A few days ago a friend retweeted a link to a campaign that took an unusual approach to expressing distaste at The Sun's campaign against benefit fraudsters.
Pride's Purge - Help Fight Back Against Murdoch’s Benefit ‘Scroungers’ Hotline
The blog's author, Tom Pride, is encouraging people to report 'fat-cat bankers' to the Sun email hotline. Or, more specifically, he is encouraging people to do this so much that the hotline is overwhelmed:
"Simply by repeatedly sending as many emails as possible with the names of scrounging bankers who have used taxpayers money to pay themselves massive bonuses, the hotline can be crashed."
Now I have no love for the Sun - about the only good thing I can say for it is that it is not quite as revoltingly toxic as the Daily Mail. But I do have a concern about Tom Pride's campaign, because it is encouraging people to break the law. My particular worry is that most people who like the look of this and feel tempted to join in probably won't have any idea that this is, in fact, illegal.
When the Computer Misuse Act 1990 was originally enacted its Section 3 created the offence of 'unauthorised modification of a computer'. The intent was clearly to create an offence of hacking, but as time went on it became clear that a computer might be attacked in a manner that was not obviously 'unauthorised modification'. In particular, Denial-of-Service (DOS) attacks were, some commentators suggested, not caught by s.3. Matters came to a head in 2005 when David Lennon carried out a mail-bombing attack on the email server of Domestic & General plc. At his trial Mr Lennon's defence was that his actions had not been unauthorised, because an email server is specifically intended to receive emails, so he had done nothing to it that he had not implicitly been authorised to do. The judge struck out the case against Mr Lennon on this basis, but the Director of Public Prosecutions appealed and so the Court of Appeal considered the meaning of s.3 CMA 1990. Mr Justice Jack, in giving the Court's judgment that the prosecution should continue, considered that the authorisation had implied limits:
"I agree, and it is not in dispute, that the owner of a computer which is able to receive emails is ordinarily to be taken as consenting to the sending of emails to the computer. His consent is to be implied from his conduct in relation to the computer. Some analogy can be drawn with consent by a householder to members of the public to walk up the path to his door when they have a legitimate reason for doing so, and also with the use of a private letter box. But that implied consent given by a computer owner is not without limit. The point can be illustrated by the same analogies. The householder does not consent to a burglar coming up his path. Nor does he consent to having his letter box choked with rubbish. That second example seems to me to be very much to the point here. I do not think that it is necessary for the decision in this case to try to define the limits of the consent which a computer owner impliedly gives to the sending of emails. It is enough to say that it plainly does not cover emails which are not sent for the purpose of communication with the owner, but are sent for the purpose of interrupting the proper operation and use of his system."
Even before the Court of Appeal had given its ruling though, Parliament was already planning to revise the CMA to close this loophole. The Police and Justice Act 2006 amended s.3 CMA 1990 so that the offence it created was instead one of an unauthorised act impairing a computer's operation. No longer was in necessary to show that there had been some change made to a computer; it is now enough to show that the computer, even if doing what it was intended to do (e.g. receive emails) has been impaired in that function. The amendment also extended the offence to include reckless, as well as deliberate, impairment. So, both by statutory amendment and by case law (Lennon) it is now clear that mail-bombing a mail server to the extent that it is no longer usable is a criminal offence (and other forms of DOS attack, including distributed DOS, are similarly offences.)
What this means, I'm afraid, is that fun though it may be to suggest burying the Sun hotline in irate email, it's actually against the law to do this. It's directly illegal to send such emails, although to be pragmatic the likelihood of prosecution for sending a particular email is pretty low. (I wouldn't be so sanguine if anyone used a mail-bombing app, though.) It's also illegal, under the long-standing rule against 'aiding, abetting, counselling or procuring an indictable offence', to encourage other people to do this - as, it seems, the blog author here has. (In the comments to the post, Tom Pride says this isn't a DDOS attack. With respect, as I've tried to explain here, in the eyes of the law it is.)
