The Guardian, among others, reports today that the BBC programme makers might have been breaching the Computer Misuse Act 1990 when they bought themselves a botnet on the internet as part of a programme showing how easy it is for criminals to use those botnets for sending spam or carrying out distributed denial of service attacks.
Well, duh! Of course it is. As Struan Robertson, editor of out-law.com and legal director at solicitors Pinsent Masons, explains, never mind the newly revised section 3 offence of "unauthorised access with intent to impair" (which is apparently what security firm Sophos wants to charge the BBC with): using computers that form part of a botnet to send e-mails or website access requests without the owners' knowledge or consent is likely to fulfil the criteria of a plain-vanilla section 1 offence of unauthorised access. Section 1 requires no mens rea in excess of the knowledge that the access is unauthorised, knowledge which - presumably - the BBC hacks will have had.
But wait a minute, the BBC did it to do good, not bad. Apparently,
"...following its demonstration, it warned users that their PCs had been compromised, and it had closed down the botnet.
If the users pay attention and secure their PCs, they should be better off than if the BBC had not become involved."
That's alright then, case closed, all is well. Robertson again:
"The maximum penalty for this offence is two years' imprisonment. But it is very unlikely that any prosecution will follow because the BBC's actions probably caused no harm. On the contrary, it probably did prompt many people to improve their security."
Hmm, that's all well and good, and Matron is the last person to deny that there should maybe be room in the world for a bit of "benevolent" or "ethical" hacking. However, historically, the courts have taken a dim view of such arguments, most notably in the US, where Robert Lyttle, a member of hacker group The Deceptive Duo, was jailed for four months in 2005 after he was convicted of hacking a number of US government websites, allegedly with the intention of highlighting security failures. OK, the fact that his partner-in-crime, Benjamin Stark, was also convicted of online credit card fraud makes pleas that they acted in the interest of online security, patriotism and world peace sound a wee bit hollow.
But the fact remains that hackers the world over have been on notice for years, most notably since the adoption of the Cybercrime Convention, that the intention with which they gain unauthorised access to someone else's computer is neither here nor there. Which means, presumably, that the integrity of the computer system itself is seen as the protected good here and not a woolly notion of some abstract good or evil that will be achieved by hacking the system (a point, incidentally, which was made beautifully in a completely different context by the German Constitutional Court last year, when it created the new basic right of "security and confidentiality of information technology systems").
So, should we really have one law for the BBC and one for the rest of us? Matron wonders...