It is unclear whether it is a criminal offence to overload and crash a company's email server, a UK court heard on Tuesday.
A prosecution witness in the trial of a teenager accused of launching an email bomb attack admitted that the legality of denial-of-service (DoS) attacks caused by a flood of email is a legal grey area that IT professionals want clarified. Police say the youth, who can't be named for legal reasons, sent five million emails to his former employer that forced an email server offline.
As reported on Tuesday, the teenager has been charged under the Computer Misuse Act, which has been criticised for being outdated.
Judge Grant asked expert witness for the prosecution Paul Overton whether, in his opinion, the Computer Misuse Act (CMA) contained the necessary language to cover DoS attacks caused by unwanted mail, given that the Act came into practice in 1990 before such attacks were known.
Overton, managing director of Trusted Management, a company that assesses operational risk in IT for governmental systems, replied that he was not a legal expert. He went on to say he first dealt with DoS attacks in 1999, and first became aware of them in 1997, confirming that "DoS attacks would not have been part of the language" in 1990.
The prosecution twice called for clarification from the judge on Tuesday regarding the point of law that may cover DoS attacks.
Overton also said that there is uncertainty and alarm within the IT community about the legality of spam.
"There is concern about increasing amounts of unwanted mail," said Overton.
In 2003, the UK government introduced legislation that made it illegal to send to spam to consumers' email addresses, but did not protect businesses.
Later in his cross-examination, the counsel for the defence asked Overton to confirm there was "little certainty about where this [junk mail] becomes unlawful."
"I accept it's a grey area," Overton said. The CMA currently explicitly outlaws 'unauthorised access' and 'unauthorised modification' of computer material. The defence is expected to argue that a flood of emails would not cause unauthorised access or modification, even if they forced an email server offline.
This trial is a test case for CMA as no-one has yet been successfully convicted under the Act of launching a DoS attack. The case continues.
Talkback
I have received spam many times over the years and once from a so-called friend; you
know DoS makes me nervous because you never know if you sue it the right way.
But CMA is hard to deal with because when the term(CMA, DoS) is coined the fact of this
forgery of word brings it into reality.Example
virus spyware. This behaviour is more far-reaching than the mere act.