Out-Law Guide | 02 Nov 2007 | 8:31 am | 3 min. read
Director of Public Prosecutions v Lennon
In this case the Defendant was alleged to have used Avalanche "mail bombing" software to flood the mail server of his former employer, Domestic and General, with 500,000 unsolicited e-mails. Many of the e-mails were disguised so that they purported to have come from Domestic and General's Human Resources manager. Mail bombing is the act of sending an large number of duplicate unsolicited e-mails. It is a form of denial of service ("DOS") attack in which the volume of e-mail sent saturates the target's e-mail processing and server storage capability. Depending upon the extent, nature and target of the attack, the effect of a mail bomb can be significant, ranging from a degradation in mail server performance to total failure of IT service. It is regarded as an unsophisticated form of DOS attack, the dangers of which have been significantly reduced by the proliferation of e-mail filtering software and other security measures.
The Defendant was charged with causing an unauthorised modification to Domestic and General’s computer with intent to impair its operation, contrary to s.3 of the Computer Misuse Act 1990. Section 3(1) of that Act 1990 provides: ‘A person is guilty of an offence if (a) he does any act which causes an unauthorised modification of the contents of any computer;’
The definition of "unauthorised modification" is set out at Section 17 of the Act which states that:
‘(7) A modification of the contents of any computer takes place if, by the operation of any function of the computer concerned or any other computer … (b) any program or data is added to its contents … (8) Such a modification is unauthorised if … (b) [the person whose act causes it] does not have consent to the modification from any person who is so entitled."
The prosecution argued that the Defendant had caused an unauthorised modification by adding data to Domestic and General's mail server. The Defendant admitted using the Avalanche software to launch the attack, and the defence did not dispute that the receipt of e-mails constituted a modification of Domestic and General's server. However, the defence made a submission of 'no case to answer' on the grounds that the modification complained of, namely the sending of e-mails, could not be shown to have been unauthorised. The basis of the Defendant's argument was that since the very function of the mail server was to receive and process e-mails, Domestic and General was to be taken as having consented to the receipt of e-mails and the consequent modification of the server There was no level above which the volume of e-mails sent and received could be said to be unauthorised.
District Judge Kenneth Grant, sitting in Wimbledon Magistrates Court, considered that s 3 of the Act was intended to deal with the sending of malicious material rather than the sending of bulk e-mails. Since Domestic and General's mail server was configured to receive e-mails, each modification upon the receipt of an e-mail must have been authorised. The judge therefore found that no reasonable tribunal could conclude that the modifications were unauthorised and the case was therefore dismissed.
On an appeal by the DPP, the Divisional Court (LJ Keene and Jack J) held that the District Judge had incorrectly concluded that the Defendant had no case to answer.
The owner of a mail server would ordinarily be taken to have consented to the receipt of e-mails. However, it was observed that such implied consent was subject to limitation and could not extend to e-mails that had been sent for the purpose of interrupting the system rather than for the purpose of genuine communication with the recipient. The Court also stated that e-mails should not be considered on an individual basis but rather as a whole. The Court made an analogy with the implied permission to deliver mail through a letterbox, such implied permission could not be taken to extend to allowing the letterbox to be "choked with rubbish".
The Divisional Court therefore ordered that the case be sent back to the Magistrates Court for trial. The Defendant pleaded guilty when the case was reheard in Wimbledon Youth Court and was sentenced to two months' curfew monitored by an electronic tag.
The initial decision in the Magistrates Court aroused considerable comment and consternation and led to renewed calls for the Computer Misuse Act to be updated in order to deal with changes in technology and use thereof. The Police and Justice Act 2006 amended Section 3 of the Computer Misuse Act to provide that DOS attacks do in fact constitute a criminal offence, punishable by a maximum 10 years' imprisonment (increased from a maximum of 5 years under the Computer Misuse Act). This amendment brought the UK into compliance with Article 5 of the Council of Europe Cybercrime Convention and the EU Framework Decision on Attacks Against Information Systems which deal with offences of system interference.
The Police and Justice Act also introduced a corollary offence of making, supplying or obtaining articles for use in computer misuse offences In addition to its application to authors and distributors of DOS software, this provision has the potential to bring a wide range of hitherto "grey areas" of activity within the reach of law enforcement.