DPP v Lennon

DPP v Lennon is the first reported criminal case in the U.K. concerning so-called "denial of service" (DoS) attacks. The appeal court found that DoS attacks constituted an offence of unauthorised modification under s. 3 of the Computer Misuse Act 1990 (CMA) and thus clarified the law regarding DoS.

Facts
Lennon, a 16-year-old teenager, was employed by Domestic & General Group PLC (D&G) for three months until he was dismissed in December 2003. In January 2004, Lennon downloaded a mail bombing program, Avalanche v3.6, from the Internet and used it to bombard D&G with emails. Email bombing is the practice of using a program to deliberately send large numbers of emails to a particular email address within a business. It is an example of a DoS attack, in which multiple requests are made with the objective of slowing down or disabling a network.

Avalanche was set to "mail until it stopped". The emails also spoofed the name of Betty Rhodes, D&G's human resources manager, so that they appeared to originate from Rhodes rather than from Lennon. It was estimated that almost 5 million emails were received by the group's servers over the weekend, with the last one, sent to Ms Rhodes, stating "it won’t stop". This overwhelmed D&G's servers and brought them down along with the corporate website. The Metropolitan Police Service's Computer Crime Unit traced the attack to an address in the West Midlands. Lennon was arrested, interviewed and sent for trial at Wimbledon Youth Court.

Judgment
The defendant admitted on questioning that he had downloaded the program and sent the emails, "modifying" the server of D&G, with the intention of causing a "bit of a mess up". However, he had not considered that he had done something criminal, had not realized the impact of his actions, and had not intended to cause the damage to D&G, which was estimated at nearly £18,000. Moreover, he stated that he could have carried out a "ping attack", but did not, as that would merely have slowed the network for a few hours. He thus recognized that he had at least considered the relative potential for interruption of two courses of action, and that he had chosen the one more likely to cause problems for D&G.

Lennon was then charged with violating s.3 of the CMA for causing an "unauthorised modification" to a computer, with the knowledge that the modification was unauthorised, and by doing so impairing, permanently or temporarily, the proper operation of that computer. The crucial question was whether this modification was authorised and whether D&G consented to those modifications. Ss. 17(7b) and 17(8) provide the statutory definitions of "unauthorised modification": the first makes clear that a modification includes the addition of any program or data, and the second defines "unauthorised" as where the defendant does not have consent to the modification from the person who is entitled to determine whether or not that addition should be made. At Wimbledon Magistrates' Court the prosecution submitted that Lennon had fulfilled the elements of s.3(1), as he had caused a modification of the contents of D&G's email servers.

The defence did not dispute that the sending and receipt of each email resulted in modification of D&G's server. At the same time, the defence made a submission of "no case to answer" on the grounds that the alleged modification, made by sending emails, was not capable of showing that his activities had been unauthorised. The basis of the defendant's argument was that, since the very function of the email server was to receive emails, each individual email sent to the server was authorised to modify it, and there could be no threshold over which a vast quantity of authorised transactions becomes unauthorised. Therefore, D&G must have consented to receive emails and to the modification of the server, so he could not be guilty of the s.3(1) offence.

Per contra, the prosecution countered, firstly, that there can only be consent to bona fide emails, which the defendant's were not. Secondly, the emails were unauthorised from the moment Avalanche was instructed to send them. Thirdly, even if there were a number of emails that were impliedly authorised, there was a threshold at which their number transgressed into being unauthorised. Finally, they argued that all the emails were unauthorised since they came from the defendant rather than the purported sender.

District Judge Grant, sitting as a youth court, accepted the defence's argument and held that there was no case to answer, dismissing the charges against Lennon. He also held that s.3 was intended to deal with the sending of malicious material such as viruses, worms and Trojan horses, which modify data, but not with the sending of emails. Further, as D&G's servers were configured to receive emails, each email sent by the defendant was, on an individual basis, impliedly consented to; the implied consent to each resulted in implied consent collectively, and thus the modifications made were authorised.

Appeal
The Director of Public Prosecutions (DPP) appealed against the ruling of no case to answer. Lord Justice Keene and Justice Jack disagreed with Judge Grant's reasoning, allowed the appeal and remitted the case to the district judge to continue the hearing, stating that the district judge had "rather missed the reality of the situation by wrongfully finding that there was no case to answer". The issue this court had to consider was whether the addition to the data on D&G's server arising from the receipt of emails sent by Lennon was unauthorised within the meaning of s.17(8). This was unproblematic to answer, since Lennon was not the person entitled to determine whether or not such "modification" should be made, so s.17(8a) was satisfied. The question then was whether Lennon "had consent to the modification from any person who was so entitled" according to s. 17(8b).

On the issue of consent, the divisional court agreed that the owner of an email server would give consent to the receipt of emails. However, it held that this implied consent was not without limits. Thus, while D&G may have given implied consent to the sending of an email, it would not have agreed to being overwhelmed with a large number of emails. The court drew an analogy with a footpath on private property. A householder gives implied permission to members of the public to walk up his or her path to deliver mail through the letterbox, but such implied permission could not be taken to extend to burglars using the path or to having the letterbox "choked with rubbish". It was not necessary to define the limits of that consent; it was enough to state that the implied consent covered emails sent for the purpose of communication with the owner and is withdrawn where emails are sent for the purpose of interrupting the operation and use of the system.

Contrary to the defendant's submission, his conduct should not be considered on an email-by-email basis, but as a whole, because the emails had been sent by a single program. Further, Avalanche was set to run until it stopped, so Lennon's purpose was obvious from the moment he started the program. Regarding the prosecution's fourth submission, on spoofed email addresses, the court, referring to s.3(4) and the Zezev case, held that there was no consent to the sending of emails in the name of Ms Rhodes and no consent to the receipt of malicious emails purporting to come from an employee. However, the court expressly stated that an email purporting to come from a person other than its originator should not be treated as unauthorised in all circumstances, as whether it is authorised depends on the circumstances, for instance where it was sent as a joke.

Remitting the case for trial, the court suggested a test for the district judge to consider in deciding whether Lennon knew that what he was doing was unauthorised: what answer would he have expected if he had asked D&G whether he might start the program?

Lennon, then 19 years old, was convicted and sentenced to two months’ curfew enforced by an electronic tag. Lord Dixon, sitting at WMC, ruled that Lennon's guilty plea indicated that a DoS attack is a serious and criminal offence.

Commentary
Although on appeal the court resolved the problem of DoS, in that even a realization that there was a possibility that the unauthorised email might impair the operation of the target system would suffice, the problems regarding implied consent, and thus authorisation to the receipt of email, remain unresolved.

The initial decision in the Magistrates' Court aroused considerable comment and consternation and led to renewed calls for the CMA to be updated so as to deal with changes in technology and use. The Police and Justice Act 2006 (s.36) amended s.3 of the CMA, criminalizing DoS attacks, punishable by a maximum of 10 years’ imprisonment. This amendment brought the UK into compliance with A.5 of the Council of Europe Cybercrime Convention and A.3 of the EU Framework Decision on Attacks against Information Systems.