computer misuse act proje

8/8/2019 Computer Misuse Act Proje

1/8


2/8

This article is about an unsuccessful

attempt to prosecute an individual who had

allegedly sent an e mail bomb to a company(known as a denial of service attack'). That

Magistrates Court decision led to renewed calls for the ComputerMisuse Act 1990 (CMA) to be updated to include a specificsection dealing with such an offence.

However, in Director of Public Prosecutions v Lennon theHigh Court overturned that original decision and held that theCMA did apply to such an attack.


3/8

The CMA is used to bring criminalprosecutions against those who impair the

operation of a computer by causing an

unauthorised modification. A denial of service

attack is when an overwhelming number of information requests

(such as e-mails) are sent to a server, the volume of which causesthe server to slow down or stop functioning. In addition to anydamage caused to the server itself, the loss of performance islikely to cause severe interruption to an organisation's day-to-daybusiness activities.

y

Like other types of attack on computer systems, for exampleviruses, many denial of service attacks are carried out bydisgruntled individuals, such as former employees. There havealso been reports of criminals using the threat of denial of serviceattacks to extort money from on-line businesses.


4/8

Mr Lennon had been dismissed from hisemployment with a company and hadallegedly used a mail-bombing' programdownloaded from the internet to send half

a million e-mails to the company (purportingto come from the human resources manager). This caused thecompany's server to crash and caused severe disruption to its business.

Lennon was charged with causing an unauthorised modification'to a company's computer with intent to impair its operation, contraryof the CMA. He made a submission of no case to answer before thedistrict judge in the Magistrates Court on the basis that themodification complained of, namely the sending of e-mails, could notbe shown to have been unauthorised'. Since the function of the server

was to receive e-mails, the company was to be taken as consenting toreceive e-mails, and thus the modification of its server was authorised'.


5/8

The Director of Public Prosecutions filed an appealwith the High Court.

The High Court said that although the owner of a

computer able to receive e-mails would ordinarily betaken to have consented to the sending of e-mails tothe computer, such implied consent was not withoutlimits. It plainly did not cover e-mails that had been

sent, not for the purpose of communication with theowner, but for the purpose of interrupting their system.


6/8

The High Court commented that there was someanalogy with a householder, whose consent to

someone walking up the path to their front door wouldnot extend to a burglar or to having their letterboxchoked with rubbish. If L had called R and requestedher consent to his sending her an e-mail about hisdismissal, she would have been puzzled as to why hehad bothered to ask. However, if he had asked her

whether he could send the half a million e-mails he infact sent, there would probably have been quite adifferent answer.

Accordingly, the district judge had been wrong toconclude that there was no case to answer


7/8

The original decision added fire to existing concernsthat the CMA was outdated. The Police and Justice Bill(not yet enacted) has proposed a number of measuresto broaden the offences under the CMA to explicitlyinclude denial of service attacks. However, this recentsuccessful appeal by the Director of Public Prosecutionsusing the current legislation has been welcomed, as itclarifies that prosecutions for denial of service attacks(using an e-mail bomb) cannot be dismissed by using

the defence that there is implied consent to receivesuch e-mails.


8/8

computer misuse act proje

Documents