DPP v Lennon


DPP v Lennon [2006] EWHC 1201 (Admin) is the first reported criminal case in the U.K. concerning so-called "denial of service" (DoS) attacks. [1] The Divisional Court held that a DoS attack of the kind in question could amount to the offence of unauthorised modification under s. 3 of the Computer Misuse Act 1990 (CMA), and thereby clarified how the Act applied to DoS. [2]


Facts

Lennon, a 16-year-old, was employed by Domestic & General Group PLC (D&G) for three months until he was dismissed in December 2003. In January 2004 he downloaded a mail-bombing program, Avalanche v3.6, from the Internet and used it to bombard D&G with emails. [3] Email bombing is a form of DoS attack in which a program deliberately sends a very large number of emails to a particular address within an organisation; like other DoS attacks, it works by generating so many requests that the target's network or servers slow down or stop responding. [4] [5] [6]

Avalanche was set to "mail until it stopped". The emails also spoofed the name of Betty Rhodes, D&G's human resources manager, so that they appeared to originate from Rhodes rather than from Lennon. [7] Over the weekend an estimated five million emails were received by the group's servers, the last of them sent to Ms Rhodes with the message "it won't stop". The flood overwhelmed D&G's servers and brought them down, taking the corporate website with them. [7] The Metropolitan Police Service's Computer Crime Unit traced the attack to an address in the West Midlands. Lennon was arrested, interviewed and sent for trial at Wimbledon Youth Court. [8]
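The two features of the attack described above, a sustained burst of messages from one source and a forged sender purporting to be an insider, are exactly what a mail operator would want to spot in the receive log before the server falls over. The following is an added example written for this page, not code from the case, its sources or any product: a small detector that runs a per-client sliding-window rate check and a spoofed-internal-sender check over constructed MTA-style log lines. The log format, the example.test / example.org domains, the client addresses, the trusted-relay list and the threshold and window values are all assumptions made for the example.

```python
"""Mail-bomb detection over MTA-style receive logs: an added example, not
code from the case or its sources.  The log format, the domain names, the
client addresses and the threshold/window values are all assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed one-line-per-message receive log: timestamp, connecting client IP,
# envelope sender and envelope recipient.  Real MTA logs differ; adapt LINE_RE.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) from=<(?P<sender>[^>]*)> rcpt=<(?P<rcpt>[^>]*)>$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines, *, internal_domain, trusted_relays, threshold=5, window_seconds=60):
    """Scan log lines in order and return alerts as tuples.

    Two checks, each raised once per offending client:
      ("burst", ip, n)      more than `threshold` messages from one client
                            inside a sliding window of `window_seconds`;
      ("spoofed_internal_sender", ip, sender)
                            envelope sender claims our own domain but the
                            connecting client is not one of our own relays.
    """
    alerts = []
    recent = defaultdict(deque)        # client ip -> timestamps inside the window
    burst_seen, spoof_seen = set(), set()
    window = timedelta(seconds=window_seconds)

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                   # skip unparseable lines rather than crash
        ip, ts = ev["ip"], ev["ts"]

        # Sliding-window rate check: keep only timestamps within `window`.
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and ip not in burst_seen:
            burst_seen.add(ip)
            alerts.append(("burst", ip, len(q)))

        # Spoof check: our own domain as sender, but not from our own relay.
        sender = ev["sender"].lower()
        if sender.endswith("@" + internal_domain) and ip not in trusted_relays:
            key = (ip, sender)
            if key not in spoof_seen:
                spoof_seen.add(key)
                alerts.append(("spoofed_internal_sender", ip, sender))
    return alerts


def build_sample_log():
    """Constructed sample (not real traffic): three ordinary deliveries, then an
    eight-message burst from one outside client forging an internal sender."""
    t0 = datetime(2004, 1, 31, 22, 0, 0)
    fmt = "{ts} client={ip} from=<{sender}> rcpt=<{rcpt}>"
    lines = [
        fmt.format(ts=t0.isoformat(), ip="203.0.113.5",
                   sender="customer@mail.example.org", rcpt="support@example.test"),
        fmt.format(ts=(t0 + timedelta(seconds=20)).isoformat(), ip="203.0.113.6",
                   sender="supplier@parts.example.org", rcpt="buying@example.test"),
        # Internal HR mail relayed through our own server: legitimate.
        fmt.format(ts=(t0 + timedelta(seconds=30)).isoformat(), ip="10.0.0.2",
                   sender="hr.manager@example.test", rcpt="staff@example.test"),
    ]
    for i in range(8):
        lines.append(fmt.format(ts=(t0 + timedelta(seconds=40 + i)).isoformat(),
                                ip="198.51.100.9",
                                sender="hr.manager@example.test",
                                rcpt="hr.manager@example.test"))
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log(), internal_domain="example.test",
                        trusted_relays={"10.0.0.2"}):
        print(alert)
```

On the sample, the spoof check fires on the first forged message and the burst check on the sixth message inside the window. Note the caveat the case itself raises: the court declined to say where implied consent to receive email runs out, but a detection rule has to pick a concrete threshold, so the value should be tuned to the site's normal traffic and the alert treated as a trigger for rate-limiting or investigation rather than as proof of intent.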

Judgment

On questioning, the defendant admitted that he had downloaded the program and sent the emails, "modifying" D&G's server, with the intention of causing "a bit of a mess up". [9] He said he had not thought of his conduct as criminal, had not appreciated its impact and had not intended to cause damage to D&G; the damage was later estimated at nearly £18,000. [10] He also stated that he could have carried out a "ping attack" instead, but had not because that would merely have slowed the network for a few hours. He had therefore weighed the disruptive potential of two courses of action and chosen the one more likely to cause D&G problems. [7]

Lennon was charged under s.3 of the CMA with causing an unauthorised modification of the contents of a computer, knowing that the modification was unauthorised and intending thereby to impair, permanently or temporarily, the operation of that computer. [3] The crucial question was whether the modification was authorised, that is, whether D&G had consented to it. [3] Sections 17(7)(b) and 17(8) [11] supply the statutory definitions: the former provides that a modification includes the addition of any program or data to the contents of a computer, and the latter defines a modification as unauthorised where the person causing it is not entitled to determine whether it should be made and does not have the consent of any person who is so entitled. [12] At Wimbledon Magistrates' Court (sitting as a youth court) the prosecution submitted that Lennon had satisfied the elements of s.3(1) because he had caused a modification of the contents of D&G's email servers. [13]

The defence did not dispute that the sending and receipt of each email modified D&G's server, [10] but made a submission of "no case to answer" on the ground that the prosecution could not show that those modifications were unauthorised. [14] The argument was that, since the very function of an email server is to receive email, each individual email sent to the server is authorised to modify it, and there is no threshold beyond which a large number of authorised transactions becomes unauthorised. [12] D&G must therefore have consented to receiving the emails and to the resulting modification of its server, so Lennon could not be guilty of the s.3(1) offence.

The prosecution countered, first, that D&G could only have consented to bona fide emails, which the defendant's were not. Secondly, the emails were unauthorised from the moment Avalanche was instructed to send them. Thirdly, even if some number of emails was impliedly authorised, there was a threshold beyond which their number made them unauthorised. Finally, all of the emails were unauthorised because they came from the defendant rather than from the purported sender. [13]

District Judge Grant, sitting as a youth court, accepted the defence submission, held that there was no case to answer and dismissed the charge. He also held that s.3 was aimed at the sending of malicious material such as viruses, worms and Trojan horses, which modify data, and not at the sending of emails. Further, because D&G's servers were configured to receive email, each email the defendant sent was impliedly consented to individually; implied consent to each amounted to implied consent to all of them collectively, and the modifications were therefore authorised. [15]

Appeal

The Director of Public Prosecutions (DPP) appealed against the ruling of no case to answer. Keene LJ and Jack J disagreed with Judge Grant's reasoning, allowed the appeal and remitted the case to the district judge to continue the hearing, stating that he had "rather missed the reality of the situation" in finding that there was no case to answer. [13] The issue for the court was whether the addition to the data on D&G's server caused by the receipt of Lennon's emails was unauthorised within the meaning of s.17(8). [16] The first limb, s.17(8)(a), was straightforward: Lennon was not a person entitled to determine whether such a modification should be made. The question was therefore whether, under s.17(8)(b), he "had consent to the modification from any person who was so entitled". [17]

On consent, the Divisional Court accepted that the owner of an email server gives implied consent to the receipt of emails, but held that this implied consent is not without limits. [18] While D&G may have impliedly consented to the sending of an email, it would not have agreed to being overwhelmed by an enormous number of them. The court drew an analogy with a path across private property: a householder impliedly permits members of the public to walk up the path to deliver mail through the letterbox, but that permission does not extend to a burglar using the path or to someone who chokes the letterbox with rubbish. [16] It was not necessary to define the limits of that consent; it was enough to say that the implied consent covered emails sent for the purpose of communicating with the owner and was withdrawn where emails were sent for the purpose of interrupting the operation and use of the system. [19]

Contrary to the defendant's submission, his conduct was not to be assessed email by email but as a whole, because the emails had all been sent by a single program. Moreover, Avalanche had been set to run until it stopped, so Lennon's purpose was plain from the moment he started it. [13] On the prosecution's fourth submission, concerning the spoofed sender, the court referred to s.3(4) and the Zezev case and held that there was no consent to the sending of emails in Ms Rhodes's name and no consent to the receipt of malicious emails purporting to come from an employee. [17] The court added that an email purporting to come from someone other than its true originator is not unauthorised in every case: whether it is depends on the circumstances, an email sent as a joke being given as an example. [12]

In remitting the case for trial, the court suggested a test for the district judge on the question of whether Lennon knew that what he was doing was unauthorised: what answer would he have expected had he asked D&G whether he might start the program. [20]

Lennon, by then 19, pleaded guilty and was sentenced to a two-month curfew enforced by electronic tag. District Judge Dixon, sitting at Wimbledon Magistrates' Court, said that the conviction showed that a DoS attack is a serious criminal offence.

Commentary

Although the appeal court brought DoS attacks within s.3, holding in effect that it was enough that the defendant realised his unauthorised emails might impair the operation of the target system, the wider questions of implied consent, and thus of when the receipt of email is authorised, were left unresolved.

The initial decision in the Magistrates' Court attracted considerable comment and consternation and led to renewed calls for the CMA to be updated to keep pace with changes in technology and use. Section 36 of the Police and Justice Act 2006 replaced s.3 of the CMA with an offence of unauthorised acts with intent to impair the operation of a computer, expressly covering DoS attacks and punishable by a maximum of 10 years' imprisonment. [2] The amendment brought the UK into compliance with Article 5 of the Council of Europe Convention on Cybercrime and Article 3 of the EU Framework Decision on Attacks against Information Systems. [21]


References

  1. Fafinski, S. (2007). "Cyber crime". The New Law Journal. 157 (7258): 159.
  2. Pinsent Masons. "DPP v Lennon" (2007). Accessed 19 February 2012.
  3. Kon, Georgina; Church, Peter (2006). "A denial of service but not a denial of justice". Computer Law & Security Review. 22 (5): 416–417. doi:10.1016/j.clsr.2006.07.004.
  4. Creaton, J. (2006). "Recent Judicial Decisions". Police Journal. 79 (4): 371.
  5. Creaton, Jane (2007). "Recent Judicial Decisions". The Police Journal: Theory, Practice and Principles. 80 (2): 167–183. doi:10.1350/pojo.2007.80.2.167.
  6. Creaton, Jane (2005). "Recent Judicial Decisions". The Police Journal: Theory, Practice and Principles. 78 (2): 159–174. doi:10.1350/pojo.2005.78.2.159.
  7. Fafinski, S. (2006). "Service denied?". The New Law Journal. 156 (7248): 1712–1713.
  8. Oates, John (23 August 2006). "Kid who crashed email server gets tagged". The Register. Retrieved 17 February 2012.
  9. Fafinski, Stefan (2007). "The security ramifications of the Police and Justice Act 2006". Network Security. 2007 (2): 8–11. doi:10.1016/S1353-4858(07)70017-X.
  10. Consulting, C. (2006). "Denial of service attacks: Lennon and the Computer not much use Act". Electronic Business Law. 8 (1): 9.
  11. Computer Misuse Act 1990, s. 17.
  12. Hörnle, J. (2006). "UK – Computer Misuse – Denial of service attack". Electronic Business Law. 8 (6): 13.
  13. Fafinski, Stefan (2006). "Computer Misuse: Denial-of-Service Attacks". The Journal of Criminal Law. 70 (6): 474–478. doi:10.1350/jcla.2006.70.6.474.
  14. Fafinski, Stefan (2006). "Access Denied: Computer Misuse in an Era of Technological Change". The Journal of Criminal Law. 70 (5): 424–442. doi:10.1350/jcla.2006.70.5.424.
  15. Lloyd, I. (2008). Information Technology Law (5th edn). Oxford: Oxford University Press. p. 236.
  16. "Computer misuse: consent to modification of computer". Archbold News. 2006 (6): 1–2.
  17. DPP v Lennon [2006] EWHC 1201 (Admin); [2006] All ER (D) 147.
  18. Pinsent Masons. "Denial of Service attacker sentenced to curfew" (2006). Accessed 17 February 2012.
  19. Edwards, L.; Waelde, C. (2009). Law and the Internet (3rd edn). Oxford: Hart Publishing. p. 677.
  20. Lloyd 2008, p. 237.
  21. Fafinski, Stefan (2008). "Computer Misuse: The Implications of the Police and Justice Act 2006". The Journal of Criminal Law. 72 (1): 53–66. doi:10.1350/jcla.2008.72.1.477.
