Select Committee on Science and Technology Minutes of Evidence

Supplementary memorandum by the Home Office

Q 843  (legality of botnet use) Q 848 (frequency of illegal botnet use)

  The following questions were asked by the Committee at the hearing on 28 March. As the questions range across both 843 and 848, they have been combined.

    1.  If a botnet is installed illegally on UK machines, probably from abroad, for nefarious purposes, is this an offence?

    2.  Following on from that, what if the perpetrator can't be identified / found?

    3.  This botnet is hired out to people in the UK. If they use it for illegal purposes—denial of service, hacking or whatever—are they are in turn committing a CMA offence?

    4.  If they are using the botnet for something annoying but not necessarily illegal, such as spamming, what action could be taken against them?

    5.  Is the person who hires the machine participating in the original offence of installing it—ie aiding and abetting the original offence by providing a lucrative market for it? Or is there any other incitement offence or other part of CMA that might apply?

    6.  What is the legal position of someone who pays to have a botnet attack in order to test security?

    7.  What is the position of people who unwittingly have botnets on their computers?

  The answers to these questions are based on legal advice.

    1.  This is an offence contrary to section 1 of the Computer Misuse Act—unauthorised access. A section 3 offence has also been committed because a botnet causes an unauthorised modification to the contents of the computer. A section 2 offence may also have been committed depending on the "nefarious purposes" it is used for.

    2.  If a perpetrator cannot be identified / found then no offence exists.

    3.  If it is used for illegal purposes, this may fall under the CMA offences, and also under a conspiracy offence, incitement, or aiding and abetting, depending on what has occurred. Depending on what the illegal purposes are, it might be possible to charge substantial offences such as copyright offences or offences under the Fraud Act. It is an offence under section 7 of the Fraud Act 2006 to supply an article (which includes any program or data held in electronic form) for use in frauds.

    4.  It depends on what they are doing, but charges might be possible under section 127 Communications Act 2003. Depending upon the nature of the spam, harassment charges could be considered under:

    —  the Protection from Harassment Act 1997, under which a Restraining Order could be given;

    —  Section 1 Malicious Communication Act 1998 which created an offence of sending letters which convey indecent or grossly offensive letter or electronic communication or article. Maximum penalty six months imprisonment;

    —  Section 16 Offences Against the Person Act 1861 (threats to kill), and possibly sections 39 and 47 or 20. For section 47 and 20 offences you need bodily harm or medical evidence of psychological injury;

    —  Section 2 Criminal damage Act 1971 (threats to commit criminal damage);

    —  Section 4 Public Order Act 1986 offences—If the messages—e-mails, phone calls etc cause the victim to fear that violence will be used against them then the police can choose to charge the offender with an offence contrary section 4 which is punishable with up to five years imprisonment and also allows the court to make a Restraining Order;

    —  Section 4A Public Order Act 1986 no offence if both parties are in dwelling. If the offensive or threatening letter, electronic communication or other article is racialist in nature or motivated by religious hostility then charges could be brought contrary to 32(1)(a) or 32 (1)(b) of the Crime and Disorder Act 1998, In serious cases offenders could face up to seven years imprisonment;

    —  Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 which say a person must not transmit, or instigate the transmission of, unsolicited e-mails where the recipient has not consented or has opted-out under regulation 22(3)). These Regulations can be enforced by the Information Commissioner using his powers under the Data Protection Act 1998 as extended by these Regulations (see regulation 31) or by way of third party proceedings (see regulation 30 and the answer from the Department of Trade and Industry to Q.879).

    5.  This is possible, but if the action could be proved, and depending what the hacker has done, the offence might be prosecuted under a conspiracy charge under Section 1 of the Criminal Law Act 1977, or an incitement charge under common law.

    6.  So long as a person has used their own network to form the botnet and the attack is against their own property or they have the owner's permission to carry it out against their property then it is not an offence. The problem occurs when the botnet is formed not of an individual's own network but rather infected machines belonging to others. In such a case the person paying for the botnet attack, if aware that it is not the owners network, could be charged with (depending on the facts) offences of incitement, conspiracy or even aiding/abetting a CMA offence.

    7.  There is no criminal liability, as people in this position are perceived as victims.

previous page contents

House of Lords home page Parliament home page House of Commons home page search page enquiries index

© Parliamentary copyright 2007