain how this was accomplished. No one explained how much (or
how little) thought was given to the risk of machines crashing by
using an undocumented remote maintenance process. We, the audience,
simply were not educated about the risks of playing with a botnet
in this way.
So why did the BBC raid and exploit computers belonging to the
world’s poor and vulnerable to educate me (a relatively rich,
educated, technically savvy, English-speaker) about botnets?
Perhaps cost was a consideration. We were told that infected
machines in the US and UK would have cost roughly ten times the
amount charged for machines in the developing world.
But if cost was the only worry, we could have had this same
lesson at the same price using only 2,000 bots located in the US
and UK. Surely a 2,000-bot demonstration is nearly as dramatic and
educational as a 21,000-bot demonstration?
I have reason to believe there was something else at work.
Something unsavoury.
A source familiar with the show’s production confirms that Click
was offered the chance to drive a larger botnet that would also
have included machines in the developed world. The Click team
specifically asked their criminal supplier to remove from the
botnet any infected machines that were located in Western Europe or
the US. The source explained that this was done “for legal
reasons”.
So there we have it. It seems that the BBC Click team fully
understood that there were risks involved in playing with a large
botnet. They surely understood that the Metropolitan Police and the
FBI are much more threatening than the under-staffed and
under-trained police forces of a far away country of which we know
little.
Someone made the decision to shift the risk of failure to those
who can least afford it.
Sadly we’ll never know if any of the 21,000 exploited machines
crashed because of Click’s meddling. We only know that 21,000
people in the developing world were subjected to the risk of
computer failure in order to educate those of us who are already in
a vastly superior position of wealth, knowledge, and power.
Shame on you, BBC.