And still the controversy rages: several people have pointed out that it’s unlikely that the PCs in the BBC’s botnet are all in the UK, suggesting that there could be additional legal issues relating to other jurisdictions. The H reiterated the point that Ofcom regulations state that payment shouldn’t be made to "convicted or confessed criminals… for a programme contribution by the criminal … relating to his/her crime/s." It appears that there is only a possible exception where it is in the public interest.
So it’s not only law enforcement who have to be convinced that the purity of the BBC’s intent nullifies any question about the legality of their actions.
Some are proclaiming the value of its "investigation", but the BBC are not law enforcement, and don’t have any automatic rights to special treatment before the law. They didn’t really investigate anything in a forensic sense: law enforcement agencies and the security industry have, for many years, known more than the programme "revealed". What they did was demonstrate known phenomena for the benefit of their viewers.
Here are a few more interesting links:
Of course, it’s perfectly reasonable to -inform- the public about these issues in the public interest: that’s not the same as trying out criminal techniques. Sometimes journalists will, technically, break the law in order to demonstrate that it’s possible or even easy to do so, and sometimes that public interest argument can be made quite convincingly. The question here is whether the public interest was served any better by the BBC’s sailing close to the legal wind than it would have been by an entirely legal simulation.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
Author David Harley, We Live Security