U.K. Outlaws Denial of Service Attacks
gnaremooz writes "A U.K. law has been passed that makes it an offense to launch denial-of-service attacks. The penalties for violating the new statutes are stiff, with sentences increased from 5 to 10 years. The five year penalty was from the 1990 "Computer Misuse Act", which was enacted before the Internet became widespread. The idea of stiffer penalties for DoS attacks is probably something we can all get behind, but the language of the law is frustratingly vague." From the article: "Among the provisions of the Police and Justice Bill 2006, which gained Royal Assent on Wednesday, is a clause that makes it an offense to impair the operation of any computer system. Other clauses prohibit preventing or hindering access to a program or data held on a computer, or impairing the operation of any program or data held on a computer."
Another law with good intent.
Another set of wording so vague it's no use against those it's meant to stop.
Another set of abuses waiting to happen.
Is crushing a suspect's child's testicles illegal?
John Yoo: "No, [if] the President thinks he needs to do that."
This is a pretty good description of DRM! So it's illegal now?
Unfortunately merely meaning to do good isn't enough if you don't understand the root of the problem. This isn't going to deter people who are doing DoS attacks anyways. Usually they're using DDoS, through hijacked computers... This is pointless. But good for them for taking an interest.
The original poster sounds a bit silly - but he is getting close to an important point.
I don't think anyone here denies that it is important if websites go down. It can cost businesses millions if their website is not available to customers. If DDoSing hurts business, then why should it not be a civil issue? Let the civil jurisdiction deal with it, because it certainly isn't something that is worthy of jail time.
This needs to be a civil offense, not a criminal offense. When it's a criminal offense, we have these types of problems: vagueness. Leave it to civil courts and have the victim sue the offender for so much money it's going to financially ruin the attacker.
If this is going to be a criminal case, a year in jail in addition to computer-banishment would be proficient. One, it prevents the person from repeating the crime. Two, it's going to be unpleasant for someone to spend a year in jail, not to be confused with prison, for something as physically harmless as denial of service attacks.
However, if a denial of service attack affects a medical institution or is against the government, then it needs to be a crime.
So let's see... DDoS takes down a site for a period of time (maybe more if it's a shared server). And so we respond with 10 years in jail?
First of all, economically that's a moronic decision. Jail costs the state between 20-30 thousand dollars a year depending on where it is. Unless someone is DDoSing Amazon, and here's where the vague wording of the law is an important shortfall, we're spending hundreds of thousands of dollars punishing someone who did perhaps a few thousand dollars worth of damage. That's bad economics, and I'm sure that money could be better used, say, feeding the starving or allowing someone to go to college who otherwise wouldn't be able to.
Second of all, the kind of person you're going to be able to catch is not the person you want to throw in jail. We already have laws to punish people who run large botnets, and moreover by and large experienced blackhats won't be caught because they administrate their nets from countries ending in -stan. So the people who this legislation will put in jail will by and large be stupid college kids and people making a bad, poorly thought out decision, as evidenced by the fact that they're using their home computer. These people need to be slapped with a big fine to smarten them up, and then allowed to contribute to society.
This should be a poster case of a crime that should not carry criminal penalty.
Relax I just want some peanuts.
Damn! So now it's illegal to use a script to flood a phishing site with dummy credit card info.
Or to load the Lad Vampire to use up the daily file transfer allowances on 419ers' fraudulent "banks"....
When one of my websites (with over 130,000 active members) was being attacked, South Wales Police told me they couldn't do much to investigate the perpetrator because all the funds were tied up in fighting online paedophilia.
What's the point in making the term of sentence tougher, if there aren't any resources to investigate online crime in many UK forces?
Say I have an encrypted drive on my computer and it's seized by the authorities? Is that not impeding access to a computer system?
Also I totally agree with the earlier statement on REAL damage. Say a company's website is down and they sell things online. Someone who was really intent on buying something from that website will wait until it's back up. Someone who was just shopping around will likely continue to do so, and the casual websurfer would pass it by, perhaps trying again later. They're really not LOSING any business, they're merely delaying it till later. How many individuals'/organisations' business would they honestly lose? There's no way of knowing, so they just pull a number out of their ass and say "This much!" and expect to be rewarded that amount, plus legal expenses of course.
Now say the victim is an individual in their home. Can they claim damages under this law? Most likely not since they're not "losing" anything (in a business sense), other than access to a service they've paid for. Sure you can ring up your provider and complain but they'll probably blame it on you and tell you it's your computer being full of spyware and viruses and you should reinstall Windows. If you tell them you run *nix they'll probably say I'm sorry that's not supported, we can't help you. Big firms (*cough* BT *cough*) are all too happy to blame the customer first.
