Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

3/19/2009
01:20 PM
Sara Peters
Sara Peters
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

BBC Responds To Legality Issues Of Recent Tech Show

Yesterday Nick Reynolds of the BBC directed me, as well as many other writers, to the BBC's official response to allegations that its technology show, Click, violated the U.K.'s Computer Misuse Act when it purchased and used a botnet as part of an investigative report into cybercrime.

Yesterday Nick Reynolds of the BBC directed me, as well as many other writers, to the BBC's official response to allegations that its technology show, Click, violated the U.K.'s Computer Misuse Act when it purchased and used a botnet as part of an investigative report into cybercrime.I blogged about this on Wednesday, and have excerpted most of it here:

    A lot of the debate has been about whether we did the right thing digging into the murky world of hackers and organised cybercrime. In seeking to demonstrate the threat, had we put ourselves in the position of those we wanted to expose?

    That's always a good question. After all, we could have simply described what we believe happens and given some warning advice, couldn't we? We've done this in the past. So have many others...

    But hacking has gone professional. Today, your PC can be doing bad things to other people without you even knowing. It's a major growth area for organised crime: it's global, and very local to all of us who work, communicate and play on the world wide web.

    So we felt that there was the strongest public interest in not just describing what malware can do, but actually showing it in action. A real demonstration of the power of today's botnets - to infect, disrupt and damage our digital lives - is the most powerful way to alert our audiences to the dangers that they face. It's a wake-up call to switch on that firewall and improve our security on the internet.

    We think that what we did was a first for broadcast journalism. We were amazed by the ease of use of the botnet, and the power of its disruptive capacity.

    No-one watching our programme could learn how to build a botnet or where to go to to buy one. But what is very clear is the level of threat - especially to home users who don't have the benefit of corporate-level security. (Our guide to PC protection is here.) As the hackers continue their silent running, we thought it was our job to expose the mechanics of their hidden economy. Please watch the full show and see what you think.

The full show (which I've not yet watched) can be viewed here, and will be available to watch for another few days.

The BBC has said it consulted legal experts before conducting the investigation and was advised that its actions would be legal provided it had no malicious intent. However, other legal experts have come out publicly saying quite the opposite. For example, Struan Robertson, quoted in a good story by John Leyden of The Register:

    Struan Robertson, editor of out-law.com and legal director at solicitors Pinsent Masons, reckons the "powerful public interest" argument is irrelevant in considering whether the BBC acted in violation of UK computer misuse law. He told El Reg that BBC Click would do better to apologise than hide behind such shaky defences.

      The public interest argument is no defence to the Computer Misuse Act. It could influence a decision by the police and the Crown on whether to take any action over the BBC's behaviour; but it could also backfire. An apology is more likely to make the problem go away, in my view, than an argument that breaking the law was the right thing to do.

      Breaking the law in the public interest is an argument that vigilantes will use. It rarely wins support from law enforcement.

A story in The Tech Herald noted that, in addition to the owners of the bot computers, ISPs and other service providers might have a case to bear against the BBC. From the story (by Steve Ragan):

    However, another claim could be raised. The BBC agreed to receive the Spam, but did Google? What about Microsoft? "...they too might be in a position to bring an action for illegal activity," [Anne P. Mitchell, Esq., the CEO and President of the Institute for Social Internet Public Policy] explained, "...it doesn't matter that the BBC agreed to receive the Spam - it still could have negatively impacted Google and it almost certainly violated their TOS - unless they also had the prior consent of Google."

    Yet, are the legal issues serious or just passive?

    "The legal issues are real, and are potentially serious. The BBC could face criminal prosecution under both state and Federal laws, as well as private lawsuits from their ISP (Google) and even any of the upstream providers that had to deal with the botnet traffic; and in theory, from the individual PC owners," she said.

Ragan goes on to compare this case against that of Daniel Cuthbert. (Described in detail on pages 3 and 4 (PDF.)

    In essence, he was acting in a manner according to his profession. Exactly the same way the BBC was.

However, it seems that this case will be handled quite differently than Cuthbert's. After Cuthbert's case in 2005, Detective Inspector Chris Simpson of the London Metropolitan Police Service's Computer Crime Unit made this statement in a press release by the Met:

    "It is my firm belief that the conviction of Daniel Cuthbert will send out a powerful message to those who think hacking is some form of sport, where there is no victim, or indeed crime."

Conversely, The Register reports:

    Some Reg readers have reported their concerns about the programme to the Met's Computer Crime Unit, which has said it's not prepared to do anything until a victim makes a complaint. [Emphasis added.] Given that BBC Click carefully chose machines outside the UK and US, this is unlikely to happen.

I haven't yet been able to confirm that the Metropolitan Computer Crime Unit did, in fact, make such a statement (not that I'm intimating that The Register is making that up, because I'm not).

I plan on going into a bit more detail on my opinions in a follow-up post, but here is my main point:

The fundamental trouble is not the BBC's actions. Nor is it the Computer Misuse Act. The fundamental trouble stems from the way the law -- and all cybercrime law -- is enforced.

Sara Peters is senior editor at Computer Security Institute. Special to Dark Reading. Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17475
PUBLISHED: 2020-08-14
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
CVE-2020-0255
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-10751. Reason: This candidate is a duplicate of CVE-2020-10751. Notes: All CVE users should reference CVE-2020-10751 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-14353
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-17464
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-17473
PUBLISHED: 2020-08-14
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.