A teenager who crashed a former employer's server by sending a torrent of junk email, a practice known as mail-bombing, could yet face up to five years in prison after the case was sent back to trial.
Last Thursday, a British appeals court rejected a lower court's ruling that David Lennon didn't violate the Computer Misuse Act of 1990. Lennon is charged with one count of unauthorised modification of a computer.
The case goes to the core of calls to revise the Computer Misuse Act with more specific language to address DoS (denial-of-service) attacks. Parliament is considering revising the act to increase the maximum penalty for unauthorised modification of a computer from five years' imprisonment to 10 years, among other changes.
Prosecutors must prove that the defendant's actions modified a computer, and that the action was unauthorised. Lennon allegedly launched a DoS attack using a program called Avalanche in early 2004 that crashed the email server of Domestic and General Group, a company that provides warranties for domestic appliances.
But a district judge at Wimbledon Magistrates' Court ruled in November that the excess email was authorised since the company's website invited responses, and Lennon was therefore not in violation. Prosecutors appealed, sending the case to the Royal Courts of Justice.
Updated interpretations of the Computer Misuse Act are needed to deal with high-tech crime, Senior Crown Prosecutor Russell Tyner said in a statement.
Last Thursday, the Royal Courts of Justice sent the case back to the magistrates' court, saying the high volume of email constituted a crime. No date has been set for Lennon's continuing trial.
Lennon could face six months in prison if sentenced in magistrates' court. However, prosecutors could ask for a referral to the crown courts, where he could face up to five years in prison, a Crown Prosecution Service official said.