'Email bomb' teen gets two-month curfew

A UK teenager pleaded guilty on Wednesday to breaking the Computer Misuse Act (CMA) by crashing the email server of his former employer.

David Lennon, 18, was sentenced to a two-month curfew by a judge sitting at Wimbledon Magistrates' Court.

Lennon had originally been cleared of the charges in November 2005, after another judge ruled it wasn't an offence to overwhelm an email server with millions of messages. This ruling was later challenged by the Crown Prosecution Service, and in May 2006 the case was sent back to the magistrates' court.

On Wednesday morning, Judge Dixon ruled Lennon should be subject to a curfew, which means he must stay at home between the hours of 00:30 and 07:00 on weekdays, and 00:30 and 10:00 on weekends. If he breaks this curfew, he risks a more serious sentence.

The curfew has been timed so as not to interfere with Lennon's work at a local cinema. Judge Dixon said it is "a happy coincidence" it will end the day before Lennon starts college in September.

The prosecution dropped their demand that Lennon should pay costs amounting to £29,000, which arose from his attack on Domestic and General Group, in which five million emails crashed its servers.

The defence argued Lennon should receive a conditional discharge, given the confusion over whether the CMA outlawed the sending of masses of emails - known as an email bomb. Judge Dixon, though, argued this was inappropriate.

He told the court: "Even given his age at the time, this was a grave offence and caused serious damage, so I need to impose something to make him think again."

The CMA, which was introduced in 1990, explicitly outlaws the "unauthorised access" and "unauthorised modification" of computer material. Section 3, under which he was charged, concerns unauthorised data modification and tampering with systems.

Lennon's original case was heard by District Judge Kenneth Grant, who ruled that an email bomb did not violate the CMA because email servers were set up to receive emails. As such, each individual email could be ruled to make an "authorised modification" to the server.

The CMA is now seen as insufficient to combat the rise of cyber crimes such as denial of service attacks. A series of amendments are being introduced by the government to update it.

Colin Barker and Graeme Wearden write for ZDNet UK