BBC buys, uses botnet for investigation into cybercrime – does it break the law?

The BBC has said that it purchased a network of 22,000 infected computers, used it to spam its own e-mail accounts on Hotmail and GMail, used the computers for a denial-of-service test, and then changed the infected computers’ wallpaper to a message saying that they were infected.

The program, Click (which airs on BBC One and BBC World News), said that it acquired the network by visiting chatrooms. The BBC has not said how much they paid for the botnet, but it has defended its actions, saying it was part of its own investigation into global cyber crime.

It also used the computers to attack a backup site owned by Prevx, the security company that the BBC consulted. According to the BBC, it took only 60 machines to overload the bandwidth of the site.

However, some are saying that this might have been a breach of the Computer Misuse Act and that the BBC might face prosecution for using the botnet it bought. The offence carries a maximum penalty of two years’ imprisonment if found guilty.

According to Struan Robertson, editor of OUT-LAW.com, “The BBC appears to have broken the Computer Misuse Act by causing 22,000 computers to send spam. It does not matter that the emails were sent to the BBC’s own accounts and criminal intent is not necessary to establish an offence of unauthorised access to a computer.”

“The Act requires that a computer has been made to perform a function with intent to secure access to any program or data on the computer. Using the botnet to send an email is likely to satisfy that requirement. It also requires that the access is unauthorised – which the BBC appears to acknowledge. It does not matter that the BBC’s intent was not criminal or that someone else created the botnet in the first place,” he continued.

However, he added that the BBC is not likely to face prosecution. “But it is very unlikely that any prosecution will follow because the BBC’s actions probably caused no harm. On the contrary, it probably did prompt many people to improve their security,” he said.

The BBC has said that it has deleted the botnet and no longer has any control of the infected machines. It also said that it had warned the 22,000 users (who have been shown to be from all around the world) that they had been infected and offered options to fix the problem.

The segment will air on Saturday on BBC One.