The British public service broadcaster, which will air the BBC Click programme on Saturday, could have been in breach of the UK’s Computer Misuse Act 1990 when it bought the botnet – effectively a network of PC’s infected with malware which can be used to spread spam of other forms of malicious software, such as adware or spyware.
Under the act, it is a criminal offence to gain access another person’s computer, or to alter data or functions on that computer, without the owner’s permission. The maximum penalty for the offence stands at two years imprisonment although it is believed that the BBC is unlikely to be prosecuted as there was no criminal intent in the exercise.
The investigation looked at how botnets are used to distribute spam emails, with two test email accounts set-up for the purpose of the test receiving thousands of spam emails within the space of a few hours.
The investigation also allowed the BBC to launch a denial of service attack on a test web server.
After the demo attacks were complete, the BBC left messages on the infected computers used in the botnet telling them they were infected and offering information on how to secure their systems, and then disabled the botnet.