The BBC has been come in for sharp criticism over the decision by its Click computing show to hire a live botnet to demonstrate the ease with which spam can bombard email users.
The botnet in question had a relatively small 22,000 ‘zombie' PCs in its control, but the experiment undertaken by the programme makers and software security company Prevx was able to use these systems to send out 500 test messages to two BBC email accounts, one Gmail and one Hotmail.
Within minutes, the test spam messages started to arrive in the nominated accounts, each one of which would have reached them via the real user PCs under the botnet's control.
The BBC is believed to have paid for the privilege of using a real botnet, which it also used to show the ability of such networks to launch denial of service attacks by bringing down a specified PrevX site using only 60 machines from the bot.
"Cyber criminals are getting into contact with websites and threatening them with DDoS attacks," explained Prevx's Jacques Erasmus to the BBC presenter, Spencer Kelly. "The loss of trade is very substantial so a lot of these websites just pay-up to avoid it.
If the BBC's purpose was educational - security experts regularly bemoan the fact that the vast majority of computers have no idea of the mechanisms behind computer crime - the legality of its actions have now been questioned.
"The law says you can't mess around with other people's computers without authorisation. The BBC and PrevX did not have the permission of the computer users to send those spam messages," said Graham Cluley of Sophos, in a hardline blog on the topic .
"Sending spam from someone else's computer obviously gobbles up bandwidth and will use up system resources. Even if the BBC felt the impact would be minimal - it doesn't make it right."
"This is clearly an unauthorised modification of computer data, and is - to my mind - a breach of the Computer Misuse Act," said Cluley.
An unnamed legal source consulted by Techworld suggested that for the BBC's actions to have been illegal under the act, intent would be taken into account. It would depend on whether complaints were made, and whether those complainants were based in the UK. Working out where the portion of the 22,000 botnetted PCs used in the test were actually located, would be virtually impossible, making it hard to show that a crime had been committed.