(1) A person is guilty of an offence if-
(a) he does any unauthorised act in relation to a computer;
(b) at the time when he does the act he knows that it is unauthorised; and
(c) either subsection (2) or subsection (3) below applies.

Essentially, this involves doing something with, to, or about a computer knowingly without authorisation – the latter part will be discussed below.

Intention

(2) This subsection applies if the person intends by doing the act-
(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer;
(c) to impair the operation of any such program or the reliability of any such data; or
(d) to enable any of the things mentioned in paragraphs (a) to (c) above to be done.

Again, this is fairly straightforward. The one most likely to apply to DDoS attacks would be (b), in that the purpose of a DDoS is usually to shut down a website. A bit of legal logic is required, in assuming that a server (or set of servers) counts as a computer, and a website and the services it offers count as either programs or data. The key word in this section is probably “intends”. This means that just visiting a website (for example, to see if a DDoS attack has taken it down) should not count as illegal under this subsection. However, subsection (3) gives an alternative:

Recklessness

(3) This subsection applies if the person is reckless as to whether the act will do any of the things mentioned in paragraphs (a) to (d) of subsection (2) above.

Recklessness is another of the requirements for establishing what is known as mens rea in a criminal case (along with intention). While definitions are kind of complicated, the current definition (given in R v G & Anor) suggests that the accused has to know that there is a risk of their act having the effect (in this case, one of the things mentioned above) and that taking the risk would be unreasonable.
Defining “unreasonable” is a further issue, but that might be going into too much detail. In any case, this is probably not all that relevant, given that intention should be fairly obvious, particularly if specific software was involved.

Particulars and Definitions

(4) The intention referred to in subsection (2) above, or the recklessness referred to in subsection (3) above, need not relate to-
(a) any particular computer;
(b) any particular program or data; or
(c) a program or data of any particular kind.

This is also pretty straightforward; essentially, the accused does not have to have anything specific in mind, it can be a general attack.

(5) In this section-
(a) a reference to doing an act includes a reference to causing an act to be done;
(b) “act” includes a series of acts;
(c) a reference to impairing, preventing or hindering something includes a reference to doing so temporarily.

The first of these is worth noting. The second is fairly obvious and means there is no distinction between trying to access a website once and doing so multiple times (as in a DDoS attack). The third also covers a DDoS attack as the effect is often temporary.

Punishment

(6) A person guilty of an offence under this section shall be liable-
(a) on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;
(b) on summary conviction in Scotland, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both;
(c) on conviction on indictment, to imprisonment for a term not exceeding ten years or to a fine or to both.

This is the hard part. If the case is heard in just a magistrates’ court, the maximum penalty is 12 months in prison (in England and Wales, 6 months in Scotland) but this goes up to 10 years if the case goes to full trial in a Crown Court (before a jury).
The “statutory maximum” fine is £5,000 and is the most a magistrates’ court can give (in most cases).

The Low Orbit Ion Cannon and Similar Tools

On a related note, section 3A of the Computer Misuse Act (which came into force on 1st October 2008, although labelled as “prospective” on Legislation.gov.uk) makes it an offence: to make, adapt, supply or offer to supply anything intending it to be used in an act covered by section 3 (above) or assist in such an act; to supply or offer to supply such an article believing it is likely to be used in or assist in such an act; and to obtain an article “with a view to its being supplied for use” in committing or assisting in such an act. This offence is punished similarly to section 3 but with a maximum prison sentence of two years.

Anyone considering making or distributing such tools or software should be aware that it could be an offence to do so. It does not appear that merely having the software would be illegal.

Jurisdiction

Finally, it is worth noting that sections 4 to 9 of the Act cover jurisdiction issues, making it clear that only “one significant link” is needed between the acts taking place and the United Kingdom for domestic Courts to have jurisdiction; the target being elsewhere would not be a defence.