So what this boils down to is that we've now got yet another lovely new law that's beneficial to big business and no one else. Oh happy day!
Cam
Does this mean people can be prosecuted for installing Windows onto a computer system?
Maybe. But more likely it means you can be prosecuted for installing a browser. The only purpose of a browser is to use the bandwidth and cpu time of some other computer. That obviously interferes with anything running on that computer, impairing it for all other users.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
The problem with tagging some sites is that they can get millions of hits per day. Down time can cost a helluva lot. It would be more like vandalising voting booths on election day; Lots and lots of people would be inconvenienced.
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
Why don't you think the law would protect you? If someone did DoS your broadband, then yes, they could be charged as a criminal. I don't know how else it could be.
I disagree! You buy a computer - you're responsible for it. If you don't have the knowledge to secure it, you pay the professional to do it for you. You may also insure yourself for any damage caused by your system, insurance companies exist for that.
It's like having a car: You are liable for the damage caused by the car independent of who drives it. If it is stolen or hijacked, you are still liable. Therefore you are required to have insurance that can cover the damage, there are safety requirements for the vehicle, and you are responsible to see that your car meets these requirements. If you are not a professional you go to the mechanic and have it done. And even if everything is OK, and your car is stolen and involved in an accident, you are liable, your insurance will cover damage, and if the thief is caught the insurance company will seek to get the thief to pay up.
The same should go for the Internet: Once you're on the public network you are liable for any damage caused. If we hold people liable they will make sure that their systems do not inflict any damage, and reduce the risk. Currently, people just say:
"Oh sorry, I didn't patch my system, I didn't update my anti-virus and someone broke into my system without my knowledge... but that's not my fault!"
and
"I don't know how to maintain my system, but I just want to use e-mail anyway, so why should I need to care?"
Of course, it is not entirely fair just to blame the user. Software vendors disclaim ALL liability, even for errors they have knowledge of. Schneier's dream is to make software vendors liable for their products. I think that unless the public have full access to the code vendors should not be able to disclaim liability. You can't both disclaim liability and impose restrictions on how the product may be used.
If there is product liability, then it is also fair to hold users liable for inappropriate use and abuse caused by their misconfiguration or negligence and liability cannot be passed onto the vendor.
If this means that uncle Bob and aunt Alice can't use the Internet, because they won't accept responsibility for their systems and won't buy insurance against abuse, fine! Cut the connection!
If you were to stand in front of Wal-Mart's doors and refused to let customers enter the store, I think you would go to jail. A DoS attack does the same thing.
"I believe you should only be able to disclaim liability if you also disclaim all rights to control the product - ie. open source."
I agree wholeheartedly with that!
As for defending ignorance, I guess it does come across that way, but there's a subtle difference between defending a person's right to be ignorant and defending ignorance. Ignorance is no excuse for breaking the law, but it isn't, and it shouldn't, be against the law to be running a computer that has been invaded by a malicious user!
I hate to say it, but it's almost exactly like forcing a rape victim to pay a fine for wearing skimpy clothes while walking the streets at night. Is it a stupid thing to do? Sure. Is the person liable for being raped? No! And computer virgins regularly get raped, so to speak.
I certainly DO believe that users should take an active responsibility to learn how to use their computers well. I'm not defending the right to be eternally dumb, but I am saying that the average user shouldn't be penalized for not having above average technical skills, because obviously half the people are always going to be below average in that respect. I believe users should learn, and learning computers should be treated exactly like learning anything else: for example, if you're learning computer science in school, and you don't study, you get a failing grade, yes? But you don't get taken to court and fined for being a poor student. As for penalties, surely a fine counts as a financial penalty, no?
I do agree with your point that vendors should assume liability to protect their users. And I do agree that people should be responsible for learning how to use their computers well, including about matters of security. But if we're going to make people pay for not knowing they should have installed Bogosoft's latest virus definitions, or installed Fakeware's latest anti-spyware-botware-nosyware product, I think that's going a bit too far.
I mean, where would this lead to? To use the tortured car analogy, should Uncle Bob and Aunt Alice be forced to complete a written and hands-on computer test before being allowed to use a computer to send an e-mail to Aunt Carol? Not that you are suggesting this, of course, but it doesn't sound that far-fetched when you use the car analogy for liability.
Should users pay internet insurance to their ISPs? I dunno. I think it's crazy, but I'm suddenly envisioning a society where that is the case. O Brave New World! You might be on to something after all.
Professional Dilettante