A British teenager has been cleared of launching a denial-of-service attack against his former employer, in a ruling that delivers another blow to the U.K's Computer Misuse Act.
At Wimbledon Magistrates Court in London, District Judge Kenneth Grant ruled Wednesday that the teenager had not broken the CMA, under which he was charged. The defendant, who can't be named for legal reasons, was accused of sending 5 million e-mail messages to his ex-employer that caused the company's e-mail server to crash.
The teenager greeted the news with relief, although an appeal by the prosecution is still possible. "I feel very happy. This has been going on for two years. At the moment, this is no longer hanging over my head," the teenager told ZDNet UK.
The CMA, which was introduced in 1990, does not specifically include a denial-of-service attack as a criminal offense, something some members of the U.K. parliament want changed. However, it does explicitly outlaw the "unauthorized access" and "unauthorized modification" of computer material. Section 3 of the act, under which the defendant was charged, concerns unauthorized data modification and tampering with systems.
A denial-of-service attack is one in which a flood of information requests is sent to a server, bringing the system to its knees and making it difficult to reach.
The defendant was not called into the witness box during the trial, so it was never confirmed whether an attack had taken place. The defense counsel argued that sending a flood of unsolicited e-mails did not constitute unauthorized access or modification, as the targeted company's e-mail server was set up for the purpose of receiving e-mail messages.
Judge Grant told the court that "the computer world has considerably changed since the 1990 act," and that there was little legal precedent to refer back to. He then ruled that denial-of-service attacks were not illegal under the CMA.
In a written ruling, Judge Grant stated: "In this case, the individual e-mails caused to be sent each caused a modification which was in each case an 'authorized' modification. Although they were sent in bulk resulting in the overwhelming of the server, the effect on the server is not a modification addressed by section 3 (of the CMA)."
"On the narrow issue of an authorized or unauthorized modification, I concluded that no reasonable tribunal could conclude that the modification caused by the e-mails sent by the defendant were unauthorized within the meaning of section 3," Grant added.
Peter Sommer, an expert witness for the defense, called for the law to be revised in light of the trial. "This is an interesting result, which highlights the need for reform of the CMA," Sommer, a senior research fellow in the London School of Economics' Information Systems department, said.
Tom Espiner of ZDNet UK reported from London.