Denial of Service Attacks and Computer Misuse

May 10, 2006

On 11 May judgment was given in DPP v Lennon by the Divisional Court. This was an appeal against the ruling in the magistrates’ court that there was no offence under the Computer Misuse Act 1990, s 3 where e-mails were sent – notwithstanding that the defendant had sent a vast number of them using the Avalanche mail-bomber program – because each e-mail sent to an e-mail server is authorised to modify it (otherwise e-mail would not work) and there that there was no cut-off point on the quantity which meant that e-mails suddenly became unauthorised (see Peter Sommer’s article on Computer Misuse Prosecutions in vol 16, issue 5).

The Divisional Court (Lord Justice Keene and Jack J) disagreed with the magistrates’ court’s ruling. The implied consent to the receipt of e-mails, which, it had been argued, made the modification of the server ‘authorised’ for the purposes of s 17 of the 1990 Act was not without limit. It plainly did not cover e-mails sent for the purpose of disrupting the recipient’s computer system. The analogy was drawn with an implied permission to deliver an envelope through a letter-box – this existed but did not extend to a person choking the letter-box with rubbish.

On the particular facts, the e-mails were sent in such a way as to purport to come from another sender. The court stated that the fact that they come from someone other than the true author does not necessarily make them unauthorised. Whether or not such an e-mail is authorised would depend on the circumstances.

The case is yet to be fully reported but a summary is available at [2006] All ER (D) 147 (May).