I am stunned by the irresponsible, unethical, and almost certainly illegal, actions of BBC’s “Click” programme in preparing and broadcasting its “botnet” special on Saturday.
Assuming this was not some form of elaborate hoax, the journalists in question could be investigated and prosecuted for the commission of multiple computer crimes.
How many violations of the law took place? Incredibly, the BBC’s answer is “zero”. The BBC claims that they took legal advice and reached the conclusion that there was no crime because they did not intend to commit a crime. That is utter nonsense, and I challenge the BBC to produce whatever memo they relied upon to reach such a stunning conclusion.
It’s not just UK law that the BBC should be worried about. The act of commandeering more than 21,000 computers around the world may very well constitute a violation of the criminal laws in many of the countries where those computers reside.
A journalist in France taking similar actions could face prosecution under UK law with respect to unauthorised access to computers located in the UK.
As a mundane example, if any of these compromised computers were in California, the Click team could face prosecution for violation of California criminal law.
While the State of California may decide it will not request extradition for trial (which, as we’ve seen, can take a long time for alleged computer crimes), the journalists may wish to think twice before their next business trip to Silicon Valley. Being arrested by the County Sheriff at San Francisco’s airport could delay one’s ability to file copy before deadline.
I am occasionally called upon to discuss the legal and ethical dilemmas presented by so-called “ethical” or “white hat” hacking. More than once I have been asked about a project that, while laudable, must be re-designed in order to avoid legal problems or ethical concerns.
I’m proud to say that my graduate students, academic colleagues, and information security professional friends usually have enough common sense to spot and avoid blatant problems like the ones created by the BBC in the name of “education”.
Let’s get one thing clear. The producers of Click did not pay off an anonymous criminal and commandeer 21,000 computers around the world solely for the purpose of education.
Education could have been accomplished just as easily with a simulation of the acts in question. Any number of current or past law enforcement professionals could have confirmed in interviews how these networks operate.
The actual act of operating the botnet was done to produce a sense of drama, excitement, and even titillation.
“Look at us; we’re now breaking into 21,000 computers all around the world without permission and making them do things that are normally illegal, except that we are really good guys so it’s OK,” is, I guess, what they were thinking.
This sort of journalism fails to rise to the level of professionalism expected of a teenager writing for a school newspaper, let alone the BBC.
Worse, in highlighting ease of access and advocating that “pure motive means no crime” the BBC may actually encourage others to run similar irresponsible “experiments”. Computer and Internet history is littered with disasters born of pure motives.
The editorial team in question should be investigated (at the very least) by the BBC. The global information security profession already faces enough challenges without having to deal with this sort of childish and unprofessional activity.
- About the author: Robert Carolina is a US Lawyer and an English Solicitor who specialises in the law of information technology. He is also a Senior Visiting Fellow with the Information Security Group, Royal Holloway University of London, where he teaches in the information security MSc programme. Opinions expressed are his alone.