When the BBC purchased a botnet for an article aimed at user awareness, several red flags were raised online. Comments and opinions from both the security world and the blogosphere flooded RSS feeds. Did the BBC break the law? If so, which law did it break and how would it apply? The Tech Herald has spoken with several legal experts and, at the end of the day, the simple answer is yes, the BBC broke the law and the odds are nothing will be done about it.
Once news of the BBC’s botnet came to light, the first few reports centered on the Computer Misuse Act (CMA), and accused the BBC of breaking the law. However, the BBC said that, before the investigation, it consulted with its legal team.
The corporation has also stated on the record that: “It was not our intention to break the law. At no stage was any other data other than the IP address used. There is a powerful public interest in demonstrating the ease with which such malware can be obtained and used; how it can be deployed on thousands of infected PCs without the owners even knowing it is there; and its power to send spam e-mail or attack other Web sites undetected.”
“We believe that as a result of the investigation, computer users are now better informed of the importance and value of using basic security techniques to defend their PCs from attacks. This has been a subject of some debate and comment in the blogosphere. However we believed that the issue is vital for all PC users, not just those in the blogosphere, and that there would be great public interest in this demonstration.”
According to U.K. law, the Computer Misuse Act deals with three things. The first aspect of the CMA is unauthorized access to computer material, wherein a violator “...causes a computer to perform any function with intent to secure access to any program or data held in any computer; the access he intends to secure is unauthorized; and he knows at the time when he causes the computer to perform the function that that is the case.”
Section two of the CMA deals with unauthorized access with intent to “...commit or facilitate commission of further offences,” or, simply stated, unauthorized access to a system to commit other crimes.
Section three of the CMA deals with unauthorized modification of computer material, wherein a person can be in violation if, “...he does any act which causes an unauthorized modification of the contents of any computer; and at the time when he does the act he has the requisite intent and the requisite knowledge.”
When researching the issue, The Tech Herald spoke to legal experts in the U.K. as well as the U.S. The U.K. experts explained the legality of the matter in relation to U.K. law, while the U.S. experts addressed both a realistic legal issue and a hypothetical one.
Peter Groves, a Consultant with CJ Jones Solicitors in London, started his explanation with a bit of a history lesson, which remains in this article as an interesting fact.
“The Computer Misuse Act was introduced to deal with a range of activities involving computers, in the aftermath of a case where people who had hacked into the Duke of Edinburgh's email account were found by the court to have committed no offence. Considering that it's as old as it is, it still works remarkably well,” said Groves.
When talking about section one he added that: “...the required intent is to secure access to any program or data held in any computer, which is pretty low-level: if you give a computer a command, you must be trying to do one of those things. It would be hard for the BBC to argue that they didn't intend to gain access to data, if not to programs.”
Section two of the CMA does not apply, Groves pointed out, and neither would section three. Section three requires, “...an intent to cause a modification of the contents of any computer and by so doing to impair the operation of any computer; to prevent or hinder access to any program or data held in any computer; or to impair the operation of any such program or the reliability of any such data.”
“This is a pretty high level of intent, and the BBC certainly didn't wish to stop people having access to programs or data on their computers. But did they impair the operation of the computers they hacked? All they did apart from sending the emails was modify the wallpaper, which I suppose could be called impairment at a stretch, but I doubt that a judge would be amused to have their time wasted on something as trivial as that,” Groves added.
Another expert agreed with Groves, pointing to the three requirements of section one of the CMA and outlining the charges.
“Arguably, the BBC has satisfied all three limbs of the offence in that it has used a computer (through a bot) to secure access to data held on a victim's computer, the access was unauthorized and it knew at the time the access was unauthorized. The CMA is drafted in such a manner that ‘program’, ‘computer’ or ‘data’ are not defined and, therefore, the offence is potentially wide-ranging in nature,” John Yates, solicitor for DMH Stallard LLP, told The Tech Herald.
“The difficulty any ‘victim’ of the BBC bot would face is that he/she or the police would have to convince the Crown Prosecution Service (the body that brings prosecutions in the UK) of the merits of such a prosecution. It is also worth noting the UK government has in recent years cut back the budget of the Metropolitan Police’s Computer Crime Unit so it is questionable whether it would take this up. Alternatively, a victim may bring a private prosecution in their own name but the costs may be prohibitive,” he added.
In the U.S. we have something close to the Computer Misuse Act, the CFAA or Computer Fraud and Abuse Act of 1986. If some of the bots were located in the U.S., would the CFAA apply to the BBC? That’s possible, but there are some strings attached.
The CFAA “makes it an offence knowingly to use a program or access a computer without authorization and, as a result, cause more than $5,000 of damage,” explained Yates.
