Thursday, 12 March 2009

Did the BBC just break the law?

The BBC's lightweight tech program "Click" took over a botnet of 20,000 machines to demonstrate the perils of zombie PCs. The BBC insists that this is perfectly legal: "If this exercise had been done with criminal intent it would be breaking the law."

So was it legal? Well, not according to the Computer Misuse Act. The BBC states that "the owners of unprotected PCs have been made aware that they are vulnerable to future attacks" and "Click advised them on what steps to take to make their systems more secure". In fact, you can see precisely what they did on this video clip.

So, did they just alter the data on the compromised PCs? It certainly looks like it - and because they have both gained unauthorised access to a PC and altered information on it, that is potentially a criminal offence under section 3 of the act.

3 Unauthorised modification of computer material

(1) A person is guilty of an offence if—

(a) he does any act which causes an unauthorised modification of the contents of any computer; and

(b) at the time when he does the act he has the requisite intent and the requisite knowledge.
Certainly the BBC carried out an unauthorised modification. But did they have the requisite intent?

(2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing—

(a) to impair the operation of any computer;

(b) to prevent or hinder access to any program or data held in any computer; or

(c) to impair the operation of any such program or the reliability of any such data.
Clearly, the BBC did not have malicious intent to carry out (a), (b) or (c), so under UK law they are probably just about in the clear.

But that's just UK law (and they are skating on thin ice as it is). In some other countries, unauthorised access and alteration of data for any reason is likely to be a criminal offence. The BBC probably did this with good intent, but it was quite possibly an ill-advised thing to do.

Added:
Copied from the comments (thanks Joel!)

Erm... why did you miss out the important bit - which is (1):

(Computer Misuse Act 1990)

1 Unauthorised access to computer material

(1) A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.
(2) The intent a person has to have to commit an offence under this section need not be directed at—
(a) any particular program or data;
(b) a program or data of any particular kind; or
(c) a program or data held in any particular computer.
(3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.

As I understand it, this means that you only have to secure access to a program or data (i.e. ANY ACCESS AT ALL) without authorisation to have acted illegally. Hence, what they have done is certainly illegal. I doubt anyone will be punished though...

Joel

El Reg is covering this here, they quote Graham Cluley of Sophos who says that he believes the BBC did break the law. It looks like there is a storm brewing.

Now, I don't think the BBC breached security to access any data. Unauthorised access to a bot application is tricky, but the question revolves around them changing the wallpaper. It was certainly ill-advised in my view.

2 comments:

Joel said...

Erm... why did you miss out the important bit - which is (1):

(Computer Misuse Act 1990)

1 Unauthorised access to computer material

(1) A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.
(2) The intent a person has to have to commit an offence under this section need not be directed at—
(a) any particular program or data;
(b) a program or data of any particular kind; or
(c) a program or data held in any particular computer.
(3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.

As I understand it, this means that you only have to secure access to a program or data (i.e. ANY ACCESS AT ALL) without authorisation to have acted illegally. Hence, what they have done is certainly illegal. I doubt anyone will be punished though...

Joel

Joel said...

it seemed like free advertising for those selling such botnets...

thank you Spencer Kelly...

:o(