Denial of service attacks outlawed

The Police and Justice Bill 2006 makes it illegal to impair the operation of a computer, closing a potential legal loophole
Written by Tom Espiner, Contributor

A UK law has been passed that makes it an offence to launch denial of service attacks, which experts had previously called "a legal grey area."

Among the provisions of the Police and Justice Bill 2006, which gained Royal Assent on Wednesday, is a clause that makes it an offence to impair the operation of any computer system. Other clauses prohibit preventing or hindering access to a program or data held on a computer, or impairing the operation of any program or data held on a computer.

The maximum penalty for such cybercrimes has also been increased from five to 10 years.

The law that previously attempted to deal with this area of computer crime was the Computer Misuse Act 1990 (CMA), which was drafted before widespread use of the internet began.

In a denial of service attack, a person attempts to make a computer system unavailable to users by overloading it with data. The CMA only prohibited unauthorised modification of a system, which opened up legal ambiguity for denial of service attacks using email.

In November 2005 David Lennon was tried for sending five million emails to his former employer, causing the email server to crash. His defence successfully argued that as an email server exists to receive email, sending emails to that server could not be an unauthorised modification, no matter how much mail was sent.

District Judge Kenneth Grant agreed, and concluded that sending emails was an authorised modification of the server, so Lennon had no case to answer. Grant's ruling was later overturned, with Lennon sentenced to two months' curfew with an electronic tag. By that time amendments to the CMA had been included in the Police and Justice Bill.
