Various media are reporting how a British teenager escaped conviction after “mailbombing” his former employer. Mailbombing is a form of denial of service attack – in this case, the teen sent 5 million emails, which overwhelmed the target’s mail server.

According to zdnet, the youth was charged under section 3 of the CMA, which provides:

3.-(1) A person is guilty of an offence if-
a. he does any act which causes an unauthorised modification of the contents of any computer; and
b. at the time when he does the act he has the requisite intent and the requisite knowledge.

Section 3(2) provides that a “requisite intent” is:

… an intent to cause a modification of the contents of any computer and by so doing-
a. to impair the operation of any computer;
b. to prevent or hinder access to any program or data held in any computer; or
c. to impair the operation of any such program or the reliability of any such data.

and section 3(3) provides that:

The intent need not be directed at-
a. any particular computer;
b. any particular program or data or a program or data of any particular kind; or
c. any particular modification or a modification of any particular kind.

Although I can’t track down the written judgment, the article quotes it to the following effect:

…the individual e-mails caused to be sent each caused a modification which was in each case an ‘authorized’ modification. Although they were sent in bulk resulting in the overwhelming of the server, the effect on the server is not a modification addressed by section 3 (of the CMA).

This would seem to track the wording of the Act – the “modifications” made to the computer are made by the mailserver handling the messages it receives, and they are authorised. The emails didn’t apparently cause the mailserver to execute unauthorised instructions — as might be the case if they contain trojans, or exploited say a buffer overflow — they just put a load that the server couldn’t handle. (In passing, 5 million messages really isn’t outrageously many; what hardware and software were they using that couldn’t handle it?)

What the case neatly illustrates is the legal response to the distinction between using new technology to commit old crimes (ie frauds and scams, such as dudding people on eBay), versus using new technology to commit crimes that are only created along with the technology. The law is usually pretty good at handling the former, and pretty poor at handling the latter. Moreover, the latter is usually only addressed by legislation that is specific to the area being covered, and not of wider application.

The CMA was enacted in 1990 to handle the then-novel concept of hacking (really, “cracking”) into computers (ie, of the The Cuckoo’s Egg variety). This is a new tech crime, as you can’t hack computers until computers have been invented. The Act created three new crimes, all involving unauthorised access to, or unauthorised modification of the contents of, a computer.

While the Act handles that fairly well, this prosecution looks like an attempt to coerce the wording of the Act into an area it doesn’t really cover; that is, DOSing. That is another new tech crime, and one that needs to be dealt with by specific legislation. It should be fairly easy to draft anti-DOS legislation, although there is so often a transnational element that it may not do much unless paired with complementary legislation in other countries.

If they do do a redraft, it would interesting to see whether they attempt to cover other new tech problems of the moment, such as malware