UK bans denial of service attacks

OUT-LAW News, 09/11/2006

A law was passed yesterday that makes it an offence to launch a denial of service attack in the UK, punishable by up to ten years in prison. The new law is not yet in force.

There had been concern that Britain's Computer Misuse Act, written in the days before the World Wide Web, allowed denial of service attacks to fall through a loophole. These are attacks in which a web or email server is deliberately flooded with information to the point of collapse.

The 1990 legislation described an offence of doing anything with criminal intent "which causes an unauthorised modification of the contents of any computer"; the question was whether that covered denial of service attacks. When a court cleared teenager David Lennon in November 2005 on charges of sending five million emails to his former employer – because the judge decided that no offence had been committed under the Act – the need for amendment seemed obvious.

Lennon's lawyer had successfully argued that the purpose of the company's server was to receive emails, and therefore the company had consented to the receipt of emails and their consequent modifications in data. District Judge Kenneth Grant concluded that sending emails is an authorised act and that Lennon had no case to answer, so no trial took place. That ruling was overturned and Lennon was sentenced to two months' curfew with an electronic tag. But by that time, amendments to the 1990 legislation were already included in the Police and Justice bill.

It was passed yesterday, becoming the Police And Justice Act 2006. It has still to be brought into force. The Act also increases the penalty for unauthorised access to computer material from a maximum of six months' imprisonment to two years.

The 2006 Act expands the 1990 Act's provisions on unauthorised modification of computer material to criminalise someone who does an unauthorised act in relation to a computer with "the requisite intent" and "the requisite knowledge."

The requisite intent is an intent to do the act in question and by so doing:

• to impair the operation of any computer,
• to prevent or hinder access to any program or data held in any computer, or
• to impair the operation of any program or data held in any computer.

The intent need not be directed at any particular computer or any particular program or data.

The wording is wide enough that paying someone else to launch an attack will still be a crime, with a maximum penalty of 10 years in prison. Supplying the software tools to launch an attack or offering access to a botnet could be punished with up to two years in prison.

See: The Police and Justice Bill(the relevant clauses are 33 to 36; the Act was not available at the time of writing)as HTML or as a 145-page / 633KB PDF

See also:

• Denial of Service attacker sentenced to curfew, OUT-LAW News, 24/08/2006
• Appeals court says Denial of Service is a crime, OUT-LAW News, 12/05/2006
• Broad support for cybercrime update, OUT-LAW News, 08/03/2006
• Denial of Service to be criminalised by autumn 2006, OUT-LAW News, 26/01/2006
• US 'botmaster' pleads guilty, OUT-LAW News, 25/01/2006
• Call for reform of Denial of Service law, OUT-LAW News, 18/11/2005
• Denial of Service prosecution fails, OUT-LAW News, 03/11/2005 
• 'Regrettable' conviction under Computer Misuse Act, OUT-LAW News, 07/10/2005
• Another pitch to Parliament for Denial of Service law, OUT-LAW News, 14/07/2005 
• Parliament hears 10 minutes on Denial of Service law, OUT-LAW News, 07/04/2005
• Denial of Service prosecution in the UK, OUT-LAW News, 17/01/2005
• Computer Misuse Act needs reforming, concludes APIG, OUT-LAW News, 30/06/2004

Feedback | Printer-friendly page | Latest news | | All news feeds | Ask a lawyer