BBC buys, uses botnet to show dangers to PCs

Legal expert says BBC botnet may have broken the law with its spam test, even though the infected computers were not used for harm.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

To demonstrate the threats from botnets, the BBC purchased a network of 22,000 infected computers, used it to spam its own e-mail accounts and to run a denial-of-service test, and then left messages on the hijacked computers saying that they were infected.

The BBC's Spencer Kelly discusses how the BBC's botnet spammed two e-mail accounts the company created as a test. (Credit: BBC)

The BBC's Click technology program said it acquired the "low value" botnet after visiting Internet chat rooms and used the network to spam a Gmail account and a Hotmail account it created for the spam test. It demonstrated the test in a video that accompanies a BBC article about the exposé on Thursday.

The e-mail accounts received thousands of spam messages within hours, the video says.

The botnet was also used in a distributed denial-of-service attack on a test site owned by security company Prevx. After the demo attacks were complete, the BBC left messages on the infected computers used in the botnet telling them they were infected and offering information on how to secure their systems, and then disabled the botnet, the company says.

No personal information was accessed on the infected PCs, the BBC said. "If this exercise had been done with criminal intent it would be breaking the law," the article said.

However, a European law firm says the BBC may in fact have broken the law despite its good intentions.

The BBC violated the Computer Misuse Act by acquiring and using the software to control the botnet, according to Struan Robertson, a technology lawyer with Pinsent Masons and editor of the firm's Out-Law.com site.

"It does not matter that the e-mails were sent to the BBC's own accounts and criminal intent is not necessary to establish an offence of unauthorized access to a computer," Robertson said.

"The Act requires that a computer has been made to perform a function with intent to secure access to any program or data on the computer. Using the botnet to send an e-mail is likely to satisfy that requirement," he wrote. "It also requires that the access is unauthorized--which the BBC appears to acknowledge."

Robertson said it is unlikely the BBC will be prosecuted because its action probably caused no harm.

Robertson notes that the BBC said on Twitter that it had consulted with lawyers before it acquired the botnet and took action.