Destroying the Botnet?
I stumbled across an interesting story about the intersection of law, ethics and technology. Workers at an internet security company called TippingPoint discovered a way to gain control of a network of computers remotely – and secretly – controlled by spammers (a so-called “botnet”). The botnet is made up of 400,000 computers and used to send out huge volumes of spam.
The researchers are now capable of sending out a signal to the infected computers to remove the virus. However, like the original infection, the removal would have to be done without the consent of the computer owner.
Killing the network would reduce spam and improve the performance of the infected computers. But the dilemma is that TippingPoint has no more right to interfere with the computers than the original spammers did – unauthorized interference is prohibited by the Computer Fraud and Abuse Act. They are naturally concerned about liability should the deletion cause any problems.
A quick look at comments across the blogosphere, however, suggests that most people out there would support the company in running the deletion.
Wouldn’t TippingPoint’s acts fall under the “Good Samaritan” exception and protect them from being sued? I guess they can’t be sure this rule applies everywhere? I have to admit that, as they mention, there could be an issue where the “target system is responsible for someone’s life support”…
If they have “identified” the infected PC, why not contact the owners and bring them to a website where they would agree or refuse any intervention? Perhaps, more realistically, why not advertise their solution online and let people use it? …while making a buck!!
I can’t help but think this smells like marketing…
I’m not sure about any “Good Samaritan” exception that might protect them.
I suppose there are ways they could get consent to do the removal, but the easiest ways – a pop-up or web page redirection – would also involve first manipulating the user’s computer without consent.