Opinion: The BBC and the case of awareness versus ethics

The story started last week. The BBC, for a feature on its Click program, purchased and tested a botnet. After the test, the corporation dismantled the botnet, but not before leaving altered desktops on the infected systems, alerting the users to the problem. This is a classic case of ethics vs. user awareness. Adding fuel to the fire is the contention that the BBC broke the law.

Did the broadcaster break the law? And, if it did break the law, will it be charged for any specific crimes or face personal lawsuits? Does it matter?

The story, according to the BBC

The BBC, for the program Click, was in Russia to see “just how sophisticated cybercrime has become.” In order to do this it paid a few thousand dollars and, through a Russian contact, rented a botnet. The botnet consisted of 21,696 systems, controlled with a simple point-and-click system. The Click report explains that the botnet was so easy to control that anyone could do it. This underlines one of the main reasons that Spam, ID theft, and Malware propagation are so prevalent -- the tools are designed so that anyone can use them, no matter their level of knowledge.

The botnet was used to perform two tests. The first was to send Spam to BBC-owned e-mail accounts. What the corporation did was use the botnet over several hours to trickle out Spam to Gmail and MSN accounts under the control of the BBC. Every bot was to e-mail the test accounts 500 times. According to the BBC, it used the bot controls to slow the rate of Spam, limiting bandwidth and resource usage and leading to a test that lasted several hours. At the end of the test, the two test accounts were full of junk mail, literally thousands of e-mail messages.

The second test, a full-on Denial of Service attack, was conducted with the help of security vendor Prevx. For this test, Prevx allowed the BBC to use the bots and attack a backup Web site owned by the company. It took 60 bots out of the 21,696 to flood the site and take it offline. This test was designed to show that there are more options available to bot owners than just Spam. They can be used for malicious offensive maneuvers as well.

After the testing was finished, the BBC dismantled the botnet. Before it severed ties with the bots, the BBC altered the desktop backgrounds of each system. The altered desktop contained a message from the BBC that the system was a part of a botnet and displayed information on preventing further infection. After that, it ordered a self-destruct. Each bot was told to unload the software used to control it and sever ties with the Command and Control (C&C) center.

“It was not our intention to break the law. At no stage was any other data other than the IP address used. There is a powerful public interest in demonstrating the ease with which such malware can be obtained and used; how it can be deployed on thousands of infected PCs without the owners even knowing it is there; and its power to send spam e-mail or attack other Web sites undetected,” outlined a statement from the BBC given to various news sites.

“We believe that as a result of the investigation, computer users are now better informed of the importance and value of using basic security techniques to defend their PCs from attacks. This has been a subject of some debate and comment in the blogosphere. However we believed that the issue is vital for all PC users, not just those in the blogosphere, and that there would be great public interest in this demonstration.”

The BBC said that before the investigation, it consulted fully with its legal team.

The moral issues and security research and protection

As the story of what the BBC did moved around online, security experts and vendors fell over themselves to comment. This is their backyard, and the BBC just moved right into it. This is where the argument against the BBC moves from legal to moral and ethical.

“It would be considered a high crime indeed to allow a spambot to actually send spam to the outside world, even for "testing" purposes. And, shutting down a botnet yourself, even with the best intentions, is simply not a good idea. You don't know what accidental harm you may cause. You also don't really know what's on the user's system that will simply restart the whole process,” wrote Alex Eckelberry of Sunbelt Software, who said he felt sick while watching the BBC's work.

“It's highly disturbing that the BBC has, in effect, set a precedent here: If it's all for the good, then no worries, go ahead, blunder around and disable botnets, change user's desktop settings, show off how they send spam -- it's all ok, because the means justifies the end. Doesn't work for me. At all.”

Another expert, Sophos’ Graham Cluley, agreed, and said in a forum posting on the subject that: “The BBC were not authorised to access those computers - and so they have not only (in my humble opinion) broken the law. They've also managed to film themselves doing it. A TV report like this can help to raise awareness of the serious problem of computers being controlled by hackers. And that's great. But it is completely wrong for a broadcaster to use innocent people's computers without their permission for the purposes of their experiment.”

“The law says you can't mess around with other people's computers without authorisation. The BBC didn't have permission to send those spam messages,” he added. “Sending spam from someone else's computer obviously gobbles up bandwidth and will use up system resources. Even if the BBC felt the impact would be minimal - it doesn't make it right. And I wonder how Gmail and Hotmail feel about being hit by spam sent by the BBC? There's enough spam in the world. We don't need more - and we don't need journalists making experiments like this to prove something that can be demonstrated in a legal way.”

Mel Morris, CEO of Prevx, the company that helped the BBC, added a different perspective.

“Botnets exist primarily because of an abject failure of the PC security industry to adequately protect consumers from such threats. It is a myth, albeit a popular and industry serving myth that Botnets only infect PCs with little or no security. Users with well respected brands of fully up to date PC antivirus and so called internet security products are infected every day while their PC security product tells them they are clean. Maybe that's a larger public injustice and one Graham and his team of very capable guys should focus a little more on than trying to pose as a legal expert,” Morris said in a response to Cluley.

“Meanwhile the market engineering of security products from 10 of the top vendors heads further towards mutual exclusivity, meaning that consumers and businesses are denied the opportunity of using two or more products to provide additional protection… let's focus on the real fight that threatens our customers and our industry too. At the moment we are all, simply not doing anywhere near enough to educate people of the real risks. The risks that are ever present in spite of running up to date so called PC security.”

Experts from Kaspersky, F-Secure, AVG, and McAfee agreed with Cluley that what the BBC did was wrong from legal, ethical, and moral standpoints. The logic is that to fight something, you cannot become what it is you are going up against. When the BBC started sending Spam or launching Denial of Service attacks, it rendered itself no better than the criminals it sought to expose.

At the end of the day, does it matter?

Before the BBC faces any alleged charges, someone has to investigate them. Someone will need to press charges against the corporation for CMA violations, and even then there is no guarantee anything will happen, as the BBC could still walk away unscathed.

With regard to the 21,696 people who are the owners of the systems included in the botnet, what are the odds of a class-action suit? Would and could there be one? Which of the users wants to risk starting one, and duly taking on the legal team at the BBC?

There have been a lot of comments online in forums or blogs. Likewise, there have been several news articles written and opinions tossed about. At the end of the day, the IANAL-type comments from all of us are moot.

Security experts, researchers, consultants, and vendors all have to walk a thin line in their profession. Sometimes in their work, they come really close to that line, but none would ever admit to crossing it. Yet, looking at the cat and mouse game that is Information Security and the daily struggle of professionals versus criminals, sometimes the line is certainly blurred.

Still, professionals have a strict code of ethics, and they will never stoop to the level of a criminal to beat them at their own game. However, if they ever did, assuming the absolute worst, would we in the public ever know?

No matter what the law says, what the BBC did is done and over with.

The security world will keep fighting. It will keep taking on the criminals and the Spy vs. Spy-like games will continue. Only now it has to worry about public perception of its actions, alerts, and training. This is the reality of things from inside the security world.

In the eyes of the public, as far as opinion is concerned, the entire issue is nothing but a news company that pushed the limits, and may or may not have gone too far to make a point.

The Tech Herald: The BBC and the Computer Misuse Act
