More on the BBC’s Botnet


Update: several nice, thoughtful blogs on the subject from John Graham at

International law firm Pinsent Masons’ Struan Robertson seems to agree (at least in part) with commentary in the security industry that the BBC have broken the UK’s Computer Misuse Act. Robertson focused on the Click program’s unauthorised access to 22,000 bot-compromised PCs in order to use them to send "spam" to email accounts set up by the program.

In fact, Click’s mail-out doesn’t really meet any meaningful technical definition of spam, but the point here is the proof of the concept, not the content of the messages. The essential point that Robertson makes here is that

"It does not matter that the emails were sent to the BBC’s own accounts and criminal intent is not necessary to establish an offence of unauthorised access to a computer…It does not matter that the BBC’s intent was not criminal or that someone else created the botnet in the first place".

However, he disagrees with the contention that the Act was broken by the unauthorised modification of the infected systems, on the grounds that:

"The offence of unauthorised modification requires a recklessness or an intent that I don’t think the BBC has displayed."

Robertson’s reservation is based on the fact that unauthorised modification is an offence under section three of the Act, which he argues entails the need to prove intent to

"to impair the operation of a computer or to hinder access to data."

Far be it from me to argue with a lawyer – I have no formal legal training whatsoever. But section 3 also says that the intent doesn’t need to be directed at any particular computer, program, or data, or a program or data of any particular kind, or any particular modification or a modification of any particular kind. It seems to me that if the PC user was deprived of their original wallpaper (even temporarily), that may well be a technical breach. Even the act of turning off the malicious functionality of the bots that infected these machines could be interpreted as a breach, it seems to me. Nor am I convinced that there wasn’t a recklessness or negligence that might expose them to potential mens rea issues. They made system modifications, apparently, to 22,000 systems. Did they check each system to be sure that the modifications wouldn’t cause any unpleasant side effects on that system? Did they check afterwards? Did they consider at all the possibility that their actions might have unanticipated consequences?

Do I want anyone at the BBC to be arrested for notifying 22,000 users of bot-infected PCs that they had a problem? Of course not (not least because any legal costs would probably impact on my TV licence fee in the future!). But I wouldn’t mind seeing them acknowledge that they might have gone too far.

Let’s assume (for the sake of argument, rather than out of personal conviction!) that it’s permissible for them to have "bought" or rented a botnet, if that’s what they did – that isn’t actually clear. They could have explained the uses to which that botnet could be put, rather than breaking the law by demonstrating it. They could have set up a botnet (real or simulated) on their own closed network and demonstrated anything they liked, totally legally, or commissioned a group or agency, better resourced and more knowledgeable, to do it for them. While changing wallpaper may have been a quick and effective way of communicating with the users of the compromised machines, it’s unlikely that it was the only channel of communication open to them. But they chose not to pursue any of these alternatives, preferring to play the bold botmaster. Or, worse still, they simply didn’t think about alternatives and consequences at all. The legal system may not regard that as reckless, but I do.

Author: David Harley, Director of Malware Intelligence, ESET

  • emg

    Where I’m from, California, “Good Samaritan” laws exist to protect those who come to the aid of others for no other reason than kindness.

    These obviously wouldn’t protect the BBC, as they deal with emergency medical situations. But the idea is valid. In today’s litigious society, there can be a reluctance to help out. Fear of liability for any misstep can paralyze even the most helpful good Samaritan.

    So rather than criticize some people for trying to make the internet a safer place, why not come up with something yourself? You strongly imply that the amateurs should leave this to the professionals. Well, guess what? You, your employer, you’re the professionals — get to work, please.

    And yes, I do know that ESET provides trials and free tools in addition to the paid software and services. And yes, I’m a happy customer. But the majority of the 22,000 bot-compromised computers were likely owned by uneducated, unsophisticated users, with out of date antivirus (if at all) and wondering why their computer ran slower than usual and crashed all the time. They’re not going to go to your website and use the free tools available.

    Solve this and everyone wins.

    • Randy Abrams

      I agree that raising awareness is critical, but you don’t rape a person to prove it is a problem. You don’t illegally enter a person’s house to prove their locks are bad. You don’t change the desktop wallpaper or send spam from another person’s computer to prove it is a problem. The BBC really messed up on this one.

      Randy Abrams
      Director of Technical Education

  • emg

    rape != sending unsolicited bulk e-mail

    To suggest they’re the same or similar is just being hysterical.

    You even state what was sent doesn’t really fit the definition of spam. I won’t argue with the wallpaper.


    How many bot-infected computers do we have sending spam, launching attacks, congesting networks, etc.?

    Slippery slope arguments notwithstanding, I’m glad that someone is doing something. And if there is a better idea, let’s hear it — no, let’s see it.

