After I described the actions of BBC Click’s production team in broadcasting their botnet special as “irresponsible, unethical, and almost certainly illegal” (ComputerWeekly 17 March 2009) I have heard more than a few questions.
The number one question from people outside the world of information security was this: “Why does it matter?” Even if the BBC Click producers “technically” committed a crime, why should anyone care?
As a university lecturer in legal aspects of information security I take this question seriously. Sometimes it is not enough for us to say that an action was technically a “crime”. The law is supposed to reflect societal values. We expect our government to take varying actions against crime depending upon the seriousness of the criminal acts.
Thankfully not all criminal acts produce harm to people or property. A person who fires a rifle blindly into a crowded public square without hitting anyone has “technically” committed a crime. A person who drives an automobile at 75mph on a motorway without causing an accident has also “technically” violated the law.
While both are crimes, we believe that one deserves harsh intervention by the police and courts while the other might reasonably be overlooked. We explain the different treatment by reference to the element of risk or negligence involved.
We know that firing a weapon blindly in a city could very easily cause mayhem and death. As a society we are outraged that someone could treat other people in such a cavalier fashion. We demand investigation and prosecution. For “minor” speeding offences, however, we take a more relaxed stance. We do not always demand strict compliance.
Although the producers of BBC Click took pains to “educate” us about how botnets are meant to work, they failed to discuss this issue of potential risk of their actions to the 21,000 computers already infected by the botnet Trojan.
Recall what we learned while watching the programme. Acting without permission, BBC Click producers instructed 21,000 computers around the world: to send spam; to launch a coordinated DDoS attack; to change the “wallpaper” of all 21,000 host machines; and finally to de-activate the Trojan infection on all 21,000 machines.
Anyone who works in a large corporate IT environment who has ever attempted to update, upgrade, modify, patch, or remove software from a large group of computers using remote access tools will be able to explain that things often go wrong in the process.
There is a risk that the “target” machine whose contents are altered (for whatever reason) might fail. The failure could be minor or catastrophic.
The chances of failure for each individual machine are relatively small, but consider for a moment that the BBC Click team was tinkering with more than 21,000 machines.
These machines were almost certainly running outdated operating systems such as Windows 95, and it is unclear what level of technical sophistication the botnet developers used with regard to so-called “de-activation” instructions.
Even if the chances of inconvenient or catastrophic failure are only 1 in 100, this suggests that 210 machines somewhere in the world “fell over” in the cause of well-intentioned (if cack-handed) journalism.
We have no way of knowing what havoc this may have wreaked.
We don’t know how many of these 21,000 machines are used in a hospital or a doctor’s office; how many are used in safety critical systems; how many represent the only online education tool for a rural school; how many are used by small businesses in remote parts of the world; and how many are the only point of access in a remote village to global information sources – like the BBC.
I wonder whether the producers of BBC Click considered any of this before they fired 21,000 “bullets” around the world.
- Robert Carolina is a US Lawyer and an English Solicitor who specialises in the law of information technology. He is also a Senior Visiting Fellow with the Information Security Group, Royal Holloway University of London, where he teaches in the information security MSc programme. Opinions expressed are his alone.