Remember all those stories back in 2011 about Lulzsec, the hacker group behind a number of hacking attacks – including one against Sony as well as various government bodies, including possibly the CIA? It hasn’t ended well for at least some of their members – a number of whom have pleaded guilty to criminal charges in the UK, according to the BBC.
I thought I’d write a quick post about this just to emphasise that these examples show that hacking attacks, including DDoS (distributed denial of service) are illegal (in the UK at least anyway). It’s set out in the Computer Misuse Act 1990 (amended, for those who care, by the Police and Justice Act 2006) which, as it happens, was the subject of one of the very first blog posts on Gamer/Law,..
Anyway, this law criminalises:
(i) Intentional attempts to cause a computer to perform any function with intent to obtain unauthorised secure access to a computer or data on it (e.g. phishing),
(ii) Same as (i) but with the intent to carry out a further criminal offence (e.g. hacking a PC in order to commit fraud), or
(iii) acting in any way which causes the unauthorised modification of the contents of any computer, with the intent to impair the operation of any computer/programme or to hinder access to data on any computer (e.g. uploading a virus to a PC or server).
Breach is punishable by up to ten years in jail and/or fines. Of course, only the most ardent of Lulzsec supporters would pretend that their activities were not illegal. In practice the just as importnat question is catching the person carrying out the illegal act. That’s often a complicated question. I’ve seen several situations in which it is pretty hard to work out what has happened, when it happened, how and whether any law can be proven to have been breached at all by the alleged hacker (either beyond reasonable doubt for criminal cases, or on the balance of probabilities for weaker civil cases). Anyway, the point is that these Lulzsec hackers likely thought they wouldn’t be caught – they were wrong, and UK law was already set up to prosecute them.
Not that this had any deterrent effect. Since their attacks in 2011, if anything there has been even more DDoS thanks to the likes to Anonymous and others, who also have been arguing that DDoS and similar attacks should be seen as a form of free expression. Lulzsec themselves were defended by some as autually serving a social good by highlighting the weaknesses in IT systems and the hypocrisy and inadequacies of some of those who purported to maintain them.
Which raises an interesting question (albeit one likely to provoke strong reactions): DDoS attacks are illegal at the moment. But ought they still to be, always?