The story started last week. The BBC, for a feature on its Click program, purchased and tested a botnet. After the test, the corporation dismantled the botnet, but not before leaving altered desktops on the infected systems, alerting the users to the problem. This is a classic case of ethics vs. user awareness. Adding fuel to the fire is the contention that the BBC broke the law.
Did the broadcaster break the law? And, if it did, will it be charged with any specific crimes or face private lawsuits? Does it matter?
The story, according to the BBC
The BBC, for the program Click, was in Russia to see “just how sophisticated cybercrime has become.” To do this it paid a few thousand dollars and, through a Russian contact, rented a botnet. The botnet consisted of 21,696 systems, controlled through a simple point-and-click interface. The Click report explains that the botnet was so easy to control that anyone could do it. This underlines one of the main reasons that Spam, ID theft, and Malware propagation are so prevalent -- the tools are designed so that anyone can use them, no matter their level of knowledge.
The botnet was used to perform two tests. The first was to send Spam to BBC-owned e-mail accounts. Over several hours the corporation used the botnet to trickle Spam to Gmail and MSN accounts under its control. Every bot was to e-mail the test accounts 500 times. According to the BBC, it used the bot controls to throttle the rate of Spam, limiting bandwidth and resource usage on the infected machines, which is why the test stretched over several hours. At the end of the test, the two test accounts were full of junk mail, thousands of e-mail messages in all.
The second test, a full-on Denial of Service attack, was conducted with the help of security vendor Prevx. For this test, Prevx allowed the BBC to use the bots to attack a backup Web site owned by the company. It took only 60 bots out of the 21,696, fewer than 0.3 percent of the botnet, to flood the site and take it offline. This test was designed to show that bot owners have more options than just Spam: the same machines can be used for malicious offensive maneuvers as well.
After the testing was finished, the BBC dismantled the botnet. Before it severed ties with the bots, the BBC altered the desktop background of each system. The altered desktop carried a message from the BBC that the system had been part of a botnet and displayed information on preventing further infection. After that, it ordered a self-destruct: each bot was told to unload the software used to control it and sever ties with the Command and Control (C&C) server. Note that changing the wallpaper and unloading the bot are themselves modifications of machines the BBC did not own and had no permission to touch, which is the point the critics quoted below seize on.
“It was not our intention to break the law. At no stage was any other data other than the IP address used. There is a powerful public interest in demonstrating the ease with which such malware can be obtained and used; how it can be deployed on thousands of infected PCs without the owners even knowing it is there; and its power to send spam e-mail or attack other Web sites undetected,” outlined a statement from the BBC given to various news sites.
“We believe that as a result of the investigation, computer users are now better informed of the importance and value of using basic security techniques to defend their PCs from attacks. This has been a subject of some debate and comment in the blogosphere. However we believed that the issue is vital for all PC users, not just those in the blogosphere, and that there would be great public interest in this demonstration.”
The BBC said that before the investigation, it consulted fully with its legal team.
The moral issues: security research and protection
As the story of what the BBC did moved around online, security experts and vendors fell over themselves to comment. This is their backyard, and the BBC had just moved into it. This is also where the argument against the BBC moves from the legal to the moral and ethical.
“It would be considered a high crime indeed to allow a spambot to actually send spam to the outside world, even for ‘testing’ purposes. And, shutting down a botnet yourself, even with the best intentions, is simply not a good idea. You don't know what accidental harm you may cause. You also don't really know what's on the user's system that will simply restart the whole process,” wrote Alex Eckelberry of Sunbelt Software, who said he felt sick while watching the BBC's work.
“It's highly disturbing that the BBC has, in effect, set a precedent here: If it's all for the good, then no worries, go ahead, blunder around and disable botnets, change users' desktop settings, show off how they send spam -- it's all ok, because the means justifies the end. Doesn't work for me. At all.”
Another expert, Sophos’ Graham Cluley, agreed, and said in a forum posting on the subject that: “The BBC were not authorised to access those computers - and so they have not only (in my humble opinion) broken the law. They've also managed to film themselves doing it. A TV report like this can help to raise awareness of the serious problem of computers being controlled by hackers. And that's great. But it is completely wrong for a broadcaster to use innocent people's computers without their permission for the purposes of their experiment.”
“The law says you can't mess around with other people's computers without authorisation. The BBC didn't have permission to send those spam messages,” he added. “Sending spam from someone else's computer obviously gobbles up bandwidth and will use up system resources. Even if the BBC felt the impact would be minimal - it doesn't make it right. And I wonder how Gmail and Hotmail feel about being hit by spam sent by the BBC? There's enough spam in the world. We don't need more - and we don't need journalists making experiments like this to prove something that can be demonstrated in a legal way.”
Mel Morris, CEO of Prevx, the company that helped the BBC, added a different perspective.
“Botnets exist primarily because of an abject failure of the PC security industry to adequately protect consumers from such threats. It is a myth, albeit a popular and industry-serving myth, that Botnets only infect PCs with little or no security. Users with well-respected brands of fully up-to-date PC antivirus and so-called internet security products are infected every day while their PC security product tells them they are clean. Maybe that's a larger public injustice and one Graham and his team of very capable guys should focus a little more on than trying to pose as a legal expert,” Morris said in a response to Cluley.
“Meanwhile the market engineering of security products from 10 of the top vendors heads further towards mutual exclusivity, meaning that consumers and businesses are denied the opportunity of using two or more products to provide additional protection… let's focus on the real fight that threatens our customers and our industry too. At the moment we are all simply not doing anywhere near enough to educate people of the real risks. The risks that are ever present in spite of running up-to-date so-called PC security.”
Experts from Kaspersky, F-Secure, AVG, and McAfee agreed with Cluley that what the BBC did was wrong from legal, ethical, and moral standpoints. The logic is that to fight something, you cannot become the thing you are fighting. When the BBC started sending Spam and launching Denial of Service attacks, it rendered itself no better than the criminals it sought to expose.
At the end of the day, does it matter?
Before the BBC faces any charges, someone has to investigate the allegations. Someone would then need to press charges against the corporation for Computer Misuse Act (CMA) violations, and even then there is no guarantee anything will happen; the BBC could still walk away unscathed.
As for the owners of the 21,696 systems included in the botnet, what are the odds of a class-action suit? Would and could there be one? Which of the users wants to risk starting one, and taking on the legal team at the BBC?
There have been a lot of comments online in forums and blogs. Likewise, there have been several news articles written and opinions tossed about. At the end of the day, the IANAL (“I am not a lawyer”) comments from all of us are moot.
Security experts, researchers, consultants, and vendors all have to walk a thin line in their profession. Sometimes in their work, they come really close to that line, but none would ever admit to crossing it. Yet, looking at the cat and mouse game that is Information Security and the daily struggle of professionals versus criminals, sometimes the line is certainly blurred.
Still, professionals have a strict code of ethics, and they will never stoop to the level of a criminal to beat them at their own game. However, if they ever did, assuming the absolute worst, would we in the public ever know?
No matter what the law says, what the BBC did is done and over with.
The security world will keep fighting. It will keep taking on the criminals and the Spy vs. Spy-like games will continue. Only now it has to worry about public perception of its actions, alerts, and training. This is the reality of things from inside the security world.
In the eyes of the public, the entire issue is nothing but a news company that pushed the limits and may or may not have gone too far to make a point.
The Tech Herald: The BBC and the Computer Misuse Act