By purchasing and using an illegal computer botnet, BBC’s “Click” programme chose to educate their affluent English-speaking technically savvy audience about computer security by exploiting 21,000 poor and vulnerable computer users in the developing world.
“Click” demonstrated the power of modern criminal botnets in their 14 March broadcast by purchasing and then using a criminal botnet.
In the ensuing debate about the ethics of Click’s show, one voice has been sadly absent: the 21,000 people whose hijacked machines were used by the journalists. Who and where are they?
The bot-infected machines used by the BBC were “from the developing world”. The show’s host told us: “If I click here I can bring up a list of all the bots that we control, and which country they’re in around the world. So you can see Colombia, Peru, Thailand, Vietnam, Spain, Romania, Hungary.” Many other countries were listed.
The BBC and others have defended this crime (and let’s not fool ourselves - this was a crime) on the grounds of “educating” people about the risks of lax security. The goal (apparently) was to try and help people avoid the bot infections which hijack machines in this criminal fashion. The show even included a security tutorial. This could be summarised as: “switch on your firewall and stop cruising ‘risky’ web sites”.
But who, exactly, were they educating? Primarily those of us who normally watch and enjoy BBC Click anyway: English-speaking people with access to the BBC News channel and a pre-existing interest in technology.
Those of us who watch “Click” are, almost by definition, NOT the people who most desperately need to understand how to use security software.
The show’s producers said that they also wanted to educate the victims of this crime. So the BBC left a calling card on all 21,000 machines. Each machine’s desktop wallpaper was changed to a BBC notice explaining that an infection had occurred, and providing a link to a tutorial about computer security.
But did the victims understand it? The desktop wallpaper shown in the broadcast is pretty clearly in English. The BBC web page with the security tutorial (at least the one I could locate) is also written in English.
Dropping an English-language tutorial into Thailand and Vietnam is not my idea of effective education. And even if the page were translated, how many would understand the lesson offered?
The team then tried to kill the botnet. The programme did not explain how this was accomplished. No one explained how much (or how little) thought was given to the risk of machines crashing by using an undocumented remote maintenance process. We, the audience, simply were not educated about the risks of playing with a botnet in this way.
So why did the BBC raid and exploit computers belonging to the world’s poor and vulnerable to educate me (a relatively rich, educated, technically savvy, English-speaker) about botnets?
Perhaps cost was a consideration. We were told that infected machines in the US and UK would have cost roughly ten times the amount charged for machines in the developing world.
But if cost was the only worry, we could have had this same lesson at the same price using only 2,000 bots located in the US and UK. Surely a 2,000-bot demonstration is nearly as dramatic and educational as a 21,000-bot demonstration?
I have reason to believe there was something else at work. Something unsavoury.
A source familiar with the show’s production confirms that Click was offered the chance to drive a larger botnet that would also have included machines in the developed world. The Click team specifically asked their criminal supplier to remove from the botnet any infected machines that were located in Western Europe or the US. The source explained that this was done “for legal reasons”.
So there we have it. It seems that the BBC Click team fully understood that there were risks involved in playing with a large botnet. They surely understood that the Metropolitan Police and the FBI are much more threatening than the under-staffed and under-trained police forces of a far away country of which we know little.
Someone made the decision to shift the risk of failure to those who can least afford it.
Sadly we’ll never know if any of the 21,000 exploited machines crashed because of Click’s meddling. We only know that 21,000 people in the developing world were subjected to the risk of computer failure in order to educate those of us who are already in a vastly superior position of wealth, knowledge, and power.
Shame on you, BBC.
This was first published in May 2009