Friday, November 26, 2004

ISP resorts to denial of service attacks on spammers

From The Register:

"Lycos Europe has started to distribute a special screensaver in a controversial bid to battle spam. The program - titled Make Love Not Spam, and available for Windows and the Mac OS - sends a request to view a spam source site. When a large number of screensavers send their requests at the same time the spam web page becomes overloaded and slow.

The servers targeted by the screensaver have been manually selected from various sources, including Spamcop, and verified to be spam advertising sites, Lycos claims. Several tests are performed to make sure that no server stops working. Flooding a server with requests so that the server is unable to respond to the volume of requests made - a process known as a distributed denial of service (DDoS) attack - is considered to be illegal.

Lycos believes the program will eventually hurt spammers. 'Spamvirtised' sites typically don't sell advertising, so they have to pay for bandwidth. Therefore more requests means higher bills, Lycos argues."

This is an interesting twist on the usual denial of service attack. Is Lycos exposing itself (and potentially the users of the screensavers) to criminal liability? In Ireland and the UK the answer would most likely be no - as I argue in this article on computer crime, current law fails to address this sort of attack, which falls outside the unauthorised access offences and the damage offences. However, Lycos might well be in trouble if it targets US-based spammers - see Jeff Nemerofsky's piece on "Interruption of Computer Services to Authorised Users".

Before you ask: Lycos isn't necessarily shielding itself from liability by "making sure that no server stops working". Some jurisdictions do seem to require an attack which brings down a server, but equally some of the US laws mentioned in that article criminalise the degradation of service as well as an outright denial of service.

Friday, November 12, 2004

Anonymity and the Internet

Internet use is seldom truly anonymous. In most cases, ISPs keep records which will link users with their online activities. Consequently, litigants or potential litigants often approach ISPs looking for disclosure of users' identities. The most high-profile examples have been in the music industry's file sharing cases, which are now set to come to Ireland.

May ISPs voluntarily disclose this information? Must they notify their users before doing so? Can litigants obtain a court order compelling an ISP to reveal the identity of a user? On what terms? I discuss the legal issues involved in this article, which originally appeared in the Commercial Law Practitioner.

Since that article was written, there has been a decision on this point in England, where Blackburne J. issued an order compelling disclosure. The full decision isn't yet available - but it appears from the news coverage that he didn't consider giving the alleged file-sharers an opportunity to make submissions before their identity was revealed. This is unfortunate. At a minimum, it ignores earlier English authority suggesting that users should be notified and given a chance to challenge any order.