Denial of Service prosecution fails

Out-Law News | 03 Nov 2005 | 2:11 pm

A London court cleared a British teenager of charges under the Computer Misuse Act yesterday, reasoning that the law could not apply to an alleged denial of service attack in which five million emails were sent to a former employer, according to ZDNet UK.

The teenager, who cannot be named for legal reasons, was not called to give evidence in the case, after District Judge Kenneth Grant agreed with defence lawyers that even if the emails had been sent – something that was not confirmed in court – no offence had been committed.

The ruling is likely to increase demands for the Computer Misuse Act to be updated because it supports a view that the Act, passed in 1990, fails to criminalise denial of service (DoS) attacks.

DoS attacks occur when web servers are flooded with requests for information, overwhelming the system. Although such attacks do not normally compromise information security, they cost time and money.

The question for District Judge Grant was whether the teenager’s alleged attack was prohibited by the Act.

In general terms, the Act targets three offences: unauthorised access to computer material; unauthorised modification of such material; and unauthorised access with intent to commit or facilitate commission of further offences.

In the past, some have argued that the Act cannot cover DoS attacks because such attacks do not involve the accessing or modification of material – they simply involve a lot of emails, which servers are designed to accept. Others, including the NHTCU, disagree. They say that DoS attacks do access and modify data stored in a computer's random access memory (RAM).

Distributed DoS attacks, or DDoS attacks, are more likely to breach the Act because they involve compromising other computers and instructing each of them to attack a single target at once.

According to ZDNet, the judge, while accepting that "the computer world has considerably changed since the 1990 Act," ruled:

"In this case, the individual emails caused to be sent each caused a modification which was in each case an 'authorised' modification. Although they were sent in bulk resulting in the overwhelming of the server, the effect on the server is not a modification addressed by [the Act]."

The first jury trial over a DoS attack was a prosecution against a teenager called Aaron Caffrey. However, Caffrey's defence did not argue the merits of the Act; instead, it convinced a jury that Caffrey did not launch the attacks and that they were in fact launched by hackers exploiting a Trojan in Caffrey's computer. Caffrey was acquitted.

Acknowledging Caffrey's case, the UK's All Party Internet Group (APIG) last year called for the Act to be amended. It called on the Home Office to add an explicit 'denial of service' offence to the Act's offence of impairing access to data.

Since then two MPs have introduced Private Member’s Bills into Parliament, seeking to implement this recommendation. The first attempt failed, as most Private Member’s Bills do. The second is scheduled for a second reading on 2nd December 2005.

Meanwhile, the next DoS trial is scheduled to begin on 25th November in Elgin Sheriff Court, Scotland. Matthew Anderson is charged with launching a DoS attack on the website of the British National Party.