U.K. outlaws denial-of-service attacks

A newly passed law makes it illegal to impair the operation of a computer and closes a potential legal loophole.

Tom Espiner Special to CNET News

A U.K. law has been passed that makes it an offense to launch denial-of-service attacks, which experts had previously called "a legal gray area."

Among the provisions of the Police and Justice Bill 2006, which gained Royal Assent on Wednesday, is a clause that makes it an offense to impair the operation of any computer system. Other clauses prohibit preventing or hindering access to a program or data held on a computer, or impairing the operation of any program or data held on a computer.

The maximum penalty for such cybercrimes has also been increased from 5 years to 10 years.

The law that previously attempted to deal with this area of computer crime was the Computer Misuse Act 1990 (CMA), which was drafted before widespread use of the Internet began.

In a denial-of-service attack, a person attempts to make a computer system unavailable to users by overloading it with data. The CMA only prohibited unauthorized modification of a system, which opened up legal ambiguity for denial-of-service attacks using e-mail.

In November 2005, David Lennon was tried for sending 5 million e-mails to his former employer, causing the e-mail server to crash. His defense successfully argued that as an e-mail server exists to receive e-mail, sending e-mail to that server could not be an unauthorized modification, no matter how much mail was sent.

District Judge Kenneth Grant agreed, and concluded that sending e-mail was an authorized modification of the server, so Lennon had no case to answer. Grant's ruling was later overturned, with Lennon sentenced to two months' curfew with an electronic tag. By that time, amendments to the CMA had been included in the Police and Justice Bill.

Tom Espiner of ZDNet UK reported from London.