Denial of Service Attacks – Realism Prevails

June 30, 2006

The Facts

Mr Lennon was employed by Domestic and General Group Plc (D&G) for three months until he was dismissed in December 2003. On 30 January 2004 Mr Lennon started to send e-mails to D&G using a mail-bombing program called Avalanche V3.6, which he had downloaded from the Internet. The program was set to ‘mail until stopped’, so it would continue to send e-mails until it was manually stopped. The majority of e-mails purported to come from Betty Rhodes, who was D&G’s human resources manager; her e-mail address was purportedly used. Each e-mail contained a list of other employees of D&G to whom it was copied once it reached D&G, thus increasing the e-mail traffic. During the last few hours of the e-mailing, different addresses were used. The purpose of that was to try to defeat attempts to prevent the e-mails from continuing to arrive. The last message stated it would not stop and was addressed to Betty Rhodes. It was estimated that Mr Lennon’s use of the program caused approximately 5 million e-mails to be received by D&G’s e-mail servers. The e-mails brought down D&G’s mail server. When D&G’s employees arrived for work they took steps to stop the e-mails and eventually this was done.

The Charge

Mr Lennon was charged with causing an unauthorised modification to a computer belonging to D&G with intent to impair the contents of the computer, contrary to s 3(1) of the Computer Misuse Act 1990.

The Law

Section 3 of the Act provides that a person is guilty of an offence if he does any act that causes an unauthorised modification of the contents of any computer and at the time he does the act he has the requisite intent and the requisite knowledge. The requisite intent is an intention to cause such a modification and by doing so to impair the operation of any computer, to prevent or hinder access to any program or data held in any computer, or to impair the operation of any such program or the reliability of any such data. The requisite knowledge is knowledge that any modification he intends to cause is unauthorised.

Section 17(8) provides that such a modification is unauthorised if, amongst other things, the person who makes it does not have consent to the modification from any person who is entitled to determine whether the modification should be made.

Prosecution Submissions

The prosecution alleged that Mr Lennon caused an unauthorised modification to the contents of D&G’s computers by the addition of data – in the shape of the 5 million e-mails which he sent – and that when he did so he had the requisite intent and the requisite knowledge. It was alleged that he had the requisite intent as he intended to hinder the operation of the computers by overwhelming them with e-mails and that he intended thereby to prevent or hinder access to their programs and data and to impair the operation of their programs and the reliability of their data. It was alleged that he had the requisite knowledge as he had knowledge that the modifications he intended to cause by adding the e-mails to the data in the computers were unauthorised. The prosecution submitted that the implied consent of the owner of the mail server to receive e-mails should be deemed to be withdrawn in a case such as this where the defendant had directed a vast volume of e-mails to the server.

Defence Submissions

It was accepted by Mr Lennon that all these allegations were sustainable in law, except that, on the evidence, the modifications were not unauthorised for the purpose of s 3. The defence submitted that the function of the mail servers was to receive e-mails; so D&G consented to receiving e-mails on them and as a result authorised potential senders of e-mails to modify the contents of the mail server by sending them. The e-mails sent by Mr Lennon should be considered on an individual basis. There was implied consent to each e-mail and so collectively they could not be regarded as unauthorised. Thus, although it was accepted that the individual e-mails sent by the defendant each caused a modification, it was submitted that in each case it was an authorised modification.

Youth Court’s Decision

On 2 November 2005, District Judge Kenneth Grant, sitting as a youth court in Wimbledon, held that there was no case to answer as he accepted the defence submission mentioned above. He also accepted the defence submission that s 3 of the Act was intended to deal with the sending of malicious material such as viruses, worms and Trojan horses which corrupt or change data, but not with the sending of e-mails.

This judgment was heavily criticised in the legal and popular press.

Divisional Court’s Judgment

When the Divisional Court gave its judgment ([2006] EWHC 1201 (Admin)), it agreed with the press. Like the press, the Court criticised the judge for failing to address the ‘reality of the situation’.

The Divisional Court held that the critical issue was whether Mr Lennon had consent from D&G to the modification of the computer. As Mr Lennon was not the person who was entitled to determine whether the modification arising from receipt of the e-mails should be made, consent was required from D&G.

The Divisional Court agreed that the owner of a computer which is able to receive e-mails is ordinarily to be taken as consenting to the sending of e-mails to the computer; but that implied consent is not without limits. The Court used the analogy of the householder who consents to members of the public walking up the path to his door when they have a legitimate reason for doing so and consents to them using his private letterbox; such consent could not extend to a burglar coming up his path nor to having his letterbox choked with rubbish.

