Facts
In this case the Defendant was alleged to have used Avalanche
"mail bombing" software to flood the mail server of his former
employer, Domestic and General, with 500,000 unsolicited
e-mails. Many of the e-mails were disguised so that they
purported to have come from Domestic and General's Human Resources
manager. Mail bombing is the act of sending a large number of
duplicate unsolicited e-mails. It is a form of denial of service
("DOS") attack in which the volume of e-mail sent saturates the
target's e-mail processing and server storage capability. Depending
upon the extent, nature and target of the attack, the effect of a
mail bomb can be significant, ranging from a degradation in mail
server performance to total failure of IT service. It is regarded
as an unsophisticated form of DOS attack, the dangers of which have
been significantly reduced by the proliferation of e-mail filtering
software and other security measures.
The Defendant was charged with causing an unauthorised
modification to Domestic and General’s computer with intent to
impair its operation, contrary to s.3 of the Computer Misuse Act
1990. Section 3(1) of that Act provides: ‘A person is
guilty of an offence if (a) he does any act which causes an
unauthorised modification of the contents of any computer;’
The definition of "unauthorised modification" is set out at
Section 17 of the Act which states that:
‘(7) A modification of the contents of
any computer takes place if, by the operation of any function of
the computer concerned or any other computer … (b) any program or
data is added to its contents … (8) Such a modification is
unauthorised if … (b) [the person whose act causes it] does not
have consent to the modification from any person who is so
entitled.’
Judgment
The prosecution argued that the Defendant had caused an
unauthorised modification by adding data to Domestic and General's
mail server. The Defendant admitted using the Avalanche software to
launch the attack, and the defence did not dispute that the receipt
of e-mails constituted a modification of Domestic and General's
server. However, the defence made a submission of 'no case to
answer' on the grounds that the modification complained of, namely
the sending of e-mails, could not be shown to have been
unauthorised. The basis of the Defendant's argument was that since
the very function of the mail server was to receive and process
e-mails, Domestic and General was to be taken as having consented
to the receipt of e-mails and the consequent modification of the
server. There was no level above which the volume of e-mails
sent and received could be said to be unauthorised.
District Judge Kenneth Grant, sitting in Wimbledon Magistrates
Court, considered that s.3 of the Act was intended to deal
with the sending of malicious material rather than the sending of
bulk e-mails. Since Domestic and General's mail server was
configured to receive e-mails, each modification upon the receipt
of an e-mail must have been authorised. The judge therefore found
that no reasonable tribunal could conclude that the modifications
were unauthorised and the case was therefore dismissed.
On an appeal by the DPP, the Divisional Court (LJ Keene and Jack
J) held that the District Judge had incorrectly concluded that the
Defendant had no case to answer.
The owner of a mail server would ordinarily be taken to have
consented to the receipt of e-mails. However, it was observed that
such implied consent was subject to limitation and could not extend
to e-mails that had been sent for the purpose of interrupting the
system rather than for the purpose of genuine communication with
the recipient. The Court also stated that e-mails should not be
considered on an individual basis but rather as a whole. The Court
made an analogy with the implied permission to deliver mail through
a letterbox: such implied permission could not be taken to extend
to allowing the letterbox to be "choked with rubbish".
The Divisional Court therefore ordered that the case be sent
back to the Magistrates Court for trial. The Defendant pleaded
guilty when the case was reheard in Wimbledon Youth Court and was
sentenced to two months' curfew monitored by an electronic
tag.
Commentary
The initial decision in the Magistrates Court aroused
considerable comment and consternation and led to renewed calls for
the Computer Misuse Act to be updated in order to deal with changes
in technology and use thereof. The Police and Justice Act 2006
amended Section 3 of the Computer Misuse Act to provide that DOS
attacks do in fact constitute a criminal offence, punishable by a
maximum 10 years' imprisonment (increased from a maximum of 5 years
under the Computer Misuse Act). This amendment brought
the UK into compliance with Article 5 of the Council of Europe
Cybercrime Convention and the EU Framework Decision on Attacks
Against Information Systems which deal with offences of system
interference.
The Police and Justice Act also introduced a corollary offence
of making, supplying or obtaining articles for use in computer
misuse offences. In addition to its application to authors and
distributors of DOS software, this provision has the potential to
bring a wide range of hitherto "grey areas" of activity within the
reach of law enforcement.