Denial of Service attacker sentenced to curfew

OUT-LAW News, 24/08/2006

A teenager who launched a Denial of Service attack on his former employer was sentenced to two months' curfew with an electronic tag yesterday following a landmark ruling.

David Lennon, 19, pleaded guilty to breaching the UK's Computer Misuse Act after using a 'mail bombing' program to attack Domestic & General Group's computer system. The software, called Avalanche, sent more than 500,000 emails to the insurer's server. The server collapsed.

Lennon was charged under section three of the Computer Misuse Act 1990. This describes an offence of doing anything with criminal intent "which causes an unauthorised modification of the contents of any computer". The Act goes on to explain that such a modification is unauthorised if the person whose act causes it is neither entitled to determine whether the modification should be made nor has consent to the modification from any person who is so entitled.

Last November, Lennon successfully argued in a Magistrates' Court that the purpose of the company's server was to receive emails, therefore the company had consented to the receipt of emails and their consequent modifications in data. District Judge Kenneth Grant concluded that sending emails is an authorised act. That there were lots of them was irrelevant. He ruled that Lennon had no case to answer, so no trial took place.

But in an appeal from the Director of Public Prosecutions, Lord Justice Keene and Justice Jack disagreed with Judge Grant's reasoning. Yes, the owner of a computer system would ordinarily consent to the sending of emails to his computer; but such implied consent is not without limits, they said. And the consent did not cover emails that had been sent not for the purpose of communication with the owner, but to interrupt his computer system.

It was successfully argued to the Queen's Bench Division of the High Court that the acts described in the charge amounted to an unauthorised modification to the computer by the adding of unauthorised data. Lennon had the requisite knowledge to commit the offence, because he knew the emails were unauthorised, it was argued.

Senior Crown Prosecutor Russell Tyner said today: “The police and CPS are determined to ensure that those who use the internet for crime are not beyond the reach of the law, and to make the internet a safe place for both businesses and domestic users. Mr Lennon's guilty plea indicates that this activity is criminal and you will be put in front of court to face the consequences.”

The Computer Misuse Act is scheduled for an update that will clarify the illegality of Denial of Service attacks. Provisions to amend it are contained in the Police and Justice Bill which is expected to become law later this year. The Bill will next come before Parliament for its Report Stage in October when Parliament is sitting again.

See: The judgment

See also:

• Appeals court says Denial of Service is a crime, OUT-LAW News, 12/05/2006
• Broad support for cybercrime update, OUT-LAW News, 08/03/2006
• Denial of Service to be criminalised by autumn 2006, OUT-LAW News, 26/01/2006
• US 'botmaster' pleads guilty, OUT-LAW News, 25/01/2006
• Call for reform of Denial of Service law, OUT-LAW News, 18/11/2005
• Denial of Service prosecution fails, OUT-LAW News, 03/11/2005
• 'Regrettable' conviction under Computer Misuse Act, OUT-LAW News, 07/10/2005
• Another pitch to Parliament for Denial of Service law, OUT-LAW News, 14/07/2005
• Parliament hears 10 minutes on Denial of Service law, OUT-LAW News, 07/04/2005
• Denial of Service prosecution in the UK, OUT-LAW News, 17/01/2005
• Computer Misuse Act needs reforming, concludes APIG, OUT-LAW News, 30/06/2004

Feedback | Printer-friendly page | Latest news | | All news feeds | Ask a lawyer