BBC Click botnet 'attack' criticised by industry experts

News by Dan Raywood

The BBC Click investigation into hacking has been condemned by leading security experts.


Representatives from Sophos, Kaspersky, AVG, FaceTime and McAfee have used the social networking site Twitter to discuss the broadcast, where presenter Spencer Kelly acquired a botnet from an internet chatroom and sent out spam to two specific test email addresses set up by the programme.


Kelly and PrevX took over an existing botnet of approximately 22,000 computers, and used them for their spam experiment - ordering the innocent third-party computers to send 500 spam messages each to Hotmail and Gmail accounts under the control of the BBC.


Claims have been made that what the broadcaster did was illegal, with Sophos' senior technology consultant Graham Cluley claiming that ‘this is clearly an unauthorised modification of computer data, and is - to my mind - a breach of the Computer Misuse Act.’


Cluley has been active on Twitter, bringing representatives from vendors together. He claimed that the ‘BBC overstepped the mark here, and showed bad judgement’ and later asked ‘where were BBC Click's botnet of PCs? Imagine some had been US military computers? Will the BBC's reporter be the new Gary McKinnon!?’


In a response via Twitter, BBC Click claimed: “We would not put out a show like this one without having taken legal advice”.



However, Struan Robertson, a technology lawyer with Pinsent Masons and editor of OUT-LAW.COM, said: “The BBC appears to have broken the Computer Misuse Act by causing 22,000 computers to send spam. It does not matter that the emails were sent to the BBC's own accounts and criminal intent is not necessary to establish an offence of unauthorised access to a computer.


“The Act requires that a computer has been made to perform a function with intent to secure access to any program or data on the computer. Using the botnet to send an email is likely to satisfy that requirement. It also requires that the access is unauthorised – which the BBC appears to acknowledge. It does not matter that the BBC's intent was not criminal or that someone else created the botnet in the first place.”


