The latest issue of Computing reports that the Home Office is now committed to introducing changes to update the 15-year-old Computer Misuse Act. This follows the case earlier this month of a teenager who had allegedly crashed an email server by sending 5 million emails to his ex-employer. Wimbledon Magistrates' Court found that the teenager had not broken the law.
Section 3 of the Act states:
"A person is guilty of an offence if—
(a) he does any act which causes an unauthorised modification of the contents of any computer; and
(b) at the time when he does the act he has the requisite intent and the requisite knowledge."
The difficulty faced by the prosecution was establishing that sending emails to an email server was an 'unauthorised modification'. Clearly, when an email server receives an email, the contents of the email server are modified. However, the defence successfully argued that, as the purpose of an email server was to receive emails, the receipt of one or more individual emails was authorised by the owners of the email server for the purposes of the Act.
There is nothing in the current Act to deal with difficulties caused by repeated submission of data to a server, and as a result the teenager was acquitted. The judge specifically stated that the Act did not cover denial of service attacks.
The issue has been discussed in Parliament, and a private member's bill has been tabled to amend the Computer Misuse Act specifically to address denial of service issues. The Bill is due for a second reading in 2006. In the meantime, the authorities will continue to struggle to take action against those disrupting the internet on the basis of the current UK legislation.
As suggested by a friend of mine, why didn't they just prosecute the guy under s.127(2)(c) of the Communications Act 2003 instead?
Posted by: Scott | November 17, 2005 at 03:16 PM
It's an interesting question. The Communications Act 2003 provides for an offence where a person '...for the purpose of causing annoyance, inconvenience or needless anxiety to another...persistently makes use of a public telecommunications network.' The facts of the case are not completely clear, but two possibilities are that there was an issue in proving: (i) that the motive behind the emails was in fact 'causing annoyance, inconvenience or needless anxiety', or (ii) that the individual had 'persistently made use' of the network, given that the relevant software may have generated the emails in such a way that the network was not persistently re-used by the individual in question.
Posted by: Kevin Calder | November 29, 2005 at 11:17 AM