Email bomber faces retrial

The Court of Appeal has ruled that a judge was wrong to throw out the case of a teenager accused of crashing a mail server with millions of emails

A teenager who was cleared of breaching anti-hacking laws by sending millions of messages to a former employer faces a retrial.

David Lennon, who is now 18 and can therefore be named for the first time, is alleged to have used a mail bombing programme called Avalanche to send approximately five million emails to his former employers, Domestic and General Group plc, in early 2004, crashing the company’s email server.

The case against him, brought under the Computer Misuse Act (CMA) 1990, was dismissed last November by District Judge Kenneth Grant at Wimbledon Magistrates' Court.

Judge Grant had said that Section 3 of the Act, which concerns unauthorised modification of data, had not been breached, as emails sent to a server configured to receive emails could not be classified as unauthorised.

But on Thursday, judges at the Royal Courts of Justice sent the case back to the Magistrates Court, saying Judge Grant "was not right to state there was no case to answer". Mr Justice Jack said the judge should consider "what answer Mr Lennon might have expected if he had asked D&G" before starting the mail bombing.

The Crown Prosecution Service (CPS), which had appealed against the original judgement, was pleased by Thursday's ruling. A statement said: "We have sought to clarify a point of law, to update the interpretation of that law to cope with contemporary high-tech crime. As technology develops at an ever increasing pace the law may sometime need to be interpreted in new ways.

"The police and CPS are determined to ensure that those who use the Internet for crime are not beyond the reach of the law, and to make the Internet a safe place for both businesses and domestic users."

The case highlighted flaws in the 16-year-old CMA, enacted in the days before Internet crime became a significant problem. Experts have complained in the past that it does not specifically outlaw denial-of-service attacks.

Security expert Peter Sommer, who has called for the CMA to be updated, was a defence witness in Lennon's trial last year. He said on Thursday that "the defence [had been] asking the court to take a fairly narrow and literal view of the CMA".

"My own view is that they could have made a decision either way. The fact that the Court of Appeal has reversed it is not a colossal surprise," he told ZDNet UK.