Computer Misuse (Amendment) Bill

Ian Jackson ijackson at chiark.greenend.org.uk
Sun, 12 May 2002 19:08:21 +0100 (BST)


Peter Sommer writes ("Computer Misuse (Amendment) Bill"):
...
> House of Lords Bill to amend the 1990 Computer Misuse Act to include DoS 
> attacks:
> 
> http://www.publications.parliament.uk/pa/ld200102/ldbills/079/2002079.pdf

I might as well reproduce the meat here.  The CMA gets amended by the
addition of this new section:

  3A Denial of service attacks

  (1) A person is guilty of an offence if without authorisation he
      does any act -
          (a) which causes; or
          (b) which he intends to cause,
      directly or indirectly, a degradation, failure, or other
      impairment of function of a computerised system or any part
      thereof.
  (2) A person is guilty of the offence in subsection (1)(a) even if
      the act was not intended to cause such an effect, provided that
      a reasonable person could have anticipated that the act would
      have caused such an effect.
  (3) For the purposes of subsection (1), the act is without
      authorisation if the person doing it -
          (a) is not the owner of the relevant computerised system or
              part thereof; or
          (b) does not have the permission of the owner.

(The original CMA 1990 is at
http://www.hmso.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm.)

I have a number of questions and criticisms:

* The other offences in the CMA 1990 all have a bit saying what the
penalty is.  This one doesn't.  Am I missing something ?

* This seems to me to be massively overbroad.  It includes any
degradation of performance, not just serious or total loss of service.
You commit the offence even if the performance degradation is a
side-effect of some legitimate effect.

For example: my anti-spam SMTP server SAUCE [1] deliberately delays
responding to erroneous SMTP instructions from machines trying to send
it mail.  It does this for a number of reasons mainly to do with
fighting spam (but also for slowing down endless loops).

However, it's clear that doing this `causes ... an impairment of
function ... of a [computer]' - namely, it reduces the mail-sending
performance of the affected sending sites.  Since I'm not the owner of
those systems, and I don't have (at least in some cases) their
permission to slow their computer down in this way, I would appear to
be committing this offence.  Surely not ?  Am I then legally mandated
to have my mail-receiving software respond promptly ?

I'm sure ukcrypto readers can think of other examples.

* I'm very troubled by the `reasonable person could have anticipated'
bit.

Denial of service is frequently caused accidentally by
less-than-clueful users.  Are we to say that (for example) filling up
the disk by creating many large files, so that a shared computer
doesn't work any more, is now to be an offence ?  Surely a `reasonable
person could have anticipated' that using up huge amounts of a limited
resource like disk space would `impair [the] function' of the
computer ?

But, surely these miscreants should be dealt with via slapped-wrist
from the sysadmin, not by the criminal law !

Ian.