BBC Tries Its Hand at the Botnet Biz
After checking with its lawyers, the British Broadcasting Corp. (BBC) recently proceeded to buy control of a small-scale botnet (22,000 computers) through chat rooms and forums. From there, the network's computer and Internet news program, "Click," showed how hackers exploit computers, raising considerable debate on the legal and ethical issues of a stunt that appeared harmless.
The BBC didn't just use the botnet for spamming. Working with U.K. security firm Prevx Ltd., it also performed a distributed denial-of-service (DDoS) attack on a Website. Worryingly, it took only 60 of the 22,000 computers to render the site totally inaccessible. Upon completion of these experiments, the BBC then alerted all the bot desktops with a wallpaper message that they had been infected, then suggested ways to rectify it and keep it from recurring. That was followed by an executable file, which destroyed the botnet.
In carrying out this experiment, the BBC demonstrated the ease with which computers can be infected and the ways in which hackers use these botnets to control PCs around the globe. This can be done passively (collecting data from infected computers) or actively (sending spam and phishing emails, performing DDoS attacks, using extortion against commercial sites).
However, debate is raging in the security community over the legal and ethical issues that surround this experiment. The U.K.’s Computer Misuse Act (CMA) stresses at length, in particular section 3, the fine legal points of "Unauthorized modification of computer material." But the CMA only has jurisdiction in the U.K., and not all the computers, by the BBC’s own admission, were in that blessèd realm.
There are also the issues raised by contradicting the Fundamental Principles of Testing of the Anti-malware Testing Standards Organization (AMTSO), which state, "Never create new malware, and protect the public networks from the research at all times."
Clearly, there's a tangle of legal and ethical issues raised by this kind of stunt, and the BBC does a grave disservice to the public by conducting this kind of experiment on the open Web, rather than within a closed network. Yet unanswered, but open to debate, are issues like:
- Did any of the BBC executables affect even a single computer adversely without its user's knowledge?
- What does this say about the integrity of the ISP involved and any of its associated "who-is" routing capabilities?
- Should the BBC have been allowed to conduct such an experiment without the consent of everyone involved?
- Has the BBC inadvertently opened the gateway for those computers already infected to be further contaminated or exploited?
Pushing the boundaries is what investigative journalism is all about. There are many TV documentaries about murder, gangs, and drugs -- why not cybercrime documentaries about the underbelly of the Internet? Still, it's hard to proclaim the BBC’s experiment a victory for the greater good, especially if it encourages other media outlets to behave in a similar, reckless fashion.