In my previous discussions of BBC Click’s BotNet programme I avoided a detailed discussion of the law. Whatever the law says, I believe their actions were irresponsible.
Even so, as the debate over the “BBC botnet caper” has developed I have been surprised by the number of otherwise capable information security professionals who simply fail to understand the law. Since I am a lawyer who teaches information security graduate students about law, I think it’s worth explaining why I believe the Click team broke the law.
I’ll talk about only one law today: Section 1 of the UK’s Computer Misuse Act 1990 (CMA).
Section 1 of CMA criminalises “unauthorised access” to computers. The offence has three elements. The accused is guilty if “(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer”, (b) the intended access is unauthorised, and (c) the accused knows the access is unauthorised.
Click’s presenter appeared to admit all three elements in the broadcast itself. He explained that the team used their new-found front-end software to control bot software on 21,000 infected computers. This seems to be a clear admission that the team were “causing a computer” (in the studio) to “perform [a] function” (sending control traffic) “with intent to secure access to a program” (the individual bot programs and any other resident software used) “held in [a] computer” (any one of the 21,000 infected machines).
The show’s host also described the bot computers as “hijacked”. Although the hijacking was done by someone else originally, this is still a clear admission that the Click team knew they were using the bot-infected machines without permission.
The fact that Click say they did not try to obtain information from the machines is completely irrelevant. A section 1 offence is committed simply by trying to gain access to a target machine. And in case you are wondering, “access” includes the act of using a program on the target machine.
Was this “legally” serious? A conviction under CMA Section 1 carries the potential of “imprisonment for a term not exceeding two years or . . . a fine or . . . both”. The court is not required to impose a jail sentence or a fine, but the available penalties show that the law treats this as serious stuff.
What about finding a victim or proving harm? As with the crime of driving under the influence, there is no requirement to prove harm or damage in order to obtain a conviction under Section 1. But people are always interested, so I’ll discuss it briefly anyway.
As I wrote before (The unanticipated consequences of BBC Click's botnet crime) Click were messing around with machines in the developing world that probably run outdated operating systems. Some of these machines may have crashed as a result of the team’s actions.
In this case the potential victims are both out of sight and out of mind. If a machine in Thailand or Colombia (for example) crashed as a result of this experiment and caused harm to someone, the victim will probably never know that they were victimised by the BBC. We’ll never learn about it. We can hope that no one was hurt but we’ll never know for sure.
By the way, although the Click show said that the infected machines were in the developing world this does not avoid application of the CMA. If even one of the bot-infected machines was in the UK, or if the botnet front end was in the UK, then the CMA clearly applies and the action can be prosecuted in the UK.
I can’t escape the view that the Click team violated Section 1 of the CMA. I wonder what the producers of Click believe? I have tried to ask them. I am still waiting for a response.