Thursday, January 26, 2006

Denial of Service: I Told You So, part 22

As heavily predicted by various commentators, including, ahem, moi, Denial of Service (DoS) attack in the UK is set to become a new offence within the year. Parts of the Private Members Bill on Computer Misuse put forward last year by MP Tom Harris will be included in a new general crime bill. The Government has included updates – with new offences and stiffer penalties – in the Police and Justice Bill, introduced January 25 2006. This will amend the now rather outdated Computer Misuse Act 1990. the matter was brought to a head when a court cleared a teenager last November who had sent five million emails to his former employer, on the grounds that no offence had been committed under the Act.
Section 34 of the Bill expands on the 1990 Act's existing provisions to cover someone who does an unauthorised act in relation to a computer with "the requisite intent and the requisite knowledge." Previously, s 3 of the 1990 Act prohibited only on unauthorised modification of computer programs or data. (Section 1 of the Act deals with unauthorised access ie hacking.)

The requisite intent referred to is an intent to do the act in question, and by so doing:

-to impair the operation of any computer,
-to prevent or hinder access to any program or data held in any computer, or
-to impair the operation of any program or data held in any computer.

This is not so different from the existing law (see emboldened parts). The section on intent is identical to that in the existing 1990 Act, s 3. Crucially, the argument that an unsecured website impliedly authorised everyone in the world to make page requests from it, or send emails to it - even where those requests are for 5 milion pages in an hour leading to the server falling over - still seems potentially open.

As was said by the judge in the November teenager case: "In this case, the individual emails caused to be sent each caused a modification which was in each case an 'authorised' modification. Although they were sent in bulk resulting in the overwhelming of the server, the effect on the server is not a modification addressed by [the Act]."

The new law has changed the word "modification" to "act" (which is not defined except to say it includes a series of acts) but not touched the word "unauthorised". To make matters worse, s 34(4) states that "For the purposes of subsection (1)(b) above, the requisite knowledge is knowledge that the act in question is unauthorised". How hard is to claim after the November case that you reasonably thought making page requests or sending emails was an authorised act?

Quid iuris? One way round this of course would be a clear statement on any potential target website that persons are explicitly not authorised to send multiple emails to the site with the intent of causing system degradation - but this carries with it the usual problems of adequate notice for incorporation, nor is it a very appealing thing to have on your website front page. If the government are finally (after 3 PM Bills) going to the effort of making new law on DoS, I am surprised they have not chosen to clarify the meaning of "unauthorised" by statute. The intent requirement alone will not create a water-tight crime of DoS if the actus reus is not satisfied.

Less ballyhooed but also of interest is the new section 3A added by the 2006 Bill which is extracted below:

“3A Making, supplying or obtaining articles for use in offence under
section 1 or 3
(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article—
(a) knowing that it is designed or adapted for use in the course of
or in connection with an offence under section 1 or 3; or
(b) intending it to be used to commit, or to assist in the commission
of, an offence under section 1 or 3."

This probably criminalises the making and selling of virus and DDOS toolkits, something I have wondered about in the past. What if you write a virus-making toolkit to learn about viruses and virus-spreaders so you can be a better security expert? (a) may still catch you. I would have felt happier if the new offense was restricted to the (b) branch, or if the "or" was an "and".


Anonymous said...


Perhaps it is just my relative ignorance, but just think for a moment if we forgot about the Computer Misuse Bill and looked at the Privacy and E Commerce Regulations. Since spam is the vehicle for DoS attacks, would amending Reg 21 to include businesses as well automatically provide them with protection from DoS?

The court would not have to deal with the issue of "modification" of the computer and the issue of "authorisation" unlike the CMA and it would be catch people like the 15 year old who was acquitted of DoS in November. I accept that the boy would not get a conviction in the true sense of it but at least if Reg 21 was extended to businesses it would be kill two birds with one stone. a) it would protect such businesses from DoS irregardless of how and why the attack happened and b) It would provide additional protection to businesses from spam itself. I accept the issue of jurisdiction is still a problem but at least theoretically the businesses would be covered.

Also if the damages were upped to the level of the Can Spam Act as you mentioned in an earlier blog then the businesses would be compensated for their costs of downtime which would benefit them more than a criminal conviction.

Just a suggestion from a 3rd year law student.


Anonymous said...

Just a correction on the earlier blog, I meant Reg 22 of the Privacy & Electronic Communications Regulations, sorry!

The one one on spam.


pangloss said...

"Spam" is defined as unsolicited commercial communications. - DoS email traffic need not be "commercial" and DoS can, and often does, take the form of page or other resource requests rather than emails - so I don't think your solution will work. ( Also if you're trying to sue or prosecute a DoS mastermind the last thing you want to have to do is check the CONTENTof every one of the 10 million emails he sent...)

Also in principle DP law - which spam forms part of - is intended to protect the privacy rights of corporations not individuals- so extending spam law to protect companies is not a wholly uncontroversial business (even tho the PECD Regs do to some small extent do this.)

But yes, in general, I am in favour of civil remedies for the victims of DoS and DDOS and crinminal enforcement is currently pretty hopeless so yes I think you're thinking along the right lines!