The teenager, who cannot be named for legal reasons, was not
called to give evidence in the case, after District Judge Kenneth
Grant agreed with defence lawyers that even if the emails had been
sent – something that was not confirmed in court – no offence had
been committed.
The ruling is likely to increase demands for the Computer Misuse
Act to be updated because it supports a view that the Act, passed
in 1990, fails to criminalise denial of service (DoS) attacks.
DoS attacks occur when web servers are flooded with requests for
information, overwhelming the system. Although such attacks do not
normally compromise information security, they cost time and
money.
The question for District Judge Grant was whether the teenager’s
alleged attack was prohibited by the Act.
In general terms, the Act targets three offences: unauthorised
access to computer material; unauthorised modification of such
material; and unauthorised access with intent to commit or
facilitate commission of further offences.
In the past, some have argued that the Act cannot cover DoS
attacks because such attacks do not involve the accessing or
modification of material – they simply involve a lot of emails,
which servers are designed to accept. Others, including the NHTCU,
disagree. They say that DoS attacks do access and modify data
stored in a computer's random access memory (RAM).
Distributed DoS attacks, or DDoS attacks, are more likely to
breach the Act because these involve compromising other computers,
instructing each of the computers to attack a single target at
once.
According to ZDNet, the judge, while accepting that “the
computer world has considerably changed since the 1990 Act,"
ruled:
"In this case, the individual emails caused
to be sent each caused a modification which was in each case an
'authorised' modification. Although they were sent in bulk
resulting in the overwhelming of the server, the effect on the
server is not a modification addressed by [the Act]."
The first jury trial over a DoS attack was a prosecution against
a teenager called Aaron Caffrey. However, Caffrey's defence did not
argue the merits of the Act; instead, it convinced a jury that
Caffrey did not launch the attacks and that they were in fact
launched by hackers exploiting a Trojan in Caffrey's computer.
Caffrey was acquitted.
Acknowledging Caffrey's case, the UK's All Party Internet Group
(APIG) last year called for the Act to be amended. It called on the
Home Office to add an explicit 'denial of service' offence to the
Act's offence of impairing access to data.
Since then two MPs have introduced Private Member’s Bills into
Parliament, seeking to implement this recommendation. The first
attempt failed, as most Private Member’s Bills do. The second is
scheduled for a second reading on 2nd December 2005.
Meanwhile, the next DoS trial is scheduled to begin on
25th November in Elgin Sheriff Court, Scotland. Matthew
Anderson is charged with launching a DoS attack on the website of
the British National Party.
