Posts on this blog represent my opinion. It may be my considered opinion on the basis of my formal study of law and technology. But it is not legal advice. It must not be treated as, or acted upon as, legal advice and no liability is accepted for doing so.

Tuesday 29 November 2011

A tempting target, but a dubious tactic

A few days ago a friend retweeted a link to a campaign that took an unusual approach to expressing distaste at The Sun's campaign against benefit fraudsters.

Pride's Purge - Help Fight Back Against Murdoch’s Benefit ‘Scroungers’ Hotline

The blog's author, Tom Pride, is encouraging people to report 'fat-cat bankers' to the Sun email hotline. Or, more specifically, he is encouraging people to do this so much that the hotline is overwhelmed:

"Simply by repeatedly sending as many emails as possible with the names of scrounging bankers who have used taxpayers money to pay themselves massive bonuses, the hotline can be crashed."

Now I have no love for the Sun - about the only good thing I can say for it is that it is not quite as revoltingly toxic as the Daily Mail. But I do have a concern about Tom Pride's campaign, because it is encouraging people to break the law. My particular worry is that most people who like the look of this and feel tempted to join in probably won't have any idea that this is, in fact, illegal.

When the Computer Misuse Act 1990 was originally enacted its Section 3 created the offence of 'unauthorised modification of a computer'. The intent was clearly to create an offence of hacking, but as time went on it became clear that a computer might be attacked in a manner that was not obviously 'unauthorised modification'. In particular, Denial-of-Service (DOS) attacks were, some commentators suggested, not caught by s.3. Matters came to a head in 2005 when David Lennon carried out a mail-bombing attack on the email server of Domestic & General plc. At his trial Mr Lennon's defence was that his actions had not been unauthorised, because an email server is specifically intended to receive emails, so he had done nothing to it that he had not implicitly been authorised to do. The judge struck out the case against Mr Lennon on this basis, but the Director of Public Prosecutions appealed and so the Court of Appeal considered the meaning of s.3 CMA 1990. Mr Justice Jack, in giving the Court's judgment that the prosecution should continue, considered that the authorisation had implied limits:

"I agree, and it is not in dispute, that the owner of a computer which is able to receive emails is ordinarily to be taken as consenting to the sending of emails to the computer. His consent is to be implied from his conduct in relation to the computer. Some analogy can be drawn with consent by a householder to members of the public to walk up the path to his door when they have a legitimate reason for doing so, and also with the use of a private letter box. But that implied consent given by a computer owner is not without limit. The point can be illustrated by the same analogies. The householder does not consent to a burglar coming up his path. Nor does he consent to having his letter box choked with rubbish. That second example seems to me to be very much to the point here. I do not think that it is necessary for the decision in this case to try to define the limits of the consent which a computer owner impliedly gives to the sending of emails. It is enough to say that it plainly does not cover emails which are not sent for the purpose of communication with the owner, but are sent for the purpose of interrupting the proper operation and use of his system."

Even before the Court of Appeal had given its ruling though, Parliament was already planning to revise the CMA to close this loophole. The Police and Justice Act 2006 amended s.3 CMA 1990 so that the offence it created was instead one of an unauthorised act impairing a computer's operation. No longer was in necessary to show that there had been some change made to a computer; it is now enough to show that the computer, even if doing what it was intended to do (e.g. receive emails) has been impaired in that function. The amendment also extended the offence to include reckless, as well as deliberate, impairment. So, both by statutory amendment and by case law (Lennon) it is now clear that mail-bombing a mail server to the extent that it is no longer usable is a criminal offence (and other forms of DOS attack, including distributed DOS, are similarly offences.)

What this means, I'm afraid, is that fun though it may be to suggest burying the Sun hotline in irate email, it's actually against the law to do this. It's directly illegal to send such emails, although to be pragmatic the likelihood of prosecution for sending a particular email is pretty low. (I wouldn't be so sanguine if anyone used a mail-bombing app, though.) It's also illegal, under the long-standing rule against 'aiding, abetting, counselling or procuring an indictable offence', to encourage other people to do this - as, it seems, the blog author here has. (In the comments to the post, Tom Pride says this isn't a DDOS attack. With respect, as I've tried to explain here, in the eyes of the law it is.)

As the two young men who tried to organise riots via Facebook found, it's very easy to get into a lot of trouble by saying something online. There's a good argument that it's far too easy, as Paul Chambers found out in the ongoing saga of the Twitter Bomb Joke trial. But as it is, it's worth pausing for thought - and perhaps a check of the law - before seeking to unleash the wrath of the Internet on a target, however deserving it may seem.