By Tom Espiner
November 2, 2005
A British teenager has been cleared of launching a denial-of-service
attack against his former employer, in a ruling that delivers another
blow to the U.K.'s Computer Misuse Act.
At Wimbledon Magistrates Court in London, District Judge Kenneth Grant
ruled Wednesday that the teenager had not broken the CMA, under which
he was charged. The defendant, who can't be named for legal reasons,
was accused of sending 5 million e-mail messages to his ex-employer
that caused the company's e-mail server to crash.
The teenager greeted the news with relief, although an appeal by the
prosecution is still possible. "I feel very happy. This has been going
on for two years. At the moment, this is no longer hanging over my
head," the teenager told ZDNet UK.
The CMA, which was introduced in 1990, does not specifically include a
denial-of-service attack as a criminal offense, something some members
of the U.K. parliament want changed. However, it does explicitly
outlaw the "unauthorized access" and "unauthorized modification" of
computer material. Section 3 of the act, under which the defendant was
charged, concerns unauthorized data modification and tampering with
A denial-of-service attack is one in which a flood of information
requests is sent to a server, bringing the system to its knees and
making it difficult to reach.
The defendant was not called into the witness box during the trial, so
it was never confirmed whether an attack had taken place. The defense
counsel argued that sending a flood of unsolicited e-mails did not
constitute unauthorized access or modification, as the targeted
company's e-mail server was set up for the purpose of receiving e-mail
Judge Grant told the court that "the computer world has considerably
changed since the 1990 act," and that there was little legal precedent
to refer back to. He then ruled that denial-of-service attacks were
not illegal under the CMA.
In a written ruling, Judge Grant stated: "In this case, the individual
e-mails caused to be sent each caused a modification which was in each
case an 'authorized' modification. Although they were sent in bulk
resulting in the overwhelming of the server, the effect on the server
is not a modification addressed by section 3 (of the CMA)."
"On the narrow issue of an authorized or unauthorized modification, I
concluded that no reasonable tribunal could conclude that the
modification caused by the e-mails sent by the defendant were
unauthorized within the meaning of section 3," Grant added.
Peter Sommer, an expert witness for the defense, called for the law to
be revised in light of the trial. "This is an interesting result,
which highlights the need for reform of the CMA," Sommer, a senior
research fellow in the London School of Economics' Information Systems
Tom Espiner of ZDNet UK reported from London.