The Court felt that there was a clear distinction between (i) the receipt of e-mails which the recipient merely does not want but which do not overwhelm or otherwise harm the server and (ii) the receipt of bulk e-mails which do overwhelm it.

The recipient of e-mails is not to be taken to consent to receiving e-mails sent in a quantity and at a speed which were likely to overwhelm the server. Such consent was not to be implied from the fact that the server has an open as opposed to a restricted configuration.

The Court did not define the limits of the consent which a computer owner impliedly gives to the sending of e-mails; however, it said that such consent plainly does not cover e-mails which are not sent for the purpose of communication with the owner but are sent for the purpose of interrupting the proper operation and use of the system. That was plainly Mr Lennon’s intent in using the Avalanche program; it was clear that, if Mr Lennon had asked D&G whether he might send 5 million e-mails, D&G would not have consented. Therefore, Mr Lennon’s purpose in sending the e-mails, and the use he made of D&G’s e-mail facility, was unauthorised.

To determine whether there was implied consent, Mr Lennon’s conduct was to be considered as a whole. The Divisional Court concluded that the sending of e-mails was unauthorised from the start as he initiated the sending of e-mails by the single action of starting the Avalanche programme, which would run until stopped. It was, therefore, unnecessary to identify at which point the sending of e-mails became unauthorised by reason of their number.

The Divisional Court concluded that the District Judge was not right to find that there was no case to answer and remitted the case to him to continue with the hearing. Although the Divisional Court found that the modifications caused to D&G’s computers were unauthorised, it still needed to be established that Mr Lennon knew that those modifications were unauthorised. However, the Divisional Court laid down a very strong marker to the District Judge by suggesting that he should consider asking Mr Lennon what answer he would have expected D&G to give if he had asked them whether he might launch Avalanche. With that hint, it seems inconceivable that Mr Lennon will not be found guilty.

Bogus E-mails

The prosecution had also highlighted the fact that all the e-mails purported to come from somebody, Ms Rhodes, who had not sent them or authorised sending them. The prosecution submitted that this indicated that Mr Lennon knew that D&G would not have consented to receiving e-mails of the type being sent and so knew that they were not authorised for the purpose of s 3(4) of the Act.

The Divisional Court referred to the judgment of the Court of Appeal in Zezev and Yarimaka v Governor of HM Prison Brixton and another [2002] EWHC 589 (Admin), in which it was stated that: ‘if an individual, by misusing or bypassing any relevant password, places in the files of the computer a bogus e-mail by pretending that the password holder is the author when he is not, then such an addition to such data is plainly unauthorised as defined in section 17(8); intent to modify the contents of the computer as defined in section 3(2) is self-evident and, by so doing, the reliability of the data in the computer is impaired within the meaning of section 3(2)(c)’.

Accordingly the Divisional Court said that the e-mails were unauthorised as they entered the D&G computer by the false pretence of purporting to come from somebody other than the actual sender. It could not be said that implied consent to the receipt of malicious e-mails purporting to come from Ms Rhodes had been given by D&G. However, the court was not necessarily of the view that in all circumstances an e-mail purporting to come from one person but coming from another should be treated as unauthorised. For example, such an e-mail might be sent as a joke with no malicious intent and it could be argued that such an e-mail was covered by the implied consent of the computer’s owner. The answer depends upon all the circumstances.

Comment

As a result of pressure from industry and from Europe to ensure that denial of service attacks are illegal, the Government is seeking via clause 40 of the Police and Justice Bill to amend s 3 of the Computer Misuse Act 1990 so that a person is guilty of an offence if he ‘does any unauthorised act in relation to a computer’ as opposed to doing ‘any act which causes an unauthorised modification of the contents of any computer’. The Home Office believes that the Act covers denial of service attacks. The All Party Internet Group recommended that, although the Act already made many denial of service attacks illegal, there was significant value in adding an explicit offence to the legislation. Although the Bill has been criticised by some in the IT industry for not allowing sufficient time for debate, for failing to distinguish sufficiently between innocent and dishonest uses and for failing to deal properly with denial of service attacks, it seems that, if the Divisional Court’s decision is good law, the Act can already be used against those responsible for denial of service attacks.

Mark Lewis is a partner in the Commercial Resolution Group at IBB Solicitors, specialising in IT disputes: mark.lewis@ibblaw.co.uk.