To demonstrate the threats from botnets, the BBC purchased a network of 22,000 infected computers and, having taken legal advice, used it to spam its own email accounts and run a denial-of-service test. The broadcaster then left messages on the hijacked computers saying that they were infected.
The BBC's Click technology programme said it acquired the 'low-value' botnet after visiting Internet chat rooms and used the network to spam a Gmail and Hotmail account it created for the spam test. It demonstrated the test in a video that accompanies a BBC article about the exposé on Thursday.
The email accounts received thousands of spam messages within hours, the video says.
The botnet was also used in a distributed denial-of-service attack on a test site owned by security company Prevx. After the demo attacks were complete, the BBC left messages on the infected computers in the botnet saying they were infected and offering information on how to secure them, and then disabled the botnet, the company says.
No personal information was accessed on the infected PCs, the BBC said. "If this exercise had been done with criminal intent it would be breaking the law," the article said.
A European law firm, however, says the BBC may in fact have broken the law despite its good intentions.
The BBC violated the Computer Misuse Act by acquiring and using the software to control the botnet, according to Struan Robertson, a technology lawyer with Pinsent Masons and editor of the firm's Out-Law.com site.
"It does not matter that the emails were sent to the BBC's own accounts and criminal intent is not necessary to establish an offence of unauthorised access to a computer," Robertson said.
"The Act requires that a computer has been made to perform a function with intent to secure access to any program or data on the computer. Using the botnet to send an email is likely to satisfy that requirement," he wrote. "It also requires that the access is unauthorised -- which the BBC appears to acknowledge."
Robertson said it is unlikely the BBC will be prosecuted because its action probably caused no harm.
Robertson notes the BBC said on Twitter that it had consulted with lawyers before it acquired the botnet and took action.