Posts on this blog represent my opinion. It may be my considered opinion on the basis of my formal study of law and technology. But it is not legal advice. It must not be treated as, or acted upon as, legal advice and no liability is accepted for doing so.

Tuesday, 29 November 2011

A tempting target, but a dubious tactic

A few days ago a friend retweeted a link to a campaign that took an unusual approach to expressing distaste at The Sun's campaign against benefit fraudsters.

Pride's Purge - Help Fight Back Against Murdoch’s Benefit ‘Scroungers’ Hotline

The blog's author, Tom Pride, is encouraging people to report 'fat-cat bankers' to the Sun email hotline. Or, more specifically, he is encouraging people to do this so much that the hotline is overwhelmed:

"Simply by repeatedly sending as many emails as possible with the names of scrounging bankers who have used taxpayers money to pay themselves massive bonuses, the hotline can be crashed."

Now I have no love for the Sun - about the only good thing I can say for it is that it is not quite as revoltingly toxic as the Daily Mail. But I do have a concern about Tom Pride's campaign, because it is encouraging people to break the law. My particular worry is that most people who like the look of this and feel tempted to join in probably won't have any idea that this is, in fact, illegal.

When the Computer Misuse Act 1990 was originally enacted, its Section 3 created the offence of 'unauthorised modification of a computer'. The intent was clearly to create an offence of hacking, but as time went on it became clear that a computer might be attacked in a manner that was not obviously 'unauthorised modification'. In particular, some commentators suggested that Denial-of-Service (DoS) attacks were not caught by s.3. Matters came to a head in 2005 when David Lennon carried out a mail-bombing attack on the email server of Domestic & General plc. At his trial Mr Lennon's defence was that his actions had not been unauthorised, because an email server is specifically intended to receive emails, so he had done nothing to it that he had not implicitly been authorised to do. The judge struck out the case against Mr Lennon on this basis, but the Director of Public Prosecutions appealed and so the Court of Appeal considered the meaning of s.3 CMA 1990. Mr Justice Jack, in giving the Court's judgment that the prosecution should continue, considered that the authorisation had implied limits:

"I agree, and it is not in dispute, that the owner of a computer which is able to receive emails is ordinarily to be taken as consenting to the sending of emails to the computer. His consent is to be implied from his conduct in relation to the computer. Some analogy can be drawn with consent by a householder to members of the public to walk up the path to his door when they have a legitimate reason for doing so, and also with the use of a private letter box. But that implied consent given by a computer owner is not without limit. The point can be illustrated by the same analogies. The householder does not consent to a burglar coming up his path. Nor does he consent to having his letter box choked with rubbish. That second example seems to me to be very much to the point here. I do not think that it is necessary for the decision in this case to try to define the limits of the consent which a computer owner impliedly gives to the sending of emails. It is enough to say that it plainly does not cover emails which are not sent for the purpose of communication with the owner, but are sent for the purpose of interrupting the proper operation and use of his system."

Even before the Court of Appeal had given its ruling, though, Parliament was already planning to revise the CMA to close this loophole. The Police and Justice Act 2006 amended s.3 CMA 1990 so that the offence it created was instead one of an unauthorised act impairing a computer's operation. No longer was it necessary to show that there had been some change made to a computer; it is now enough to show that the computer, even if doing what it was intended to do (e.g. receiving emails), has been impaired in that function. The amendment also extended the offence to include reckless, as well as deliberate, impairment. So, both by statutory amendment and by case law (Lennon), it is now clear that mail-bombing a mail server to the extent that it is no longer usable is a criminal offence (and other forms of DoS attack, including distributed DoS, are similarly offences).

What this means, I'm afraid, is that fun though it may be to suggest burying the Sun hotline in irate email, it's actually against the law to do this. It's directly illegal to send such emails, although to be pragmatic the likelihood of prosecution for sending a particular email is pretty low. (I wouldn't be so sanguine if anyone used a mail-bombing app, though.) It's also illegal, under the long-standing rule against 'aiding, abetting, counselling or procuring an indictable offence', to encourage other people to do this - as, it seems, the blog author here has. (In the comments to the post, Tom Pride says this isn't a DDoS attack. With respect, as I've tried to explain here, in the eyes of the law it is.)

As the two young men who tried to organise riots via Facebook found, it's very easy to get into a lot of trouble by saying something online. There's a good argument that it's far too easy, as Paul Chambers found out in the ongoing saga of the Twitter Bomb Joke trial. But as it is, it's worth pausing for thought - and perhaps a check of the law - before seeking to unleash the wrath of the Internet on a target, however deserving it may seem.

Friday, 14 October 2011

SCL Conference 2011 - Day 1

I'm at the Society for Computers and Law's 2011 Conference in Bath, with the theme of New Technology v High Risk. I'll aim to blog updates on the sessions as we go along, so refresh for details.

Technology, Risk and Law - Dr Andrew Martin, University of Oxford.
A heartfelt plea for professionalism in the IT industry, in the context of properly understanding what risk is and what technology can and cannot do. Andrew Martin observed how we are increasingly reliant on security entities we have no knowledge of (e.g. certification authorities) and, with more and more of our household devices not only being connected to the Internet but also holding multiple sets of our credentials, this poses risks of security failures that are hard to be aware of, let alone properly quantify. He put forward three wishes for the genie that we have let out of the bottle: better technology, in the sense of understanding and removing vulnerabilities; more realism as to what IT can and can't do; and more focus on reliability and robustness in place of pushing the state of the art.

Cyber-crime - Prof Ian Walden (QMUL), Det Sup Charlie McMurdie (Met Police), Neil Hare-Broom (QCC Forensics)
Cyber-crime is getting more sophisticated; we are seeing seized PCs with over a dozen virtual machines, or more than 8 TB of data to be examined. Some suspects have literally dozens of online IDs. The problem is made worse by the declining effectiveness of anti-malware protection, the growing pressure (from economy and convenience) for businesses to allow use of employee devices for work, and the jurisdictional challenges of cloud computing. The panel couldn't offer a simple answer, with views ranging from "it can only get worse" to "we have to do what we can to help ordinary users and shouldn't just accept that this happens". Again, the question of how much we accept poor reliability in software came up - should we extend consumer protection law to cover the quality of software security? Ditto for enforcing pervasive use of encryption to protect payment details. Interestingly, the police officer was wary of adding more and more laws, on the basis that threats of prosecution can deter reporting - carrots are better than sticks.
Cyber-crime is getting more sophisticated; we are seeing seized PCs with over a dozen virtual machines, or more than 8TB of data to be examined. Some suspects have literally dozens of online IDs. The problem is made worse by the declining effectiveness of anti-malware protection, the growing pressure (from economy and convenience) for businesses to allow use of employee devices for work, and the jurisdictional challenges of cloud computing. The panel couldn't offer a simple answer, with views from "it can only get worse" to "we have to do what we can to help ordinary users and shouldn't just accept that this happens". Again, the question of how much we accept poor reliability in software came up - should we extend consumer protection law to cover the quality of software security? Ditto for enforcing pervasive use of encryption to protect payment details. Interestingly, the police officer was wary of adding more and more laws, on the basis that threats of prosecution can deter reporting - carrots are better than sticks.