DDoS Attacks and the Law

[Originally posted at pirateparty.org.uk in January 2011]

Earlier this week it was announced that five people had been arrested across the UK in connection with distributed denial of service (DDoS) attacks on “major US companies across several industries”, and that the arrests were made at the request of the FBI. While few details have emerged, it is understood that they were arrested under the Computer Misuse Act 1990. The aim of this post is to examine the relevant part of that Act and how it applies to DDoS attacks. As always, it should not be taken as legal advice, and any corrections and thoughts are most welcome.

The Law

The relevant law is section 3 of the Act, entitled “unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.”, which was added by section 36 of the Police and Justice Act 2006.

The Offence

(1) A person is guilty of an offence if-
(a) he does any unauthorised act in relation to a computer;
(b) at the time when he does the act he knows that it is unauthorised; and
(c) either subsection (2) or subsection (3) below applies.

Essentially, this involves knowingly doing something with, to, or about a computer without authorisation; what “unauthorised” means in the context of a public website is discussed below under Authorisation.

Intention

(2) This subsection applies if the person intends by doing the act-
(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer;
(c) to impair the operation of any such program or the reliability of any such data; or
(d) to enable any of the things mentioned in paragraphs (a) to (c) above to be done.

Again, this is fairly straightforward. The one most likely to apply to DDoS attacks is (b), in that the purpose of a DDoS is usually to make a website unavailable, although (a) could equally apply where the target server itself is overwhelmed. A little legal logic is required, in assuming that a server (or set of servers) counts as a computer, and that a website and the services it offers count as either programs or data. The key word in this subsection is probably intends. This means that merely visiting a website (for example, to see if a DDoS attack has taken it down) should not count as an offence under this subsection. However, subsection (3) gives an alternative:

Recklessness

(3) This subsection applies if the person is reckless as to whether the act will do any of the things mentioned in paragraphs (a) to (d) of subsection (2) above.

Recklessness is the other way of establishing what is known as mens rea in a criminal case (alongside intention). While the definitions are somewhat complicated, the current one (given in R v G & Anor) requires that the accused was aware of a risk that their act would have the effect (here, one of the things mentioned above) and that, in the circumstances known to them, it was unreasonable to take that risk. Defining “unreasonable” is a further issue, but that would be going into too much detail. In any case, recklessness is probably not all that relevant here, given that intention should be fairly obvious, particularly if specific attack software was involved.

Particulars and Definitions

(4) The intention referred to in subsection (2) above, or the recklessness referred to in subsection (3) above, need not relate to-
(a) any particular computer;
(b) any particular program or data; or
(c) a program or data of any particular kind.

This is also fairly straightforward: the accused does not need to have had any particular target in mind, so a general or indiscriminate attack is still covered.

(5) In this section-
(a) a reference to doing an act includes a reference to causing an act to be done;
(b) “act” includes a series of acts;
(c) a reference to impairing, preventing or hindering something includes a reference to doing so temporarily.

The first of these is worth noting: because causing an act to be done counts as doing it, a person who directs others, or a network of compromised machines, to send the traffic still commits the act. The second is fairly obvious and means there is no distinction between trying to access a website once and doing so many times (as in a DDoS attack). The third also covers a DDoS attack, as the effect is usually temporary.

Punishment

(6) A person guilty of an offence under this section shall be liable-
(a) on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;
(b) on summary conviction in Scotland, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both;
(c) on conviction on indictment, to imprisonment for a term not exceeding ten years or to a fine or to both.

This is the serious part. If the case is heard only in a magistrates’ court, the maximum penalty is 12 months in prison (in England and Wales; 6 months in Scotland), but this rises to 10 years if the case goes to full trial in a Crown Court (before a jury). The “statutory maximum” fine is £5,000, which is the most a magistrates’ court can impose (in most cases).

The Low Orbit Ion Cannon and Similar Tools

On a related note, section 3A of the Computer Misuse Act (which came into force on 1st October 2008, although it is labelled as “prospective” on Legislation.gov.uk) makes it an offence:

  • to make, adapt, supply or offer to supply anything intending it to be used in an act covered by section 3 (above) or assist in such an act,
  • to supply or offer to supply such an article believing it is likely to be used in or assist in such an act, and
  • to obtain an article “with a view to its being supplied for use” in committing or assisting in such an act.

This offence is punished similarly to section 3, but with a maximum prison sentence of two years on indictment. Anyone considering making or distributing such tools should be aware that doing so could be an offence. It does not appear that merely possessing the software would be illegal, since section 3A covers making, adapting, supplying and obtaining with a view to supply, but not possession as such.

Jurisdiction

Finally, it is worth noting that sections 4 to 9 of the Act deal with jurisdiction, making it clear that only “one significant link” with the United Kingdom is needed (for example, the accused being here when the act was done) for domestic courts to have jurisdiction; the target being elsewhere would not be a defence.

Summary

DDoS attacks are almost certainly against the law, with a maximum punishment of ten years in prison. One merely needs to act with the intention of taking down a website, however temporarily, for the law to apply. Even distributing tools for use in DDoS attacks can be an offence.

Authorisation

It should be noted that this section is entirely opinion and speculation.

The only area of contention (in my opinion) is, as mentioned above, in section 3(1)(a) and (b), where the law specifies that the act must be “unauthorised” and that the defendant must know this. When this law applies (as originally enacted in 1990) to ordinary misuse of computers, authorisation is fairly straightforward. However, when dealing with accessing a website (or “online location”) it becomes a lot less clear. As a website is a public location, it would seem that no authorisation is needed for the average person to visit it. That said, the websites of many large companies include some form of “terms of use” that would prohibit any use intended to cause damage; the Mastercard and Amazon UK websites have words to that effect, but I cannot quote them here as that would seem to breach those terms. However, the Visa and PayPal sites do not appear to have such terms.

Of course, even if we accept that the terms of use might make use of the site “unauthorised”, the binding nature of such terms is in doubt, as the only way to read the terms is to visit the site, making the conditions somewhat circular (i.e. you would need to access the website to see if you were authorised to do so). This area of law is particularly confusing, with little case law on it. That said, some of these issues were touched upon by Mrs Justice Proudman in her decision in NLA v Meltwater, particularly at [95]-[98] and [103], although that decision does not set a precedent on this point and she was mainly considering the application to copyright.

Update 29/11/2011: Having read DPP v Lennon (a case concerning mass/spam emails), it seems that the authorisation issue can be dealt with by an implied licence, which the Court will treat as limited to what it considers appropriate. At [14], Keene LJ notes that there is:

a clear distinction between the receipt of emails which the recipient merely does not want but which do not overwhelm or otherwise harm the server, and the receipt of bulk emails which do overwhelm it. It may be that the recipient is to be taken to have consented to the receipt of the former if he does not configure the server so as to exclude them. But … he does not consent to receiving emails sent in a quantity and at a speed which are likely to overwhelm the server. Such consent is not to be implied from the fact that the server has an open as opposed to a restricted configuration.