“The CFAA differs from the CMA in that it also allows for those suffering harm to bring a civil claim. Thus, if victims of the BBC bot were in the US, they could bring [a civil claim] provided that the standards of the criminal test (i.e. beyond reasonable doubt) are met, and the claim is brought within 2 years. Of course, the victim must also demonstrate $5,000 damage, which may be difficult in the BBC case,” he concluded.
When asked the question of what would happen to the BBC if it did this type of investigative report in the U.S., as well as how the law would apply, one expert broke the legal issues down into segments.
Expanding on the question, The Tech Herald wanted to know if there were serious legal issues to consider or merely passive ones, meaning circumstances where the law was broken but the cost of pursuing the matter would be too high. Anne P. Mitchell, Esq., the CEO and President of the Institute for Social Internet Public Policy, explained the process to us.
“First, it is of course illegal to use a botnet,” she wrote in an e-mail response. This is because, “...by its very definition, a botnet consists nearly entirely of private computers which have been illegally trespassed upon.”
Mitchell went on to explain that, from the receiving perspective, the actual activities in which the BBC engaged with the botnet are arguably legal, because it applied them to itself and to a third party that had given prior consent. By “from the receiving perspective,” Mitchell pointed out in her e-mail, she means that neither the BBC nor Prevx would have a legal claim based on those activities.
“In other words - they first used the botnet to Spam themselves (there was therefore consent - in fact, technically because of that it wasn't Spam). They then DOSed the third party (Prevx) but it was, again (at least as I understand it) with the prior consent of Prevx.”
However, the people owning the illegally co-opted PCs could have a claim, she said, a point Yates made as well. This is because, “the very act of using those PCs broke any number of laws. This may be the first time in history that the persons behind the use of a botnet are so readily identifiable (and have such deep pockets),” Mitchell explained.
The criminal who sold the botnet was all too happy to take part in the experiment; the end users, however, were not, and, despite the altered desktop wallpaper, many of them will never know they were involved in the testing.
However, another claim could be raised. The BBC agreed to receive the Spam, but did Google? What about Microsoft? “...they too might be in a position to bring an action for illegal activity,” Mitchell explained, “...it doesn't matter that the BBC agreed to receive the Spam - it still could have negatively impacted Google and it almost certainly violated their TOS - unless they also had the prior consent of Google.”
Yet, are the legal issues serious or just passive?
“The legal issues are real, and are potentially serious. The BBC could face criminal prosecution under both state and Federal laws, as well as private lawsuits from their ISP (Google) and even any of the upstream providers that had to deal with the botnet traffic; and in theory, from the individual PC owners,” she said.
“Then there is also the fact that the BBC paid known criminals (the botnet operators). Now, of course, the other side of that is that U.S. law also gives great protection to the press, which I'm sure the BBC would attempt to invoke if there were any legal action here. All that said - do I think that any legal action will result from this? Probably not. And, if it does, it's anybody's bet as to which way it would be resolved.”
Another legal expert The Tech Herald talked to, Kathleen Porter, a partner at Robinson and Cole in the Business Group as well as chair of the firm's Intellectual Property and Technology Practice Group, spoke at length with us, covering much of what has already been mentioned. However, she pointed us to a case that could be directly tied to the BBC.
In 2005, Daniel James Cuthbert, an IT security consultant, was convicted of violating section one of the Computer Misuse Act. His crime was hacking a tsunami appeal Web site. The relevance to the BBC lies in statements made by the broadcaster. The BBC is on record as stating that: “It was not our intention to break the law.”
While convicted of hacking, Cuthbert was not attempting to break the law either. The act Cuthbert was charged with was actually a test to ensure that the site wasn’t phishing related. In 2004, Cuthbert donated to the tsunami site and, when he didn’t see a confirmation or thank-you page, he carried out two security tests. These tests were detected by the site's security systems, which duly alerted the authorities.
If a security consultant, testing a site that seemed off on a personal suspicion that it was phishing related, can be charged with CMA violations, why can the same not be expected for the BBC, which went to a criminal and purchased a botnet to use in a story designed to raise public awareness?
Cuthbert did not intend to break the law. He was not planning a feature story demonstrating how easy it is to test a site for clear signs of a phishing operation. In essence, he was acting in a manner consistent with his profession, exactly as the BBC was.
The tough question is what will anyone do about it? Will someone sue the BBC? Will there be an inquiry? The likely answer is no, and nothing will happen. This is not the first time the BBC has done something that the public or experts have disagreed with, and it's unlikely to be the last.
However, Don Tellock, a technology lawyer with the law firm of Schiff Hardin LLP, made an excellent point when The Tech Herald spoke to him as an expert about the BBC story. As long as the facts in the story are as presented, “there is a difference in researching the story, and violating the law and becoming the story.”
Never become the story, as the golden rule of journalism is said to go. Could that have been the intent of the BBC after all?
The Tech Herald: The BBC and the case of awareness versus ethics