A teenager who crashed a former employer's server by sending a torrent of junk e-mail, a practice known as mail bombing, could still face up to five years in prison after the case was sent back to trial.
On Thursday, a British appeals court rejected a lower court's ruling that David Lennon didn't violate the UK's Computer Misuse Act of 1990. Lennon is charged with one count of unauthorised modification of a computer.
The case goes to the core of calls to revise the Computer Misuse Act with more specific language to address denial-of-service attacks. The U.K. Parliament is considering revising the act to increase the maximum penalty for unauthorised modification of a computer from five years' imprisonment to 10 years, among other changes.
Prosecutors must prove that the defendant's actions modified a computer, and that the action was unauthorised. Lennon allegedly launched a denial-of-service attack using a program called Avalanche in early 2004 that crashed the e-mail server of Domestic and General Group, a company that provides warranties for domestic appliances.
But a district judge at Wimbledon Magistrates' Court ruled in November that the excess e-mail was authorised since the company's website invited responses, and Lennon was therefore not in violation. Prosecutors appealed, sending the case to the Royal Courts of Justice.
Updated interpretations of the Computer Misuse Act are needed to deal with high-tech crime, Senior Crown Prosecutor Russell Tyner said in a statement.
Last Thursday, the Royal Courts of Justice sent the case back to the magistrates' court, saying the high volume of e-mail constituted a crime. No date has been set for Lennon's continuing trial.
Lennon could face six months in prison if sentenced in magistrates' court. However, prosecutors could ask for a referral to the crown courts, where he could face up to five years in prison, a Crown Prosecution Service official said.