The Facts
Mr Lennon was employed by Domestic and General Group Plc (D&G) for three months until he was dismissed in December 2003. On
The Charge
Mr Lennon was charged with causing an unauthorised modification to a computer belonging to D&G with intent to impair the contents of the computer, contrary to s 3(1) of the Computer Misuse Act 1990.
The Law
Section 3 of the Act provides that a person is guilty of an offence if he does any act that causes an unauthorised modification of the contents of any computer and at the time he does the act he has the requisite intent and the requisite knowledge. The requisite intent is an intention to cause such a modification and by doing so to impair the operation of any computer, to prevent or hinder access to any program or data held in any computer, or to impair the operation of any such program or the reliability of any such data. The requisite knowledge is knowledge that any modification he intends to cause is unauthorised.
Section 17(8) provides that such a modification is unauthorised if, amongst other things, the person who makes it does not have consent to the modification from any person who is entitled to determine whether the modification should be made.
Prosecution Submissions
The prosecution alleged that Mr Lennon caused an unauthorised modification to the contents of D&G’s computers by the addition of data – in the shape of the 5 million e-mails which he sent – and that when he did so he had the requisite intent and the requisite knowledge. It was alleged that he had the requisite intent as he intended to hinder the operation of the computers by overwhelming them with e-mails and that he intended thereby to prevent or hinder access to their programs and data and to impair the operation of their programs and the reliability of their data. It was alleged that he had the requisite knowledge as he had knowledge that the modifications he intended to cause by adding the e-mails to the data in the computers were unauthorised. The prosecution submitted that the implied consent of the owner of the mail server to receive e-mails should be deemed to be withdrawn in a case such as this where the defendant had directed a vast volume of e-mails to the server.
Defence Submissions
It was accepted by Mr Lennon that all these allegations were sustainable in law, except that, on the evidence, the modifications were not unauthorised for the purpose of s 3. The defence submitted that the function of the mail servers was to receive e-mails; so D&G consented to receiving e-mails on them and as a result authorised potential senders of e-mails to modify the contents of the mail server by sending them. The e-mails sent by Mr Lennon should be considered on an individual basis. There was implied consent to each e-mail and so collectively they could not be regarded as unauthorised. Thus, although it was accepted that the individual e-mails sent by the defendant each caused a modification, it was submitted that in each case it was an authorised modification.
Youth Court’s Decision
On
This judgment was heavily criticised in the legal and popular press.
Divisional Court’s Judgment
When the
The
The
The Court felt that there was a clear distinction between (i) the receipt of e-mails which the recipient merely does not want but which do not overwhelm or otherwise harm the server and (ii) the receipt of bulk e-mails which do overwhelm it.
The recipient of e-mails is not to be taken to consent to receiving e-mails sent in a quantity and at a speed which were likely to overwhelm the server. Such consent was not to be implied from the fact that the server has an open as opposed to a restricted configuration.
The Court did not define the limits of the consent which a computer owner impliedly gives to the sending of e-mails; however, it said that it plainly does not cover e-mails which are not sent for the purpose of communication with the owner but are sent for the purpose of interrupting the proper operation and use of the system. That was plainly Mr Lennon’s intent in using the Avalanche program; it was clear that, if Mr Lennon had asked D&G if he might send 5 million e-mails, D&G would not have consented. Therefore, the purpose of Mr Lennon in sending the e-mails and the use made of D&G’s e-mail facility were unauthorised.
To determine whether there was implied consent, Mr Lennon’s conduct was to be considered as a whole. The
The
Bogus E-mails
The prosecution had also highlighted the fact that all the e-mails purported to come from somebody, Ms Rhodes, who had not sent them or authorised sending them. The prosecution submitted that this indicated that Mr Lennon knew that D&G would not have consented to receiving e-mails of the type being sent and so knew that they were not authorised for the purpose of s 3(4) of the Act.
The Divisional Court referred to the judgment of the Court of Appeal in Zezev and Yarimaka v Governor of HM Prison Brixton and another [2002] EWHC 589 (Admin), in which it was stated that: ‘if an individual, by misusing or bypassing any relevant password, places in the files of the computer a bogus e-mail by pretending that the password holder is the author when he is not, then such an addition to such data is plainly unauthorised as defined in section 17(8); intent to modify the contents of the computer as defined in section 3(2) is self-evident and, by so doing, the reliability of the data in the computer is impaired within the meaning of section 3(2)(c)’.
Accordingly the
Comment
As a result of pressure from industry and from Europe to ensure that denial of service attacks are illegal, the Government is seeking via clause 40 of the Police and Justice Bill to amend s 3 of the Computer Misuse Act 1990 so that a person is guilty of an offence if he ‘does any unauthorised act in relation to a computer’ as opposed to doing ‘any act which causes an unauthorised modification of the contents of any computer’. The Home Office believes that the Act covers denial of service attacks. The All Party Internet Group recommended that, although the Act already made many denial of service attacks illegal, there was significant value in adding an explicit offence to the legislation. Although the Bill has been criticised by some in the IT industry for not allowing sufficient time for debate, for failing to distinguish sufficiently between innocent and dishonest uses and for failing to deal properly with denial of service attacks, it seems that, if the Divisional Court’s decision is good law, the Act can already be used against those responsible for denial of service attacks.
Mark Lewis is a partner in the Commercial Resolution Group at IBB Solicitors, specialising in IT disputes: mark.lewis@ibblaw.co.uk.