Denial of service attacks are legal 'grey area'
It is unclear whether it is a criminal offence to overload and crash a company's email server, a UK court heard on Tuesday.
A prosecution witness in the trial of a teenager accused of launching an email bomb attack admitted that the legality of denial-of-service (DoS) attacks caused by a flood of email is a legal grey area that IT professionals want clarified. Police say the youth, who can't be named for legal reasons, sent five million emails to his former employer that forced an email server offline.
As reported on Tuesday, the teenager has been charged under the Computer Misuse Act, which has been criticised for being outdated.
Judge Grant asked expert witness for the prosecution Paul Overton whether, in his opinion, the Computer Misuse Act (CMA) contained the necessary language to cover DoS attacks caused by unwanted mail, given that the Act came into practice in 1990 before such attacks were known.
Overton, managing director of Trusted Management, a company that assesses operational risk in IT for governmental systems, replied that he was not a legal expert. He went on to say he first dealt with DoS attacks in 1999, and first became aware of them in 1997, confirming that "DoS attacks would not have been part of the language" in 1990.
The prosecution twice called for clarification from the judge on Tuesday regarding the point of law that may cover DoS attacks.
Overton also said that there is uncertainty and alarm within the IT community about the legality of spam.
"There is concern about increasing amounts of unwanted mail," said Overton.
In 2003, the UK government introduced legislation that made it illegal to send to spam to consumers' email addresses, but did not protect businesses.
Later in his cross-examination, the counsel for the defence asked Overton to confirm there was "little certainty about where this [junk mail] becomes unlawful."
"I accept it's a grey area," Overton said. The CMA currently explicitly outlaws 'unauthorised access' and 'unauthorised modification' of computer material. The defence is expected to argue that a flood of emails would not cause unauthorised access or modification, even if they forced an email server offline.
This trial is a test case for CMA as no-one has yet been successfully convicted under the Act of launching a DoS attack. The case continues.