As the two young men who tried to organise riots via Facebook found, it's very easy to get into a lot of trouble by saying something online. There's a good argument that it's far too easy, as Paul Chambers found out in the ongoing saga of the Twitter Bomb Joke trial. But as it is, it's worth pausing for thought - and perhaps a check of the law - before seeking to unleash the wrath of the Internet on a target, however deserving it may seem.
Posts on this blog represent my opinion. It may be my considered opinion on the basis of my formal study of law and technology. But it is not legal advice. It must not be treated as, or acted upon as, legal advice and no liability is accepted for doing so.
Tuesday, 29 November 2011
Subscribe to:
Post Comments (Atom)
4 comments:
I can see that it would be an offense for someone to say, set up a mail sending bot that, on it's own, sent so many emails that it would overwhelm a mailbox. But surely while the cumulative impact of thousands of people sending a single email would have the same effect, it would be very hard to prove that any single one them them did?
Further, there's a difference between my private email, which I don't invite the public to send their opinions to, and a mailbox that has been expressly created for that purpose.
Otherwise any website that goes down under high load could argue that they'd been effectively DOSed by their customers, and that they were entitled to have their customers prosecuted for showing up and not buying - they used the website in such way as to prevent others using it for it's intended purpose.
Surely the defining feature in the criminality is that it has to be one person, or at least an identifiable group doing the flooding? I can see that the guy calling for the massive action might be on dodgy ground, but sure if enough people chose to participate by sending a single email each, then each of them is only doing what the Sun has invited them to do?
Alasdair,
You're right that the risk of someone who sent an individual email being prosecuted is low - in part because the effect in isolation is small, but also because it might be hard for the CPS to get over the objection that they were unfairly singling out people just because they had been caught. (Of course, that defence didn't get very far with those who were caught committing otherwise minor offences during the riots.)
However, I'm not sure I agree with your distinction between public and private mailboxes. The point made in Lennon was that whatever purpose a mailbox is set up for, it's not there to be deluged in mail sent for the purpose of rendering it unusable.
As for overloaded sites in general, s.3 CMA 1990 only applies where the excessive access was deliberate or reckless. There is an interesting argument as to whether trying to direct hits to a competitor's site so as to overwhelm it would count as a DDOS attack; I've even seen the question raised as to whether, with elastic-demand cloud computing, it's legitimate to try to drive up a competitor's usage billing this way. (Something along the same lines was apparently done with pay-per-click ads.)
Interesting questions here. But I think you're wrong. Email bombing is not done by individual people but by zombie botnets for example. This means they are coming from one source, not from individuals. The emails in our case were actually requested by the Sun - they asked people to send examples of benefit scroungers - which is what we did. The fact that their own campaign ends up being so successful they get so deluged with emails is not at all against the law. Of course, the fact they don't like the content of our particular emails is also not a matter for the courts.
The courts could not allow individuals to be prosecuted in that situation because they would have to accept that sending an opinion to someone who openly asked for it was illegal. Now, they could try to prosecute the person who started the campaign - in this case me. And that would be an interesting test case. Of course,the fact of the matter is that some people would be more than prepared to go to court for things they feel strongly about. The publicity would be more than welcome. Do not underestimate how prepared some people would be to even do prison time over such issues. I know I would. By the way, our campaign was successful. The Sun's line is now closed and seems to remain so.
Tom,
With respect, that's pretty much the line that Mr Lennon took - and which the Court of Appeal comprehensively dismissed. Yes, the Sun was inviting emails. But if there is an organised campaign to send a vast number with the express intent of crashing their hotline (and you do say that is what you wanted to do) then your intent, and the intent of everyone who took part, wasn't to communicate with the Sun, it was to degrade or shut down the Sun's mail server. (Well, I suppose that was a form of communication in itself, but it certainly wasn't the form of communication that the Sun was inviting.)
You're quite right that the content is irrelevant though. As far as I can see your sample letter isn't abusive, threatening or defamatory. The only issue the Sun could have with you is that you contrived to deluge them with such vast numbers of copies of it that their hotline collapsed under the strain.
Post a Comment