Supplementary memorandum by the Home Office
Q 843 (legality of botnet use) Q 848 (frequency
of illegal botnet use)
The following questions were asked by the Committee
at the hearing on 28 March. As the questions range across both
843 and 848, they have been combined.
1. If a botnet is installed illegally on
UK machines, probably from abroad, for nefarious purposes, is
this an offence?
2. Following on from that, what if the perpetrator
can't be identified / found?
3. This botnet is hired out to people in
the UK. If they use it for illegal purposesdenial of service,
hacking or whateverare they are in turn committing a CMA
offence?
4. If they are using the botnet for something
annoying but not necessarily illegal, such as spamming, what action
could be taken against them?
5. Is the person who hires the machine participating
in the original offence of installing itie aiding and abetting
the original offence by providing a lucrative market for it? Or
is there any other incitement offence or other part of CMA that
might apply?
6. What is the legal position of someone
who pays to have a botnet attack in order to test security?
7. What is the position of people who unwittingly
have botnets on their computers?
The answers to these questions are based on
legal advice.
1. This is an offence contrary to section
1 of the Computer Misuse Actunauthorised access. A section
3 offence has also been committed because a botnet causes an unauthorised
modification to the contents of the computer. A section 2 offence
may also have been committed depending on the "nefarious
purposes" it is used for.
2. If a perpetrator cannot be identified
/ found then no offence exists.
3. If it is used for illegal purposes, this
may fall under the CMA offences, and also under a conspiracy offence,
incitement, or aiding and abetting, depending on what has occurred.
Depending on what the illegal purposes are, it might be possible
to charge substantial offences such as copyright offences or offences
under the Fraud Act. It is an offence under section 7 of the Fraud
Act 2006 to supply an article (which includes any program or data
held in electronic form) for use in frauds.
4. It depends on what they are doing, but
charges might be possible under section 127 Communications Act
2003. Depending upon the nature of the spam, harassment charges
could be considered under:
the Protection from Harassment Act
1997, under which a Restraining Order could be given;
Section 1 Malicious Communication
Act 1998 which created an offence of sending letters which convey
indecent or grossly offensive letter or electronic communication
or article. Maximum penalty six months imprisonment;
Section 16 Offences Against the Person
Act 1861 (threats to kill), and possibly sections 39 and 47 or
20. For section 47 and 20 offences you need bodily harm or medical
evidence of psychological injury;
Section 2 Criminal damage Act 1971
(threats to commit criminal damage);
Section 4 Public Order Act 1986 offencesIf
the messagese-mails, phone calls etc cause the victim to
fear that violence will be used against them then the police can
choose to charge the offender with an offence contrary section
4 which is punishable with up to five years imprisonment and also
allows the court to make a Restraining Order;
Section 4A Public Order Act 1986
no offence if both parties are in dwelling. If the offensive or
threatening letter, electronic communication or other article
is racialist in nature or motivated by religious hostility then
charges could be brought contrary to 32(1)(a) or 32 (1)(b) of
the Crime and Disorder Act 1998, In serious cases offenders could
face up to seven years imprisonment;
Regulation 22 of the Privacy and
Electronic Communications (EC Directive) Regulations 2003 which
say a person must not transmit, or instigate the transmission
of, unsolicited e-mails where the recipient has not consented
or has opted-out under regulation 22(3)). These Regulations can
be enforced by the Information Commissioner using his powers under
the Data Protection Act 1998 as extended by these Regulations
(see regulation 31) or by way of third party proceedings (see
regulation 30 and the answer from the Department of Trade and
Industry to Q.879).
5. This is possible, but if the action could
be proved, and depending what the hacker has done, the offence
might be prosecuted under a conspiracy charge under Section 1
of the Criminal Law Act 1977, or an incitement charge under common
law.
6. So long as a person has used their own
network to form the botnet and the attack is against their own
property or they have the owner's permission to carry it out against
their property then it is not an offence. The problem occurs when
the botnet is formed not of an individual's own network but rather
infected machines belonging to others. In such a case the person
paying for the botnet attack, if aware that it is not the owners
network, could be charged with (depending on the facts) offences
of incitement, conspiracy or even aiding/abetting a CMA offence.
7. There is no criminal liability, as people
in this position are perceived as victims.
|