David Lennon, who could not be named when he was cleared last
November because he was then under 18, must now decide whether to
plead guilty or stand trial in the magistrates' court. If
convicted, he faces a maximum possible sentence of five years in
prison and a fine.
After being dismissed from Domestic & General Group, in
early 2004, Lennon allegedly used a program called Avalanche that,
once activated, automatically sent continuous emails to the
insurer's server until the program was manually stopped. The server
received over 500,000 emails, the vast majority of which purported
to come from a human resources manager within the company.
Lennon was charged under section 3 of the Computer Misuse
Act 1990. This describes an offence of doing anything with criminal
intent "which causes an unauthorised modification of the contents
of any computer". The Act goes on to explain that such a
modification is unauthorised if the person whose act causes it is
neither entitled to determine whether the modification should be
made nor has consent to the modification from any person who is so
entitled.
In November, Lennon successfully argued in a Magistrates'
Court that the purpose of the company's server was to receive
emails, therefore the company had consented to the receipt of
emails and their consequent modifications in data. District Judge
Kenneth Grant concluded that sending emails is an authorised act.
That there were lots of them was irrelevant. He ruled that Lennon
had no case to answer, so no trial took place.
But in an appeal from the Director of Public Prosecutions, Lord
Justice Keene and Justice Jack disagreed with Judge Grant's
reasoning. Yes, the owner of a computer system would ordinarily
consent to the sending of emails to his computer; but such implied
consent is not without limits, he said. And the consent did not
cover emails that had been sent not for the purpose of
communication with the owner, but to interrupt his computer
system.
It was successfully argued in the to the Queen's Bench Division
of the High Court* that the acts described in the charge amounted
to an unauthorised modification to the computer by the adding of
unauthorised data. He had the requisite knowledge to commit the
offence, because he knew the emails were unauthorised, it was
argued.
The appeals court pointed out that a householder would consent
to people with a lawful purpose using the path to his front door –
but would not consent to a burglar walking up his path. Nor would
he consent to his post box being filled with rubbish.
The court also said the emails should not be considered on an
email-by-email basis but as a whole. The emails resulted from the
single action of running a program. If asked whether it would
receive a single email from Lennon, the company's response would
differ from its response if asked if it would receive 500,000
emails from Lennon.
The ruling will give the Crown Prosecution Service confidence
that it can prosecute other denial of service attacks under the
existing legislation.
Senior Crown Prosecutor Russell Tyner said: "Taking this case to
the court of appeal we have sought to clarify a point of law, to
update the interpretation of that law to cope with contemporary
high-tech crime."
He continued: "As technology develops at an ever increasing pace
the law may sometime need to be interpreted in new ways. UK law has
frequently shown that it is flexible enough to meet the demands of
changing times."
After the November decision, calls for the Act to be updated
were renewed. An update was attempted in 2002 and on two subsequent
occasions, each time as a Private Members' Bill.
This type of Bill rarely succeeds, but in the wake of the
November decision, another Private Members' Bill, from Tom Harris,
Labour MP for Glasgow South, won Government support. His provisions
to amend the 1990 legislation are included in the new Police and
Justice Bill which could become an Act by autumn 2006. Not only
does it clarify the position on Denial of Service attacks, it also
increases the maximum possible sentences for computer crimes.
* This article originally stated that the appeal went to the
Court of Appeal. In fact, it was taken to the Queen's Bench
Division of the High Court. OUT-LAW apologises for this
inaccuracy.
