Did BBC break the law by using a botnet to send spam?

The Computer Misuse Act makes it an offence in the United Kingdom to access another person’s computer, or alter data on their computer, without the owner’s permission.

The legislation has been used on a number of occasions to bring British hackers and virus writers to book, as obviously anyone breaking into a computer or installing malware is in breach of the act.

It is, therefore, somewhat surprising to find that the BBC appears to be have breached the law when making a program about computer crime.

BBC technology show BBC Click was investigating cybercrime and how gangs use networks of compromised computers (known as botnets or zombies) to send spam. As regular Clu-blog readers will be aware, well over 99% of all spam is sent from innocent people’s hacked computers without their knowledge.

Sign up to our free newsletter.
Security news, advice, and tips.

[View BBC clip]

BBC reporter Spencer Kelly and security company PrevX took over an existing botnet of approximately 22,000 computers, and used them for their spam experiment – ordering the innocent third-party computers to send 500 spam messages each to Hotmail and Gmail accounts under the control of the BBC.

Sure, a TV report like this can raise awareness of the serious problem of computers being controlled by hackers. But is it appropriate for a broadcaster to use innocent people’s computers without their permission for the purposes of their experiment?

Sophos has been asked many times by the media to take part in TV programmes like this, and has always made clear that we believe their legality to be questionable. Moreover, to our mind, the dubious ethics of such experiments are without question.

The law says you can’t mess around with other people’s computers without authorisation. The BBC and PrevX did not have the permission of the computer users to send those spam mesages. Sending spam from someone else’s computer obviously gobbles up bandwidth and will use up system resources. Even if the BBC felt the impact would be minimal – it doesn’t make it right.

Furthermore, at the end of this next excerpt you’ll see that the BBC “warned” the users that their computers were part of a botnet. They did this by changing the desktop wallpaper of affected computers owned by innocent third parties to display a message from BBC Click.

[View BBC clip]

This is clearly an unauthorised modification of computer data, and is – to my mind – a breach of the Computer Misuse Act.

Finally, the BBC says it “managed to acquire its own low-value botnet.. after visiting chatrooms on the internet,” but it is unclear whether they paid any money to the criminals who normally have control over such systems.

The BBC and PrevX might argue that it was making this TV show in the public’s interest, but surely there are ways of raising awareness of threats without breaking the law? Isn’t there enough spam around (I wonder how Hotmail and Gmail feel about this?) without journalists taking over botnets to generate more unwanted email traffic?

Update: According to this report in Out-law.com, I may not be correct in saying that the BBC committed an offence of unauthorised modification as it requires an intent to impair the operation of the computer or the software running on it. However, they do agree that unauthorised access appears to have occurred.

Do you agree with me in thinking the BBC went about this the wrong way? Think I’ve got it all wrong? Let me know in the below poll:

[polldaddy poll=1448277]

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.