    • Randy Abrams

      I am not about to suggest rape and unauthorized entry are the same; however, committing a crime to prove a point is still committing a crime to prove a point. It would be insignificantly different if they took camera crews to various homes, walked in the front door and moved the furniture around to prove that homes are not locked. There is no evidence that their illegal activities resulted in anyone actually acting and securing their PCs. If they want to contact owners and ask their permission to use their bot-infected computers, that’s fine. At ESET, we are working with several other companies and government groups on a pilot project called “Securing our eCity”. The goal is to raise awareness and provide education. We’ll post more in the near future as the pilot program launches in San Diego.


  • David Harley

    1. I don’t think that the BBC acted only out of kindness. The presenters of the Click program are journalists, not philanthropists. I’m sure their intentions, as far as the users of the infected systems were concerned, were ultimately good, but I’m pretty sure their first concern was to get a good story. There’s nothing wrong with that if you get your story in the right way, of course. But…

    2. …I’m not criticising the BBC for trying to make the internet a safer place, but for the way they went about it. It’s possible that they incited criminal behaviour by paying criminals for access to a botnet: as far as I know, they haven’t yet clarified that point. They chose to behave like botmasters, very possibly breaking the law in the process, instead of taking one of several entirely legal alternative routes to telling their story.

    3. I’ve already enumerated several of those alternative routes in this blog posting. I’m sorry you think that the 12 hours or so I put into my job 5-7 days a week – most of which is not spent blogging – doesn’t count as work. Trivializing the work we do here is unfair and unconstructive. And no, I’m not claiming to be a philanthropist either. I have to make a living too, but I do it this way because it’s a way in which I can sometimes make a positive difference.

    4. I’ve certainly never said “leave it to the professionals.” On the contrary, it seems to me that eliminating antisocial behaviour is everyone’s job. It’s very convenient for everyone to keep throwing the blame for social problems back onto the shoulders of vendors and security professionals, but that’s just perpetuating the myth that you can fix social problems with technical solutions. What we do here is try to fix part of the problem, but we don’t have the 100% solution. And nor, advertising fluff notwithstanding, does anyone else. The problem of cybercrime is not going to be solved by the security industry alone.

    5. You’re right: if more people behaved responsibly when it comes to protecting their systems and being sensible about what they do online, criminals would have a tougher time and I’d get more sleep. But the fact that so many people don’t behave responsibly doesn’t excuse the BBC’s irresponsibility. I expect better from them, and so should you.

    David Harley

  • emg

    I guess where I still find a difference is that when a person leaves his computer unsecured, the fact of his doing so adversely affects me. The analogy would be that in my apartment building, my neighbors leave their doors unlocked all the time. Hobos come in, take residence and leave trash in the hallways, make the air smell, and slide old pizza boxes under the door to my apartment. At night I can hear them trying to pick the lock to my door (but they can’t, because I have a hefty deadbolt and keep my windows locked).

    So when no one’s around, I step through the sliding glass door in the back, take a chair from the living room table, place my 3′×3′ note on it and leave it right next to the front door so it can’t be missed.

    It’s a legally insignificant difference, but it’s a difference in my mind.

    I wouldn’t mind if the landlord shut off the power, like has been suggested before. I wouldn’t mind if someone came by and started locking doors for people.

    I’m glad to hear about the Securing our eCity project. We could use it.

  • Bob Ellsmore

    I agree that, theoretically, the law was broken. However, the adverse reaction seems more than a trifle hysterical. Yes, they are not philanthropists but journalists out for a story. As journalists they knew that no simulated botnet or explanation would have a fraction of the impact that actually doing it would have.

    And it has the side-effect that at least 22,000 fewer PCs will be spewing out spam.

    • Randy Abrams

      It is not a safe assumption that there are 22,000 fewer machines spewing out spam. The machines could have multiple bots on them and the owners have not been taught how to prevent re-infection.

  • David Harley

    I guess we’ll never know, technically, whether the law was broken, unless the case actually goes to court, but theoretically? Either it was broken or it wasn’t. Are you really saying that it doesn’t actually matter whether a public broadcasting body broke the law and the guidelines that are supposed to govern its dealings with criminals?

    “The end justifies the means”, huh? Even if we accept that decidedly ropey moral position, for the sake of argument, I think you’re wrong. The BBC -did- use a simulation. The fact that they used a real botnet to do it, putting them in legal jeopardy, may make the issue more sensational, but why is that more effective than demonstrating it by legal means?

    I’m afraid that the “side-effect” is probably far less positive than you’re assuming. Even if none of those systems was damaged (a pretty big assumption) by the BBC’s actions, and even if we accept that fiddling with wallpaper is a better means of communication than email, for example, what grounds do you have for assuming that any permanent change will have been effected in the behaviour of either the zombies or their owners?

  • Rashida Kinzle

    Hey cheers for this cool entry. It is super refreshing.

Copyright © 2016 ESET, All Rights Reserved.