Appeals Court says Denial of Service is a crime

A judge made a mistake when he suggested that a teenager using a 'mail-bombing' program to attack his former employer's computer system was not breaching the Computer Misuse Act, according to the Court of Appeal.

David Lennon, who could not be named when he was cleared last November because he was then under 18, must now decide whether to plead guilty or stand trial in the magistrates' court. If convicted, he faces a maximum possible sentence of five years in prison and a fine.

After being dismissed from Domestic & General Group, in early 2004, Lennon allegedly used a program called Avalanche that, once activated, automatically sent continuous emails to the insurer's server until the program was manually stopped. The server received over 500,000 emails, the vast majority of which purported to come from a human resources manager within the company.

Lennon was charged under section 3 of the Computer Misuse Act 1990. This describes an offence of doing anything with criminal intent "which causes an unauthorised modification of the contents of any computer". The Act goes on to explain that such a modification is unauthorised if the person whose act causes it is neither entitled to determine whether the modification should be made nor has consent to the modification from any person who is so entitled.

In November, Lennon successfully argued in a Magistrates' Court that the purpose of the company's server was to receive emails, therefore the company had consented to the receipt of emails and their consequent modifications in data. District Judge Kenneth Grant concluded that sending emails is an authorised act. That there were lots of them was irrelevant. He ruled that Lennon had no case to answer, so no trial took place.

But in an appeal from the Director of Public Prosecutions, Lord Justice Keene and Justice Jack disagreed with Judge Grant's reasoning. Yes, the owner of a computer system would ordinarily consent to the sending of emails to his computer; but such implied consent is not without limits, he said. And the consent did not cover emails that had been sent not for the purpose of communication with the owner, but to interrupt his computer system.

It was successfully argued in the Court of Appeal that the acts described in the charge amounted to an unauthorised modification to the computer by the adding of unauthorised data. Lennon had the requisite knowledge to commit the offence, it was argued, because he knew the emails were unauthorised.

The Court of Appeal pointed out that a householder would consent to people with a lawful purpose using the path to his front door – but would not consent to a burglar walking up his path. Nor would he consent to his post box being filled with rubbish.

The court also said the emails should not be considered on an email-by-email basis but as a whole. The emails resulted from the single action of running a program. If asked whether it would receive a single email from Lennon, the company's response would differ from its response if asked if it would receive 500,000 emails from Lennon.

The ruling will give the Crown Prosecution Service confidence that it can prosecute other denial of service attacks under the existing legislation.

Senior Crown Prosecutor Russell Tyner said: "Taking this case to the court of appeal we have sought to clarify a point of law, to update the interpretation of that law to cope with contemporary high-tech crime."

He continued: "As technology develops at an ever-increasing pace the law may sometimes need to be interpreted in new ways. UK law has frequently shown that it is flexible enough to meet the demands of changing times."

After the November decision, calls for the Act to be updated were renewed. An update was attempted in 2002 and on two subsequent occasions, each time as a Private Members' Bill.

This type of Bill rarely succeeds, but in the wake of the November decision, another Private Members' Bill, from Tom Harris, Labour MP for Glasgow South, won Government support. His provisions to amend the 1990 legislation are included in the new Police and Justice Bill, which could become an Act by autumn 2006. Not only does it clarify the position on Denial of Service attacks, it also increases the maximum possible sentences for computer crimes.