The BBC acquired a botnet, but was it legal? - Update
As part of the BBC's Click programme, BBC researchers acquired a low-value botnet and used it to demonstrate how botnets can be used to send spam and perform denial-of-service attacks. The programme, to be broadcast at 11:30 GMT on Saturday 14th March, shows the BBC, with the help of security company Prevx, taking control of a 22,000-machine botnet. The programme makers then use the botnet to send spam to two specially created email accounts and to perform a denial-of-service attack on a system set up by Prevx.
The BBC say they did not access personal information on the computer systems and took a number of steps to inform the users of the machines in the botnet that their machines had been hijacked. This included changing the desktop background, telling users to visit http://bbc.co.uk/click/infection and disabling the botnet software after the programme was completed. Excerpts of the programme are available on the BBC web site.
Graham Cluley of Sophos questions in his blog whether the BBC have broken the law as represented in the Computer Misuse Act, suggesting that the change of desktop background itself may be a breach of the Act. In their online excerpt the BBC say "if you were to do this with criminal intent you would be breaking the law". Another issue Cluley points to is that the acquisition of the botnet itself may have involved paying money to criminals, something forbidden by regulatory bodies. In a later message on Twitter, Cluley also noted that the machines may well not have been in the UK, bringing different legal systems to bear on the BBC's actions.
According to Struan Robertson, a technology lawyer with Pinsent Masons, in a posting on Out-Law.com, the BBC's statement that the activity would only be illegal if those behind it had criminal intent is not true. Robertson said "The BBC appears to have broken the Computer Misuse Act by causing 22,000 computers to send spam. It does not matter that the emails were sent to the BBC's own accounts and criminal intent is not necessary to establish an offence of unauthorised access to a computer". However, Robertson does not think the BBC will be punished for the action "because the BBC's actions probably caused no harm."
At the time of writing, the BBC's only response has been a tweet from @BBCClick saying "We would not put out a show like this one without having taken legal advice".